Secure transmission network of campus network base

User submission 245 2022-10-06


Table of contents

I. Introduction
II. Realization of VPN key technologies
III. Coding to implement VPN network security
IV. The ipsec-VPN is analyzed using Wireshark
Conclusion and Recommendations
References

I. Introduction

With a main campus and a branch campus, the network management of multiple campuses is strictly required, and the integration and optimization of college resources is a new concept that requires instant communication between the school headquarters and the branch schools. As the network market expands, students and teachers need to be able to access the resources of the campus network at any time, from inside the campus or from remote sites outside it, which poses new challenges to the campus network. The campus network is therefore planned and designed according to the following principles:

Advancement: advanced planning ideas, network organization structure and development environment tools, and the selection of standardized, technically mature software and hardware products with high market coverage.

Practicability: when building the network, the use and maintenance of existing network resources must be considered so that the benefit of the equipment is fully realized.

Openness: comply with international standards; the system design should adopt pluralistic and open technology, an open organizational structure, open system construction and open user interfaces, to ease maintenance, expansion and upgrading of the network and communication with external information.

Flexibility: adopt building-block modules and structured planning, so that the system configuration is flexible, meets the school's criterion of building the network step by step, and lets the network grow robustly.

Reliability: fault tolerance; the key steps of network structure planning, equipment selection, installation and debugging are planned and analysed in a unified way.

Cost performance: do not blindly pursue the newest equipment; consider the actual current needs and select a reasonable combination of equipment so that performance is excellent relative to cost.

Security: this has two aspects: 1. network user-level security; 2. data transmission-level security. User-level security should be fully considered in the network operating system, and the security of data transmission must be solved during network transmission.

Applying VPN technology in the construction of the campus network lets the campus network break through the limitations of a private network and optimizes the management and application of the campus network, thus reducing the cost of network operation and maintenance.

Applying VPN technology to the campus network breaks through the regional limitations of a private network and at the same time deals well with the problems that have long existed in campus networks, such as multiple campuses, remote access and remote management. It also optimizes the governance and use of the campus network, brings far greater economic benefit than a leased line, and is easy to expand. More importantly, it better guarantees the confidentiality, security and data integrity of communication, which is one of the most important standards of campus network construction.

It is imperative that network technology be widely implemented in the campus local area network; when selecting LAN technology, the criteria of openness, distribution, safety, reliability and ease of maintenance should be upheld. The construction of a campus network is above all a collection of network application technologies based on LAN techniques and multimedia technology. Computer multimedia techniques have developed rapidly along with the use of multimedia information, and multimedia has become widely accepted by the public as a way to obtain more information. The campus network therefore combines LAN technology, multimedia technology and Internet application techniques, which lets it meet the requirements of modern teaching information processing and brings computers into teaching management.

The VPN technology[1] discussed in this paper is a logical network built on the traditional Internet, ATM and Frame Relay. It is characterized by encapsulation, encryption and authentication over the public network, extension of the private network and traversal of the shared network. Building a VPN over the public network saves a great deal of communication cost and the manpower and material resources needed to maintain WAN (wide area network) equipment and remote access devices; users only need to pay a certain fee to the Internet Service Provider (ISP) to enjoy all the facilities and services needed to build the VPN logical network. The reason why VPN technology is a hot topic is that it adopts security technologies such as encryption and authentication to ensure user reliability and data confidentiality. In addition, the connection method is very flexible: as long as the network administrator's PC is connected to the public network, only the secure connection information and parameters need to be configured to connect to the VPN server exposed on the public network and manage the company's internal network.

As the network era progresses, applying VPN to the construction of the campus network not only lets the campus network break through the regional limitations of a private network but also optimizes its management and use and reduces the cost of network operation and maintenance. VPN is used in the campus network because two or more campuses in different areas, or an enterprise intranet, need to communicate through the Internet, which requires a dedicated communication line; a leased private network has regional restrictions and a high economic cost and is not suitable for widespread use in the campus network. VPN creates a dedicated communication line over the Internet between two or more campuses, or between enterprise intranets in different places, using a dedicated encrypted communication protocol to ensure the privacy of the link.

This paper focuses on using VPN to interconnect different campuses and to deal with the privacy (3DES, AES, RSA)[2], integrity (MD5, SHA) and security of network communication, improving the sharing of resources between campuses and the office efficiency of campus staff, and optimizing campus network management.

Studying the advantages and implementation of VPN technology in the campus network is one of the most important modules of this paper, because it is the theoretical preparation for the later experimental simulation: how the campus network can exploit VPN, in which areas and how to use it, which elements must be considered and which details need attention, for example whether site-to-site VPN or remote-access VPN should be used, whether tunnel mode or transport mode should be used, and which technology best fits the application in the actual campus network.

The reason the campus network uses VPN is that two or more campuses in different places, and enterprise intranets, need to communicate through the Internet, which requires a unique communication line; a rented private network has regional limitations and is economically costly, and that economic cost is one of the largest in a campus network. VPN can instead create a unique communication line between two or more campuses and intranets in different places over the Internet through a dedicated encrypted communication protocol. In the campus network, therefore, VPN not only breaks through the regional limitation of the private network but also deals well with the long-standing problems of multiple campuses, remote access and remote management; it optimizes campus network management and operation, so the design is clearly more economical than a leased line and extremely easy to expand. Through the analysis of related cases, this paper tries to find the best design scheme for applying VPN technology in the campus network and to improve its theoretical support.

A Virtual Private Network (VPN) is a private network set up on top of a public network for encrypted communication. This technique is widely used in enterprise networks. The VPN gateway realizes remote access by encrypting the data packet and changing its destination address. There are many types of VPNs, which can be classified in many ways, most importantly by protocol. A VPN can be implemented in various forms, such as servers, hardware and software. Another feature is that a VPN has low cost and is very easy to use.

IPsec is IP Security. It is not only an important standard for the secure communication of the IP protocol but also implements the encryption and authentication process for IP packets. The IPsec protocol family is composed of the following parts: 1) the protocols that secure the packet flow; 2) the key exchange protocol that sets up secure packet flows. The first part can be divided into two: the Encapsulating Security Payload (ESP)[3], which encrypts the packet flow, and the smaller Authentication Header (AH). The authentication header guarantees the authentication of the packet flow and the integrity of the message, while the encapsulating security payload implements confidentiality.

PPTP: Point-to-Point Tunneling Protocol, a protocol type for creating an IP VPN tunnel on a public network. L2F: Layer 2 Forwarding, which is based on Layer 2. L2TP: Layer 2 Tunneling Protocol, which is also based on Layer 2 and is generally built on the PPP (Point-to-Point Protocol) architecture: the protocol in use is first encapsulated in PPP and then encapsulated in a tunnel protocol such as GRE (Generic Routing Encapsulation)[4].

The next type is the Layer 3 tunneling protocol. The protocol may be loaded directly into the tunnel protocol itself. Compared with Layer 2 tunnel protocols it has excellent scalability, security and reliability. IPsec also provides two types of security protocol: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.

So far it has been shown that VPN not only performs very well in reducing costs but also saves a great deal of communication cost, so there is no need to prepare large amounts of manpower and material to install and maintain WAN[5] (wide area network) equipment and remote access equipment. Without a virtual private network, joining a partner's network is a very troublesome process, because a private line may have to be rented; once the virtual private network is set up, the two parties only need to perform some VPN configuration to achieve secure communication, making full use of the resources provided by the ISP network. VPNs have the following advantages: 1) Good manageability: VPNs can be managed by both carriers and users. 2) Security guarantee: encryption technology is used to encrypt the transmitted data so that the whole transmission process is safe and reliable. 3) Flexibility: VPN supports almost all data flows. 4) Service quality assurance: VPN can provide different security levels for different levels of users.

II. Realization of VPN key technologies

In order to work more smoothly during the simulation, a deep understanding of IPsec VPN technology must be obtained in advance, so that the characteristics of ipsec-VPN[6] can be explained reasonably in terms of its advantages and functional features, and the configuration of a complete ipsec-VPN network environment can be verified step by step. An in-depth analysis of the technical features of ipsec-VPN before implementation is therefore the most important part of a rigorous simulation. The topology is shown in Figure 1.

Fig. 1. IPsec VPN topology design

The four elements of IPsec VPN for data transmission on the network are as follows:

1. Encryption: symmetric encryption and asymmetric encryption

2. Packet integrity: MD5 check

3. Source identification: digital signature

4. Non-repudiation: proves whether the source sent the packets

Requirements:

PC1 and PC3 need secure, private and complete data transmission. To achieve this without a dedicated line, the method adopted is an ipsec-VPN between the two sites.

Before an ipsec-VPN project is implemented, the reachability of the underlying routes is the basic guarantee for the application of the ipsec-VPN on the upper layer. Therefore, the routes must be connected first.

The core of the underlying configuration is the principle of "two pings and one known route":

(1) Encryption point routes: each encryption point must know the routes to both parties' communication points and to the other party's encryption point, and must be able to ping both parties' communication points and the other party's encryption point.

(2) Communication point route: each communication point must know the route to the other party's communication point.

Technical analysis:

First, R1 receives the packet sent by the PC; the packet is destined for the address of PC2. When R1 receives the packet, it checks its source and destination IP addresses. Traffic to PC2 leaves R1 towards the ISP through F0/0 by default, so the packet is matched against the policy mounted under F0/0, the crypto map (what the author calls the "big box"). Before matching that policy, R1 checks whether the packet's source and destination match the interesting traffic defined by the ACL written on R1. If the packet is interesting traffic, it matches the crypto map directly and enters the phase 1 policy negotiation.

Phase 1 negotiation: the negotiation is conducted over UDP port 500 and six packets are exchanged.

Packet 1: R1 sends its phase 1 configuration to R3 (in clear text):

R1(config)# crypto isakmp policy 10
/* Define a policy */

R1(config-isakmp)# group 2
/* Put R1 and R3 in the same DH group */

R1(config-isakmp)# hash md5
/* The hash algorithm MD5 is used for authentication between R1 and R3 */

R1(config-isakmp)# encryption des
/* Use the DES algorithm to encrypt the authentication exchange */

R1(config-isakmp)# authentication pre-share
/* Use a pre-shared key for authentication */

Packet 2: R3 sends its phase 1 negotiation configuration to R1 (in plaintext).

Packets 3 and 4: the public keys are exchanged (in plaintext), and from the resulting key Q three sub-keys are derived: A, B and C.

A: used for the transmission of packets 5 and 6; it acts as the hashing key.

B: used for the transmission of packets 5 and 6; it acts as the encryption key.

C: used for the transmission of the real data packets. C in turn generates two sub-keys: H (hashing) and F (encryption).

Packets 5 and 6: R1 computes an MD5 hash of the pre-shared key it has configured (KKK) concatenated with sub-key A derived from the key Q, that is, MD5(KKK+A). The hash value is encrypted with sub-key B, and the packet is passed to R3. Conversely, R3 does the same to pass its hash value to R1. For troubleshooting:

show crypto isakmp sa[7] shows the state; if the QM field (QM_IDLE) is displayed, the six packets have been negotiated successfully. After the completion of the first phase, two things have been accomplished:

(1) Authentication has been completed.

(2) The shared key and the two sub-keys for encrypting the real data packets have been generated.
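The key derivation and the packet 5/6 authentication described above, as an added example that is not part of the paper: a Python model of IKEv1 main mode with pre-shared-key authentication, following the formulas of RFC 2409 for the policy configured here (group 2, hash md5, authentication pre-share). The sub-keys the paper calls A, B and C are SKEYID_a, SKEYID_e and SKEYID_d in the RFC; the block shows that the DH exchange alone always agrees on a key, and that only the pre-shared key, mixed into SKEYID, makes the HASH_I check in packet 5 succeed or fail. Cookies, nonces, SA and ID payload bytes and the initiator address 56.1.1.5 are constructed sample values, not taken from the paper.

```python
"""IKEv1 main mode, pre-shared-key authentication (RFC 2409), as a model of the
six-packet phase 1 exchange. Added example; not IOS code and not from the paper."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of DH group 2 (RFC 2409 section 6.2); generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
DH_LEN = 128  # group 2 public values and g^xy are 128 octets


def prf(key: bytes, data: bytes) -> bytes:
    """With 'hash md5' the IKEv1 prf is HMAC-MD5 (RFC 2409 section 5)."""
    return hmac.new(key, data, hashlib.md5).digest()


def derive_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID for pre-shared keys (RFC 2409 section 5.4) and its three sub-keys."""
    skeyid = prf(psk, ni + nr)                                          # the shared key "Q"
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")               # "C": seeds phase 2 data keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")    # "A": authenticates ISAKMP msgs
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")    # "B": encrypts packets 5 and 6
    return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes) -> bytes:
    """HASH_I, carried in packet 5 (encrypted under SKEYID_e in the real protocol)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the exchange between R1 (initiator) and R3 (responder) and report the outcome."""
    # Packets 1/2: SA proposal and ISAKMP cookies, in cleartext. Constructed sample bytes.
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    sai_b = b"\x00\x00\x00\x01" + b"isakmp-policy-10"   # stand-in for the SA payload body
    # Packets 3/4: DH public values and nonces, in cleartext.
    x_i = secrets.randbelow(GROUP2_P - 2) + 1
    x_r = secrets.randbelow(GROUP2_P - 2) + 1
    gxi = pow(GROUP2_G, x_i, GROUP2_P).to_bytes(DH_LEN, "big")
    gxr = pow(GROUP2_G, x_r, GROUP2_P).to_bytes(DH_LEN, "big")
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Each side computes g^xy from its own private exponent and the peer's public value.
    gxy_i = pow(int.from_bytes(gxr, "big"), x_i, GROUP2_P).to_bytes(DH_LEN, "big")
    gxy_r = pow(int.from_bytes(gxi, "big"), x_r, GROUP2_P).to_bytes(DH_LEN, "big")
    keys_i = derive_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = derive_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)
    # Packet 5: initiator identity (ID type 1 = IPv4 address; 56.1.1.5 is constructed) and HASH_I.
    idii_b = b"\x01\x00\x00\x00" + bytes([56, 1, 1, 5])
    sent = hash_i(keys_i["skeyid"], gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    # Responder recomputes HASH_I from its own SKEYID and compares in constant time.
    expected = hash_i(keys_r["skeyid"], gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    return {
        "dh_agreed": gxy_i == gxy_r,        # always true: DH alone does not authenticate anyone
        "keys_match": keys_i == keys_r,     # true only when both sides hold the same pre-shared key
        "authenticated": hmac.compare_digest(sent, expected),  # phase 1 reaching QM_IDLE
    }


if __name__ == "__main__":
    print("same PSK:     ", main_mode(b"Cisco", b"Cisco"))
    print("different PSK:", main_mode(b"Cisco", b"cisco"))
```

The second call models the common "stuck in MM_KEY_EXCH" troubleshooting case: the DH values agree on both routers, but a pre-shared key that differs even in case produces different SKEYID values, so the hash in packet 5 never verifies and phase 1 does not complete.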

Phase II Negotiation:

To determine how the real data transmission is encapsulated, encrypted and hashed, the following command is issued; it determines all of the above policies:

R1(config)# crypto ipsec transform-set aaa esp-des esp-md5-hmac

Run the following command to check whether the encapsulation mode, encryption algorithm and hash algorithm of the two sides are the same:

show crypto ipsec sa /* View the result of the phase 2 negotiation */

For R3 and R1 to establish an ipsec-VPN relationship, the inbound attributes of R3 must be identical to the outbound attributes of R1, and the inbound attributes of R1 must be identical to the outbound attributes of R3; only then is the ipsec-VPN relationship established. If any attribute differs between the two sides, something is wrong with the phase 2 negotiation.

Now the real data is transmitted. Most importantly, the IP packet after the encapsulation process is drawn and explained in detail, as shown in Figure 2.

Fig. 2. Packet encapsulation process

When R3 receives this packet, it removes the outer header and then sees the ESP[8] header. It checks whether the SPI value in the packet is the same as its own inbound SPI. If so, it decrypts the packet with the negotiated algorithm and verifies its integrity, until the packet is completely unwrapped. Finally, it finds that the destination is 172.16.1.2, a network segment directly connected to itself, so it forwards the packet directly onto that segment.
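The receive-side processing just described, as an added Python example that is not from the paper: what R3 does with an ESP packet under the transform set esp-des esp-md5-hmac. It looks up the inbound SA by SPI, verifies the HMAC-MD5-96 integrity check value before anything is decrypted or parsed (the order RFC 2406 requires, so a corrupted or forged packet is dropped without being processed), enforces the 64-packet anti-replay window, and strips the ESP trailer to recover the inner packet. The Python standard library has no DES, so the DES-CBC step is a clearly labelled XOR-keystream stand-in with the same 8-byte block size; the SPI, keys and inner packet bytes are constructed sample values.

```python
"""Receive-side ESP processing (RFC 2406): SPI lookup, ICV check, anti-replay,
trailer removal. Added example, not the paper's code; DES-CBC is replaced by a
labelled stand-in because the standard library has no DES."""
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-MD5-96 truncates the 16-byte MAC to 96 bits
BLOCK = 8           # DES block size: IV length and padding granularity
REPLAY_WINDOW = 64


class InboundSA:
    """One direction of an IPsec SA on the receiver (R3), indexed by SPI."""
    def __init__(self, spi: int, auth_key: bytes, enc_key: bytes):
        self.spi, self.auth_key, self.enc_key = spi, auth_key, enc_key
        self.highest_seq = 0   # highest sequence number accepted so far
        self.window = 0        # bitmap of accepted sequence numbers below highest_seq


def stand_in_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """STAND-IN for DES-CBC, not a real cipher: XOR with an MD5-derived keystream.
    Symmetric, so the same call encrypts and decrypts; keeps the 8-byte block structure."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hashlib.md5(key + iv + i.to_bytes(4, "big")).digest()[:BLOCK]
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def compute_icv(auth_key: bytes, authenticated: bytes) -> bytes:
    """HMAC-MD5-96 over SPI | sequence number | IV | ciphertext."""
    return hmac.new(auth_key, authenticated, hashlib.md5).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, auth_key: bytes, enc_key: bytes, inner: bytes,
              next_header: int = 4) -> bytes:
    """Sender side (R1): ESP header | IV | enc(inner | padding | pad len | next header) | ICV.
    next_header 4 means a whole IP packet is inside, i.e. tunnel mode."""
    pad_len = (-(len(inner) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))                        # RFC 2406 default padding 1,2,3,...
    iv = hashlib.md5(struct.pack("!I", seq)).digest()[:BLOCK]     # constructed, deterministic IV
    ciphertext = stand_in_cipher(enc_key, iv, inner + padding + bytes([pad_len, next_header]))
    authenticated = struct.pack("!II", spi, seq) + iv + ciphertext
    return authenticated + compute_icv(auth_key, authenticated)


def receive_esp(sa_table: dict, packet: bytes):
    """Receiver side (R3). Returns (verdict, inner packet or drop reason, next header)."""
    if len(packet) < 8 + BLOCK + ICV_LEN:
        return "drop", "truncated ESP packet", None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sa_table.get(spi)
    if sa is None:                                  # the paper's "SPI must equal our inbound SPI"
        return "drop", "no inbound SA for SPI 0x%08x" % spi, None
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Integrity first: nothing is decrypted or parsed until the ICV verifies.
    if not hmac.compare_digest(compute_icv(sa.auth_key, authenticated), icv):
        return "drop", "ICV mismatch (tampered or wrong key)", None
    # Anti-replay: sliding bitmap over the last REPLAY_WINDOW sequence numbers.
    if seq == 0:
        return "drop", "sequence number 0 is never valid", None
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window = ((sa.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        sa.highest_seq = seq
    else:
        back = sa.highest_seq - seq
        if back >= REPLAY_WINDOW or (sa.window >> back) & 1:
            return "drop", "replayed or too-old sequence number %d" % seq, None
        sa.window |= 1 << back
    iv, ciphertext = authenticated[8:8 + BLOCK], authenticated[8 + BLOCK:]
    plain = stand_in_cipher(sa.enc_key, iv, ciphertext)
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len + 2 > len(plain):
        return "drop", "bad pad length", None
    return "accept", plain[:len(plain) - 2 - pad_len], next_header


def demo() -> list:
    """Constructed walk-through: good packet, its replay, a tampered copy, an unknown SPI."""
    spi, akey, ekey = 0x0000C0DE, b"constructed-auth-key", b"constructed-enc-key"
    table = {spi: InboundSA(spi, akey, ekey)}
    good = build_esp(spi, 1, akey, ekey, b"inner IP packet from PC1 to PC3")
    results = [receive_esp(table, good)[0], receive_esp(table, good)[0]]
    tampered = good[:20] + bytes([good[20] ^ 0x01]) + good[21:]   # flip one ciphertext bit
    results.append(receive_esp(table, tampered)[0])
    results.append(receive_esp(table, build_esp(0xBAD, 2, akey, ekey, b"x"))[0])
    return results   # ['accept', 'drop', 'drop', 'drop']


if __name__ == "__main__":
    print(demo())
```

The verdicts are what a capture on the outer link cannot show: only the SPI and sequence number are readable there, and whether R3 accepts the packet depends on the ICV and replay state it holds for that SA.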

A stable ipsec-VPN network architecture definitely depends on a stable underlying network architecture, so the first element to pay attention to is the establishment of the underlying network. The network environment in this paper consists of the independent network environments of the two campuses; the connection and the differences between the internal network construction of the main campus and that of the branch campus must be considered, and the ISP (Internet Service Provider) network model between the two is even more essential. Because of the resource limitations of the experimental environment, this paper uses an appropriate simplification to represent the ISP. The network architecture between the main campus and the branch campus is described in detail below.

Figure 3 shows the Intranet structure of the main campus.

Fig. 3. Intranet structure of the main campus

The internal network of the main campus adopts the traditional local area network (LAN)[9] construction method: the access layer switches connect to the aggregation layer switches, the aggregation layer switches connect to the core layer switches, and the Layer 3 switches send the data packets to the external network. The terminals below the access layer switches are not annotated in detail. What can be seen is that the two core switches R9 and R10 have a redundant backup mechanism between them, so that whichever side receives a terminal's packets, load balancing can be performed, and even if one device goes down because of force majeure, the other can switch over seamlessly and instantly carry all of the current traffic. This safety mechanism is the most basic requirement and a very strong guarantee. Of course, great attention should be paid to the selection of devices at each layer. In this simulation experiment, Cisco 3640 series switches are used for the access layer, Cisco 3745 series IOS-based Layer 3 switches for the aggregation layer, and 3745 and 7200 routers for the core layer. Since the simulation environment limits the selection of devices, and considering that the real network environment can still be represented, such IOS images are sufficient to support this experiment and achieve its overall purpose.

Figure 4 shows the DMZ[10]structure on the main campus.

Fig. 4. DMZ structure on the main campus

Figure 5 shows the structure of the core area of the main campus.

Fig. 5. Structure of the core area of the main campus

R5 is the core router of the main campus; its job is to forward network packets to the outside network, interconnecting the core with the outside. In today's rapidly developing Internet environment this creates an awkward situation: no network environment is absolutely safe, and a network environment will often be attacked, for example by the well-known DoS[11] (Denial of Service) and DDoS (Distributed Denial of Service) attacks, in which a terminal with unlimited packet-sending capability is set up, intervenes in the core network by technical means and sends an endless stream of packets to the server, so that the server's ability to respond to requests is paralysed instantly and it can no longer respond to any customer's request. This is obviously a great threat to a stable network environment. Therefore, adding a firewall inside a strict network environment to resist basic external network attacks is an inevitable trend.

Figure 6 shows the ISP area structure.

Fig. 6. ISP area structure

The core of the branch campus is much the same as the core of the main campus; the number of devices may be reduced, because in the branch campus area the number of servers can be reduced: some core servers, such as the mail server, are reached from the branch through the IPsec VPN over the public network, dedicated to the main campus, to access the mail server on the main campus and obtain resources. This saves a lot of resources.

Figure 7 shows the regional network structure.

Fig. 7. Regional network structure

The intranet structure of the branch campus area is similar to that of the main campus area, so it is not repeated here. The next task is to deploy a real ipsec-VPN dedicated line, so that all packets achieve real secure communication between R8 and R1.

Figure 8 shows the overall topology design.

In order to simulate more realistically the effect of running IPsec VPN in a campus network, the network topology design adopts a structure similar to that of a live network. Device access-layer switches and terminal access-layer switches are linked to two Layer 3 switches, each with redundant links, and the two Layer 3 switches are connected redundantly to each other. The purpose is to improve the reliability of the network environment: if one core device goes down because of force majeure, the other can take over the main role of forwarding traffic smoothly, which is the biggest purpose of this design. Of course, at Layer 2, QoS[12] technology can also be used to prioritize the forwarding of data traffic, and equal-cost or unequal-cost load balancing can be implemented as required.

Fig. 8. Overall topology design

All in all, a network design with redundant systems is clearly comprehensive, secure and most practical for customers. The two Layer 3 switches are connected to one core router at the same time. This core router obviously plays a very important role, because all the traffic from the campus network is forwarded through it. The R6 router emulates a simple ISP environment. The internal environment of an ISP may be very complex, but because of the limitations of the simulator only a limited number of routers and switches can be enabled, so a single router plays the role of the ISP here; if a richer ISP environment is required, several routers, switches, firewalls, IPS or Intrusion Detection System (IDS)[14] devices can be added to meet the requirements of the live network. The network structure of the branch campus is basically the same as that of the main campus, so in order to optimize the network topology and make it easier to understand, the branch campus is simulated simply as one core router and one access-layer switch. The key point of the topic is to study how IPsec VPN is implemented and what its technical difficulties are, and such a simple physical structure is sufficient to support the implementation of ipsec-VPN. Figure 8 shows the overall topology design.

III. Coding to implement VPN network security

The principle of implementing ipsec-VPN is "two pings and one known route". As long as this concept is adhered to, it is the best core idea for the construction of IPsec-VPN; if these two points are not achieved, the IPsec-VPN network architecture is empty talk.

Two concepts, the encryption point and the communication point, are very important in IPsec VPN. After all, a VPN environment implements an encryption and decryption process, so there must be an encryption point where the data is encrypted; correspondingly, the communication points are the terminal devices at the two ends of the network environment, which need to communicate with each other. Encryption point: it must know the routes to both parties' communication points and to the other party's encryption point, and be able to ping both parties' communication points and the other party's encryption point. Communication point: it must know the route to the other party's communication point.

To implement these two principles and guarantee the underlying configuration of the ipsec-VPN, the underlying routes must be reachable.

Configure the underlying routes of the ipsec-VPN:

Encryption points: R5 and R7

Communication points: R1 and R8

The ISP runs the Interior Gateway Protocol (IGP) Open Shortest Path First (OSPF), so the routes between the encryption points are correct.

R5:

router ospf 100

router-id 5.5.5.5

log-adjacency-changes

redistribute static subnets

network 5.5.5.5 0.0.0.0 area 0

network 56.1.1.0 0.0.0.255 area 0

ip route 111.1.1.1 255.255.255.255 FastEthernet0/0

ip route 192.168.1.1 255.255.255.255 59.1.1.9

Figure 9 shows the neighbor relationship.

Fig. 9. Neighbor state

R6:

router ospf 100

router-id 6.6.6.6

network 6.6.6.6 0.0.0.0 area 0

network 56.1.1.0 0.0.0.255 area 0

network 67.1.1.0 0.0.0.255 area 0

R7:

router ospf 100

router-id 7.7.7.7

redistribute connected subnets route-map kehu

redistribute static subnets

network 7.7.7.7 0.0.0.0 area 0

network 67.1.1.0 0.0.0.255 area 0

ip route 8.8.8.8 255.255.255.255 FastEthernet0/1

route-map kehu permit 10

match interface FastEthernet0/1

The OSPF in the ISP has been established. Then, it is necessary to analyze whether the encryption point has synchronized the routes of the encryption point and the communication point of the other party, as shown in Figure 10.

Fig. 10. Routing list

R5:

Phase 1 configuration of the ipsec-VPN:

crypto keyring tjpu

// Define a keyring named tjpu

pre-shared-key address 67.1.1.7 key Cisco

// Pre-shared key authentication: the peer 67.1.1.7 is expected to present the key Cisco

crypto isakmp profile Mary

// Define a profile named Mary that references the pre-defined key authentication policy and specifies who is to be authenticated: if an ipsec-VPN request from 67.1.1.7 is received, the authentication method is the keyring tjpu defined above

keyring tjpu

// Reference the predefined keyring by name

match identity address 67.1.1.7

// Specify whom to authenticate

crypto isakmp policy 10

group 2

hash md5

encryption des

authentication pre-share

// Define the phase 1 authentication policy. Both peers join the same DH group, share the same P and G parameters, run the DH algorithm, exchange their public keys and generate the same key Q; from this key three sub-keys A, B and C are extended. A is used for the MD5 hash of the authentication policy, B for encrypting the authentication information, and C for the real user data encryption in the second phase. R1 first hashes the pre-shared key cisco together with its own sub-key A, then encrypts the hash value with key B. After R3 receives the encrypted hash, it decrypts it with its own sub-key B, then computes the MD5 hash of its pre-shared key cisco plus its own sub-key A and compares the two hash values. If they are the same, authentication succeeds, and key C spawns two child keys, H (signing) and F (encryption): MD5-HMAC hashes the real data with H, and DES encrypts it with F.

On simulator R5, the first-stage configuration is shown in Figure 11:

Fig. 11. First stage configuration

On simulator R5, the second-stage configuration is shown in Figure 12:

Fig. 12. Second stage configuration

show crypto isakmp policy (Figure 13):

// View information about the current ipsec-VPN policy

Fig. 13. IPsec policy

It can be seen that only R5 has enabled the ipsec-VPN service, while the peer R7 has not, so the current peer relationship is empty and the ipsec-VPN service has not been established. The connectivity between R5 and R7 can now be tested. Since ipsec-VPN is enabled on R5, the packets it sends are encrypted; if VPN is not enabled on R7, the packets sent by R5 cannot be decrypted. The expected result is therefore that connectivity between R5 and R7 is down because ipsec-VPN is enabled only on R5.

After debug ip icmp and debug ip packet are enabled on R7, the ipsec-VPN connectivity information is displayed, as shown in Figure 14.

Fig. 14. Ipsec-VPN connectivity information

R5 and R7 have been successfully connected through the ipsec-VPN. The ipsec-VPN has been established and is in the ACTIVE state.

IV. The ipsec-VPN is analyzed using Wireshark

In this section, Wireshark is used to capture packets in the completed experimental environment. From the capture a clear conclusion can be drawn as to whether the packets have been encrypted and encapsulated, so that it can be seen intuitively whether the packets sent from encryption point R5 to encryption point R7 are encrypted and encapsulated. The packet capture process is as follows.

First, associate Wireshark with GNS3 and then start Wireshark [15]. Then ping from R5 to test the encryption point on R7, as shown in Figure 15.

Fig. 15. Wireshark analysis

At this point the ipsec-VPN experimental environment has been set up, and the previous chapter gave an emergency solution that can basically resolve a VPN failure. Although the basic communication function of the ipsec-VPN has been completed, the experimental environment designed in this paper is obviously not perfect. Judged from the perspective of a truly healthy and secure network environment it is not very convincing, so such a network environment should be evaluated and improved from many objective perspectives. If there are opportunities in study and life to build such an environment, implementing this challenging experiment on real equipment would be very exciting.

For example, the most regrettable aspect of this experiment is that the actual effects of IPS and IDS devices, firewalls and servers cannot be shown in the experimental results. To make the whole policy process more realistic, they can only be described within the limitations of the simulator itself. This section describes how the above devices work in a network environment, the important roles they play, and the key devices and services commonly used in a network environment.

On the other hand, after the IPsec VPN is set up, the effect of encrypted data transmission can only be simulated by sending a few ping packets as a test; there is no way to simulate richer data to produce a more appropriate experimental result. The greatest pity of this experiment is therefore that, due to the limitations of the simulator, a mature network environment cannot be simulated more realistically. This deserves close attention in later study and research.

However, although the experimental environment is currently applied to a campus network, extending it to an enterprise network is feasible, though of course with many insecure factors. Generally speaking, an enterprise network has a center for storing and processing enterprise information. The network has a large number of hosts, heavy data traffic, high requirements for security and real-time performance, and very important switching capability, stability and security. The access layer uses Layer 2 or Layer 3 switches for aggregation according to the actual situation of the enterprise. Therefore, a simple campus network can be directly extended to a mature enterprise network, whose principles are much the same.

V. Conclusion and Recommendations

This article mainly introduces the entire process of building an ipsec-VPN network environment with GNS3 and SecureCRT. The experiment mainly implements a design idea and implementation scheme for deploying an IPsec VPN in a mature campus network environment. It considers the security, stability and efficiency of the network environment and, more importantly, lets network engineers carry out safe maintenance and operations between different campuses. The main functions of the network environment are complete and can meet the basic requirements of network engineers. The whole network environment runs well, and no error is reported after many sniffer packet capture tests. The results of all debug messages and log messages are normal, indicating that the overall design of this experimental topology is successful.

VI. References

[1] Richard Deal. Cisco VPN Complete Configuration Guide [M]. Beijing: Posts and Telecommunications Press, 2012, 65-90.

[2] Qin Ke. Cisco IPSec VPN Practical Guide [M]. Beijing: Posts and Telecommunications Press, 1st Edition, 2012, 23-40.

[3] Jazib Frahim. Cisco ASA Equipment Use Guide [M]. Beijing: Posts and Telecommunications Press, 1st Edition, 2010, 20-53.

[4] Randy Zhang and B. Micah. Design and Implementation of BGP [M]. Beijing: Posts and Telecommunications Press, 2012, 40-55.

[5] Moy J. RFC 1247, OSPF Protocol Analysis [S]. IETF, 1991, 40-66.

[6] Moy J. RFC 1247, OSPF Protocol Analysis [S]. IETF, 1991.

[7] Carlton Davis. Securing VPNs using IPSec [M]. Osborne/McGraw-Hill, 2001, 40-55.

[8] Doyle Jeff and J. Carroll. Routing TCP/IP Volume 1 [M]. 2nd Ed. US: Cisco Press, 2005, 45-75.

[9] Randy Zhang and B. Micah. Design and Implementation of BGP [M]. Posts and Telecommunications Press, 2012.

[10] Li Y, Li Y, Li Y, et al. Implementing Cisco IP Routing in network networks [J]. Journal of Network Management, 2010, 28(2): 286-283.

[11] Liu J, Liu J, Liu J, et al. Troubleshooting IP Routing Protocols [M]. USA: Cisco Press, 2002, to 50.

[12] R. Perrhurst William. Cisco OSPF Command and Configuration Handbook [M]. USA: Cisco Press, 2008-45.

[13] Doyle Jeff, J. Carroll. Routing TCP/IP Volume 1 [M]. 2nd Ed. US: Cisco Press, 2005.

[14] Jazib Frahim and H. Kiang. SSL and Remote Access VPN [M]. Beijing: Posts and Telecommunications Press, 1st Ed., 2009, 65-85.

[15] Wei Luo, P. Arlos and B. Mitry. Layer 2 VPN Architectures [M]. Press, 2004, 25 to 30.

