Friday, March 06, 2015

Simulasi IPSec VPN di Cisco + Mikrotik

Lanjutan posting sebelumnya. Design network ditambahkan Mikrotik dan hub di sisi cabang.
Ipsec Cisco + Mikrotik

Dan berikut ini show (print) konfigurasinya, di router Mikrotik.


[admin@MIKROTIK-CABANG] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE                               
 0   172.16.2.3/29      172.16.2.0      ether1                                  
 1   10.1.2.1/24        10.1.2.0        ether2                                  

[admin@MIKROTIK-CABANG] > ip route print 
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC             GATEWAY            DISTANCE
 0 A S        0.0.0.0/0                         172.16.2.1                1
 1 ADC  10.1.2.0/24        10.1.2.1             ether2                    0
 2 ADC  172.16.2.0/29    172.16.2.3      ether1                    0

Setelah disetting ip address dan ip route si mikrotik. Lanjutkan dengan settingan IP address PC2 sebagai users. (Sedangkan settingan IP address untuk Server Pusat, sudah di posting sebelumnya.)

PC2> ip 10.1.2.2/24 10.1.2.1
Checking for duplicate address...
PC2 : 10.1.2.2 255.255.255.0 gateway 10.1.2.1

PC1>

Beres,.. test ping dulu dari Mikrotik Cabang.
[admin@MIKROTIK-CABANG] > ping 172.16.2.1
HOST                                     SIZE TTL TIME  STATUS                  
172.16.2.1                                 56 255 35ms
172.16.2.1                                 56 255 29ms
172.16.2.1                                 56 255 23ms
172.16.2.1                                 56 255 14ms
172.16.2.1                                 56 255 26ms
    sent=5 received=5 packet-loss=0% min-rtt=14ms avg-rtt=25ms max-rtt=35ms

[admin@MIKROTIK-CABANG] > ping 172.16.1.2
HOST                                     SIZE TTL TIME  STATUS                  
172.16.1.2                                 56 254 34ms
172.16.1.2                                 56 254 20ms
172.16.1.2                                 56 254 49ms
172.16.1.2                                 56 254 57ms
172.16.1.2                                 56 254 29ms
    sent=5 received=5 packet-loss=0% min-rtt=20ms avg-rtt=37ms max-rtt=57ms

[admin@MIKROTIK-CABANG] > ping 10.121.1.1
HOST                                     SIZE TTL TIME  STATUS                  
172.16.2.1                                 56 255 43ms  host unreachable        
172.16.2.1                                 56 255 10ms  host unreachable        
172.16.2.1                                 56 255 19ms  host unreachable        
172.16.2.1                                 56 255 36ms  host unreachable        
172.16.2.1                                 56 255 38ms  host unreachable        
    sent=5 received=0 packet-loss=100%

[admin@MIKROTIK-CABANG] >
  • Test ping dari Mikrotik ke gateway ISP (172.16.2.1) = ok
  • Test ping dari Mikrotik ke WAN Server (172.16.1.2) = ok
  • Test ping dari Mikrotik ke IP LAN Server = nok (host unreachable). Berarti baik dan normal karena tidak ada routing menuju ke IP LAN Server.

Test ping dari PC2.
PC2> ping 10.1.2.1
84 bytes from 10.1.2.1 icmp_seq=1 ttl=64 time=0.500 ms
84 bytes from 10.1.2.1 icmp_seq=2 ttl=64 time=0.500 ms
84 bytes from 10.1.2.1 icmp_seq=3 ttl=64 time=0.500 ms
84 bytes from 10.1.2.1 icmp_seq=4 ttl=64 time=0.500 ms
84 bytes from 10.1.2.1 icmp_seq=5 ttl=64 time=0.500 ms

PC2> ping 172.16.2.3
84 bytes from 172.16.2.3 icmp_seq=1 ttl=64 time=1.000 ms
84 bytes from 172.16.2.3 icmp_seq=2 ttl=64 time=1.000 ms
84 bytes from 172.16.2.3 icmp_seq=3 ttl=64 time=0.500 ms
84 bytes from 172.16.2.3 icmp_seq=4 ttl=64 time=0.500 ms
84 bytes from 172.16.2.3 icmp_seq=5 ttl=64 time=0.501 ms

PC2> ping 172.16.2.1
172.16.2.1 icmp_seq=1 timeout
172.16.2.1 icmp_seq=2 timeout
172.16.2.1 icmp_seq=3 timeout
172.16.2.1 icmp_seq=4 timeout
172.16.2.1 icmp_seq=5 timeout

PC2> ping 10.121.1.2
10.121.1.2 icmp_seq=1 timeout
10.121.1.2 icmp_seq=2 timeout
10.121.1.2 icmp_seq=3 timeout
10.121.1.2 icmp_seq=4 timeout
10.121.1.2 icmp_seq=5 timeout

Test ping dari user PC2 hanya bisa ke IP gateway dan IP WAN Router Mikrotik. Sedangkan ke IP yang lainnya, tidak bisa. Ini juga berarti normal.

Settingan ipsecnya di Mikrotik. Cukup 3 langkah saja.
1.  Pastikan auth-algorthms dan enc-algorithms, sudah sesuai dengan cisco.
[admin@MIKROTIK-CABANG] > ip ipsec proposal print
Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
      pfs-group=modp1024

2.  Create ipsec policy.
[admin@MIKROTIK-CABANG] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=10.1.2.0/24 src-port=any dst-address=10.121.1.0/30 dst-port=any protocol=all
     action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=172.16.2.3
     sa-dst-address=172.16.1.2 proposal=default priority=0

3. Create ipsec peer
[admin@MIKROTIK-CABANG] > ip ipsec peer print
Flags: X - disabled
 0   address=172.16.1.2/32 port=500 auth-method=pre-shared-key
     secret="myipsec123" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=no my-id-user-fqdn=""
     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
     dpd-maximum-failures=5

Ok. Lanjutkan dengan test ping dari user PC2.
Test ping dari PC2 ke server

Awalnya memang ada rto, karena masih melakukan percobaan establish remote peers. Selanjutnya akan reply. Remote peers yang terbentuk bisa dilihat di mikrotik.
 [admin@MIKROTIK-CABANG] > ip ipsec remote-peers print
 0 local-address=172.16.2.3 remote-address=172.16.1.2 state=established
   side=initiator established=1m9s

Ok. Selesai.

1 comment:

  1. BlueHost is definitely one of the best hosting provider with plans for any hosting requirements.

    ReplyDelete