Cisco SD-WAN: Configure Security Parameters

Configure Security Parameters

Note

To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

This section describes how to change security parameters for the control plane and the data plane in the Cisco Catalyst SD-WAN overlay network.

  • Configure Control Plane Security Parameters
  • Configure Data Plane Security Parameters
  • Configure IKE-Enabled IPsec Tunnels
  • Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Configure Control Plane Security Parameters

By default, the control plane uses DTLS as the protocol that provides privacy on all its tunnels. DTLS runs over UDP. You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers.

You configure the control plane tunnel protocol on a Cisco SD-WAN Controller:

vSmart(config)# security control protocol tls

With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers, and between the Cisco SD-WAN Controller and the Cisco SD-WAN Manager, use TLS. Control plane tunnels to the Cisco Catalyst SD-WAN Validator always use DTLS, because these connections must be handled by UDP.

In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the Cisco SD-WAN Controllers, all control plane tunnels from that controller to the other controllers use TLS. Said another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS on the control plane tunnel only to that one Cisco SD-WAN Controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to all their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them.

By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:

vSmart(config)# security control tls-port number

The port can be a number from 1025 through 65535.

To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:

vSmart-2# show control connections


Configure DTLS on Cisco SD-WAN Manager

If you configure the Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything. The number of ports forwarded depends on the number of vdaemon processes running on the Cisco SD-WAN Manager. To display information about these processes and about the number of ports that are being forwarded, use the show control summary command, which shows that four vdaemon processes are running:

To see the listening ports, use the show control local-properties command:

vManage# show control local-properties


This output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind a NAT, you should open the following ports on the NAT device:

  • 23456 (base, instance 0 port)
  • 23456 + 100 (base + 100)
  • 23456 + 200 (base + 200)
  • 23456 + 300 (base + 300)

Note that the number of instances is the same as the number of cores you have assigned to the Cisco SD-WAN Manager, up to a maximum of 8.

Configure Security Parameters Using the Security Feature Template

Use the Security feature template for all Cisco vEdge devices. On the edge routers and on the Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On the Cisco SD-WAN Manager and the Cisco SD-WAN Controller, use the Security feature template to configure DTLS or TLS for control plane security.

Configure Security Parameters

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  2. Click Feature Templates and then click Add Template.
    Note: In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
  3. From the Devices list in the left pane, select a device. The templates applicable to the selected device appear in the right pane.
  4. Click Security to open the template.
  5. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  6. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Table 1:

Parameter Scope                              Scope Description
Device Specific (indicated by a host icon)   Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

                                             When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

                                             To change the default key, type a new string and move the cursor out of the Enter Key box.

                                             Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global (indicated by a globe icon)           Enter a value for the parameter, and apply that value to all devices.

                                             Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure Control Plane Security

Note
The Configure Control Plane Security section applies to the Cisco SD-WAN Manager and the Cisco SD-WAN Controller only. To configure the control plane connection protocol on a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller, choose the Basic Configuration area and configure the following parameters:

Table 2:

Parameter Name       Description
Protocol             Select the protocol to use on control plane connections to a Cisco SD-WAN Controller:
                       • DTLS (Datagram Transport Layer Security). This is the default.
                       • TLS (Transport Layer Security)
Control TLS Port     If you select TLS, configure the port number to use:
                     Range: 1025 through 65535
                     Default: 23456

Click Save.

Configure Data Plane Security

To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, select the Basic Configuration and Authentication tabs, and configure the following parameters:

Table 3:

Parameter Name          Description
Rekey Time              Specify how often a Cisco vEdge router changes the AES key used on its secure DTLS connection to the Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekey time must be at least twice the value of the OMP graceful restart timer.
                        Range: 10 through 1209600 seconds (14 days)
                        Default: 86400 seconds (24 hours)
Replay Window           Specify the size of the sliding replay window.
                        Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets
                        Default: 512 packets
IPsec pairwise-keying   This is off by default. Click On to turn it on.
Authentication Type     Select the authentication types from the Authentication List, and click the right-pointing arrow to move the authentication types to the Selected List column.

Authentication types supported from Cisco SD-WAN Release 20.6.1:

  • esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
  • ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers.
  • ip-udp-esp-no-id: Ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
  • none: Turns integrity checking off on IPsec packets. We do not recommend using this option.

Authentication types supported in Cisco SD-WAN Release 20.5.1 and earlier:

  • ah-no-id: Enables an enhanced version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the packet's outer IP header.
  • ah-sha1-hmac: Enables AH-SHA1 HMAC and ESP HMAC-SHA1.
  • none: Selects no authentication.
  • sha1-hmac: Enables ESP HMAC-SHA1.

Note
On an edge device running Cisco SD-WAN Release 20.5.1 or earlier, you may have configured authentication types using the Security template. When you upgrade the device to Cisco SD-WAN Release 20.6.1 or later, update the authentication types selected in the Security template to the authentication types supported from Cisco SD-WAN Release 20.6.1. To update the authentication types, do the following:

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  2. Click Feature Templates.
  3. Find the Security template to update, click ..., and click Edit.
  4. Click Update. Do not change any configuration.

Cisco SD-WAN Manager updates the Security template to show the supported authentication types.

Click Save.

Configure Data Plane Security Parameters

In the data plane, IPsec is enabled by default on all routers, and by default IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication on IPsec tunnels. On the routers, you can change the type of authentication, the IPsec rekeying timer, and the size of the IPsec anti-replay window.

Configure Allowed Authentication Types

Authentication Types in Cisco SD-WAN Release 20.6.1 and Later

From Cisco SD-WAN Release 20.6.1, the following integrity types are supported:

  • esp: This option enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
  • ip-udp-esp: This option enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers.
  • ip-udp-esp-no-id: This option is similar to ip-udp-esp; however, the ID field of the outer IP header is ignored. Configure this option in the list of integrity types to have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
  • none: This option turns integrity checking off on IPsec packets. We do not recommend using this option.

By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated integrity types or to disable integrity checking, use the following command:

integrity-type { none | ip-udp-esp | ip-udp-esp-no-id | esp }

Authentication Types Before Cisco SD-WAN Release 20.6.1

By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated authentication types or to disable authentication, use the following command:

Device(config)# security ipsec authentication-type (ah-sha1-hmac | ah-no-id | sha1-hmac | none)

By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication. Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, which are listed in order from strongest to weakest:

Note
The sha1 in the configuration options is used for historical reasons. The authentication options indicate how much of the packet is covered by integrity checking. They do not specify the algorithm that checks the integrity. Except for multicast traffic encryption, the authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1. However, in Cisco SD-WAN Release 20.1.x and onwards, neither unicast nor multicast uses SHA1.

  • ah-sha1-hmac enables encryption and encapsulation using ESP. However, in addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. Hence, this option supports an integrity check of the packet similar to the Authentication Header (AH) protocol. All integrity checking and encryption is performed using AES-256-GCM.
  • ah-no-id enables a mode that is similar to ah-sha1-hmac; however, the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN devices, including the Apple AirPort Express NAT, that have a bug which causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco Catalyst SD-WAN AH software ignore the ID field in the IP header so that the Cisco Catalyst SD-WAN software can work in conjunction with these devices.
  • sha1-hmac enables ESP encryption and integrity checking.
  • none maps to no authentication. This option should be used only if it is required for temporary debugging. You can also choose this option in situations where data plane authentication and integrity are not a concern. Cisco does not recommend using this option in production networks.

For information about which data packet fields are affected by these authentication types, see Data Plane Integrity. Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types, and a second router advertises the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel connection between them. If no common authentication types are configured on the two peers, no IPsec tunnel is established between them. The encryption algorithm on IPsec tunnel connections depends on the type of traffic:

  • For unicast traffic, the encryption algorithm is AES-256-GCM.
  • For multicast traffic:
    • Cisco SD-WAN Release 20.1.x and later: the encryption algorithm is AES-256-GCM.
    • Earlier releases: the encryption algorithm is AES-256-CBC with SHA1-HMAC.

When the IPsec authentication type is changed, the AES key for the data path is changed.
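The negotiation described above, as an added example in Python that is not code from the Cisco documentation: two peers' advertised authentication types are reduced to the strongest common one using the strength order the text gives, and the data plane cipher is selected by release. The function names and result keys are this example's own.

```python
# Strength ordering stated in the text (pre Cisco SD-WAN Release 20.6.1 option
# names), strongest first.
AUTH_STRENGTH_ORDER = ("ah-sha1-hmac", "ah-no-id", "sha1-hmac", "none")


def negotiate_auth_type(local_types, remote_types):
    """Pick the strongest authentication type advertised by both peers.

    Returns None when the peers share no type: per the text, no IPsec tunnel
    is then established between them.
    """
    for name in list(local_types) + list(remote_types):
        if name not in AUTH_STRENGTH_ORDER:
            raise ValueError(f"unknown authentication type: {name}")
    common = set(local_types) & set(remote_types)
    for candidate in AUTH_STRENGTH_ORDER:   # walk from strongest to weakest
        if candidate in common:
            return candidate
    return None


def multicast_cipher(release):
    """Encryption used for multicast traffic, given a (major, minor) release.

    The text: AES-256-GCM from Release 20.1.x on, AES-256-CBC with SHA1-HMAC
    on earlier releases. Unicast is AES-256-GCM on every release.
    """
    return "AES-256-GCM" if release >= (20, 1) else "AES-256-CBC with SHA1-HMAC"


def plan_tunnel(local_types, remote_types, release):
    """Summarise what a tunnel between two peers would negotiate and flag the
    two outcomes the text warns about (no tunnel, or integrity switched off)."""
    auth = negotiate_auth_type(local_types, remote_types)
    plan = {
        "tunnel_established": auth is not None,
        "authentication": auth,
        "unicast_cipher": "AES-256-GCM",
        "multicast_cipher": multicast_cipher(release),
        "warnings": [],
    }
    if auth is None:
        plan["warnings"].append("no common authentication type; no IPsec tunnel")
    elif auth == "none":
        plan["warnings"].append("integrity checking disabled; not recommended for production")
    return plan


if __name__ == "__main__":
    # The example from the text: one router advertises ah-sha1-hmac and
    # ah-no-id, the other only ah-no-id.
    print(plan_tunnel(["ah-sha1-hmac", "ah-no-id"], ["ah-no-id"], (20, 3)))
```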

Change the Rekeying Timer

Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure authenticated communications channel between them. The routers use IPsec tunnels between them as the channel, and the AES-256 cipher to perform encryption. Each router periodically generates a new AES key for its data path. By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:

Device(config)# security ipsec rekey seconds

The configuration looks like this:

security
  ipsec
    rekey seconds
  !

If you want to generate new IPsec keys immediately, you can do so without modifying the configuration of the router. To do this, issue the request security ipsec-rekey command on the compromised router. For example, the following output shows that the local SA has a Security Parameter Index (SPI) of 256:

A unique key is associated with each SPI. If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the SPI. In our example, the SPI changes to 257 and the key associated with it is now used:

Device# request security ipsec-rekey
Device# show ipsec local-sa

After the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers using DTLS or TLS. The Cisco SD-WAN Controllers send the key to the peer routers. The routers begin using it as soon as they receive it. Note that the key associated with the old SPI (256) continues to be used for a short period of time until it times out. To stop using the old key immediately, issue the request security ipsec-rekey command twice, in quick succession. This sequence of commands removes both SPI 256 and SPI 257 and sets the SPI to 258. The router then uses the key associated with SPI 258. Note, however, that some packets will be dropped for a short period of time until all remote routers learn the new key.

Change the Size of the Anti-Replay Window

IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in the data stream. This sequence numbering protects against an attacker replaying data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these sequence numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.

Packets with sequence numbers that fall to the left of the sliding window range are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts the sliding window when it receives a packet with a higher value.

By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To modify the anti-replay window size, use the replay-window command, specifying the size of the window:

Device(config)# security ipsec replay-window number

The configuration looks like this:

security
  ipsec
    replay-window number
  !
!

To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The configured replay window size is divided by eight for each channel. If QoS is configured on a router, that router might experience a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the dropped packets are legitimate ones. This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets. To minimize or prevent this situation, you can do the following:

  • Increase the size of the anti-replay window.
  • Engineer traffic onto the first eight traffic channels to ensure that traffic within a channel is not reordered.
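An added illustration in Python (not Cisco's code) of the sliding-window check described above: a receiver-side replay window kept as a highest-sequence-number plus bitmap, run over constructed sample traffic in which QoS delays one low-priority packet in eight by 100 positions. It shows why the default 512-packet window accepts all of them while the 512/8 = 64-packet per-channel share drops legitimate packets, which is the QoS effect the text warns about. Class and function names are this example's own.

```python
class ReplayWindow:
    """Receiver-side anti-replay state: the highest sequence number seen and
    a bitmap recording which of the `size` most recent sequence numbers
    (highest, highest-1, ..., highest-size+1) have already been received."""

    def __init__(self, size):
        if size < 1 or size & (size - 1):
            raise ValueError("window size must be a power of 2")
        self.size = size
        self.highest = 0        # highest sequence number received so far
        self.bitmap = 0         # bit i set => sequence (highest - i) was received
        self.accepted = 0
        self.dropped = 0

    def check(self, seq):
        """Return True if the packet is accepted, False if dropped as old
        (left of the window) or as a replay (already received)."""
        mask = (1 << self.size) - 1
        if seq > self.highest:                  # new high: slide the window right
            shift = seq - self.highest
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            self.dropped += 1                   # too old, or a duplicate
            return False
        self.bitmap |= 1 << offset              # inside the window, first time seen
        self.accepted += 1
        return True


def valid_replay_window(size):
    """CLI constraint from the text: a power of 2 between 64 and 4096."""
    return 64 <= size <= 4096 and size & (size - 1) == 0


def count_drops(stream, window_size):
    """Run arriving sequence numbers through one window; return the drop count."""
    win = ReplayWindow(window_size)
    for seq in stream:
        win.check(seq)
    return win.dropped


def qos_reordered_stream(n, delay, every):
    """Constructed sample traffic: sequence numbers 1..n leave the sender in
    order, but every `every`-th packet (a low-priority one) is held back by
    QoS and arrives `delay` positions late. Ties keep sender order."""
    arrival = {s: (s + delay if s % every == 0 else s) for s in range(1, n + 1)}
    return sorted(arrival, key=arrival.get)


SAMPLE_STREAM = qos_reordered_stream(n=1000, delay=100, every=8)
DEFAULT_WINDOW = 512                       # default from the text
PER_CHANNEL_WINDOW = DEFAULT_WINDOW // 8   # per-channel share with QoS channels

if __name__ == "__main__":
    print("drops with one 512 window:", count_drops(SAMPLE_STREAM, DEFAULT_WINDOW))
    print("drops with 512/8 per channel:", count_drops(SAMPLE_STREAM, PER_CHANNEL_WINDOW))
```

Every drop in the second run is a legitimate, merely delayed packet, so the numbers are the per-channel cost of a 100-position reorder; raising the window or keeping each class within one channel is what removes them.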

Qwalasela i-IKE-Enebled IPsec Tunnels
Ukuhambisa ngokukhuselekileyo itrafikhi ukusuka kuthungelwano olungaphezulu ukuya kwinethiwekhi yenkonzo, ungaqwalasela iitonela ze-IPsec ezisebenzisa i-Internet Key Exchange (IKE) protocol. I-IKE-enabled IPsec tunnels ibonelela ngokuqinisekiswa kunye nokufihlwa ukuqinisekisa ukuthuthwa kwepakethi ekhuselekileyo. Uyila itonela ye-IPsec eyenziwe i-IKE ngokuqwalasela i-IPsec interface. Ujongano lwe-IPsec lujongano olunengqiqo, kwaye uluqwalasela njengalo naluphi na olunye ujongano lomzimba. Uqwalasela i IKE protocol parameters kujongano lwe IPsec, kwaye ungaqwalasela ezinye iipropati zojongano.

Phawula I-Cisco incoma ukusebenzisa i-IKE Version 2. Ukususela kwi-Cisco SD-WAN 19.2.x ukukhululwa ukuya phambili, isitshixo ekwabelwana ngaso kwangaphambili kufuneka sibe ubuncinane be-bytes ezili-16 ubude. Ukusekwa kwetonela ye-IPsec kuyasilela ukuba ubukhulu beqhosha bungaphantsi kweempawu ze-16 xa i-router iphuculwa kwi-version 19.2.

Phawula
I-software ye-Cisco Catalyst SD-WAN isekela i-IKE Version 2 njengoko ichazwe kwi-RFC 7296. Enye yokusetyenziswa kweetonela ze-IPsec kukuvumela i-vEdge Cloud router VM iimeko eziqhuba kwi-Amazon AWS ukuxhuma kwi-Amazon virtual cloud yangasese (VPC). Kufuneka uqwalasele i-IKE Version 1 kwezi routers. Izixhobo zeCisco vEdge zixhasa kuphela iiVPNs ezisekelwe kumzila kuqwalaselo lwe-IPSec kuba ezi zixhobo azikwazi ukuchaza abakhethi bezithuthi kwisizinda sofihlo.

Qwalasela IPsec Itonela
Ukumisela ujongano lwetonela ye-IPsec yothutho olukhuselekileyo olusuka kuthungelwano lwenkonzo, wenza ujongano lwe-IPsec olusengqiqweni:I-CISCO-SD-WAN-Qwalasela-Ukhuseleko-Iiparamitha-FIG-9

Unokwenza i-IPsec tunnel kwi-VPN yezothutho (VPN 0) kunye nakweyiphi na inkonzo ye-VPN (VPN 1 nge-65530, ngaphandle kwe-512). I-interface ye-IPsec inegama kwi-ifomathi ipsecnumber, apho inani linokuba ukusuka ku-1 ukuya ku-255. Ujongano ngalunye lwe-IPsec kufuneka lube nedilesi ye-IPv4. Le dilesi kufuneka ibe yi/30 isimaphambili. Yonke i-traffic kwi-VPN engaphakathi kwesi simaphambili se-IPv4 ijoliswe kujongano olubonakalayo kwi-VPN 0 ukuze ithunyelwe ngokukhuselekileyo phezu kwetonela ye-IPsec. Ukuqwalasela umthombo wetonela ye-IPsec kwisixhobo sendawo, ungakhankanya nokuba idilesi ye-IP ye ujongano olubonakalayo (kumyalelo wetonela-umthombo) okanye igama lojongano olubonakalayo (kwitonela-umthombo-ujongano lomyalelo). Qinisekisa ukuba ujongano olubonakalayo luqwalaselwe kwi-VPN 0. Ukuqwalasela indawo ekuyiwa kuyo itonela ye-IPsec, khankanya idilesi ye-IP yesixhobo esikude kumyalelo wendawo yetonela. Indibaniselwano yedilesi yomthombo (okanye igama lojongano lomthombo) kunye nedilesi yendawo ekuyiwa kuyo ichaza itonela enye ye-IPsec. Inye kuphela itonela ye-IPsec enokubakho esebenzisa idilesi yomthombo othile (okanye igama lojongano) kunye nedilesi yendawo ekuyiwa kuyo.

Qwalasela i-IPsec Indlela engatshintshiyo

Ukuqondisa i-traffic kwinkonzo ye-VPN ukuya kwitonela ye-IPsec kwi-VPN yezothutho (VPN 0), uqwalasela indlela ye-IPsec-specific static kwinkonzo VPN (i-VPN ngaphandle kwe-VPN 0 okanye i-VPN 512) :

  • vEdge(config)# vpn vpn-id
  • vEdge(config-vpn)# ip ipsec-route prefix/ubude vpn 0 interface
  • ipsecnumber [ipsecnumber2]

I-ID ye-VPN yiyo nayiphi na inkonzo ye-VPN (VPN 1 nge-65530, ngaphandle kwe-512). isimaphambili/ubude yidilesi ye-IP okanye isimaphambili, kwidesimali enamachokoza amane, kunye nobude besimaphambili sendlela engatshintshiyo ye-IPsec ethile. I-interface yi-IPsec tunnel interface kwi-VPN 0. Ungaqwalasela enye okanye ezimbini i-IPsec tunnel interfaces. Ukuba uqwalasela ezimbini, eyokuqala yitonela ephambili ye-IPsec, kwaye eyesibini lugcino. Ngonxibelelwano olubini, zonke iipakethi zithunyelwa kuphela kwitonela ephambili. Ukuba loo tonela ayiphumeleli, zonke iipakethi zithunyelwa kwitonela yesibini. Ukuba itonela ephambili ibuyela phezulu, zonke iitrafikhi zibuyiselwa umva kwitonela ephambili ye-IPsec.

Nika amandla i-IKE Version 1
Xa usenza itonela ye-IPsec kwi-vEdge router, i-IKE Version 1 yenziwe ngokungagqibekanga kujongano lwetonela. Ezi propati zilandelayo zenziwe zenziwe ngokungagqibekanga kwi-IKEv1:

  • Uqinisekiso kunye noguqulelo oluntsonkothileyo-AES-256 ekumgangatho ophezulu woguqulelo oluntsonkothileyo olukwinqanaba eliphezulu le-CBC yoguqulelo oluntsonkothileyo kunye ne-HMAC-SHA1 ye-keyed-hash yekhowudi yokuqinisekisa ikhowudi yealgorithm yokuthembeka.
  • Inombolo yeqela likaDiffie-Hellman-16
  • Ikhefu lexesha lokubuyisela kwakhona-iiyure ezi-4
  • Imo yokusekwa kwe-SA-Engundoqo

Ngokungagqibekanga, i-IKEv1 isebenzisa imowudi ephambili ye-IKE ukuseka i-IKE SAs. Kule ndlela, iipakethe zothethathethwano ezintandathu ziyatshintshwa ukuseka uMzantsi Afrika. Ukutshintshana kuphela iipakethi ezintathu zothethathethwano, vula imo endlongo:

Phawula
Imowudi ye-IKE endlongondlongo enamaqhosha ekwabelwana ngawo kwangaphambili kufuneka iphetshwe naphi na apho kunokwenzeka. Kungenjalo kufuneka kukhethwe isitshixo esomeleleyo ekwabelwana ngaso kwangaphambili.

  • vEdge(config)# vpn vpn-id ujongano ipsec inombolo ike
  • vEdge(config-ike)# indlela ndlongo

Ngokungagqibekanga, i-IKEv1 isebenzisa iqela le-Diffie-Hellman 16 kutshintshiselwano oluphambili lwe-IKE. Eli qela lisebenzisa i-4096-bit ngaphezulu kwe-modular exponential (MODP) iqela ngexesha lokutshintshiselana okungundoqo kwe-IKE. Ungatshintsha inombolo yeqela ukuya ku-2 (ye-MODP ye-1024-bit), 14 (2048-bit MODP), okanye 15 (3072-bit MODP):

  • vEdge(config)# vpn vpn-id ujongano ipsec inombolo ike
  • vEdge(config-ike)# inombolo yeqela

Ngokungagqibekanga, utshintshiselwano olungundoqo lwe-IKE lusebenzisa i-AES-256 yoguqulelo oluntsonkothileyo olukumgangatho ophezulu we-CBC ufihlo kunye ne-HMAC-SHA1 ye-keyed-hash yekhowudi yokuqinisekisa ikhowudi yealgorithm yokuthembeka. Ungalutshintsha uqinisekiso:

  • vEdge(config)# vpn vpn-id ujongano ipsec inombolo ike
  • vEdge(config-ike)# cipher-suite suite

Indawo yokuqinisekisa inokuba yenye yezi zilandelayo:

  • I-aes128-cbc-sha1—AES-128 ekumgangatho ophezulu woguqulelo oluntsonkothileyo olukumgangatho ophezulu we-CBC kunye ne-HMAC-SHA1 ye-keyed-hash yekhowudi yokuqinisekisa ikhowudi yealgorithm yokuthembeka.
  • I-aes128-cbc-sha2—AES-128 ekumgangatho ophezulu woguqulelo oluntsonkothileyo olukumgangatho ophezulu we-CBC kunye ne-HMAC-SHA256 ye-keyed-hash yekhowudi yokuqinisekisa ikhowudi yealgorithm yokuthembeka.
  • aes256-cbc-sha1—AES-256 ephuculweyo ekumgangatho ophezulu woguqulelo oluntsonkothileyo lwe-CBC kunye ne-HMAC-SHA1 ye-keyed-hash yomyalezo wokuqinisekisa ikhowudi yealgorithm yokuthembeka; oku akugqibekanga.
  • I-aes256-cbc-sha2—AES-256 ekumgangatho ophezulu woguqulelo oluntsonkothileyo olukumgangatho ophezulu we-CBC kunye ne-HMAC-SHA256 ye-keyed-hash yekhowudi yokuqinisekisa ikhowudi yealgorithm yokuthembeka.

Ngokungagqibekanga, izitshixo ze-IKE ziyahlaziywa rhoqo ngeyure enye (1 imizuzwana). Ungatshintsha isithuba sokuphinda ube kwixabiso ukusuka kwimizuzwana engama-3600 ukuya kwiintsuku ezili-30 (imizuzwana eyi-14). Kucetyiswa ukuba ikhefu lokuphinda libe yiyure enye ubuncinane.

  • vEdge(config)# vpn vpn-id ujongano ipsec inombolo efana
  • vEdge(config-ike)# rekey imizuzwana

Ukunyanzela ukuveliswa kwezitshixo ezitsha zeseshoni ye-IKE, khupha isicelo ipsec ike-rekey umyalelo.

  • vEdge(config)# vpn vpn-id interfaceipisec inombolo ike

Kwi-IKE, ungaqwalasela kwakhona isitshixo ekwabelwana ngaso kwangaphambili (PSK) uqinisekiso:

  • vEdge(config)# vpn vpn-id ujongano ipsec inombolo ike
  • vEdge(config-ike)# uqinisekiso-uhlobo-iqhosha ekwabelwana-ngaphambili-ekwabelwana ngalo-eliyimfihlo lokugqitha igama lokugqithisa elinokusetyenziswa kunye nesitshixo ekwabelwana ngaso kwangaphambili. Ingaba yi-ASCII okanye i-hexadecimal string ukusuka kwi-1 ukuya kwi-127 yamagama ubude.

Ukuba i-IKE intanga ekude ifuna i-ID yasekuhlaleni okanye ekude, ungaqwalasela esi sichongi:

  • vEdge(config)# vpn vpn-id ujongano ipsec inombolo ike uqinisekiso-uhlobo
  • vEdge(config-uqinisekiso-uhlobo)# local-id id
  • vEdge(config-uqinisekiso-uhlobo)# i-id-remote-id

Isichongi sinokuba yidilesi ye-IP okanye nawuphi na umtya wokubhaliweyo ukusuka kwi-1 ukuya kwi-63 yamagama ubude. Ngokungagqibekanga, i-ID yasekuhlaleni yidilesi ye-IP yetonela kunye ne-ID ekude yidilesi ye-IP yetonela.

Nika amandla i-IKE Version 2
Xa uqwalasela itonela ye-IPsec ukusebenzisa i-IKE Version 2, ezi mpahla zilandelayo zenziwe ngokungagqibekanga kwi-IKEv2:

  • Uqinisekiso kunye noguqulelo oluntsonkothileyo-AES-256 ekumgangatho ophezulu woguqulelo oluntsonkothileyo olukwinqanaba eliphezulu le-CBC yoguqulelo oluntsonkothileyo kunye ne-HMAC-SHA1 ye-keyed-hash yekhowudi yokuqinisekisa ikhowudi yealgorithm yokuthembeka.
  • Inombolo yeqela likaDiffie-Hellman-16
  • Ikhefu lexesha lokubuyisela kwakhona-iiyure ezi-4

Ngokungagqibekanga, i-IKEv2 isebenzisa iqela le-Diffie-Hellman 16 kutshintshiselwano oluphambili lwe-IKE. Eli qela lisebenzisa i-4096-bit ngaphezulu kwe-modular exponential (MODP) iqela ngexesha lokutshintshiselana okungundoqo kwe-IKE. Ungatshintsha inombolo yeqela ukuya ku-2 (ye-MODP ye-1024-bit), 14 (2048-bit MODP), okanye 15 (3072-bit MODP):

  • vEdge(config)# vpn vpn-id ujongano ipsecnumber ike
  • vEdge(config-ike)# inombolo yeqela

By default, the IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the cipher suite:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# cipher-suite suite

The suite can be one of the following:

  • aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity.
  • aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.
  • aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. This is the default.
  • aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.

By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1,209,600 seconds):

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.

For IKE, you can also configure preshared key (PSK) authentication:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string, or it can be an AES-encrypted key.

If the remote IKE peer requires a local or remote ID, you can configure this identifier:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
  • vEdge(config-authentication-type)# local-id id
  • vEdge(config-authentication-type)# remote-id id

The identifier can be an IP address or any text string from 1 through 64 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.

Configure IPsec Tunnel Parameters

Table 4: Feature History

  Feature Name: Additional Cryptographic Algorithm Support for IPsec Tunnels
  Release Information: Cisco SD-WAN Release 20.1.1
  Description: This feature adds support for the HMAC_SHA256, HMAC_SHA384, and HMAC_SHA512 algorithms for enhanced security.

By default, the following parameters are used on the IPsec tunnel that carries IKE traffic:

  • Authentication and encryption: AES-256 algorithm in GCM (Galois/counter mode)
  • Rekeying interval: 4 hours
  • Replay window: 32 packets

You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining) mode with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, or to null with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, so that the IPsec tunnel used for IKE key exchange traffic is authenticated but not encrypted. With a null suite the tunnel payload travels in cleartext; use it only where encryption is provided by another layer or for troubleshooting.

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# cipher-suite (aes256-gcm | aes256-cbc-sha1 | aes256-cbc-sha256 | aes256-cbc-sha384 | aes256-cbc-sha512 | aes256-null-sha1 | aes256-null-sha256 | aes256-null-sha384)

By default, IPsec keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1,209,600 seconds):

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# rekey seconds

To force the generation of new keys for an IPsec tunnel, issue the request ipsec ipsec-rekey command.

By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime modulus group. You can change the PFS setting:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting

pfs-setting can be one of the following:

  • group-2: Use the 1024-bit Diffie-Hellman prime modulus group.
  • group-14: Use the 2048-bit Diffie-Hellman prime modulus group.
  • group-15: Use the 3072-bit Diffie-Hellman prime modulus group.
  • group-16: Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
  • none: Disable PFS.

By default, the IPsec replay window on an IPsec tunnel is 512 packets. You can set the replay window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# replay-window number
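The IKE and IPsec settings described in the two sections above are easy to weaken one knob at a time. The following Python script is an added example, not Cisco code and not part of this guide: it parses a vEdge-style ipsec interface configuration (the two snippets are constructed to resemble show running-config output, an assumed layout) and reports every IKE or IPsec setting that is weaker than the documented defaults, so that a tunnel with DH group 2, a null cipher suite, PFS disabled or a 14-day rekey is caught before it goes to production.

```python
"""Audit a vEdge-style IPsec tunnel interface for IKE and IPsec settings weaker
than the documented defaults.  Added example, not Cisco code.  The two config
snippets are constructed to resemble `show running-config` output for an ipsec
interface (assumed layout); the checks encode the defaults and options in the text."""

# Constructed sample: every tunable pushed to its weakest documented option.
WEAK_CONFIG = """\
vpn 0
 interface ipsec1
  ike
   version      2
   rekey        86400
   cipher-suite aes256-cbc-sha1
   group        2
   authentication-type
    pre-shared-key
     pre-shared-secret REDACTED
    !
   !
  !
  ipsec
   rekey                   1209600
   cipher-suite            aes256-null-sha1
   perfect-forward-secrecy none
  !
 !
!
"""

# Constructed sample: only overrides that keep or raise the default strength.
HARDENED_CONFIG = """\
vpn 0
 interface ipsec1
  ike
   version      2
   cipher-suite aes256-cbc-sha2
   group        16
  !
  ipsec
   cipher-suite            aes256-gcm
   perfect-forward-secrecy group-16
  !
 !
!
"""

# Defaults as stated in the text: IKE group 16, AES-256-CBC/HMAC-SHA1, 4-hour
# rekey; IPsec AES-256-GCM, PFS group-16, 4-hour rekey.
IKE_DEFAULTS = {"group": "16", "cipher-suite": "aes256-cbc-sha1", "rekey": "14400"}
IPSEC_DEFAULTS = {"cipher-suite": "aes256-gcm",
                  "perfect-forward-secrecy": "group-16", "rekey": "14400"}


def parse_tunnel(config):
    """Collect key/value lines from the `ike` and `ipsec` blocks of one interface.
    Blocks end by indentation, as in the CLI, so the nested authentication-type
    sub-block does not terminate the enclosing ike block early."""
    settings = {"ike": {}, "ipsec": {}}
    section, section_indent = None, 0
    for raw in config.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if section and indent <= section_indent:
            section = None
        if section is None and line in settings:
            section, section_indent = line, indent
            continue
        if section and line != "!":
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings[section][parts[0]] = parts[1]
    return settings


def audit(settings):
    """Return findings for anything weaker than the defaults; an empty list
    means the tunnel keeps the documented strength."""
    ike = {**IKE_DEFAULTS, **settings["ike"]}
    ipsec = {**IPSEC_DEFAULTS, **settings["ipsec"]}
    findings = []
    if ike["group"] == "2":
        findings.append("IKE: Diffie-Hellman group 2 (1024-bit MODP) is weak; keep group 16")
    if ike["cipher-suite"].endswith("sha1"):
        findings.append(f"IKE: {ike['cipher-suite']} uses HMAC-SHA1 integrity; prefer aes256-cbc-sha2")
    if int(ike["rekey"]) > int(IKE_DEFAULTS["rekey"]):
        findings.append(f"IKE: rekey {ike['rekey']} s exceeds the 4-hour default")
    suite = ipsec["cipher-suite"]
    if "null" in suite:
        findings.append(f"IPsec: {suite} authenticates but does not encrypt the tunnel")
    elif suite.endswith("sha1"):
        findings.append(f"IPsec: {suite} uses HMAC-SHA1 integrity; prefer aes256-gcm or a SHA-2 suite")
    pfs = ipsec["perfect-forward-secrecy"]
    if pfs == "none":
        findings.append("IPsec: PFS disabled; a future key compromise exposes recorded sessions")
    elif pfs == "group-2":
        findings.append("IPsec: PFS group-2 (1024-bit) is weak; use group-16")
    if int(ipsec["rekey"]) > int(IPSEC_DEFAULTS["rekey"]):
        findings.append(f"IPsec: rekey {ipsec['rekey']} s exceeds the 4-hour default")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_tunnel(cfg)) or ["no findings"])
```

The audit treats the vendor default IKE suite (HMAC-SHA1 integrity) as a finding on purpose: the text offers aes256-cbc-sha2 as a supported option, and an auditor wants the SHA-2 suite chosen explicitly rather than inherited.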

Modify IKE Dead-Peer Detection

IKE uses a dead-peer detection mechanism to determine whether the connection to an IKE peer is functional and reachable. To implement this mechanism, IKE sends a Hello packet to its peer, and the peer sends an acknowledgment in response. By default, IKE sends Hello packets every 10 seconds, and after three unacknowledged packets, IKE declares the neighbor to be dead and tears down the tunnel to the peer. Thereafter, IKE periodically sends a Hello packet to the peer, and re-establishes the tunnel when the peer comes back online. You can change the liveness detection interval to a value from 0 through 65535, and you can change the number of retries to a value from 0 through 255.

Note

For transport VPNs, the liveness detection interval is converted to seconds by using the following formula:

  Interval for retransmission attempt number N = interval * 1.8^(N-1)

For example, if the interval is set to 10 and retries to 5, the detection interval increases as follows:

  • Attempt 1: 10 * 1.8^0 = 10 seconds
  • Attempt 2: 10 * 1.8^1 = 18 seconds
  • Attempt 3: 10 * 1.8^2 = 32.4 seconds
  • Attempt 4: 10 * 1.8^3 = 58.32 seconds
  • Attempt 5: 10 * 1.8^4 = 104.976 seconds

Because the back-off grows geometrically, the total time before a silent peer is declared dead is the sum of all attempts, not interval multiplied by retries.

vEdge(config-interface-ipsecnumber)# dead-peer-detection interval number retries number
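To size dead-peer detection against a failover budget, the per-attempt formula above has to be summed over all retries. The following Python is an added example, not Cisco code: it implements the formula from the note, computes the worst-case time until a silent peer is declared dead (assuming the retransmission attempts run back to back with no reply, an assumption the text does not state) and finds the largest retries value that fits a given detection budget.

```python
"""Dead-peer-detection timing for a vEdge IPsec interface on a transport VPN.
Added example, not Cisco code: it applies the formula in the note above
(interval * 1.8^(N-1)) and adds the cumulative time until the peer is declared
dead, assuming the retransmission attempts run back to back with no reply."""

INTERVAL_RANGE = range(0, 65536)  # configurable interval values per the text
RETRIES_RANGE = range(0, 256)     # configurable retries values per the text


def dpd_schedule(interval, retries):
    """Per-attempt wait in seconds for attempts 1..retries (rounded to 1 ms)."""
    if interval not in INTERVAL_RANGE or retries not in RETRIES_RANGE:
        raise ValueError("interval must be 0-65535 and retries 0-255")
    return [round(interval * 1.8 ** (n - 1), 3) for n in range(1, retries + 1)]


def time_to_declare_dead(interval, retries):
    """Worst-case seconds of silence before IKE tears the tunnel down: the sum
    of the geometric schedule, not interval * retries."""
    return round(sum(dpd_schedule(interval, retries)), 3)


def max_retries_within(interval, budget_seconds):
    """Largest retries value whose worst-case detection time fits the budget,
    useful when a failover target bounds how long a dead peer may go unnoticed."""
    best = 0
    for retries in RETRIES_RANGE:
        if time_to_declare_dead(interval, retries) > budget_seconds:
            break
        best = retries
    return best


if __name__ == "__main__":
    print(dpd_schedule(10, 5))          # the worked example in the note
    print(time_to_declare_dead(10, 3))  # the default: interval 10, retries 3
    print(max_retries_within(10, 60))   # retries that keep detection under 60 s
```

With the defaults (interval 10, retries 3) a transport-VPN peer is declared dead after 10 + 18 + 32.4 = 60.4 seconds of silence, so an application that must fail over within a minute needs retries 2 or a shorter interval.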

Configure Other Interface Properties

For IPsec tunnel interfaces, you can configure only the following additional interface properties:

  • vEdge(config-interface-ipsec)# mtu bytes
  • vEdge(config-interface-ipsec)# tcp-mss-adjust bytes

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Table 5: Feature History

  Feature Name: Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
  Release Information: Cisco vManage Release 20.9.1
  Feature Description: This feature enables you to disable weak SSH encryption algorithms on Cisco SD-WAN Manager that may not meet certain data security standards.

Information About Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Cisco SD-WAN Manager provides an SSH client for communication with components in the network, including controllers and edge devices. The SSH client provides an encrypted connection for secure data transfer, based on a variety of encryption methods. Many organizations require stronger encryption than that provided by SHA-1, AES-128, and AES-192. From Cisco vManage Release 20.9.1, you can disable the following weak algorithms so that the SSH client does not use them:

  • SHA-1 (as used in the SSH key-exchange algorithms)
  • AES-128
  • AES-192

Before disabling these algorithms, ensure that any Cisco vEdge devices in the network are running a software release later than Cisco SD-WAN Release 18.4.6. A vEdge device that cannot negotiate a stronger algorithm loses its SSH connection from Cisco SD-WAN Manager once the weak ones are removed.

Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Disabling weak SSH encryption algorithms improves the security of SSH communication, and ensures that organizations using Cisco Catalyst SD-WAN comply with strict security regulations.

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
  2. Choose the Cisco SD-WAN Manager device on which you want to disable the weak SSH algorithms.
  3. Enter the username and password to log in to the device.
  4. Enter SSH server configuration mode:
    • vmanage(config)# system
    • vmanage(config-system)# ssh-server
  5. Do one or both of the following to disable an SSH encryption algorithm:
    • Disable SHA-1:
      vmanage(config-ssh-server)# no kex-algo sha1
      vmanage(config-ssh-server)# commit
      The following warning message is displayed:
      The following warnings were generated:
      'system ssh-server kex-algo sha1': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise those edges may go offline. Proceed? [yes,no] yes
    • Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later, and enter yes.
    • Disable AES-128 and AES-192:
      vmanage(config-ssh-server)# no cipher aes-128-192
      vmanage(config-ssh-server)# commit
      The following warning message is displayed:
      The following warnings were generated:
      'system ssh-server cipher aes-128-192': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise those edges may go offline. Proceed? [yes,no] yes
    • Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later, and enter yes.

Verify That Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
  2. Choose the Cisco SD-WAN Manager device that you want to verify.
  3. Enter the username and password to log in to the device.
  4. Use the following command: show running-config system ssh-server
  5. Verify that the output shows one or both of the commands that disable the weak encryption algorithms:
    • no cipher aes-128-192
    • no kex-algo sha1
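The verification step above is a manual read of the running configuration, and the commit warning puts the burden of the vEdge version check on the operator. The following Python is an added example, not Cisco code: it checks a captured show running-config system ssh-server output for the two lines the verification step expects, and lists the vEdge devices in a constructed inventory whose release is older than 18.4.6 and so should be upgraded before either commit. The captured outputs and the inventory are constructed, and the version comparison assumes plain dotted-numeric release strings.

```python
"""Verify, from captured CLI output, that the weak SSH algorithms are disabled
on a Cisco SD-WAN Manager, and list vEdge devices whose software is too old for
the change.  Added example, not Cisco code; the captured outputs and the device
inventory are constructed, and the version compare assumes plain dotted-numeric
release strings."""

# Constructed: `show running-config system ssh-server` after both commits.
AFTER_HARDENING = """\
system
 ssh-server
  no cipher aes-128-192
  no kex-algo sha1
 !
!
"""

# Constructed: a manager where only the SHA-1 key exchange was disabled.
PARTIAL = """\
system
 ssh-server
  no kex-algo sha1
 !
!
"""

# The two lines the verification step expects, and what their absence means.
REQUIRED = {
    "no kex-algo sha1": "SHA-1 key exchange still enabled",
    "no cipher aes-128-192": "AES-128 and AES-192 ciphers still enabled",
}


def ssh_server_lines(output):
    """Return the stripped lines inside the ssh-server block."""
    lines, inside = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "ssh-server":
            inside = True
        elif inside and line == "!":
            break
        elif inside:
            lines.append(line)
    return lines


def missing_hardening(output):
    """Problems found; an empty list means both weak-algorithm knobs are off."""
    present = set(ssh_server_lines(output))
    return [why for cmd, why in REQUIRED.items() if cmd not in present]


def edges_below(versions, minimum="18.4.6"):
    """Hostnames whose release is older than `minimum`.  The text warns that
    such vEdge devices may go offline after the weak algorithms are removed."""
    def key(v):
        return tuple(int(p) for p in v.split("."))
    return [host for host, ver in versions.items() if key(ver) < key(minimum)]


if __name__ == "__main__":
    inventory = {"vedge-1": "18.4.5", "vedge-2": "18.4.6", "vedge-3": "20.9.1"}  # constructed
    print("still weak:", missing_hardening(PARTIAL) or "none")
    print("upgrade before committing:", edges_below(inventory) or "none")
```

Run the inventory check before the commit, not after: once the manager stops offering the weak algorithms, a vEdge device that cannot negotiate anything stronger is unreachable over SSH from the manager, which is exactly the path you would use to fix it.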

Documents / Resources

Cisco SD-WAN Configure Security Parameters [pdf] User Guide