IPsec: a security architecture for the IP layer
IPsec provides security services at the IP layer. It lets a system select the security protocols it needs, determine the algorithms those services use, and put the keys required by those services in place. IPsec can protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
The set of security services IPsec can provide includes access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of partial sequence integrity), confidentiality (encryption), and limited traffic-flow confidentiality. Because these services are provided at the IP layer, they can be used by any higher-layer protocol, such as TCP, UDP, ICMP or BGP.
These goals are met through two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), together with key-management procedures and protocols. Which IPsec protocols are required, and how they are used, is determined by the security and system requirements of the users, applications and/or sites and organizations involved.
When these mechanisms are implemented and used correctly, they should not adversely affect users, hosts or other parts of the Internet that do not rely on them to protect their traffic. The mechanisms are also designed to be algorithm-independent: this modularity lets a different set of algorithms be chosen without affecting the other parts of the implementation, so that, for example, different user communities can use different sets of algorithms if needed.
Defining a standard default set of algorithms makes global interoperability on the Internet easier. These algorithms, together with IPsec traffic protection and key-management protocols, give system and application developers a way to deploy high-quality Internet-layer cryptographic security.
IPsec is not itself an encryption or authentication algorithm, nor does it prescribe a particular encryption or authentication algorithm in its data structures. It is an open framework defined on top of the IP packet format: it supplies the data structures through which encryption or authentication of the data is carried out, and so provides a uniform architecture for implementing such algorithms. Different encryption algorithms can therefore be used during network data transmission within the architecture IPsec defines.
IPsec (Internet Protocol Security) is a standard mechanism that provides authentication, integrity and confidentiality for packets traversing an IP network, at the network layer.
IPsec operates at layer 3 of the OSI model, so on its own it can protect any TCP- or UDP-based protocol, unlike Secure Sockets Layer (SSL), which does not protect UDP traffic. It also means that, compared with transport-layer and higher-layer protocols, IPsec must itself handle reliability and fragmentation issues, which adds to its complexity and processing overhead. SSL/TLS, by contrast, relies on TCP at layer 4 of the OSI model to manage reliability and fragmentation.
Notes on configuring IPsec on Windows
1. On Windows 2003, IPsec (the PolicyAgent service) conflicts with the RemoteAccess service, and the RemoteAccess service conflicts with the SharedAccess service. By enabling IP forwarding in the registry, IPsec can work with the SharedAccess service running, and the RemoteAccess service does not need to be started.
D:\>reg.exe query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "IPEnableRouter"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter REG_DWORD 0x1
D:\>
However, if an interface uses IPsec, the SharedAccess service must be stopped before IP forwarding takes effect.
2. Creating an IPsec tunnel policy essentially means creating two IPsec filters, neither of which needs to be mirrored:
an IPsecTunnelIn filter, whose tunnel endpoint is the other party's endpoint, and
an IPsecTunnelOut filter, whose tunnel endpoint is this host's own endpoint.
3. On Windows 2003, IPsec configuration can be examined and debugged with the netsh tool.
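A scripted way to build the two filters just described, as an added example rather than anything from the original page: it uses netsh ipsec static (the command-line counterpart of secpol.msc, with the syntax as shipped on Windows Server 2003) and the page's example addresses. The policy, filter-list and rule names, the pre-shared-key placeholder, and the assumption that 10.47.159.251 is this gateway and 10.47.159.66 the peer are mine.

```batch
@echo off
rem Added example (not from the page): the two tunnel filters of item 2 built with
rem "netsh ipsec static" instead of secpol.msc.  Assumed: netsh ipsec static syntax as
rem shipped with Windows Server 2003, the policy/list/rule names below, the PSK
rem placeholder, and that 10.47.159.251 is this gateway and 10.47.159.66 the peer.
setlocal
set LOCAL_GW=10.47.159.251
set PEER_GW=10.47.159.66
set LOCAL_NET=172.16.159.0
set PEER_NET=192.168.22.0
set PSK=REPLACE_WITH_PRESHARED_KEY

rem Policy with main-mode settings matching the "show mmpolicy" output: 3DES/MD5/DH group 2;
rem mmlifetime is given in minutes (1440 min = 86400 s).
netsh ipsec static add policy name=SiteTunnel mmpfs=no mmlifetime=1440 mmsecmethods="3DES-MD5-2"

rem IPsecTunnelIn: traffic entering the tunnel (local net -> peer net), not mirrored.
netsh ipsec static add filterlist name=IPsecTunnelIn
netsh ipsec static add filter filterlist=IPsecTunnelIn srcaddr=%LOCAL_NET% srcmask=255.255.255.0 dstaddr=%PEER_NET% dstmask=255.255.255.0 protocol=ANY mirrored=no

rem IPsecTunnelOut: traffic leaving the tunnel (peer net -> local net), not mirrored.
netsh ipsec static add filterlist name=IPsecTunnelOut
netsh ipsec static add filter filterlist=IPsecTunnelOut srcaddr=%PEER_NET% srcmask=255.255.255.0 dstaddr=%LOCAL_NET% dstmask=255.255.255.0 protocol=ANY mirrored=no

rem Quick-mode action matching "show qmpolicy": ESP[3DES,MD5], 1048576 KB / 3600 s, no PFS,
rem and no fallback to clear text (soft=no, inpass=no).
netsh ipsec static add filteraction name=TunnelNegotiate action=negotiate qmpfs=no inpass=no soft=no qmsecmethods="ESP[3DES,MD5]:1048576k/3600s"

rem Tunnel rules: the endpoint of the "in" rule is the peer's gateway, the endpoint of
rem the "out" rule is this host, as item 2 states.
netsh ipsec static add rule name=TunnelIn policy=SiteTunnel filterlist=IPsecTunnelIn filteraction=TunnelNegotiate tunnel=%PEER_GW% conntype=all psk=%PSK%
netsh ipsec static add rule name=TunnelOut policy=SiteTunnel filterlist=IPsecTunnelOut filteraction=TunnelNegotiate tunnel=%LOCAL_GW% conntype=all psk=%PSK%

rem Assign the policy, then confirm with the same command as section 3.4: both quick-mode
rem filters must show "Mirrored: No" and two different tunnel targets.
netsh ipsec static set policy name=SiteTunnel assign=yes
netsh ipsec dynamic show qmfilter all
endlocal
```

Run it from an administrator cmd session on the gateway; if the final listing shows a mirrored filter or the same tunnel target on both filters, the rules were entered the wrong way round.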
C:\WIN2K3\system32>netsh
netsh>ipsec dynamic
netsh ipsec dynamic>show config
IPsec configuration parameters
---------------
IPSecDiagnostics : 0 --- corresponds to the system log
IKElogging : 0 --- corresponds to oakley.log
StrongCRLCheck : 1
IPSecloginterval : 3600
IPSecexempt : 3
Startup mode: Permit
Startup exemptions:
Protocol Source port Destination port Direction
--------- --------- --------- ---------
UDP 0 68 Inbound
netsh ipsec dynamic>
3.1. Enabling IKE logging (obsolete method)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley]
"EnableLogging"=dword:00000001
Then restart the machine; oakley.log appears in the C:\WINDOWS\Debug directory.
Of the configuration properties listed above, ikelogging and strongcrlcheck take effect immediately; all the others take effect after the next reboot.
3.2. Setting the route to the other party's intranet
3.3. Run secpol.msc to configure IPsec
3.4. Viewing IPsec with netsh
netsh ipsec dynamic>show mmpolicy all
IKE MM policy name: 6
IKE soft SA lifetime: 86400 seconds
Encryption Integrity DH Lifetime (Kb:secs) QM limit per MM
---------- --------- ---- ------------------ ---------------
3DES MD5 2 0:86400 0
netsh ipsec dynamic>show qmpolicy all
QM negotiation policy name: test
Security method Lifetime (Kb:secs) PFS DH group
----------------- ------------------- ------------
ESP[3DES,MD5] 1048576:3600 Derived from main mode
netsh ipsec dynamic>show mmfilter all
Main mode filters: Generic
------------------------------------------------------------------------------
Filter name: 15
Connection type: All
Source address: "My IP address" (255.255.255.255)
Destination address: 10.47.159.251 (255.255.255.255)
Authentication methods:
Pre-shared key
Security methods: 1
3DES/MD5/DH2/86400/QMlimit=0
------------------------------------------------------------------------------
Filter name: 14
Connection type: LAN
Source address: "My IP address" (255.255.255.255)
Destination address: 10.47.159.66 (255.255.255.255)
Authentication methods:
Pre-shared key
Security methods: 1
3DES/MD5/DH2/86400/QMlimit=0
2 generic filters
netsh ipsec dynamic>show qmfilter all
Quick mode filters (tunnel): Generic
------------------------------------------------------------------------------
Filter name: 14
Connection type: LAN
Source address: 192.168.22.0 (255.255.255.0)
Destination address: 172.16.159.0 (255.255.255.0)
Tunnel source: "any IP address"
Tunnel target: 10.47.159.66
Protocol: ANY Source port: 0 Destination port: 0
Mirrored: No
Quick mode policy: test
Inbound action: Negotiate
Outbound action: Negotiate
------------------------------------------------------------------------------
Filter name: 15
Connection type: All
Source address: 172.16.159.0 (255.255.255.0)
Destination address: 192.168.22.0 (255.255.255.0)
Tunnel source: "any IP address"
Tunnel target: 10.47.159.251
Protocol: ANY Source port: 0 Destination port: 0
Mirrored: No
Quick mode policy: test
Inbound action: Negotiate
Outbound action: Negotiate
2 generic filters
netsh ipsec dynamic>