Cisco SD-WAN Configure Security Parameters
Configure Security Parameters
Note
To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.
This section describes how to change security parameters for the control plane and the data plane in the Cisco Catalyst SD-WAN overlay network.
- Configure Control Plane Security Parameters
- Configure Data Plane Security Parameters
- Configure IKE-Enabled IPsec Tunnels
- Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Configure Control Plane Security Parameters
By default, the control plane uses DTLS as the protocol that provides privacy on all of its tunnels. DTLS runs over UDP. You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers.
You configure the control plane tunnel protocol on a Cisco SD-WAN Controller:
vSmart(config)# security control protocol tls
With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers, and between the Cisco SD-WAN Controller and Cisco SD-WAN Manager, use TLS. Control plane tunnels to the Cisco Catalyst SD-WAN Validator always use DTLS, because these connections must be handled by UDP.
In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the Cisco SD-WAN Controllers, all control plane tunnels from that controller to the other controllers use TLS. Said another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS on the control plane tunnel only to that one Cisco SD-WAN Controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to all of their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them.
By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:
vSmart(config)# security control tls-port number
The port can be a number from 1025 through 65535.
To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:
vSmart-2# show control connections
Configure DTLS on Cisco SD-WAN Manager
If you configure Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything. The number of ports forwarded depends on the number of vdaemon processes running on Cisco SD-WAN Manager. To display information about these processes and the number of ports that are forwarded, use the show control summary command; in the example below, its output shows four vdaemon processes running.
To see the listening ports, use the show control local-properties command:
vManage# show control local-properties
The output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind a NAT, you must open the following ports on the NAT device:
- 23456 (base, the instance 0 port)
- 23456 + 100 (base + 100)
- 23456 + 200 (base + 200)
- 23456 + 300 (base + 300)
Note that the number of instances is the same as the number of cores you have assigned to Cisco SD-WAN Manager, up to a maximum of 8.
Configure Security Parameters Using the Security Feature Template
Use the Security feature template for all Cisco vEdge devices. On edge routers and on the Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On Cisco SD-WAN Manager and the Cisco SD-WAN Controller, use the Security feature template to configure DTLS or TLS for control plane security.
Configure Security Parameters
- From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
- Click Feature Templates, and then click Add Template.
Note
In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
- From the list of devices in the left pane, select a device. The templates applicable to the selected device appear in the right pane.
- Click Security to open the template.
- In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
- In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.
When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down menu to the left of the parameter field and select one of the following:
Table 1:
Parameter Scope | Scope Description |
Device Specific (indicated by a host icon) | Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template. When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet. To change the default key, type a new string and move the cursor out of the Enter Key box. Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID. |
Global (indicated by a globe icon) | Enter a value for the parameter, and apply that value to all devices. Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTU. |
Configure Control Plane Security
Note
The Configure Control Plane Security section applies only to Cisco SD-WAN Manager and the Cisco SD-WAN Controller.
To configure the control plane connection protocol on a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller, select the Basic Configuration area and configure the following parameters:
Table 2:
Parameter Name | Description |
Protocol | Select the protocol to use on control plane connections to a Cisco SD-WAN Controller: DTLS (Datagram Transport Layer Security), which is the default, or TLS (Transport Layer Security). |
Control TLS Port | If you selected TLS, configure the port number to use. Range: 1025 through 65535. Default: 23456 |
Click Save.
Configure Data Plane Security
To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, select the Basic Configuration and Authentication Type tabs, and configure the following parameters:
Table 3:
Parameter Name | Description |
Rekey Time | Specify how often a Cisco vEdge router changes the AES key used on its data plane IPsec tunnels (the router distributes each new key to the Cisco SD-WAN Controller over its secure DTLS connection; see Change the Rekeying Timer). If OMP graceful restart is enabled, the rekey time must be at least twice the value of the OMP graceful restart timer. Range: 10 seconds through 1209600 seconds (14 days). Default: 86400 seconds (24 hours) |
Replay Window | Specify the size of the sliding replay window. Values: 64, 128, 256, 512, 1024, 2048, 4096, or 8192 packets. Default: 512 packets |
IPsec pairwise-keying | This is off by default. Click On to enable it. |
Authentication Type | Select the authentication types from the Authentication List, and click the right-pointing arrow to move them to the Selected List column.
Authentication types supported from Cisco SD-WAN Release 20.6.1: • esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header. • ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. • ip-udp-esp-no-id: Ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices. • none: Turns integrity checking off on IPsec packets. We do not recommend using this option.
Authentication types supported in Cisco SD-WAN Release 20.5.1 and earlier: • ah-no-id: Enables an enhanced version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the outer IP header of the packet. • ah-sha1-hmac: Enables AH-SHA1 HMAC and ESP HMAC-SHA1. • none: Selects no authentication. • sha1-hmac: Enables ESP HMAC-SHA1.
Note: For an edge device running Cisco SD-WAN Release 20.5.1 or earlier, you might have configured authentication types using the Security template. If you upgrade the device to Cisco SD-WAN Release 20.6.1 or later, update the authentication types selected in the Security template to the authentication types supported in Cisco SD-WAN Release 20.6.1. To update the authentication types, do the following: 1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates. 2. Click Feature Templates. 3. Find the Security template to update, click ..., and then click Edit. 4. Click Update. Do not modify any configuration. Cisco SD-WAN Manager updates the Security template to show the supported authentication types. |
Click Save.
Configure Data Plane Security Parameters
In the data plane, IPsec is enabled by default on all routers, and by default IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication on IPsec tunnels. On the routers, you can change the type of authentication, the IPsec rekeying timer, and the size of the IPsec anti-replay window.
Configure Allowed Authentication Types
Authentication Types in Cisco SD-WAN Release 20.6.1 and Later
Starting from Cisco SD-WAN Release 20.6.1, the following integrity types are supported:
- esp: This option enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
- ip-udp-esp: This option enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers.
- ip-udp-esp-no-id: This option is the same as ip-udp-esp, except that the ID field of the outer IP header is ignored. Configure this option in the list of integrity types to have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
- none: This option turns integrity checking off on IPsec packets. We do not recommend using this option.
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated integrity types or to disable integrity checking, use the following command:
Device(config)# security ipsec integrity-type { none | ip-udp-esp | ip-udp-esp-no-id | esp }
Authentication Types Before Cisco SD-WAN Release 20.6.1
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated authentication types or to disable authentication, use the following command:
Device(config)# security ipsec authentication-type (ah-sha1-hmac | ah-no-id | sha1-hmac | none)
By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication. Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, listed in order from strongest to weakest:
Note
The sha1 in the configuration options is used for historical reasons. The authentication options indicate how much of the packet is covered by the integrity check. They do not specify the algorithm that checks integrity. With the exception of multicast traffic encryption, the authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1. From Cisco SD-WAN Release 20.1.x onwards, neither unicast nor multicast uses SHA1.
- ah-sha1-hmac enables encryption and encapsulation using ESP. However, in addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. Hence, this option supports an integrity check of the packet similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using AES-256-GCM.
- ah-no-id enables a mode that is similar to ah-sha1-hmac, except that the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco Catalyst SD-WAN AH software ignore the ID field in the IP header so that the Cisco Catalyst SD-WAN software can work in conjunction with these devices.
- sha1-hmac enables ESP encryption and integrity checking.
- none maps to no authentication. This option should be used only if it is required for temporary debugging. You can also choose this option in situations where data plane authentication and integrity are not a concern. Cisco does not recommend using this option for production networks.
For information about which data packet fields are affected by these authentication types, see Data Plane Integrity. Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types, and a second router advertises the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel connection between them. If no common authentication types are configured on the two peers, no IPsec tunnel is established between them.
The encryption algorithm on IPsec tunnel connections depends on the type of traffic:
- For unicast traffic, the encryption algorithm is AES-256-GCM.
- For multicast traffic:
  - Cisco SD-WAN Release 20.1.x and later: the encryption algorithm is AES-256-GCM.
  - Earlier releases: the encryption algorithm is AES-256-CBC with SHA1-HMAC.
When the IPsec authentication type is changed, the AES key for the data path is changed.
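The negotiation rule above (each router advertises its configured types, the peers settle on the strongest type both have, and no tunnel comes up without a common type) is easy to get wrong at fabric scale, for instance when one site is left on none after a debugging session. The following is an added example, not code from the guide or from Cisco: it encodes the strength order the text gives for the pre-20.6.1 keywords, audits every router pair in a constructed fabric, and flags pairs that would be isolated or would run without any integrity check. The order assumed for the 20.6.1 keywords (INTEGRITY_ORDER_20_6) is this example's inference from how much of the packet each type covers; the router names and type lists are constructed.

```python
"""Data plane authentication-type negotiation between SD-WAN peers.

Added example, not Cisco's code. It models the rule the text states: each
router advertises its configured types, the two ends use the strongest
type configured on both, and with no common type no IPsec tunnel comes up.
The strength order of the pre-20.6.1 keywords is the one the text gives.
The order of the 20.6.1 keywords is this example's assumption, inferred
from how much of the packet each type covers (outer IP and UDP headers,
then the same minus the IP ID field, then ESP header and payload only,
then nothing). The router names and type lists are constructed.
"""
from typing import Dict, Iterable, Optional, Set, Tuple

# Strongest first, as the text lists them (Cisco SD-WAN 20.5.1 and earlier).
AUTH_ORDER_PRE_20_6 = ("ah-sha1-hmac", "ah-no-id", "sha1-hmac", "none")
# Strongest first; assumed ordering for the 20.6.1 integrity-type keywords.
INTEGRITY_ORDER_20_6 = ("ip-udp-esp", "ip-udp-esp-no-id", "esp", "none")


def negotiate(local: Iterable[str], remote: Iterable[str],
              order: Tuple[str, ...] = AUTH_ORDER_PRE_20_6) -> Optional[str]:
    """Return the strongest type both peers advertise, or None (no tunnel)."""
    local_set, remote_set = set(local), set(remote)
    unknown = (local_set | remote_set) - set(order)
    if unknown:
        raise ValueError(f"unknown authentication type(s): {sorted(unknown)}")
    for candidate in order:                 # walk from strongest to weakest
        if candidate in local_set and candidate in remote_set:
            return candidate
    return None


def audit_fabric(advertised: Dict[str, Set[str]],
                 order: Tuple[str, ...] = AUTH_ORDER_PRE_20_6) -> Dict[str, object]:
    """For every router pair, record what would be negotiated.

    Returns {"tunnels": {(a, b): type}, "isolated": [(a, b), ...],
             "weak": [(a, b), ...]}: "isolated" pairs share no type and
    "weak" pairs would fall back to 'none' (no integrity check at all)."""
    names = sorted(advertised)
    tunnels, isolated, weak = {}, [], []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            chosen = negotiate(advertised[a], advertised[b], order)
            tunnels[(a, b)] = chosen
            if chosen is None:
                isolated.append((a, b))
            elif chosen == "none":
                weak.append((a, b))
    return {"tunnels": tunnels, "isolated": isolated, "weak": weak}


# Constructed sample fabric: a hub that only permits the strongest type,
# a branch behind a NAT that rewrites the IP ID field, and two sites left
# on weak settings after debugging.
SAMPLE_FABRIC = {
    "hub": {"ah-sha1-hmac"},
    "branch-a": {"ah-sha1-hmac", "ah-no-id"},
    "branch-b": {"ah-no-id"},
    "branch-c": {"none"},
    "branch-d": {"sha1-hmac", "none"},
}

if __name__ == "__main__":
    # The example from the text: ah-sha1-hmac + ah-no-id versus ah-no-id alone.
    print(negotiate(["ah-sha1-hmac", "ah-no-id"], ["ah-no-id"]))
    report = audit_fabric(SAMPLE_FABRIC)
    for pair, chosen in report["tunnels"].items():
        print(pair, "->", chosen or "NO TUNNEL")
    print("isolated pairs:", report["isolated"])
    print("pairs with no integrity check:", report["weak"])
```

Run against the constructed fabric, the audit shows that the hub's strict single-type configuration isolates every branch except branch-a, and that branch-c and branch-d would form a tunnel with no integrity checking at all. The same check applies to a 20.6.1 fabric by passing INTEGRITY_ORDER_20_6 as the order.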
Change the Rekeying Timer
Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure authenticated communications channel between them. The routers use IPsec tunnels between them as the channel, and the AES-256 cipher to perform encryption. Each router generates a new AES key for its data path periodically. By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:
Device(config)# security ipsec rekey seconds
The configuration looks like this:
security
 ipsec
  rekey seconds
 !
!
If you want to generate new IPsec keys immediately, you can do so without modifying the configuration of the router. To do this, issue the request security ipsec-rekey command on the compromised router. For example, in the output of the show ipsec local-sa command, the local SA has a Security Parameter Index (SPI) of 256.
A unique key is associated with each SPI. If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the SPI. In this example, the SPI changes to 257, and the key associated with it is now used:
Device# request security ipsec-rekey
Device# show ipsec local-sa
After the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers using DTLS or TLS. The Cisco SD-WAN Controllers send the key to the peer routers. The routers begin using it as soon as they receive it. Note that the key associated with the old SPI (256) continues to be used for a short period of time, until it times out. To stop using the old key immediately, issue the request security ipsec-rekey command twice, in quick succession. This sequence of commands removes both SPI 256 and SPI 257 and sets the SPI to 258. The router then uses the key associated with SPI 258. Note, however, that some packets will be dropped for a short period of time, until all remote routers learn the new key.
Change the Size of the Anti-Replay Window
IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in the data stream. This sequence number protects against an attacker replaying data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these sequence numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.
Packets with sequence numbers that fall to the left of the sliding window range are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts the sliding window when it receives a packet with a higher value.
By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To modify the anti-replay window size, use the replay-window command, specifying the size of the window:
Device(config)# security ipsec replay-window number
The configuration looks like this:
security
 ipsec
  replay-window number
 !
!
To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The configured replay window size is divided by eight for each channel, so with the default of 512 each channel has a window of 64 packets. If QoS is configured on a router, that router might experience a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the dropped packets are legitimate ones. This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets; any packet delayed by more than the per-channel window is dropped as a replay. To minimize or prevent this situation, you can do the following:
- Increase the size of the anti-replay window.
- Engineer traffic onto the first eight traffic channels to ensure that traffic within a channel is not reordered.
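To make the interaction between the anti-replay window and QoS reordering concrete, the following added example (not code from the guide or from Cisco) implements the sliding-window check the text describes and then runs a constructed traffic pattern through it: a scheduler that holds every fourth packet back by 100 slots. With the per-channel window that the default 512 yields (64 packets) the delayed packets are dropped as replays even though none were replayed; with a 512-packet window they are all accepted. The class and function names are chosen here, and the traffic pattern is constructed for illustration.

```python
"""Sliding-window anti-replay check of the kind IPsec ESP uses.

Added example, not Cisco's code. It implements the behaviour the text
describes (track the highest sequence number seen, keep a bitmap of the
`size` most recent numbers, drop anything left of the window or already
seen) and then simulates a QoS scheduler that holds lower-priority
packets back, to show why a window that is too small drops legitimate
traffic. Window sizes follow the text: a power of two from 64 to 4096.
The traffic pattern in the simulation is constructed for illustration.
"""

VALID_WINDOWS = (64, 128, 256, 512, 1024, 2048, 4096)


class ReplayWindow:
    """Anti-replay state for one security association."""

    def __init__(self, size: int = 512):
        if size not in VALID_WINDOWS:
            raise ValueError(f"replay window must be one of {VALID_WINDOWS}")
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => (highest - i) has been received
        self.accepted = 0
        self.dropped = 0

    def check(self, seq: int) -> bool:
        """Accept seq if it is new and within the window; otherwise drop it."""
        if seq <= 0:          # ESP never uses sequence number 0
            self.dropped += 1
            return False
        if seq > self.highest:
            # Right of the window: slide forward so that seq becomes bit 0.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.size:
            self.dropped += 1  # left of the window: too old, treated as a replay
            return False
        if self.bitmap & (1 << offset):
            self.dropped += 1  # inside the window but already seen: replay
            return False
        self.bitmap |= 1 << offset
        self.accepted += 1
        return True


def simulate_qos_reordering(window_size: int, delay: int,
                            n: int = 1000, low_every: int = 4) -> tuple:
    """Send n packets in order; every low_every-th packet is low priority and
    the scheduler holds it back by `delay` slots. Returns (accepted, dropped).
    Every drop here is a legitimate packet, since nothing is ever replayed."""
    arrivals = sorted((seq + delay if seq % low_every == 0 else seq, seq)
                      for seq in range(1, n + 1))
    window = ReplayWindow(window_size)
    for _, seq in arrivals:
        window.check(seq)
    return window.accepted, window.dropped


if __name__ == "__main__":
    w = ReplayWindow(64)
    print([w.check(s) for s in (1, 2, 3, 2, 100, 3, 50, 50)])
    # The default 512-packet window is divided by eight per traffic channel,
    # so each channel effectively has a 64-packet window.
    print("per-channel window 64:", simulate_qos_reordering(512 // 8, delay=100))
    print("window 512:           ", simulate_qos_reordering(512, delay=100))
```

The first print shows the basic rules: in-order packets are accepted, a repeated number is a replay, a jump to 100 slides the window so that 3 is now too old, and 50 is accepted once but not twice. The two simulations are the QoS case from the text: the same delayed-but-legitimate packets are dropped with a 64-packet window and accepted with 512, which is why the text suggests either enlarging the window or keeping a channel's traffic in order.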
Configure IKE-Enabled IPsec Tunnels
To securely transmit traffic from the overlay network to a service network, you can configure IPsec tunnels that run the Internet Key Exchange (IKE) protocol. IKE-enabled IPsec tunnels provide authentication and encryption to ensure secure packet transport. You create an IKE-enabled IPsec tunnel by configuring an IPsec interface. IPsec interfaces are logical interfaces, and you configure them just like any other physical interface. You configure the IKE protocol parameters on the IPsec interface, and you can configure other interface properties.
Note
Cisco recommends using IKE Version 2. Starting from Cisco SD-WAN Release 19.2.x, the pre-shared key must be at least 16 bytes long. IPsec tunnel establishment fails if the key is shorter than 16 characters when the router is upgraded to version 19.2.
Note
The Cisco Catalyst SD-WAN software supports IKE Version 2 as defined in RFC 7296. One use for IPsec tunnels is to allow vEdge Cloud router VM instances running on Amazon AWS to connect to an Amazon virtual private cloud (VPC). You must configure IKE Version 1 on these routers. Cisco vEdge devices support only route-based VPNs in the IPsec configuration, because these devices cannot define traffic selectors in the encryption domain.
Configure an IPsec Tunnel
To configure an IPsec tunnel interface for secure transport traffic from a service network, you create a logical IPsec interface.
You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512). The IPsec interface has a name in the format ipsecnumber, where number can be from 1 through 255. Each IPsec interface must have an IPv4 address. This address must be a /30 prefix. All traffic in the VPN that is within this IPv4 prefix is directed to a physical interface in VPN 0 to be sent securely over an IPsec tunnel. To configure the source of the IPsec tunnel on the local device, you can specify either the IP address of the physical interface (in the tunnel-source command) or the name of the physical interface (in the tunnel-source-interface command). Ensure that the physical interface is configured in VPN 0. To configure the destination of the IPsec tunnel, specify the IP address of the remote device in the tunnel-destination command. The combination of a source address (or source interface name) and a destination address defines a single IPsec tunnel. Only one IPsec tunnel can exist that uses a specific source address (or interface name) and destination address pair.
Configure an IPsec Static Route
To direct traffic from the service VPN to an IPsec tunnel in the transport VPN (VPN 0), you configure an IPsec static route in the service VPN (a VPN other than VPN 0 or VPN 512):
vEdge(config)# vpn vpn-id
vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]
The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512). prefix/length is the IP address or prefix, in decimal four-part dotted notation, and the prefix length of the IPsec-specific static route. The interface is the IPsec tunnel interface in VPN 0. You can configure one or two IPsec tunnel interfaces. If you configure two, the first is the primary IPsec tunnel, and the second is the backup. With two interfaces, all packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.
Enable IKE Version 1
When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following properties are also enabled by default for IKEv1:
- Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- Diffie-Hellman group number: 16
- Rekeying time interval: 4 hours
- SA establishment mode: Main
By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:
Note
IKE aggressive mode with pre-shared keys should be avoided wherever possible. Otherwise, a strong pre-shared key should be chosen.
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# mode aggressive
By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number
By default, the IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite
The authentication suite can be one of the following:
- aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
- aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default
- aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
By default, IKE keys are refreshed every 1 hour (3600 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds). It is recommended that the rekeying interval be at least 1 hour.
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds
To force the generation of new IKE session keys, issue the request ipsec ike-rekey command.
For IKE, you can also configure pre-shared key (PSK) authentication:
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password
password is the password to use with the pre-shared key. It can be an ASCII or a hexadecimal string from 1 through 127 characters long.
If the remote IKE peer requires a local or remote ID, you can configure this identifier:
vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id
The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.
Enable IKE Version 2
When you configure an IPsec tunnel to use IKE Version 2, the following properties are also enabled by default for IKEv2:
- Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- Diffie-Hellman group number: 16
- Rekeying time interval: 4 hours
By default, IKEv2 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number
By default, the IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite
The authentication suite can be one of the following:
- aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
- aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default
- aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds
To force the generation of new IKE session keys, issue the request ipsec ike-rekey command.
For IKE, you can also configure pre-shared key (PSK) authentication:
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password
password is the password to use with the pre-shared key. It can be an ASCII or a hexadecimal string, or it can be an AES-encrypted key.
If the remote IKE peer requires a local or remote ID, you can configure this identifier:
vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id
The identifier can be an IP address or any text string from 1 through 64 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.
Configure IPsec Tunnel Parameters
Table 4: Feature History
Feature Name | Release Information | Description |
Additional Cryptographic Algorithmic Support for IPsec Tunnels | Cisco SD-WAN Release 20.1.1 | This feature adds support for the HMAC_SHA256, HMAC_SHA384, and HMAC_SHA512 algorithms for enhanced security. |
By default, the following parameters are used on the IPsec tunnel that carries IKE traffic:
- Authentication and encryption: AES-256 algorithm in GCM (Galois/counter mode)
- Rekeying interval: 4 hours
- Replay window: 32 packets
You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining) mode, with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, or to null with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, so that the IPsec tunnel used for IKE key exchange traffic is not encrypted:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# cipher-suite (aes256-gcm | aes256-cbc-sha1 | aes256-cbc-sha256 | aes256-cbc-sha384 | aes256-cbc-sha512 | aes256-null-sha1 | aes256-null-sha256 | aes256-null-sha384 | aes256-null-sha512)
By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# rekey seconds
To force the generation of new keys for an IPsec tunnel, issue the request ipsec ipsec-rekey command. By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime modulus group. You can change the PFS setting:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting
pfs-setting can be one of the following:
- group-2: Use the 1024-bit Diffie-Hellman prime modulus group.
- group-14: Use the 2048-bit Diffie-Hellman prime modulus group.
- group-15: Use the 3072-bit Diffie-Hellman prime modulus group.
- group-16: Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
- none: Disable PFS.
By default, the IPsec replay window on an IPsec tunnel is 512 bytes. You can set the replay window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# replay-window number
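The IKE and IPsec settings above all live under one tunnel interface, so a defender auditing many vEdge configurations wants a single check that reads the ike and ipsec sub-modes, fills in the documented defaults for anything left unset, and flags the weak or out-of-range choices the page describes (Diffie-Hellman group 2, a null cipher suite, PFS set to none, a rekey interval outside 30..1209600 seconds). The following Python is an added example, not Cisco code; the configuration snippet is constructed and the exact CLI rendering is assumed to mirror the commands shown on this page.

```python
# Constructed sample of a vEdge-style IPsec tunnel interface (not from a real device);
# the ike and ipsec sub-modes mirror the CLI hierarchy shown on the page.
SAMPLE_CONFIG = """\
 ike
  group        2
  cipher-suite aes256-cbc-sha1
  rekey        20
 !
 ipsec
  cipher-suite            aes256-null-sha1
  perfect-forward-secrecy none
 !
"""

# Defaults the page documents; a key that is not set explicitly takes its default.
DEFAULTS = {"ike": {"group": "16", "cipher-suite": "aes256-cbc-sha1", "rekey": "14400"},
            "ipsec": {"cipher-suite": "aes256-gcm", "rekey": "14400",
                      "perfect-forward-secrecy": "group-16", "replay-window": "32"}}

def parse_tunnel(config):
    """Return {'ike': {...}, 'ipsec': {...}} holding effective (explicit or default) values."""
    settings = {sec: dict(vals) for sec, vals in DEFAULTS.items()}
    section = None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped in ("ike", "ipsec"):
            section = stripped          # entering a sub-mode
        elif stripped == "!":
            section = None              # sub-mode closed
        elif section and " " in stripped:
            key, _, value = stripped.partition(" ")
            settings[section][key] = value.strip()
    return settings

def audit_tunnel(config):
    """Flag settings weaker than the page's defaults or outside its documented ranges."""
    s = parse_tunnel(config)
    findings = []
    if s["ike"]["group"] == "2":
        findings.append("ike: group 2 (1024-bit MODP) is the weakest documented choice")
    for sec in ("ike", "ipsec"):
        rekey = int(s[sec]["rekey"])
        if not 30 <= rekey <= 1209600:
            findings.append(f"{sec}: rekey {rekey}s is outside the permitted 30..1209600 range")
    if "-null-" in s["ipsec"]["cipher-suite"]:
        findings.append("ipsec: null cipher-suite leaves the tunnel unencrypted")
    if s["ipsec"]["perfect-forward-secrecy"] == "none":
        findings.append("ipsec: PFS disabled; compromised future keys expose past sessions")
    return findings
```

Running audit_tunnel(SAMPLE_CONFIG) returns four findings for the constructed snippet, while an empty configuration (all defaults) returns none.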
Configure IKE Dead-Peer Detection
IKE uses a dead-peer detection mechanism to determine whether the connection to an IKE peer is functional and reachable. To implement this mechanism, IKE sends a Hello packet to its peer, and the peer sends an acknowledgment in response. By default, IKE sends Hello packets every 10 seconds, and after three unacknowledged packets, IKE declares the neighbor to be dead and tears down the tunnel to the peer. Thereafter, IKE periodically sends a Hello packet to the peer, and re-establishes the tunnel when the peer comes back online. You can change the liveness detection interval to a value from 0 through 65535, and you can change the number of retries to a value from 0 through 255.
Note
For transport VPNs, the liveness detection interval is converted to seconds by using the following formula: interval for retransmission attempt number N = interval * 1.8^(N-1). For example, if the interval is set to 10 and retries to 5, the detection interval increases as follows:
- Attempt 1: 10 * 1.8^(1-1) = 10 seconds
- Attempt 2: 10 * 1.8^(2-1) = 18 seconds
- Attempt 3: 10 * 1.8^(3-1) = 32.4 seconds
- Attempt 4: 10 * 1.8^(4-1) = 58.32 seconds
- Attempt 5: 10 * 1.8^(5-1) = 104.976 seconds
vEdge(config-interface-ipsecnumber)# dead-peer-detection interval seconds retries number
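The note gives the per-attempt waits but not how long a transport-VPN peer can be silent before the tunnel is torn down, which is what matters when sizing failover. This added Python example (not Cisco code) applies the page's formula and range limits and sums the schedule to give that total.

```python
def dpd_schedule(interval, retries):
    """Per-attempt wait in seconds for a transport VPN: attempt N waits interval * 1.8**(N-1).
    Ranges are the ones the page documents: interval 0..65535, retries 0..255."""
    if not 0 <= interval <= 65535 or not 0 <= retries <= 255:
        raise ValueError("interval must be 0..65535 and retries 0..255")
    return [interval * 1.8 ** (n - 1) for n in range(1, retries + 1)]

def time_to_declare_dead(interval, retries):
    """Total seconds of unanswered Hellos before the peer is declared dead."""
    return sum(dpd_schedule(interval, retries))

if __name__ == "__main__":
    # The note's example: interval 10, retries 5.
    for n, wait in enumerate(dpd_schedule(10, 5), start=1):
        print(f"Attempt {n}: {wait:.3f} seconds")
    print(f"Peer declared dead after {time_to_declare_dead(10, 5):.3f} seconds")
```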
Configure Other Interface Properties
For IPsec tunnel interfaces, you can configure only the following additional interface properties:
- vEdge(config-interface-ipsec)# mtu bytes
- vEdge(config-interface-ipsec)# tcp-mss-adjust bytes
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Table 5: Feature History Table
Feature Name | Release Information | Feature Description |
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager | Cisco vManage Release 20.9.1 | This feature lets you disable weak SSH encryption algorithms on Cisco SD-WAN Manager that may not comply with certain data security standards. |
Information About Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Cisco SD-WAN Manager provides an SSH client for connecting to components in the network, including controllers and edge devices. The SSH client provides an encrypted connection for secure data transfer, based on a variety of encryption algorithms. Many organizations require stronger encryption than that provided by SHA-1, AES-128, and AES-192. From Cisco vManage Release 20.9.1, you can disable the following weak encryption algorithms so that the SSH client does not use them:
- SHA-1
- AES-128
- AES-192
Before disabling these encryption algorithms, ensure that any Cisco vEdge devices in the network are using a software release later than Cisco SD-WAN Release 18.4.6.
Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Disabling weak SSH encryption algorithms improves the security of SSH communication, and ensures that organizations using Cisco Catalyst SD-WAN comply with strict security regulations.
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using the CLI
- From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
- Choose the Cisco SD-WAN Manager device on which you want to disable weak SSH algorithms.
- Enter the username and password to log in to the device.
- Enter SSH server mode.
- vmanage(config)# system
- vmanage(config-system)# ssh-server
- Do one of the following to disable an SSH encryption algorithm:
- Disable SHA-1:
- vmanage(config-ssh-server)# no kex-algo sha1
- vmanage(config-ssh-server)# commit
The following warning message is displayed:
The following warnings were generated:
'system ssh-server kex-algo sha1': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise those edges may go offline. Proceed? [yes,no] yes
- Ensure that any Cisco vEdge devices in the network are using Cisco SD-WAN Release 18.4.6 or later and then enter yes.
- Disable AES-128 and AES-192:
- vmanage(config-ssh-server)# no cipher aes-128-192
- vmanage(config-ssh-server)# commit
The following warning message is displayed:
The following warnings were generated:
'system ssh-server cipher aes-128-192': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise those edges may go offline. Proceed? [yes,no] yes
- Ensure that any Cisco vEdge devices in the network are using Cisco SD-WAN Release 18.4.6 or later and then enter yes.
Verify That Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI
- From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
- Choose the Cisco SD-WAN Manager device that you want to verify.
- Enter the username and password to log in to the device.
- Run the following command: show running-config system ssh-server
- Verify that the output shows one or both of the commands that disable weak encryption algorithms:
- no cipher aes-128-192
- no kex-algo sha1
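When the verification step above is repeated across several Cisco SD-WAN Manager instances, it helps to check the command output mechanically rather than by eye. This added Python example (not Cisco code) parses a constructed copy of the show running-config system ssh-server output and reports which of the two disable commands are present under ssh-server.

```python
# Constructed sample of `show running-config system ssh-server` output after both
# weak-algorithm commands were committed (not captured from a real device).
SAMPLE_OUTPUT = """\
system
 ssh-server
  no cipher aes-128-192
  no kex-algo sha1
 !
!
"""

# The two commands the page says should appear once the weak algorithms are disabled.
WEAK_ALGORITHM_DISABLES = ("no cipher aes-128-192", "no kex-algo sha1")

def weak_ssh_algorithm_status(output):
    """Map each expected disable command to whether it appears inside the ssh-server block."""
    present = {cmd: False for cmd in WEAK_ALGORITHM_DISABLES}
    in_ssh_server = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped == "ssh-server":
            in_ssh_server = True        # entering the ssh-server block
        elif stripped == "!":
            in_ssh_server = False       # block closed
        elif in_ssh_server and stripped in present:
            present[stripped] = True
    return present

def missing_disables(output):
    """Return the disable commands that still need to be committed (empty when compliant)."""
    status = weak_ssh_algorithm_status(output)
    return [cmd for cmd in WEAK_ALGORITHM_DISABLES if not status[cmd]]
```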
Documents / Resources
CISCO SD-WAN Configure Security Parameters [pdf] User Guide