
Cisco SD-WAN: Configure Security Parameters


Configure Security Parameters

Note

To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

This section describes how to change the security parameters for the control plane and the data plane in the Cisco Catalyst SD-WAN overlay network.

  • Configure Control Plane Security Parameters
  • Configure Data Plane Security Parameters
  • Configure IKE-Enabled IPsec Tunnels
  • Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Configure Control Plane Security Parameters

By default, the control plane uses DTLS as the protocol that provides privacy on all of its tunnels. DTLS runs over UDP. You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers.

You configure the control plane tunnel protocol on a Cisco SD-WAN Controller:

vSmart(config)# security control protocol tls

With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers, and between the Cisco SD-WAN Controller and Cisco SD-WAN Manager, use TLS. Control plane tunnels to the Cisco Catalyst SD-WAN Validator always use DTLS, because those connections must be carried over UDP.

In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the controllers, all control plane tunnels from that controller to the other controllers use TLS. Put another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS only on the control plane tunnel to that one controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to all of their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on every one of them.

By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:

vSmart(config)# security control tls-port number

The port can be a number from 1025 through 65535.

To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:

vSmart-2# show control connections

CISCO-SD-WAN-Configure-Security-Parameters-FIG-1

Configure DTLS on Cisco SD-WAN Manager

If you configure Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything. The number of ports forwarded depends on the number of vdaemon processes running on Cisco SD-WAN Manager. To display information about these processes and about the number of ports that are being forwarded, use the show control summary command. The following output shows that four vdaemon processes are running:

CISCO-SD-WAN-Configure-Security-Parameters-FIG-2

To see the listening ports, use the show control local-properties command:

vManage# show control local-properties

CISCO-SD-WAN-Configure-Security-Parameters-FIG-3

This output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind a NAT, you should open the following ports on the NAT device:

  • 23456 (base, the instance 0 port)
  • 23456 + 100 (base + 100)
  • 23456 + 200 (base + 200)
  • 23456 + 300 (base + 300)

Note that the number of instances is the same as the number of cores you have assigned to Cisco SD-WAN Manager, up to a maximum of 8. Each vdaemon instance n listens on base + 100 × n, so with the maximum of eight instances you must open 23456 through 24156 in steps of 100.

Configure Security Parameters Using the Security Feature Template

Use the Security feature template for all Cisco vEdge devices. On the routers and on the Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On Cisco SD-WAN Manager and the Cisco SD-WAN Controller, use the Security feature template to configure DTLS or TLS for control plane security.

Configure Security Parameters

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  2. Click Feature Templates, and then click Add Template.
    Note: In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
  3. From the Devices list in the left pane, select a device. The templates applicable to the selected device appear in the right pane.
  4. Click Security to open the template.
  5. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  6. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Table 1: Parameter scope

Parameter Scope: Device Specific (indicated by a host icon)
Scope Description: Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Parameter Scope: Global (indicated by a globe icon)
Scope Description: Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure Control Plane Security

Note
The Configure Control Plane Security section applies to Cisco SD-WAN Manager and the Cisco SD-WAN Controller only. To configure the control plane connection protocol on a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller, select the Basic Configuration area and configure the following parameters:

Table 2: Control plane security parameters

Parameter Name: Protocol
Description: Select the protocol to use on control plane connections to a Cisco SD-WAN Controller:

• DTLS (Datagram Transport Layer Security). This is the default.

• TLS (Transport Layer Security)

Parameter Name: Control TLS Port
Description: If you selected TLS, configure the port number to use. Range: 1025 through 65535. Default: 23456

Click Save.

Configure Data Plane Security

To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, select the Basic Configuration and Authentication Type tabs, and configure the following parameters:

Table 3: Data plane security parameters

Parameter Name: Rekey Time
Description: Specify how often a Cisco vEdge router changes the AES key used on its secure DTLS connection to the Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekey time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400 seconds (24 hours)

Parameter Name: Replay Window
Description: Specify the size of the sliding replay window. Values: 64, 128, 256, 512, 1024, 2048, 4096, or 8192 packets. Default: 512 packets

Parameter Name: IPsec pairwise-keying
Description: Disabled by default. Click On to enable it.

Parameter Name: Authentication Type
Description: Select the authentication types from the Authentication List, and click the right-pointing arrow to move them to the Selected List column.

Authentication types supported from Cisco SD-WAN Release 20.6.1:

•  esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.

•  ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also cover the outer IP and UDP headers.

•  ip-udp-esp-no-id: Ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.

•  none: Turns integrity checking off on IPsec packets. We do not recommend using this option.


Authentication types supported in Cisco SD-WAN Release 20.5.1 and earlier:

•  ah-no-id: Enables an enhanced version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the outer IP header of the packet.

•  ah-sha1-hmac: Enables AH-SHA1 HMAC and ESP HMAC-SHA1.

•  none: Selects no authentication.

•  sha1-hmac: Enables ESP HMAC-SHA1.

Note
For an edge device running Cisco SD-WAN Release 20.5.1 or earlier, you may have configured authentication types using the Security template. When you upgrade the device to Cisco SD-WAN Release 20.6.1 or later, update the authentication types selected in the Security template to the authentication types supported from Cisco SD-WAN Release 20.6.1. To update the authentication types, do the following:

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  2. Click Feature Templates.
  3. Find the Security template to update, click ..., and then click Edit.
  4. Click Update. Do not change any configuration.

Cisco SD-WAN Manager updates the Security template to show the supported authentication types.

Click Save.

Configure Data Plane Security Parameters

In the data plane, IPsec is enabled by default on all routers, and by default IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication on IPsec tunnels. On the routers, you can change the type of authentication, the IPsec rekeying timer, and the size of the IPsec anti-replay window.

Configure Allowed Authentication Types

Authentication Types in Cisco SD-WAN Release 20.6.1 and Later

From Cisco SD-WAN Release 20.6.1, the following integrity types are supported:

  • esp: This option enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
  • ip-udp-esp: This option enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also cover the outer IP and UDP headers.
  • ip-udp-esp-no-id: This option is the same as ip-udp-esp, except that the ID field of the outer IP header is ignored. Configure this option in the list of integrity types to have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
  • none: This option turns integrity checking off on IPsec packets. We do not recommend using this option.

By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated integrity types or to disable integrity checking, use the following command:

Device(config)# security ipsec integrity-type { none | ip-udp-esp | ip-udp-esp-no-id | esp }

Authentication Types Before Cisco SD-WAN Release 20.6.1

By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated authentication types or to disable authentication, use the following command:

Device(config)# security ipsec authentication-type (ah-sha1-hmac | ah-no-id | sha1-hmac | none)

By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication. Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, listed in order from strongest to weakest:

Note
The sha1 in the configuration options is retained for historical reasons. The authentication options indicate how much of the packet is subject to integrity checking; they do not specify the algorithm that performs the check. Except for the multicast traffic use case, the authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1. From Cisco SD-WAN Release 20.1.x onward, neither unicast nor multicast uses SHA1.

  • ah-sha1-hmac enables encryption and encapsulation using ESP. However, in addition to the integrity checks on the ESP header and payload, the checks also cover the outer IP and UDP headers. Hence, this option supports an integrity check of the packet similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using AES-256-GCM.
  • ah-no-id enables a mode that is similar to ah-sha1-hmac, except that the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco Catalyst SD-WAN AH software ignore the ID field in the IP header so that the Cisco Catalyst SD-WAN software can work in conjunction with these devices.
  • sha1-hmac enables ESP encryption and integrity checking.
  • none maps to no authentication. This option should be used only if it is required for temporary debugging. You can also choose this option in situations where data plane authentication and integrity are not a concern. Cisco does not recommend using this option for production networks.

For information about which data packet fields are affected by these authentication types, see Data Plane Integrity.

Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types, and a second router advertises the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel connection between them. If no common authentication type is configured on the two peers, no IPsec tunnel is established between them.

The encryption algorithm on IPsec tunnel connections depends on the type of traffic:

  • For unicast traffic, the encryption algorithm is AES-256-GCM.
  • For multicast traffic:
    • Cisco SD-WAN Release 20.1.x and later: the encryption algorithm is AES-256-GCM.
    • Earlier releases: the encryption algorithm is AES-256-CBC with SHA1-HMAC.

When the IPsec authentication type is changed, the AES key for the data path is changed.
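The negotiation rule above (each router advertises its configured types in its TLOC properties, the pair uses the strongest type configured on both, and a pair with nothing in common gets no tunnel) is easy to get wrong when a fabric mixes templates. The following is an added example, not code from the Cisco document: it models the negotiation for a set of routers so you can spot the pairs that will silently fail to form a tunnel, and it looks up the data plane cipher by traffic type and release as stated above. The router names and their advertised type lists are constructed sample data.

```python
"""Authentication-type negotiation between SD-WAN peers (added example).

Models the rule in the text: the strongest authentication type configured on
both routers wins, and peers with no common type form no IPsec tunnel. The
strength order is the one given for the pre-20.6.1 options; the cipher lookup
follows the traffic-type and release rules stated above.
"""
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple

# Pre-20.6.1 authentication types, strongest first, as listed in the text.
STRENGTH_ORDER: Tuple[str, ...] = ("ah-sha1-hmac", "ah-no-id", "sha1-hmac", "none")


def negotiate_auth(local: Sequence[str], remote: Sequence[str]) -> Optional[str]:
    """Return the strongest authentication type advertised by both peers.

    None means the peers share no authentication type, so no IPsec tunnel
    is established between them.
    """
    for side in (local, remote):
        unknown = set(side) - set(STRENGTH_ORDER)
        if unknown:
            raise ValueError(f"unknown authentication type(s): {sorted(unknown)}")
    common = set(local) & set(remote)
    for auth in STRENGTH_ORDER:  # first hit is the strongest common type
        if auth in common:
            return auth
    return None


def tunnel_matrix(tlocs: Dict[str, Sequence[str]]) -> Dict[Tuple[str, str], Optional[str]]:
    """Negotiate every router pair; a None value is a pair without a tunnel."""
    return {
        (a, b): negotiate_auth(tlocs[a], tlocs[b])
        for a, b in combinations(sorted(tlocs), 2)
    }


def missing_tunnels(tlocs: Dict[str, Sequence[str]]) -> List[Tuple[str, str]]:
    """List the router pairs that cannot form an IPsec tunnel."""
    return [pair for pair, auth in tunnel_matrix(tlocs).items() if auth is None]


def encryption_algorithm(traffic: str, release: Tuple[int, int]) -> str:
    """Cipher used on the tunnel, by traffic type and Cisco SD-WAN release."""
    if traffic == "unicast":
        return "AES-256-GCM"
    if traffic == "multicast":
        return "AES-256-GCM" if release >= (20, 1) else "AES-256-CBC with SHA1-HMAC"
    raise ValueError(f"unknown traffic type: {traffic}")


# Constructed sample: advertised authentication types of three routers
# (hypothetical names, not from the document).
SAMPLE_TLOCS = {
    "vedge-a": ["ah-sha1-hmac", "ah-no-id"],
    "vedge-b": ["ah-no-id"],
    "vedge-c": ["sha1-hmac"],   # shares nothing with vedge-a or vedge-b
}

if __name__ == "__main__":
    for pair, auth in tunnel_matrix(SAMPLE_TLOCS).items():
        print(pair, auth or "NO TUNNEL (no common authentication type)")
    print("unicast, 20.3:", encryption_algorithm("unicast", (20, 3)))
    print("multicast, 19.2:", encryption_algorithm("multicast", (19, 2)))
```

Run against a real fabric by filling the dictionary from each router's advertised TLOC properties; any pair that comes back as None is a pair whose Security templates need a common type before the tunnel can come up.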

Change the Rekeying Timer

Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure, authenticated communications channel between them. The routers use IPsec tunnels between them as the channel, and the AES-256 cipher to perform encryption. Each router periodically generates a new AES key for its data path. By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:

Device(config)# security ipsec rekey seconds

The configuration looks like this:

security ipsec rekey seconds
!

If you want to generate new IPsec keys immediately, you can do so without modifying the configuration of the router. To do this, issue the request security ipsec-rekey command on the compromised router. For example, the following output shows that the local SA has a Security Parameter Index (SPI) of 256:

CISCO-SD-WAN-Configure-Security-Parameters-FIG-4

A unique key is associated with each SPI. If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the SPI. In our example, the SPI changes to 257 and the key associated with it is now used:

Device# request security ipsec-rekey
Device# show ipsec local-sa

CISCO-SD-WAN-Configure-Security-Parameters-FIG-5

After the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers using DTLS or TLS. The Cisco SD-WAN Controllers send the key to the peer routers, which begin using it as soon as they receive it. Note that the key associated with the old SPI (256) continues to be used for a short period of time, until it times out. To stop using the old key immediately, issue the request security ipsec-rekey command twice, in quick succession. This sequence of commands removes both SPI 256 and SPI 257 and sets the SPI to 258. The router then uses the key associated with SPI 258. Note, however, that some packets are dropped for a short period of time, until all the remote routers learn the new key.

CISCO-SD-WAN-Configure-Security-Parameters-FIG-6

Change the Size of the Anti-Replay Window

IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in a data stream. This sequence numbering protects against an attacker duplicating data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these sequence numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.

CISCO-SD-WAN-Configure-Security-Parameters-FIG-7

Packets with sequence numbers that fall to the left of the sliding window are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts the sliding window when it receives a packet with a higher value.

CISCO-SD-WAN-Configure-Security-Parameters-FIG-8

By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To modify the anti-replay window size, use the replay-window command, specifying the size of the window:

Device(config)# security ipsec replay-window number

The configuration looks like this:

security ipsec replay-window number
!
!

To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The configured replay window size is divided by eight for each channel. If QoS is configured on a router, that router might experience a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the dropped packets are legitimate ones. This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets. To minimize or prevent this situation, you can do the following:

  • Increase the size of the anti-replay window.
  • Engineer traffic onto the first eight traffic channels to ensure that traffic within a channel is not reordered.
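The sliding window and the per-channel split described above are the whole reason QoS reordering shows up as anti-replay drops. The following is an added example, not code from the Cisco document: it implements the standard ESP receiver check (RFC 4303, Appendix A), then feeds a constructed single-channel arrival order through a window of the configured size divided by eight, so you can see a legitimately delayed low-priority packet being dropped at the default 512 and accepted at 1024, while a real replay is dropped at either size. The arrival sequences are constructed; the window sizes and the divide-by-eight rule are the page's.

```python
"""IPsec anti-replay sliding window (added example, not Cisco's code).

ReplayWindow follows RFC 4303 Appendix A: remember the highest sequence
number seen plus a bitmap of which numbers inside the window have arrived.
Left of the window: drop as old. Inside the window: accept once, drop on
replay. Right of the window: accept and slide. channel_drops() applies the
page's rule that the configured window is split eight ways across the first
eight traffic channels.
"""
from typing import Iterable, List

# Sizes the replay-window setting accepts (the Security template also lists 8192).
VALID_WINDOWS = (64, 128, 256, 512, 1024, 2048, 4096, 8192)
CHANNELS = 8


class ReplayWindow:
    """Sliding anti-replay window covering [highest - size + 1, highest]."""

    def __init__(self, size: int) -> None:
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) was seen

    def accept(self, seq: int) -> bool:
        """Return True if the packet is accepted, False if it must be dropped."""
        if seq <= 0:          # ESP sequence numbers start at 1; 0 is never valid
            return False
        if seq > self.highest:
            # New high-water mark: slide the window right by the gap.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past the whole window; only seq is known
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False          # left of the window: too old (or a late replay)
        mask = 1 << offset
        if self.bitmap & mask:
            return False          # inside the window but already seen: replay
        self.bitmap |= mask
        return True


def validate_window(size: int) -> int:
    """Reject values the replay-window setting does not accept."""
    if size not in VALID_WINDOWS:
        raise ValueError(f"replay-window must be one of {VALID_WINDOWS}, got {size}")
    return size


def channel_drops(window_size: int, arrivals: Iterable[int]) -> int:
    """Packets dropped on one traffic channel whose window is window_size / 8."""
    win = ReplayWindow(validate_window(window_size) // CHANNELS)
    return sum(0 if win.accept(seq) else 1 for seq in arrivals)


# Constructed arrival orders for a single channel.
# QoS holds back packet 10 (low priority) until 90 higher-priority packets
# have gone ahead of it; nothing in this stream is a replay.
REORDERED: List[int] = [s for s in range(1, 101) if s != 10] + [10]
# A genuine replay: packet 2 is delivered twice.
REPLAYED: List[int] = [1, 2, 3, 2]

if __name__ == "__main__":
    print("512 (64 per channel), reordered stream:", channel_drops(512, REORDERED), "drop(s)")
    print("1024 (128 per channel), reordered stream:", channel_drops(1024, REORDERED), "drop(s)")
    print("512, replayed packet:", channel_drops(512, REPLAYED), "drop(s)")
```

The delayed packet is 90 positions behind the newest one, so it falls outside a 64-packet per-channel window and inside a 128-packet one; raising the configured window is the first fix the text suggests, and the example lets you size it against the reordering depth your QoS policy actually produces.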

Configure IKE-Enabled IPsec Tunnels

To securely transfer traffic from the overlay network to a service network, you can configure IPsec tunnels that run the Internet Key Exchange (IKE) protocol. IKE-enabled IPsec tunnels provide authentication and encryption to ensure secure packet transport. You create an IKE-enabled IPsec tunnel by configuring an IPsec interface. IPsec interfaces are logical interfaces, and you configure them just like any other physical interface. You configure IKE protocol parameters on the IPsec interface, and you can configure other interface properties.

Note
Cisco recommends using IKE Version 2. From Cisco SD-WAN 19.2.x onward, the pre-shared key must be at least 16 bytes long. IPsec tunnel establishment fails if the key is shorter than 16 characters when the router is upgraded to version 19.2.

Note
The Cisco Catalyst SD-WAN software supports IKE Version 2 as specified in RFC 7296. One use for IPsec tunnels is to allow vEdge Cloud router VM instances running on Amazon AWS to connect to the Amazon virtual private cloud (VPC). You must configure IKE Version 1 on these routers. Cisco vEdge devices support only route-based VPNs in the IPsec configuration, because these devices cannot define traffic selectors in the encryption domain.

Configure an IPsec Tunnel

To configure an IPsec tunnel interface for secure transport traffic from a service network, you create a logical IPsec interface:

CISCO-SD-WAN-Configure-Security-Parameters-FIG-9

You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512). The IPsec interface has a name in the format ipsecnumber, where number can be from 1 through 255. Each IPsec interface must have an IPv4 address. This address must be a /30 prefix. All traffic in the VPN that is within this IPv4 prefix is directed to a physical interface in VPN 0 to be sent securely over an IPsec tunnel. To configure the source of the IPsec tunnel on the local device, specify either the IP address of the physical interface (in the tunnel-source command) or the name of the physical interface (in the tunnel-source-interface command). Ensure that the physical interface is configured in VPN 0. To configure the destination of the IPsec tunnel, specify the IP address of the remote device in the tunnel-destination command. The combination of a source address (or source interface name) and a destination address defines a single IPsec tunnel. Only one IPsec tunnel can exist that uses a specific source address (or interface name) and destination address pair.

Configure an IPsec Static Route

To direct traffic from a service VPN to an IPsec tunnel in the transport VPN (VPN 0), you configure an IPsec-specific static route in the service VPN (a VPN other than VPN 0 or VPN 512):

  • vEdge(config)# vpn vpn-id
  • vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]

The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512). prefix/length is the IP address or prefix, in four-part dotted decimal notation, and prefix length of the IPsec-specific static route. The interface is the IPsec tunnel interface in VPN 0. You can configure one or two IPsec tunnel interfaces. If you configure two, the first is the primary IPsec tunnel, and the second is the backup. With two interfaces, all packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.

Enable IKE Version 1

When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following properties are also enabled by default for IKEv1:

  • Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • Diffie-Hellman group number: 16
  • Rekeying time interval: 4 hours
  • SA establishment mode: Main

By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:

Note
IKE aggressive mode with pre-shared keys should be avoided wherever possible. Otherwise a strong pre-shared key should be chosen.

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# mode aggressive

By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP). Group 2 (1024-bit MODP) is widely regarded as too weak for new deployments; keep group 14 or higher unless the remote peer forces a lower group.

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# group number

By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# cipher-suite suite

The authentication suite can be one of the following:

  • aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
  • aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
  • aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity

By default, IKE keys are refreshed every 1 hour (3600 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds). It is recommended that the rekeying interval be at least 1 hour.

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.

For IKE, you can also configure preshared key (PSK) authentication:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string from 1 through 127 characters long (from Cisco SD-WAN 19.2.x onward, at least 16 bytes, as noted above).

If the remote IKE peer requires a local or remote ID, you can configure this identifier:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
  • vEdge(config-authentication-type)# local-id id
  • vEdge(config-authentication-type)# remote-id id

The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.

Enable IKE Version 2

When you configure an IPsec tunnel to use IKE Version 2, the following properties are also enabled by default for IKEv2:

  • Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • Diffie-Hellman group number: 16
  • Rekeying time interval: 4 hours

By default, IKEv2 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# group number

By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# cipher-suite suite

The authentication suite can be one of the following:

  • aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
  • aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
  • aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity

By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.

For IKE, you can also configure preshared key (PSK) authentication:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string, or it can be an AES-encrypted key.

If the remote IKE peer requires a local or remote ID, you can configure this identifier:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
  • vEdge(config-authentication-type)# local-id id
  • vEdge(config-authentication-type)# remote-id id

The identifier can be an IP address or any text string from 1 through 64 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.

Configure IPsec Tunnel Parameters

Table 4: Feature History

Feature Name                                  Release Information           Description
Enhanced Cryptographic Algorithmic Support    Cisco SD-WAN Release 20.1.1   This feature adds support for HMAC_SHA256,
for IPSec Tunnels                                                           HMAC_SHA384, and HMAC_SHA512 algorithms for
                                                                            enhanced security.

By default, the following parameters are used on the IPsec tunnel that carries IKE traffic:

  • Authentication and encryption—AES-256 algorithm in GCM (Galois/counter mode)
  • Rekeying time interval—4 hours
  • Replay window—32 packets

You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining) mode, with HMAC using either the SHA-1 or the SHA-2 keyed-hash message authentication code, or to null encryption with HMAC using either the SHA-1 or the SHA-2 keyed-hash message authentication code, so that the IPsec tunnel used for IKE key exchange traffic is not encrypted:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# cipher-suite (aes256-gcm | aes256-cbc-sha1 | aes256-cbc-sha256 | aes256-cbc-sha384 | aes256-cbc-sha512 | aes256-null-sha1 | aes256-null-sha256 | aes256-null-sha384 | aes256-null-sha512)

By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# rekey seconds

To force the generation of new keys for an IPsec tunnel, issue the ipsec ipsec-rekey command. By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime modulus group. You can change the PFS setting:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting

pfs-setting can be one of the following:

  • group-2—Use the 1024-bit Diffie-Hellman prime modulus group.
  • group-14—Use the 2048-bit Diffie-Hellman prime modulus group.
  • group-15—Use the 3072-bit Diffie-Hellman prime modulus group.
  • group-16—Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
  • none—Disable PFS.

By default, the IPsec replay window on the IPsec tunnel is 512 bytes. You can set the replay window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# replay-window number

Modify IKE Dead-Peer Detection

IKE uses a dead-peer detection mechanism to determine whether the connection to an IKE peer is functional and reachable. To implement this mechanism, IKE sends a Hello packet to its peer, and the peer sends an acknowledgment in response. By default, IKE sends Hello packets every 10 seconds, and after three unacknowledged packets, IKE declares the neighbor to be dead and tears down the tunnel to the peer. Thereafter, IKE periodically sends a Hello packet to the peer, and it re-establishes the tunnel when the peer comes back online. You can change the liveness detection interval to a value from 0 through 65535, and you can change the number of retries to a value from 0 through 255.

Note

For transport VPNs, the liveness detection interval is converted to seconds using the following formula:

  Interval for transmission retry number N = interval * 1.8^(N-1)

For example, if the interval is set to 10 and retries to 5, the detection interval increases as follows:

  • Attempt 1: 10 * 1.8^(1-1) = 10 seconds
  • Attempt 2: 10 * 1.8^(2-1) = 18 seconds
  • Attempt 3: 10 * 1.8^(3-1) = 32.4 seconds
  • Attempt 4: 10 * 1.8^(4-1) = 58.32 seconds
  • Attempt 5: 10 * 1.8^(5-1) = 104.976 seconds

vEdge(config-interface-ipsecnumber)# dead-peer-detection interval seconds retries number
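The following script is an added example and not Cisco code. It models the transport-VPN back-off formula from the note above (interval * 1.8^(N-1) per retry) and also sums the series, which the note does not do, so that an operator can see how long a transport tunnel keeps a dead peer before tearing it down for a given interval and retry count. The range checks use the limits stated in this section (interval 0 through 65535, retries 0 through 255); the 1.8 growth factor is the one given in the note.

```python
"""Dead-peer-detection (DPD) retry schedule for a transport VPN.

Added example; not Cisco code. It implements the formula stated in the
note above: retry N is sent interval * 1.8**(N-1) seconds after the
previous one, so the peer is declared dead only after the whole series
has elapsed without an acknowledgment.
"""

DPD_BACKOFF = 1.8      # growth factor stated in the note for transport VPNs
INTERVAL_MAX = 65535   # upper limit of the configurable interval
RETRIES_MAX = 255      # upper limit of the configurable retry count
DEFAULT_INTERVAL = 10  # default Hello interval in seconds
DEFAULT_RETRIES = 3    # default number of unacknowledged packets


def dpd_schedule(interval: int, retries: int) -> list[float]:
    """Return the wait in seconds before each retry 1..retries.

    Values are rounded to microseconds so the list can be compared
    against hand-computed figures such as 32.4 or 104.976.
    """
    if not 0 <= interval <= INTERVAL_MAX:
        raise ValueError(f"interval must be 0..{INTERVAL_MAX}")
    if not 0 <= retries <= RETRIES_MAX:
        raise ValueError(f"retries must be 0..{RETRIES_MAX}")
    return [round(interval * DPD_BACKOFF ** (n - 1), 6) for n in range(1, retries + 1)]


def time_to_declare_dead(interval: int, retries: int) -> float:
    """Total seconds from the first unanswered Hello until the peer is declared dead."""
    return round(sum(dpd_schedule(interval, retries)), 6)


if __name__ == "__main__":
    # Reproduce the worked example from the note: interval 10, retries 5.
    for attempt, wait in enumerate(dpd_schedule(10, 5), start=1):
        print(f"Attempt {attempt}: {wait} seconds")
    print("Peer declared dead after", time_to_declare_dead(10, 5), "seconds")
    # Compare with the defaults (10 seconds, 3 retries).
    print("Defaults:", time_to_declare_dead(DEFAULT_INTERVAL, DEFAULT_RETRIES), "seconds")
```

The sum is the figure to watch when tuning: with the defaults a transport-VPN peer is held for roughly a minute, and raising retries lengthens the series geometrically, not linearly, because each wait is 1.8 times the previous one.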

Configure Other Interface Properties

For IPsec interfaces, you can configure only the following interface properties:

  • vEdge(config-interface-ipsec)# mtu bytes
  • vEdge(config-interface-ipsec)# tcp-mss-adjust bytes

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Table 5: Feature History

Feature Name                                Release Information            Feature Description
Disable Weak SSH Encryption Algorithms on   Cisco vManage Release 20.9.1   This feature lets you disable weak SSH encryption
Cisco SD-WAN Manager                                                       algorithms on Cisco SD-WAN Manager that might not
                                                                           meet certain data security standards.

Information About Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Cisco SD-WAN Manager provides an SSH client for communicating with components in the network, including controllers and edge devices. The SSH client provides an encrypted connection for secure data transfer, based on various encryption algorithms. Many organizations require stronger encryption than that provided by SHA-1, AES-128, and AES-192. From Cisco vManage Release 20.9.1, you can disable the following weak algorithms so that the SSH client does not use them:

  • SHA-1
  • AES-128
  • AES-192

Before you disable these encryption algorithms, ensure that any Cisco vEdge devices in the network are running a software release later than Cisco SD-WAN Release 18.4.6.

Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Disabling weak SSH encryption algorithms improves the security of SSH communication, and ensures that organizations using Cisco Catalyst SD-WAN comply with strict security policies.

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
  2. Choose the Cisco SD-WAN Manager device on which you want to disable weak SSH algorithms.
  3. Enter the username and password to log in to the device.
  4. Enter SSH server mode.
    • vmanage(config)# system
    • vmanage(config-system)# ssh-server
  5. Do one of the following to disable an SSH encryption algorithm:
    • Disable SHA-1:
      • vmanage(config-ssh-server)# no kex-algo sha1
      • vmanage(config-ssh-server)# commit
        The following warning message is displayed:
        The following warnings were generated:
        'system ssh-server kex-algo sha1': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise those edges may go offline. Proceed? [yes,no] yes
      • Verify that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and then enter yes.
    • Disable AES-128 and AES-192:
      • vmanage(config-ssh-server)# no cipher aes-128-192
      • vmanage(config-ssh-server)# commit
        The following warning message is displayed:
        The following warnings were generated:
        'system ssh-server cipher aes-128-192': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise those edges may go offline. Proceed? [yes,no] yes
      • Verify that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and then enter yes.

Verify that Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
  2. Choose the Cisco SD-WAN Manager device that you want to verify.
  3. Enter the username and password to log in to the device.
  4. Run the following command: show running-config system ssh-server
  5. Verify that the output shows one or both of the commands that disable weak encryption algorithms:
    • no cipher aes-128-192
    • no kex-algo sha1
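The following script is an added example, not Cisco code, for turning the manual check in step 5 into something an audit job can run over saved CLI output. It parses the text of the show command for the ssh-server stanza and reports which of the two hardening commands from this section is absent. The stanza layout in the embedded samples (an indented ssh-server block closed by "!") is an assumption about the running-config format, and both samples are constructed rather than captured from a device.

```python
"""Audit a Cisco SD-WAN Manager running-config for weak SSH algorithm settings.

Added example; not Cisco code. It scans the ssh-server stanza of saved
"show running-config system ssh-server" output for the two commands this
section expects ("no cipher aes-128-192" and "no kex-algo sha1") and
lists whatever is missing. The stanza layout below is assumed.
"""
import re

# The hardening commands this section expects, mapped to the finding
# reported when a command is not present.
REQUIRED_HARDENING = {
    "no cipher aes-128-192": "AES-128 and AES-192 SSH ciphers are still enabled",
    "no kex-algo sha1": "SHA-1 SSH key exchange is still enabled",
}

# Constructed sample outputs (not captured from a real device); the
# indented block terminated by "!" is an assumed layout.
HARDENED_OUTPUT = """\
system
 ssh-server
  no cipher aes-128-192
  no kex-algo sha1
 !
!
"""

PARTIAL_OUTPUT = """\
system
 ssh-server
  no cipher aes-128-192
 !
!
"""

UNHARDENED_OUTPUT = """\
system
 ssh-server
 !
!
"""


def ssh_server_block(running_config: str) -> list[str]:
    """Return the normalized command lines found inside the ssh-server stanza."""
    commands = []
    inside = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ssh-server":
            inside = True
            continue
        if inside and line in ("!", ""):  # assumed stanza terminator
            break
        if inside:
            commands.append(re.sub(r"\s+", " ", line))
    return commands


def missing_hardening(running_config: str) -> list[str]:
    """Return one finding per expected hardening command that is absent."""
    present = set(ssh_server_block(running_config))
    return [finding for cmd, finding in REQUIRED_HARDENING.items() if cmd not in present]


def is_hardened(running_config: str) -> bool:
    """True when both weak-algorithm commands are present in the stanza."""
    return not missing_hardening(running_config)


if __name__ == "__main__":
    for label, output in (("hardened", HARDENED_OUTPUT),
                          ("partial", PARTIAL_OUTPUT),
                          ("unhardened", UNHARDENED_OUTPUT)):
        findings = missing_hardening(output)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The check is deliberately exact-match on the normalized command text rather than a substring search, so a commented-out or differently scoped line elsewhere in the configuration cannot satisfy it.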

Documents / Resources

CISCO SD-WAN Configure Security Parameters [pdf] User Guide
