Continuing from the previous post. A MikroTik router and a hub have been added on the branch side of the network design.
Below is the configuration (print) output from the MikroTik router.
[admin@MIKROTIK-CABANG] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   172.16.2.3/29      172.16.2.0      ether1
 1   10.1.2.1/24        10.1.2.0        ether2
[admin@MIKROTIK-CABANG] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          172.16.2.1                1
 1 ADC  10.1.2.0/24        10.1.2.1        ether2                    0
 2 ADC  172.16.2.0/29      172.16.2.3      ether1                    0
After the IP addresses and routes on the MikroTik are set, continue with the IP address setting for PC2, which acts as the user. (The IP address settings for the central server were already covered in the previous post.)
PC2> ip 10.1.2.2/24 10.1.2.1
Checking for duplicate address...
PC2 : 10.1.2.2 255.255.255.0 gateway 10.1.2.1
PC1>
Done. First, test ping from the branch MikroTik.
[admin@MIKROTIK-CABANG] > ping 172.16.2.1
HOST                                     SIZE TTL TIME  STATUS
172.16.2.1                                 56 255 35ms
172.16.2.1                                 56 255 29ms
172.16.2.1                                 56 255 23ms
172.16.2.1                                 56 255 14ms
172.16.2.1                                 56 255 26ms
sent=5 received=5 packet-loss=0%
min-rtt=14ms avg-rtt=25ms max-rtt=35ms
[admin@MIKROTIK-CABANG] > ping 172.16.1.2
HOST                                     SIZE TTL TIME  STATUS
172.16.1.2                                 56 254 34ms
172.16.1.2                                 56 254 20ms
172.16.1.2                                 56 254 49ms
172.16.1.2                                 56 254 57ms
172.16.1.2                                 56 254 29ms
sent=5 received=5 packet-loss=0%
min-rtt=20ms avg-rtt=37ms max-rtt=57ms
[admin@MIKROTIK-CABANG] > ping 10.121.1.1
HOST                                     SIZE TTL TIME  STATUS
172.16.2.1                                 56 255 43ms  host unreachable
172.16.2.1                                 56 255 10ms  host unreachable
172.16.2.1                                 56 255 19ms  host unreachable
172.16.2.1                                 56 255 36ms  host unreachable
172.16.2.1                                 56 255 38ms  host unreachable
sent=5 received=0 packet-loss=100%
[admin@MIKROTIK-CABANG] >
- Ping from the MikroTik to the ISP gateway (172.16.2.1) = ok
- Ping from the MikroTik to the server's WAN IP (172.16.1.2) = ok
- Ping from the MikroTik to the server's LAN IP = not ok (host unreachable). This is fine and expected, because there is no route towards the server's LAN IP yet.
Test ping from PC2.
PC2> ping 10.1.2.1
84 bytes from 10.1.2.1 icmp_seq=1 ttl=64 time=0.500 ms
84 bytes from 10.1.2.1 icmp_seq=2 ttl=64 time=0.500 ms
84 bytes from 10.1.2.1 icmp_seq=3 ttl=64 time=0.500 ms
84 bytes from 10.1.2.1 icmp_seq=4 ttl=64 time=0.500 ms
84 bytes from 10.1.2.1 icmp_seq=5 ttl=64 time=0.500 ms
PC2> ping 172.16.2.3
84 bytes from 172.16.2.3 icmp_seq=1 ttl=64 time=1.000 ms
84 bytes from 172.16.2.3 icmp_seq=2 ttl=64 time=1.000 ms
84 bytes from 172.16.2.3 icmp_seq=3 ttl=64 time=0.500 ms
84 bytes from 172.16.2.3 icmp_seq=4 ttl=64 time=0.500 ms
84 bytes from 172.16.2.3 icmp_seq=5 ttl=64 time=0.501 ms
PC2> ping 172.16.2.1
172.16.2.1 icmp_seq=1 timeout
172.16.2.1 icmp_seq=2 timeout
172.16.2.1 icmp_seq=3 timeout
172.16.2.1 icmp_seq=4 timeout
172.16.2.1 icmp_seq=5 timeout
PC2> ping 10.121.1.2
10.121.1.2 icmp_seq=1 timeout
10.121.1.2 icmp_seq=2 timeout
10.121.1.2 icmp_seq=3 timeout
10.121.1.2 icmp_seq=4 timeout
10.121.1.2 icmp_seq=5 timeout
From user PC2, ping only works to its gateway IP and to the WAN IP of the MikroTik router; the other addresses cannot be reached. This is also expected.
IPsec setup on the MikroTik. Only 3 steps are needed.
1. Make sure auth-algorithms and enc-algorithms match the Cisco side.
[admin@MIKROTIK-CABANG] > ip ipsec proposal print
Flags: X - disabled, * - default
 0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
     pfs-group=modp1024
2. Create the IPsec policy.
[admin@MIKROTIK-CABANG] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=10.1.2.0/24 src-port=any dst-address=10.121.1.0/30
     dst-port=any protocol=all action=encrypt level=require
     ipsec-protocols=esp tunnel=yes sa-src-address=172.16.2.3
     sa-dst-address=172.16.1.2 proposal=default priority=0
3. Create the IPsec peer.
[admin@MIKROTIK-CABANG] > ip ipsec peer print
Flags: X - disabled
 0   address=172.16.1.2/32 port=500 auth-method=pre-shared-key
     secret="myipsec123" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=no my-id-user-fqdn=""
     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
     dpd-maximum-failures=5
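To make the step-1 check repeatable, here is an added Python example (not code from the original post) that parses the `ip ipsec peer print` and `ip ipsec proposal print` output above and compares the phase 1 (peer) and phase 2 (proposal) parameters against the Cisco side. The Cisco-side values in CISCO_SIDE are an assumption standing in for the headend's actual crypto map settings, and the LEGACY set is the editor's list of algorithms worth flagging for replacement once the tunnel works.

```python
import re

# Constructed sample input: the proposal and peer entries shown in the post
# (MikroTik side), pasted as RouterOS `print` output.
MIKROTIK_PROPOSAL = '''
 0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
     pfs-group=modp1024
'''
MIKROTIK_PEER = '''
 0   address=172.16.1.2/32 port=500 auth-method=pre-shared-key secret="myipsec123"
     generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
     my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
'''

# Assumed (hypothetical) settings of the Cisco headend, grouped by IKE phase:
# phase 1 is negotiated from the peer entry, phase 2 from the proposal.
CISCO_SIDE = {
    "phase1": {"hash-algorithm": "sha1", "enc-algorithm": "3des", "dh-group": "modp1024"},
    "phase2": {"auth-algorithms": "sha1", "enc-algorithms": "3des", "pfs-group": "modp1024"},
}

# Algorithms a defender would flag for replacement once the tunnel is up.
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}

KV = re.compile(r'([a-z][a-z0-9-]*)=("[^"]*"|\S+)')

def parse_print(text):
    """Turn one RouterOS `print` entry into a dict; surrounding quotes are stripped."""
    return {key: value.strip('"') for key, value in KV.findall(text)}

def check_alignment(peer_text, proposal_text, expected=CISCO_SIDE):
    """Compare the MikroTik peer/proposal with the expected Cisco parameters.

    Returns (mismatches, legacy): mismatches lists every parameter that would make
    IKE negotiation fail, legacy lists weak algorithms still in use on either side.
    """
    parsed = {"phase1": parse_print(peer_text), "phase2": parse_print(proposal_text)}
    mismatches = []
    for phase, wanted in expected.items():
        for key, want in wanted.items():
            have = parsed[phase].get(key)
            if have != want:
                mismatches.append(f"{phase} {key}: mikrotik={have} cisco={want}")
    legacy = sorted({v for d in parsed.values() for v in d.values() if v in LEGACY})
    return mismatches, legacy

if __name__ == "__main__":
    problems, weak = check_alignment(MIKROTIK_PEER, MIKROTIK_PROPOSAL)
    print("mismatches:", problems or "none")
    print("legacy algorithms in use:", weak)
```

A mismatch in any of these parameters is what you would otherwise only see as request timeouts on the PC2 ping while the peers never reach the established state.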
OK. Continue with a ping test from user PC2.
At first there will be some request timeouts (RTO), because the router is still trying to establish the remote peer. After that, replies come back. The established remote peer can be seen on the MikroTik.
[admin@MIKROTIK-CABANG] > ip ipsec remote-peers print
 0 local-address=172.16.2.3 remote-address=172.16.1.2 state=established
   side=initiator established=1m9s
OK. Done.