
Security in virtual LANs: IPsec VPN

Nguyen Tran Tien

I. Introduction to VPNs

1. What is a VPN? Why do we use VPNs?

VPN stands for Virtual Private Network. It is a technology that uses a public network (the Internet) to connect the sites of a company so that they can share data resources. Figure 1-1 gives an overview of a VPN.

Figure 1-1. Connecting the networks of a company over the Internet

The main reason to deploy a VPN is cost savings. A corporation with offices all over the world constantly needs those offices to interact in order to conduct daily business. For those connections it can either lease dedicated lines between the offices (leased lines) or connect the offices over a public network such as the Internet and build a VPN across it. Although connecting LANs over the public Internet (a VPN) is clearly cheaper than a leased line, this model carries more risk, for example:

- data confidentiality
- the bandwidth available between the sites

2. VPN technologies

Figure 1-2: Classification of VPNs

A VPN lets you use the shared infrastructure of a service provider to implement your own private networks. There are two basic ways to implement this model:

- Overlay VPN (the service provider supplies virtual point-to-point links between the customer's sites), which includes technologies such as X.25, Frame Relay and ATM at layer 2, and Generic Routing Encapsulation (GRE) and IPsec at layer 3.

- Peer-to-peer VPN (the service provider takes part in routing the customer's traffic), implemented with routers and packet filters, with separate routing for each customer, or with MPLS VPN technology.

Frame Relay (layer 2 overlay VPN): the service provider implements it by provisioning permanent virtual circuits (PVCs) across the Frame Relay network.

MPLS VPN (layer 2 peer-to-peer): this started as a Cisco proprietary standard. Multiprotocol Label Switching was first known as Tag Switching and later, through the IETF standards process, became MPLS. Service providers are now increasingly offering MPLS VPN services to customers. A general principle of VPN technology is to encapsulate the data with a header carrying the address it is to be delivered to; MPLS VPN uses labels to encapsulate packets and so form the VPN connection between sites.

Generic Routing Encapsulation (GRE, layer 3 overlay VPN): developed by Cisco and later documented as RFC 1701; the IP header format for GRE is defined in RFC 1702. A GRE tunnel between two sites with reachable IP addresses is used as a form of VPN because the traffic between the sites is encapsulated in a GRE header. GRE was, and still is, used to carry other protocols across an IP backbone without the backbone having to run an additional protocol. Being a layer 3 IP protocol, GRE can encapsulate the following:

- AppleTalk
- Banyan VINES
- layer 2 bridged traffic
- CLNP
- DECnet
- IP
- IPX

Because it encapsulates so many protocols so flexibly, one might think GRE would be a good VPN solution, at least compared with VPN solutions that support a limited set of protocols. GRE, however, has two major drawbacks:

- Having been developed by Cisco, GRE only runs on Cisco routers.
- GRE cannot protect the data; in other words, it performs no user authentication, encryption or packet integrity checking.

Because of these two limitations, GRE cannot be used as a complete VPN solution on its own; it can, however, be combined with other solutions such as IPsec to build a stronger VPN deployment.

IPsec VPN (layer 3 overlay VPN): like GRE, IPsec (short for IP Security) is a layer 3 protocol. Beyond that, the two protocols have very little in common. One advantage GRE has over IPsec is that IPsec supports only TCP/IP and cannot be used with protocols such as IPX or AppleTalk. However, because GRE is an IP protocol, a GRE tunnel can be run inside an IPsec VPN connection to protect non-TCP/IP traffic. IPsec is a combination of standards defined in IETF RFCs. Where GRE offers no security at all, IPsec was designed specifically to carry sensitive traffic securely over an untrusted network (the Internet). IPsec addresses three main concerns:

- data confidentiality
- data integrity
- authentication

Compared with other VPN implementations, IPsec is the most popular and most widely deployed, not because IPsec is easy to deploy and troubleshoot, but because it is an open standard that was adopted by most network vendors once the first standards were approved. Nearly every network vendor that offers a VPN solution has at least minimal support for IPsec. Note that in a layer 3 overlay VPN the provider network is invisible to the customer's routing, which sees point-to-point links. Routing protocols run directly between the customer's routers to form neighbour relationships and exchange routing information; the service provider knows nothing about the customer's routing. The provider's responsibility is simply to transport data between the customer's sites.
3. VPN components

Not every VPN implementation includes all of these components. Moreover, depending on a company's own security policy requirements, it may not be necessary to use all of them. This section concentrates on the essential components of VPN implementations.

a. Authentication: one of the first concerns is verifying a device, or the identity of a person, before allowing it to establish a VPN connection into the private network. In general there are two kinds of authentication: device authentication and user authentication.

b. Encapsulation:

The encapsulation method defines how information and data are packaged and transported across the network; in other words, we need to know exactly what the format and content will be. Encapsulation also determines which kinds of applications or protocols can be placed in the payload of a VPN packet. Some VPN implementations encapsulate only application-layer information, while others can encapsulate a whole layer 3 or layer 2 packet. How the information is encapsulated matters a great deal because it directly affects the data as it passes through a firewall or through Network Address Translation (NAT).

c. Key management: three VPN components use keys: authentication, encryption and the hashing algorithm. Key management is therefore an important part of a VPN. More specifically, how are keys exchanged? Are keys created manually or automatically? How often are keys changed automatically to improve security? These questions are discussed later.

d. Packet integrity: it is entirely possible for a packet to be forged or eavesdropped on. Some VPN implementations let us choose how packet integrity is checked, or assure the recipient of the packet's origin through authentication. With packet authentication, a signature is attached to the packet. The signature is produced from the packet contents combined with a previously agreed key, all run through a hashing algorithm to produce the digital signature. This signature is attached to the original packet and sent to the recipient. At the receiving end the signature is checked, and if it is valid the receiver proceeds to decrypt the packet. Verifying the signature with the hashing algorithm consumes more CPU than the decryption itself.

e. Supported applications and protocols: when choosing a VPN implementation, we first need to determine which kind of data has to be protected. For example, if only IP traffic runs on the network, nearly every VPN implementation can be used; if both IP and IPX traffic must be protected, the number of usable VPN implementations drops quickly. Likewise, we may need to protect the data of a few specific applications such as web or e-mail, which affects the choice of VPN solution, for instance SSL versus PPTP or IPsec.

f. Address management:

Address management is mainly an issue for managing remote-access connections. A remote-access client is usually assigned an internal IP address, and keeping track of the IP address assigned to each client is an issue for remote-access client connections.

4. Advantages and disadvantages of VPNs

a. Advantages:

- Lower cost: a VPN can cost far less than alternatives such as Frame Relay, ATM or ISDN, because it removes the long-distance links between locations and replaces them with the connectivity and transport of an Internet service provider.

- Lower operating and management costs: by cutting long-distance charges, a VPN also significantly reduces the cost of operating a WAN. Companies can further reduce the total cost of WAN equipment with ISP-managed VPNs. Another reason operating costs drop is that the company does not have to pay to train and employ many network administrators.

- Better connectivity: a VPN uses the Internet for the internal connections between LANs. Because the Internet is reachable worldwide, users at any remote branch can easily connect to the private LANs.

- Security: because a VPN tunnels traffic through untrusted networks, safety is improved. In addition, a VPN adds security measures such as encryption, authentication and authorisation, so VPNs are rated highly for the secure transport of information.

- Efficient use of bandwidth: bandwidth is wasted when no Internet connection is active. With VPN technology the "tunnel" is formed only when there is a request to transfer information, and network bandwidth is used only while the Internet connection is active, which greatly limits wasted bandwidth.

- Easy to upgrade and extend: because a VPN relies on the Internet for the internal networks to communicate, future upgrades and growth are easy without additional investment in network infrastructure.

b. Disadvantages:

- Dependence on Internet quality: congestion on the Internet directly affects the quality of VPN connections.

- Lack of support for legacy protocols: today's VPNs are based entirely on IP. Many companies, however, continue to use mainframes alongside equipment that is more modern every day; the result is that a VPN is not suited to all of that equipment. The problem can be solved with layers of tunnelling mechanisms, but each of them can slow down network performance.

II. Overview of IPsec

1. Cryptographic terminology

Encryption is the process of transmitting data in a form that someone who wants to spy on the content cannot read without knowing the key used for the encryption. Depending on the encryption algorithm, either symmetric or asymmetric keys may be used. An encryption algorithm is based on a mathematical formula used for encryption and decryption; there are generally two related algorithms, one for encrypting and one for decrypting. Modern data confidentiality is based on keyed algorithms, which fall into two categories:

a. Symmetric-key algorithms: a symmetric-key algorithm relies on the sender and the receiver both knowing a secret key. The sender uses the secret key to encrypt the packet and the receiver uses the same key to decrypt it. The main problem with symmetric keys is distributing the key securely, without a third party learning it. Any third party who knows the secret key can insert itself into the packet transfer and modify the packet contents. DES, 3DES and AES are the common symmetric-key algorithms.

b. Asymmetric-key algorithms: an asymmetric-key algorithm, also known as a public-key algorithm, uses a pair of keys, one for encryption and one for decryption. The encryption key is called the public key and can be published. The other key is the private key, used for decryption, and must be kept secret. Although the two keys are mathematically related, one cannot be derived from the other. Anyone holding the recipient's public key can encrypt a packet, but the packet can only be decrypted with the private key that only the recipient knows. A secure channel for exchanging a secret key is therefore not needed with asymmetric-key algorithms.

To illustrate how an asymmetric-key encryption algorithm works, follow the example in figure 2-1.

Figure 2-1. Public-key encryption

1. Alice and Bob agree to use public keys.
2. Bob sends Alice his public key and Alice sends Bob her public key.
3. Alice sends Bob a message, encrypting it with Bob's public key.
4. Bob receives the message and decrypts it with his own private key.

c. Digital signatures: encrypting a message with the private key produces a digital signature, which is used for authentication and to identify the sender. A digital signature therefore not only protects the message contents but also authenticates the sender's identity. Alice and Bob communicating with digital signatures is shown in figure 2-2.

Figure 2-2. Signed message digest

1. Alice computes the hash value of the information she is going to send to Bob.
2. Alice encrypts the hash value with her private key; the result is the digital signature.
3. Alice sends the information together with the digital signature to Bob.
4. Bob decrypts Alice's digital signature with Alice's public key and computes the hash value of the information he received. If the two values match, Bob can be sure the information came from Alice and was not tampered with in transit. Any change to the received information produces a hash value different from the one recovered from the signature, and authentication fails.
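A worked version of the four steps above, as an added example that is not part of the original article: the digest is SHA-256, and the signing step is textbook RSA built on two well-known Mersenne primes so that it runs with the Python standard library alone. The key pair, the sample message and the tampered and wrong-key cases are all constructed for the demonstration; a real deployment uses properly generated keys and a padded signature scheme from a cryptography library.

```python
import hashlib

# Constructed toy RSA key pair: the factors are the Mersenne primes 2^127 - 1 and 2^521 - 1,
# chosen only because they are known primes whose product is large enough to hold a
# 256-bit digest. Never build a real key this way; use a crypto library's key generation.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # public exponent
D = pow(E, -1, PHI)       # private exponent (three-argument pow with -1 needs Python 3.8+)
ALICE_PUBLIC = (E, N)
ALICE_PRIVATE = (D, N)


def message_digest(message: bytes) -> int:
    """Step 1: hash the information to be sent and treat the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step 2: 'encrypt' the digest with the sender's private key; the result is the signature."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Step 4: recover the digest with the sender's public key and compare with a fresh hash."""
    e, n = public_key
    if not 0 < signature < n:
        return False                      # malformed signature, reject before any arithmetic
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


def demo() -> dict:
    """Step 3 plus the checks Bob performs, on constructed sample data."""
    message = b"Transfer 100 to account 42"        # constructed sample message
    signature = sign(message, ALICE_PRIVATE)
    tampered = b"Transfer 900 to account 42"       # constructed: one byte changed in transit
    other = b"Meeting moved to 3pm"                # constructed: a different signed message
    return {
        "genuine": verify(message, signature, ALICE_PUBLIC),
        # any change to the message gives a different hash, so the signature no longer matches
        "tampered": verify(tampered, signature, ALICE_PUBLIC),
        # a genuine signature taken from another message does not transfer to this one
        "reused": verify(message, sign(other, ALICE_PRIVATE), ALICE_PUBLIC),
        # without the private exponent, signing with the public exponent does not verify
        "wrong_key": verify(message, sign(message, ALICE_PUBLIC), ALICE_PUBLIC),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The order of operations is the point the figure makes: the hash is computed first and only the short digest is signed, so the receiver can check integrity and origin with one public-key operation regardless of message size.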

d. Encryption algorithms: many encryption algorithms have been developed for symmetric keys. The most common ones used for encryption are DES (56-bit key), 3DES (168-bit key) and AES (keys of up to 488 bits).

2. The IPsec security protocols

The goal of IPsec is to provide security services for IP packets at the network layer (layer 3). These services include access control, data integrity, authentication, anti-replay protection and data confidentiality. Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPsec security protocols used to provide this security on an IP network.

Before looking at the IPsec security protocols, it is necessary to understand the two IPsec modes, transport mode and tunnel mode, and the services each mode provides.

a. Encapsulating Security Payload (ESP): ESP provides confidentiality, data integrity and, optionally, data-origin authentication and anti-replay protection. It provides these services by encrypting the original payload and encapsulating the packet between a header and a trailer, as shown in figure 2-3.

Figure 2-3. ESP protecting an IP packet

ESP is identified by the value 50 in the protocol field of the IP header. The ESP header is placed after the IP header and before the upper-layer header; the IP header can be a new one in tunnel mode or the original one in transport mode. The Security Parameters Index (SPI) in the ESP header is a 32-bit value which, combined with the destination address and protocol in the IP header, identifies the security association (SA) used to process the packet. The SPI is agreed between the peers during the Internet Key Exchange (IKE); it serves as an index used to look up the SA in the security association database (SADB). The sequence number is a unique, monotonically increasing number inserted into the header by the sender; together with the record of packets already received it provides the anti-replay service. Anti-replay protection is common to both ESP and AH. The padding in the ESP trailer adds bytes after the payload, the amount depending on the cipher in use; the Pad Length field gives the number of pad bytes added so that the data can be recovered after decryption. The Next Header field identifies the type of data in the payload; for example, when ESP is used in tunnel mode this value is 4. The authentication data in the ESP trailer is used to verify data integrity. Because authentication always takes place after encryption, the authentication check is performed as soon as the packet is received and only then is it decrypted.

b. Authentication Header (AH): AH provides data integrity, data-origin authentication and optional anti-replay protection, but unlike ESP it provides no confidentiality. It therefore has a much simpler header than ESP. Figure 2-4 shows the AH header.
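The ESP layout described above, written out as an added example that is not part of the original article: the sender builds SPI | sequence number | encrypted (payload + padding + Pad Length + Next Header) | ICV, and the receiver verifies the ICV before decrypting and runs a sliding-window anti-replay check on the sequence number. The SPI, keys, block size, ICV length and sample payloads are constructed for the demonstration, and the "cipher" is a hash-derived keystream standing in for a real IPsec transform, so the block runs on the standard library alone; the Next Header values 6 (transport mode over TCP) and 4 (tunnel mode carrying a whole IP packet) show how the same trailer field distinguishes the two modes.

```python
import hashlib
import hmac
import struct

# Constructed SA parameters for the example; in IPsec these come from the IKE negotiation.
SPI = 0x0000ABCD
ENC_KEY = b"constructed-encryption-key"
AUTH_KEY = b"constructed-authentication-key"
BLOCK_SIZE = 4          # constructed cipher block size; it decides how much padding is added
ICV_LEN = 12            # 96-bit truncated ICV, computed here with HMAC-SHA-256
HEADER = struct.Struct("!II")   # SPI (32 bits) followed by the sequence number (32 bits)
NEXT_HEADER_TCP = 6     # transport mode protecting a TCP segment
NEXT_HEADER_IPIP = 4    # tunnel mode: the payload is a whole IP packet (value from the text)


def keystream(spi: int, seq: int, length: int) -> bytes:
    """Stand-in for the cipher: a hash-derived keystream, NOT a real IPsec transform."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(ENC_KEY + struct.pack("!III", spi, seq, counter)).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def esp_encapsulate(payload: bytes, next_header: int, seq: int) -> bytes:
    """Build header | encrypted(payload + padding + pad length + next header) | ICV."""
    pad_len = (-(len(payload) + 2)) % BLOCK_SIZE      # make the encrypted part a block multiple
    padding = bytes(range(1, pad_len + 1))            # 1, 2, 3, ... as in RFC 4303 default padding
    plaintext = payload + padding + bytes([pad_len, next_header])
    header = HEADER.pack(SPI, seq)
    ciphertext = xor_bytes(plaintext, keystream(SPI, seq, len(plaintext)))
    # Authentication covers header and ciphertext: encrypt first, then authenticate.
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


class ReplayWindow:
    """Sliding window over received sequence numbers (bit 0 = highest accepted number)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                    # sequence numbers start at 1
        if seq > self.top:                  # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # too old to track: drop
        if self.bitmap & (1 << offset):
            return False                    # already received: replay
        self.bitmap |= 1 << offset
        return True


def esp_decapsulate(packet: bytes, window: ReplayWindow):
    """Return ('ok', next_header, payload) or ('dropped', reason, None)."""
    if len(packet) < HEADER.size + ICV_LEN + 2:
        return ("dropped", "truncated", None)
    header, body, icv = packet[:HEADER.size], packet[HEADER.size:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = HEADER.unpack(header)
    if spi != SPI:
        return ("dropped", "no SA for SPI", None)
    # ICV first: nothing is decrypted, and the window is not updated, until the packet is genuine.
    expected = hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return ("dropped", "ICV mismatch", None)
    if not window.accept(seq):
        return ("dropped", "replayed or stale sequence number", None)
    plaintext = xor_bytes(body, keystream(spi, seq, len(body)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return ("ok", next_header, payload)


if __name__ == "__main__":
    window = ReplayWindow()
    pkt = esp_encapsulate(b"hello", NEXT_HEADER_TCP, 1)      # constructed transport-mode payload
    print(esp_decapsulate(pkt, window))                      # accepted
    print(esp_decapsulate(pkt, window))                      # same packet again: replay, dropped
    print(esp_decapsulate(esp_encapsulate(b"<inner IP packet>", NEXT_HEADER_IPIP, 2), window))
```

Checking the ICV before decrypting means a forged or corrupted packet costs the receiver one HMAC and nothing more, and a replayed packet never reaches the decryption step either.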

Figure 2-4. AH protecting an IP packet

AH is an IP protocol identified by the value 51 in the IP header. In transport mode its Next Header field carries the value of the upper-layer protocol being protected (for example, UDP or TCP); in tunnel mode this value is 4.

c. IPsec transport mode: in transport mode an IPsec header (AH or ESP) is inserted between the IP header and the upper-layer protocol header.

Figure 2-5. An IPsec packet in transport mode

In this mode the IP header is the same as the original one, except that the protocol field is changed to 50 (ESP) or 51 (AH) and the checksum is recalculated. The IP endpoints must be the communicating peers: the destination IP address in the IP header is not changed by the source, so this mode can only protect data when the packet's destination address and the IPsec destination address are the same. For IPsec, this mode is really useful when the traffic between two hosts is to be protected, rather than the traffic between two networks each containing many hosts. The biggest challenge of transport mode arises when IPsec is used to protect traffic between any two hosts in two networks; in addition, the IP addresses of both hosts must be routable in the IP packet. Because of the complexity of deploying IPsec in host-to-host transport mode, a typical VPN uses a VPN gateway to protect all the hosts at one site to all the peer hosts at another site. A typical site-to-site IPsec VPN deployment has many hosts at each site and the IPsec tunnel endpoints act as VPN gateway routers. When a VPN gateway protects a whole set of host addresses, IPsec transport mode runs into limitations. IPsec transport mode can still be used for VPN connections if a GRE tunnel is set up between the two sites: the GRE tunnel endpoints act as the end hosts and IPsec protects the traffic inside the GRE tunnel.

d. IPsec tunnel mode: tunnel mode is used when an IP node does not support GRE but wants to establish an IPsec VPN connection to another site. The most common example is a telecommuter.

Figure 2-6. An IP packet protected by AH and ESP in tunnel mode

In tunnel mode the original IP packet is encapsulated in another IP packet, and an IPsec header (AH or ESP) is placed between the original inner IP header and the new outer IP header. Because the packet is encapsulated with a new outer IP header, tunnel mode can be used to secure traffic between hosts behind the VPN gateways. In tunnel mode AH encapsulates the IP packet and a new IP header is added in front of the AH header. Although AH tunnel mode can use IPsec to protect the two VPN endpoints, it does not encrypt the data, so this mode is not really a good solution.

3. Key management and the Diffie-Hellman algorithm

Key exchange: there are many kinds of keys for different purposes: symmetric keys, asymmetric keys and encryption keys. Sharing a key in a protected way is a security problem in itself. There are several ways to solve it; one of them is the Diffie-Hellman key exchange algorithm. Whitfield Diffie and Martin Hellman first published their algorithm in 1976. The algorithm relies on the difficulty of computing discrete logarithms.

Figure 2-7. The Diffie-Hellman key exchange algorithm
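The exchange in figure 2-7 carried through in code, as an added example that is not part of the original article: each side keeps a private exponent, sends only g^x mod p, and both arrive at the same shared secret, which is then hashed into a session key. The prime p (the Mersenne prime 2^127 - 1), the generator g = 5 and the sample private values are constructed for the demonstration; IKE uses the standardised MODP groups with much larger primes. The brute-force discrete-log function shows, on a tiny group, the problem an eavesdropper who sees only the public values would have to solve, and that it is out of reach at the example's size.

```python
import hashlib
import secrets

# Group parameters for the worked example. P is the Mersenne prime 2^127 - 1, used only
# because it is a well-known prime; IKE uses the standardised MODP groups with far larger
# primes. G = 5 is a constructed generator choice for the demonstration.
P = 2**127 - 1
G = 5


def private_value() -> int:
    """Each side draws its own random secret exponent and never sends it."""
    return secrets.randbelow(P - 2) + 1


def public_value(private: int) -> int:
    """g^x mod p: the only thing that crosses the untrusted network."""
    return pow(G, private, P)


def shared_secret(peer_public: int, private: int) -> int:
    """(g^y)^x mod p; reject degenerate peer values that would force a trivial secret."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def session_key(secret: int) -> bytes:
    """Hash the shared secret into a fixed-size symmetric key (a stand-in for IKE's PRF)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange(alice_private: int, bob_private: int) -> tuple:
    """Run the exchange with given secrets; return (alice_key, bob_key, what_the_wire_shows)."""
    a_pub = public_value(alice_private)          # Alice -> Bob
    b_pub = public_value(bob_private)            # Bob -> Alice
    alice_key = session_key(shared_secret(b_pub, alice_private))
    bob_key = session_key(shared_secret(a_pub, bob_private))
    return alice_key, bob_key, (P, G, a_pub, b_pub)


def brute_force_discrete_log(public: int, p: int, g: int, limit: int = 1_000_000):
    """Find x with g^x = public (mod p) by trial; returns None once the budget is spent."""
    value = 1
    for x in range(limit):
        if value == public:
            return x
        value = value * g % p
    return None


if __name__ == "__main__":
    ka, kb, wire = exchange(private_value(), private_value())
    print("keys agree:", ka == kb)
    # On a constructed tiny group (p = 23, g = 5) the secret falls out in a few steps ...
    print("tiny group secret:", brute_force_discrete_log(8, 23, 5))
    # ... while the example group defeats the same search within its budget.
    print("example group secret:", brute_force_discrete_log(wire[2], P, G))
```

The range check in shared_secret matters in practice: a peer value of 1 or p - 1 would pin the shared secret to 1 or to a sign regardless of the private exponent, so it is rejected before any key is derived.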

a. Security associations and IKE operation: a security association, or SA, is the basic building block of IPsec. An SA is an entry in the SA database (SADB); it holds the security parameters negotiated between the two parties for IKE and for IPsec. IKE (Internet Key Exchange) operates in two main phases, plus an optional phase, to establish the IKE and IPsec SAs:

- Phase 1: authenticates the IKE peers to each other and establishes keys for the session. Phase 1 creates the ISAKMP SA (the security association for IKE, sometimes called the IKE SA) using the key exchange algorithm, cookies and an exchange of identities. Once the ISAKMP SA is established, all IKE exchanges between sender and receiver are protected with encryption, and data integrity is assured with authentication checks. The main purpose of IKE phase 1 is to set up a protected channel between the parties so that the phase 2 negotiation can take place securely.

- Phase 2: negotiates and establishes the IPsec SAs, using ESP or AH to protect the data in IP packets.

- Phase 1.5 (XAUTH): for remote-access connections, IPsec vendors usually add a step that makes it easier for clients to manage their IPsec connections. Phase 1.5 takes place between phase 1 and phase 2.

b. IKE phase 1:

Figure 2-8. IKE phase 1: Main mode

IKE phase 1 handles connection establishment:

- connection management
- key exchange policy: Diffie-Hellman
- device authentication
- remote-access setup (optional phase 1.5)

IKE phase 1 has two modes, Main and Aggressive. Both are used to establish the ISAKMP/IKE SA. The IKE SA has several parameters negotiated between the parties; the mandatory ones are the encryption algorithm, the hashing algorithm, the authentication method and the Diffie-Hellman group, plus others such as the connection lifetime.

Main mode: Main mode performs three two-way exchanges, six packets in total. The three exchanges correspond to the three steps above: negotiating the security policy for connection management, using DH to derive the keys for the encryption policy and HMAC, and negotiating the authentication method, such as pre-shared keys, RSA encryption or RSA signatures (digital signatures). Main mode has one advantage: device authentication is carried out over the protected connection established by the first two steps, so any identity information the parties need to send each other is protected against being read by outsiders. This is Cisco's default mode for site-to-site connections and for remote-access connections that use certificate authentication.

Aggressive mode: in Aggressive mode the two parties exchange three packets. The first exchange contains the list of policies for connection management, the public key share for DH, authentication information and verification data (for example, a signature), all packed into one packet. The second exchange acknowledges the first and reports whether the connection was established successfully. Aggressive mode's advantage over Main mode is that it establishes the secure connection faster. However, all the information is exchanged in the clear (unencrypted), so anyone who captures the setup packets can create other authentication information to use in an attack.

Figure 2-9. IKE phase 1: Aggressive mode

Phase 1 configuration

Figure 2-10. Example IKE phase 1 configuration

The first step in establishing a site-to-site connection protected by an IPsec VPN is to set up the ISAKMP policy, which consists of four main parameters: authentication, encryption, hash and DH group.
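How the four ISAKMP policy parameters are matched between two peers, as an added example that is not part of the original article or of any vendor's code: each side holds an ordered list of policies, the responder walks its own list by priority and accepts the first initiator proposal whose encryption, hash, authentication method and DH group all match. The lifetime rule (the initiator's lifetime must not exceed the responder's, and the shorter one is used) is my reading of Cisco IOS behaviour and is an assumption here; the sample policies, the attribute names and the minimum-strength thresholds in the audit function are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    """One ISAKMP policy entry: the four mandatory attributes plus the SA lifetime."""
    priority: int          # lower number is proposed and checked first
    encryption: str        # constructed names: "des", "3des", "aes-128", "aes-256"
    hash: str              # constructed names: "md5", "sha", "sha256"
    authentication: str    # constructed names: "pre-share", "rsa-sig", "rsa-encr"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # SA lifetime in seconds

    def attributes(self):
        return (self.encryption, self.hash, self.authentication, self.group)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Responder-side selection: first own policy (by priority) that an initiator proposal
    matches on all four attributes. Lifetime rule assumed from Cisco IOS behaviour: the
    initiator's lifetime must not exceed the responder's, and the shorter one is used."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if mine.attributes() == theirs.attributes() and theirs.lifetime <= mine.lifetime:
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None        # no common policy: phase 1 fails before any keys are exchanged


# Assumed minimum strengths for the audit below; adjust to your own security policy.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}
WEAK_GROUPS = {1, 2, 5}
MAX_LIFETIME = 86400


def weaknesses(policy: IsakmpPolicy) -> List[str]:
    """Audit one policy: list the attributes that fall below the assumed minimum strengths."""
    found = []
    if policy.encryption in WEAK_ENCRYPTION:
        found.append(f"encryption {policy.encryption}")
    if policy.hash in WEAK_HASH:
        found.append(f"hash {policy.hash}")
    if policy.group in WEAK_GROUPS:
        found.append(f"DH group {policy.group}")
    if policy.lifetime > MAX_LIFETIME:
        found.append(f"lifetime {policy.lifetime}s")
    return found


# Constructed sample policies for a site-to-site pair.
SITE_A = [
    IsakmpPolicy(10, "aes-256", "sha256", "pre-share", 14, lifetime=3600),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2),
]
SITE_B = [
    IsakmpPolicy(10, "aes-256", "sha256", "rsa-sig", 14),
    IsakmpPolicy(20, "aes-256", "sha256", "pre-share", 14, lifetime=28800),
]


if __name__ == "__main__":
    print("negotiated:", negotiate(SITE_A, SITE_B))
    for site, policies in (("A", SITE_A), ("B", SITE_B)):
        for p in policies:
            print(f"site {site} policy {p.priority}: {weaknesses(p) or 'ok'}")
```

Keeping a weak fallback policy such as SITE_A's entry 20 is the usual way a strong configuration quietly degrades: it is never chosen while the peer offers the strong set, but a peer that proposes only 3DES and group 2 will still get an SA. Auditing every entry, not just the first, catches that.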
http://vnpro.org/forum/showthread.php/27137-B%E1%BA%A3o-m%E1%BA%ADt-trongm%E1%BA%A1ng-LAN-%E1%BA%A3o-%E2%80%93-IPsec-VPN
