CISCO SD-WAN Configure Security Parameters
Configure Security Parameters
Note
To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.
This section describes how to change security parameters for the control plane and the data plane in the Cisco Catalyst SD-WAN overlay network.
- Configure Control Plane Security Parameters
- Configure Data Plane Security Parameters
- Configure IKE-Enabled IPsec Tunnels
- Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Configure Control Plane Security Parameters
By default, the control plane uses DTLS as the protocol that provides privacy on all its tunnels. DTLS runs over UDP. You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers. You configure the control plane tunnel protocol on a Cisco SD-WAN Controller:
vSmart(config)# security control protocol tls
With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers and between the Cisco SD-WAN Controller and Cisco SD-WAN Manager use TLS. Control plane tunnels to Cisco Catalyst SD-WAN Validator always use DTLS, because these connections must be handled by UDP.
In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the Cisco SD-WAN Controllers, all control plane tunnels from that controller to the other controllers use TLS. Said another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS on the control plane tunnel only to that one Cisco SD-WAN Controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to all their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them.
By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:
vSmart(config)# security control tls-port number
The port can be a number from 1025 through 65535.
To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:
vSmart-2# show control connections
Configure DTLS in Cisco SD-WAN Manager
If you configure the Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything. The number of ports forwarded depends on the number of vdaemon processes running on the Cisco SD-WAN Manager. To display information about these processes and about the number of ports that are being forwarded, use the show control summary command, which shows that four daemon processes are running:
To see the listening ports, use the show control local-properties command:
vManage# show control local-properties
This output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind a NAT, you should open the following ports on the NAT device:
- 23456 (base - instance 0 port)
- 23456 + 100 (base + 100)
- 23456 + 200 (base + 200)
- 23456 + 300 (base + 300)
Note that the number of instances is the same as the number of cores you have assigned for the Cisco SD-WAN Manager, up to a maximum of 8.
Configure Security Parameters Using the Security Feature Template
Use the Security feature template for all Cisco vEdge devices. On the edge routers and on Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On Cisco SD-WAN Manager and Cisco SD-WAN Controller, use the Security feature template to configure DTLS or TLS for control plane security.
Configure Security Parameters
- From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
- Click Feature Templates and then click Add Template.
Note: In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
- From the Devices list in the left pane, choose a device. The templates applicable to the selected device appear in the right pane.
- Click Security to open the template.
- In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
- In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.
When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down menu to the left of the parameter field and choose one of the following:
Table 1:
Parameter Scope | Scope Description |
Device Specific (indicated by a host icon) | Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.
When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet. To change the default key, type a new string and move the cursor out of the Enter Key box. Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID. |
Global (indicated by a globe icon) | Enter a value for the parameter, and apply that value to all devices.
Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs. |
Configure Control Plane Security
Note
The Configure Control Plane Security section is applicable to Cisco SD-WAN Manager and Cisco SD-WAN Controller only.
To configure the control plane connection protocol on a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller, choose the Basic Configuration area and configure the following parameters:
Table 2:
Parameter Name | Description |
Protocol | Choose the protocol to use on control plane connections to a Cisco SD-WAN Controller:
• DTLS (Datagram Transport Layer Security). This is the default.
• TLS (Transport Layer Security) |
Control TLS Port | If you selected TLS, configure the port number to use. Range: 1025 through 65535. Default: 23456 |
Click Save.
Configure Data Plane Security
To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, choose the Basic Configuration and Authentication Type tabs, and configure the following parameters:
Table 3:
Parameter Name | Description |
Rekey Time | Specify how often a Cisco vEdge router changes the AES key used on its secure DTLS connection to the Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400 seconds (24 hours) |
Replay Window | Specify the size of the sliding replay window.
Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets. Default: 512 packets |
IPsec pairwise-keying | This is turned off by default. Click On to turn it on. |
Authentication Type | Select the authentication types from the Authentication List, and click the arrow pointing right to move the authentication types to the Selected List column.
Authentication types supported from Cisco SD-WAN Release 20.6.1:
• esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
• ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers.
• ip-udp-esp-no-id: Ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
• none: Turns integrity checking off on IPSec packets. We don't recommend using this option.
Authentication types supported in Cisco SD-WAN Release 20.5.1 and earlier:
• ah-no-id: Enable an enhanced version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the packet's outer IP header.
• ah-sha1-hmac: Enable AH-SHA1 HMAC and ESP HMAC-SHA1.
• none: Select no authentication.
• sha1-hmac: Enable ESP HMAC-SHA1.
Note: For an edge device running on Cisco SD-WAN Release 20.5.1 or earlier, you may have configured authentication types using a Security template. When you upgrade the device to Cisco SD-WAN Release 20.6.1 or later, update the selected authentication types in the Security template to the authentication types supported from Cisco SD-WAN Release 20.6.1. To update the authentication types, do the following:
1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
2. Click Feature Templates.
3. Find the Security template to update and click ... and click Edit.
4. Click Update. Do not modify any configuration.
Cisco SD-WAN Manager updates the Security template to display the supported authentication types. |
Click Save.
Configure Data Plane Security Parameters
In the data plane, IPsec is enabled by default on all routers, and by default IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication on IPsec tunnels. On the routers, you can change the type of authentication, the IPsec rekeying timer, and the size of the IPsec anti-replay window.
Configure Allowed Authentication Types
Authentication Types in Cisco SD-WAN Release 20.6.1 and Later
From Cisco SD-WAN Release 20.6.1, the following integrity types are supported:
- esp: This option enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
- ip-udp-esp: This option enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers.
- ip-udp-esp-no-id: This option is similar to ip-udp-esp, however, the ID field of the outer IP header is ignored. Configure this option in the list of integrity types to have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
- none: This option turns integrity checking off on IPSec packets. We don't recommend using this option.
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated integrity types or to disable the integrity check, use the following command:
integrity-type { none | ip-udp-esp | ip-udp-esp-no-id | esp }
Authentication Types Before Cisco SD-WAN Release 20.6.1
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated authentication types or to disable authentication, use the following command:
Device(config)# security ipsec authentication-type (ah-sha1-hmac | ah-no-id | sha1-hmac | none)
By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication. Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, which are listed in order from most strong to least strong:
Note
The sha1 in the configuration options is used for historical reasons. The authentication options indicate how much of the packet integrity checking is done. They do not specify the algorithm that checks the integrity. Except for the encryption of multicast traffic, the authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1. However, in Cisco SD-WAN Release 20.1.x and onwards, both unicast and multicast do not use SHA1.
- ah-sha1-hmac enables encryption and encapsulation using ESP. However, in addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. Hence, this option supports an integrity check of the packet similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using AES-256-GCM.
- ah-no-id enables a mode that is similar to ah-sha1-hmac, however, the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco Catalyst SD-WAN AH software ignore the ID field in the IP header so that the Cisco Catalyst SD-WAN software can work in conjunction with these devices.
- sha1-hmac enables ESP encryption and integrity checking.
- none maps to no authentication. This option should be used only if it is required for temporary debugging. You can also choose this option in situations where data plane authentication and integrity are not a concern. Cisco does not recommend using this option for production networks.
For information about which data packet fields are affected by these authentication types, see Data Plane Integrity.
Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both of the routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types, and a second router advertises the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel connection between them. If no common authentication types are configured on the two peers, no IPsec tunnel is established between them.
The encryption algorithm on IPsec tunnel connections depends on the type of traffic:
- For unicast traffic, the encryption algorithm is AES-256-GCM.
- For multicast traffic:
  - Cisco SD-WAN Release 20.1.x and later: the encryption algorithm is AES-256-GCM.
  - Previous releases: the encryption algorithm is AES-256-CBC with SHA1-HMAC.
When the IPsec authentication type is changed, the AES key for the data path is changed.
Change the Rekeying Timer
Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure authenticated communications channel between them. The routers use IPSec tunnels between them as the channel, and the AES-256 cipher to perform encryption. Each router generates a new AES key for its data path periodically. By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:
Device(config)# security ipsec rekey seconds
The configuration looks like this:
- security ipsec rekey seconds !
If you want to generate new IPsec keys immediately, you can do so without modifying the configuration of the router. To do this, issue the request security ipsec-rekey command on the compromised router. For example, the following output shows that the local SA has a Security Parameter Index (SPI) of 256:
A unique key is associated with each SPI. If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the SPI. In our example, the SPI changes to 257 and the key associated with it is now used:
- Device# request security ipsec-rekey
- Device# show ipsec local-sa
After the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers using DTLS or TLS. The Cisco SD-WAN Controllers send the key to the peer routers. The routers begin using it as soon as they receive it. Note that the key associated with the old SPI (256) continues to be used for a short period of time until it times out. To stop using the old key immediately, issue the request security ipsec-rekey command twice, in quick succession. This sequence of commands removes both SPI 256 and 257 and sets the SPI to 258. The router then uses the key associated with SPI 258. Note, however, that some packets will be dropped for a short period of time until all the remote routers learn the new key.
Change the Size of the Anti-Replay Window
IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in a data stream. This sequence numbering protects against an attacker duplicating data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these sequence numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.
Packets with sequence numbers that fall to the left of the sliding window range are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts the sliding window when it receives a packet with a higher value.
By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To modify the anti-replay window size, use the replay-window command, specifying the size of the window:
Device(config)# security ipsec replay-window number
The configuration looks like this:
security ipsec replay-window number ! !
To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The configured replay window size is divided by eight for each channel. If QoS is configured on a router, that router might experience a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the packets that are dropped are legitimate ones. This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets. To minimize or prevent this situation, you can do the following:
- Increase the size of the anti-replay window.
- Engineer traffic onto the first eight traffic channels to ensure that traffic within a channel is not reordered.
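The receiver-side check described in this section, as an added Python example (not Cisco's implementation): a bitmap sliding window, run over a constructed packet stream in which every fourth packet is low priority and arrives 100 positions late to stand in for QoS reordering. The class and function names, the traffic mix and the delay are assumptions; dividing the configured size by eight per channel follows the text above.

```python
ALLOWED_SIZES = (64, 128, 256, 512, 1024, 2048, 4096)  # values listed in this section
CHANNELS = 8  # the configured window size is divided by eight for each channel


class ReplayWindow:
    """Receiver-side anti-replay state for one traffic channel."""

    def __init__(self, size):
        self.size = size
        self.highest = 0  # highest sequence number accepted so far
        self.seen = 0     # bit i set => sequence (highest - i) was accepted

    def check(self, seq):
        """Return 'accept', 'drop-stale' or 'drop-replay' for one packet."""
        if seq > self.highest:
            # New highest value: slide the window forward and mark the packet.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "drop-stale"   # falls to the left of the window
        if (self.seen >> offset) & 1:
            return "drop-replay"  # this sequence number was already accepted
        self.seen |= 1 << offset
        return "accept"


def legitimate_drops(configured, total=1000, low_every=4, delay=100):
    """Count genuine (never replayed) packets dropped in one channel.

    Constructed traffic: sequence numbers 1..total, every `low_every`-th
    packet is low priority and arrives `delay` positions late.
    """
    if configured not in ALLOWED_SIZES:
        raise ValueError(f"replay-window must be one of {ALLOWED_SIZES}")
    window = ReplayWindow(configured // CHANNELS)
    arrival_order = sorted(
        range(1, total + 1),
        key=lambda seq: seq + delay if seq % low_every == 0 else seq,
    )
    return sum(window.check(seq) != "accept" for seq in arrival_order)


if __name__ == "__main__":
    for size in (64, 512, 4096):
        print(f"replay-window {size}: {legitimate_drops(size)} legitimate packets dropped")
```

With this traffic the late packets trail the highest received sequence number by about 99, so only a per-channel window larger than that (4096 / 8 = 512 here) stops dropping them.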
Configure IKE-Enabled IPsec Tunnels
To securely transfer traffic from the overlay network to a service network, you can configure IPsec tunnels that run the Internet Key Exchange (IKE) protocol. IKE-enabled IPsec tunnels provide authentication and encryption to ensure secure packet transport. You create an IKE-enabled IPsec tunnel by configuring an IPsec interface. IPsec interfaces are logical interfaces, and you configure them just like any other physical interface. You configure IKE protocol parameters on the IPsec interface, and you can configure other interface properties.
Note: Cisco recommends using IKE Version 2. From the Cisco SD-WAN 19.2.x release onwards, the pre-shared key needs to be at least 16 bytes in length. The IPsec tunnel establishment fails if the key size is less than 16 characters when the router is upgraded to version 19.2.
Note
The Cisco Catalyst SD-WAN software supports IKE Version 2 as defined in RFC 7296. One use for IPsec tunnels is to allow vEdge Cloud router VM instances running on Amazon AWS to connect to the Amazon virtual private cloud (VPC). You must configure IKE Version 1 on these routers. Cisco vEdge devices support only route-based VPNs in an IPSec configuration because these devices cannot define traffic selectors in the encryption domain.
Configure an IPsec Tunnel
To configure an IPsec tunnel interface for secure transport traffic from a service network, you create a logical IPsec interface:
You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512). The IPsec interface has a name in the format ipsecnumber, where number can be from 1 through 255. Each IPsec interface must have an IPv4 address. This address must be a /30 prefix. All traffic in the VPN that is within this IPv4 prefix is directed to a physical interface in VPN 0 to be sent securely over an IPsec tunnel.
To configure the source of the IPsec tunnel on the local device, you can specify either the IP address of the physical interface (in the tunnel-source command) or the name of the physical interface (in the tunnel-source-interface command). Ensure that the physical interface is configured in VPN 0. To configure the destination of the IPsec tunnel, specify the IP address of the remote device in the tunnel-destination command. The combination of a source address (or source interface name) and a destination address defines a single IPsec tunnel. Only one IPsec tunnel can exist that uses a specific source address (or interface name) and destination address pair.
Configure an IPsec Static Route
To direct traffic from the service VPN to an IPsec tunnel in the transport VPN (VPN 0), you configure an IPsec-specific static route in a service VPN (a VPN other than VPN 0 or VPN 512):
- vEdge(config)# vpn vpn-id
- vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]
The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512). prefix/length is the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the IPsec-specific static route. The interface is the IPsec tunnel interface in VPN 0. You can configure one or two IPsec tunnel interfaces. If you configure two, the first is the primary IPsec tunnel, and the second is the backup. With two interfaces, all packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.
Enable IKE Version 1
When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following properties are also enabled by default for IKEv1:
- Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- Diffie-Hellman group number: 16
- Rekeying time interval: 4 hours
- SA establishment mode: Main
By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:
Note
IKE aggressive mode with pre-shared keys should be avoided wherever possible. Otherwise a strong pre-shared key should be chosen.
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# mode aggressive
By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# group number
By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# cipher-suite suite
The authentication suite can be one of the following:
- aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity.
- aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.
- aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
- aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.
By default, IKE keys are refreshed every 1 hour (3600 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds). It is recommended that the rekeying interval be at least 1 hour.
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# rekey seconds
To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
For IKE, you can also configure preshared key (PSK) authentication:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password
password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string from 1 through 127 characters long.
If the remote IKE peer requires a local or remote ID, you can configure this identifier:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
- vEdge(config-authentication-type)# local-id id
- vEdge(config-authentication-type)# remote-id id
The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.
Enable IKE Version 2
When you configure an IPsec tunnel to use IKE Version 2, the following properties are also enabled by default for IKEv2:
- Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- Diffie-Hellman group number: 16
- Rekeying time interval: 4 hours
By default, IKEv2 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# group number
By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# cipher-suite suite
The authentication suite can be one of the following:
- aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity.
- aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.
- aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
- aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.
By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# rekey seconds
To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.
For IKE, you can also configure preshared key (PSK) authentication:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password
password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string, or it can be an AES-encrypted key.
If the remote IKE peer requires a local or remote ID, you can configure this identifier:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
- vEdge(config-authentication-type)# local-id id
- vEdge(config-authentication-type)# remote-id id
The identifier can be an IP address or any text string from 1 through 64 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.
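A configuration check built from the IKE guidance in the sections above, as an added Python example (not Cisco tooling): it flags aggressive mode combined with a pre-shared key, a cleartext pre-shared key shorter than 16 bytes, and an IKE rekey interval under one hour. The sample input is constructed and uses the flattened one-command-per-line form in which this page writes the commands; the function names and finding labels are assumptions.

```python
import re

MIN_PSK_BYTES = 16        # required from the Cisco SD-WAN 19.2.x release onward
MIN_REKEY_SECONDS = 3600  # the IKEv1 section recommends at least 1 hour

# Constructed sample, not taken from a device. The keys are placeholders.
SAMPLE_COMMANDS = """\
vpn 1 interface ipsec1 ike
mode aggressive
rekey 1800
authentication-type pre-shared-key pre-shared-secret tooshort
vpn 1 interface ipsec2 ike
rekey 14400
authentication-type pre-shared-key pre-shared-secret Constructed-Key-0123456789
"""

IKE_CONTEXT = re.compile(r"^vpn (\S+) interface (ipsec\d+) ike$")
REKEY = re.compile(r"^rekey (\d+)$")
PSK = re.compile(r"^authentication-type pre-shared-key pre-shared-secret (\S+)$")


def parse_ike(commands):
    """Collect the IKE settings entered for each IPsec interface."""
    tunnels = {}
    current = None
    for raw in commands.splitlines():
        line = raw.strip()
        if (m := IKE_CONTEXT.match(line)):
            # Main mode is the IKEv1 default; rekey/psk stay None until set.
            current = tunnels.setdefault(
                f"vpn {m[1]} {m[2]}", {"mode": "main", "rekey": None, "psk": None}
            )
        elif current is None:
            continue  # command outside an IKE context, not audited here
        elif line == "mode aggressive":
            current["mode"] = "aggressive"
        elif (m := REKEY.match(line)):
            current["rekey"] = int(m[1])
        elif (m := PSK.match(line)):
            current["psk"] = m[1]
    return tunnels


def audit_ike(commands):
    """Return (tunnel, finding) pairs for settings the page advises against."""
    findings = []
    for name, cfg in parse_ike(commands).items():
        psk = cfg["psk"]
        if cfg["mode"] == "aggressive" and psk is not None:
            findings.append((name, "aggressive-mode-with-psk"))
        # Length is measured on the cleartext ASCII form of the key only.
        if psk is not None and len(psk.encode()) < MIN_PSK_BYTES:
            findings.append((name, "psk-under-16-bytes"))
        if cfg["rekey"] is not None and cfg["rekey"] < MIN_REKEY_SECONDS:
            findings.append((name, "rekey-under-1-hour"))
    return findings


if __name__ == "__main__":
    for tunnel, finding in audit_ike(SAMPLE_COMMANDS):
        print(f"{tunnel}: {finding}")
```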
Gadzira IPsec Tunnel Parameters
Tafura 4: Feature History
Feature Zita | Kuburitsa Ruzivo | Tsanangudzo |
Yekuwedzera Cryptographic | Cisco SD-WAN Kuburitswa 20.1.1 | Ichi chimiro chinowedzera rutsigiro rwe |
Algorithmic Tsigiro yeIPSec | HMAC_SHA256, HMAC_SHA384, uye | |
Tunnels | HMAC_SHA512 algorithms e | |
kuchengetedzwa kwakawedzerwa. |
By default, the following parameters are used on the IPsec tunnel that carries IKE traffic:
- Authentication and encryption: AES-256 algorithm in GCM (Galois/counter mode)
- Rekeying interval: 4 hours
- Replay window: 32 packets
You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining) mode, with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, or to null with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, so that the IPsec tunnel used for IKE key exchange traffic is not encrypted:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# cipher-suite (aes256-gcm | aes256-cbc-sha1 | aes256-cbc-sha256 | aes256-cbc-sha384 | aes256-cbc-sha512 | aes256-null-1sha-sha256 | | aes256-null-sha256 | aes384-null-sha256)
By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1,209,600 seconds):
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# rekey seconds
To force the generation of new keys for an IPsec tunnel, issue the request ipsec ipsec-rekey command. By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime module group. You can change the PFS setting:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting
pfs-setting can be one of the following:
- group-2: Use the 1024-bit Diffie-Hellman prime modulus group.
- group-14: Use the 2048-bit Diffie-Hellman prime modulus group.
- group-15: Use the 3072-bit Diffie-Hellman prime modulus group.
- group-16: Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
- none: Disable PFS.
By default, the IPsec replay window on the IPsec tunnel is 512 bytes. You can set the replay window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# replay-window number
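The following audit sketch is an added example, not Cisco code: it overlays the defaults listed above on an ipsec stanza and reports settings that weaken the tunnel or fall outside the documented ranges. The stanza layout, the function names, and the min_pfs_bits policy threshold are assumptions made for illustration.

```python
import re

# Defaults and permitted values as stated in this section.
DEFAULTS = {"cipher-suite": "aes256-gcm", "rekey": "14400",
            "perfect-forward-secrecy": "group-16", "replay-window": "512"}
PFS_BITS = {"group-2": 1024, "group-14": 2048, "group-15": 3072,
            "group-16": 4096, "none": 0}
REPLAY_SIZES = {64, 128, 256, 512, 1024, 2048, 4096}
REKEY_MIN, REKEY_MAX = 30, 14 * 24 * 3600   # 30 seconds through 14 days

def parse_ipsec(config_text):
    """Return the effective ipsec settings: defaults overlaid with configured lines."""
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = re.match(r"\s*(cipher-suite|rekey|perfect-forward-secrecy|replay-window)\s+(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_ipsec(config_text, min_pfs_bits=2048):
    """Return findings. min_pfs_bits is an assumed local policy, not a Cisco rule."""
    s, findings = parse_ipsec(config_text), []
    suite = s["cipher-suite"]
    if "-null-" in suite:
        findings.append(f"cipher-suite {suite}: tunnel traffic is not encrypted")
    if suite.endswith("sha1"):
        findings.append(f"cipher-suite {suite}: HMAC uses SHA-1")
    pfs = s["perfect-forward-secrecy"]
    if pfs not in PFS_BITS:
        findings.append(f"perfect-forward-secrecy {pfs}: not a listed setting")
    elif pfs == "none":
        findings.append("perfect-forward-secrecy none: PFS is disabled")
    elif PFS_BITS[pfs] < min_pfs_bits:
        findings.append(f"perfect-forward-secrecy {pfs}: {PFS_BITS[pfs]}-bit group below policy")
    if not s["rekey"].isdigit() or not REKEY_MIN <= int(s["rekey"]) <= REKEY_MAX:
        findings.append(f"rekey {s['rekey']}: outside 30 seconds to 14 days")
    if not s["replay-window"].isdigit() or int(s["replay-window"]) not in REPLAY_SIZES:
        findings.append(f"replay-window {s['replay-window']}: not a supported size")
    return findings

# Constructed sample stanza, not taken from a real device.
SAMPLE = """
interface ipsec1
 ipsec
  cipher-suite aes256-cbc-sha1
  perfect-forward-secrecy group-2
  replay-window 100
"""
```

Calling audit_ipsec(SAMPLE) reports the SHA-1 HMAC, the 1024-bit PFS group, and the unsupported replay window size; an empty stanza yields no findings because the defaults apply.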
Change IKE Dead-Peer Detection
IKE uses a dead-peer detection mechanism to determine whether the connection to an IKE peer is functional and reachable. To implement this mechanism, IKE sends a Hello packet to its peer, and the peer sends an acknowledgment in response. By default, IKE sends Hello packets every 10 seconds, and after three unacknowledged packets, IKE declares the neighbor to be dead and tears down the tunnel to the peer. Thereafter, IKE periodically sends a Hello packet to the peer, and re-establishes the tunnel when the peer comes back online. You can change the liveness detection interval to a value from 10 through 0, and you can change the number of retries to a value from 65535 through 0.
Note
For transport VPNs, the liveness detection interval is converted to seconds by using the following formula:
Interval for retransmission attempt number N = interval * 1.8^(N-1)
For example, if the interval is set to 10 and retries to 5, the detection interval increases as follows:
- Attempt 1: 10 * 1.8^(1-1) = 10 seconds
- Attempt 2: 10 * 1.8^(2-1) = 18 seconds
- Attempt 3: 10 * 1.8^(3-1) = 32.4 seconds
- Attempt 4: 10 * 1.8^(4-1) = 58.32 seconds
- Attempt 5: 10 * 1.8^(5-1) = 104.976 seconds
vEdge(config-interface-ipsecnumber)# dead-peer-detection interval retries number
Configure Other Interface Properties
For IPsec tunnel interfaces, you can configure only the following additional interface properties:
- vEdge(config-interface-ipsec)# mtu bytes
- vEdge(config-interface-ipsec)# tcp-mss-adjust bytes
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Table 5: Feature History Table
Feature Name | Release Information | Feature Description |
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager | Cisco vManage Release 20.9.1 | This feature allows you to disable weaker SSH algorithms on Cisco SD-WAN Manager that may not comply with certain data security standards. |
Information About Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Cisco SD-WAN Manager provides an SSH client for communication with components in the network, including controllers and edge devices. The SSH client provides an encrypted connection for secure data transfer, based on a variety of encryption algorithms. Many organizations require stronger encryption than that provided by SHA-1, AES-128, and AES-192. From Cisco vManage Release 20.9.1, you can disable the following weaker encryption algorithms so that an SSH client does not use these algorithms:
- SHA-1
- AES-128
- AES-192
Before disabling these encryption algorithms, ensure that Cisco vEdge devices, if any, in the network, are using a software release later than Cisco SD-WAN Release 18.4.6.
Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Disabling weaker SSH encryption algorithms improves the security of SSH communication, and ensures that organizations using Cisco Catalyst SD-WAN are compliant with strict security regulations.
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using CLI
- From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
- Choose the Cisco SD-WAN Manager device on which you wish to disable weaker SSH algorithms.
- Enter the username and password to log in to the device.
- Enter SSH server mode.
- vmanage(config)# system
- vmanage(config-system)# ssh-server
- Do one of the following to disable an SSH encryption algorithm:
- Disable SHA-1:
- vmanage(config-ssh-server)# no kex-algo sha1
- vmanage(config-ssh-server)# commit
The following warning message is displayed:
The following warnings were generated:
'system ssh-server kex-algo sha1': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise those edges may become offline. Proceed? [yes, no] yes
- Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.
- Disable AES-128 and AES-192:
- vmanage(config-ssh-server)# no cipher aes-128-192
- vmanage(config-ssh-server)# commit
The following warning message is displayed:
The following warnings were generated:
'system ssh-server cipher aes-128-192': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise those edges may become offline. Proceed? [yes, no] yes
- Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.
Verify that Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI
- From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
- Choose the Cisco SD-WAN Manager device you wish to verify.
- Enter the username and password to log in to the device.
- Run the following command: show running-config system ssh-server
- Confirm that the output shows one or more of the commands that disable weaker encryption algorithms:
- no cipher aes-128-192
- no kex-algo sha1
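The pre-check and the verification step above can be combined into one change gate, shown here as an added example that is not Cisco tooling. The edge inventory, the layout of the show running-config system ssh-server output, and all function names are assumptions; the version test follows the "later than 18.4.6" wording.

```python
import re

REQUIRED_LINES = ("no cipher aes-128-192", "no kex-algo sha1")
BASELINE = (18, 4, 6)   # edges must run a release later than 18.4.6

def release_tuple(release):
    """Turn '20.3.1' or '18.4.6a' into a comparable tuple of integers."""
    return tuple(int(n) for n in re.findall(r"\d+", release)[:3])

def blocking_edges(inventory):
    """Hostnames whose release is not later than the baseline.
    An unparseable release yields () and is treated as blocking."""
    return sorted(h for h, rel in inventory.items()
                  if release_tuple(rel) <= BASELINE)

def missing_hardening(running_config):
    """Required 'no ...' lines absent from the ssh-server output."""
    present = {" ".join(line.split()) for line in running_config.splitlines()}
    return [req for req in REQUIRED_LINES if req not in present]

def plan_change(inventory, running_config):
    """Return ('done', []), ('blocked', hosts) or ('apply', commands)."""
    todo = missing_hardening(running_config)
    if not todo:
        return ("done", [])
    blockers = blocking_edges(inventory)
    if blockers:
        return ("blocked", blockers)
    return ("apply", todo)

# Constructed inventory and constructed command output (layout assumed).
EDGES = {"edge-a": "20.3.1", "edge-b": "18.4.6", "edge-c": "18.4.5"}
OUTPUT_PARTIAL = """system
 ssh-server
  no kex-algo sha1
 !
!
"""
```

With the constructed data, plan_change(EDGES, OUTPUT_PARTIAL) returns a blocked result naming edge-b and edge-c, which is the condition the commit warning describes: those edges could lose connectivity once the weaker algorithms are removed.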