Thursday, March 05, 2015

Simulasi IPSec VPN di Cisco

Hari kedua di tempat kerja yang baru, langsung dapat tugas dari Boss, untuk membuat simulasi network mikrotik dan cisco. Bukan hanya connect begitu saja, tapi ada ipsecnya juga yang juga harus bisa connect. Ilmu baru ini, langsung semangat dengernya.
Karena menyangkut rahasia negera, maka sengaja IP address diganti, tidak sesuai dengan kenyataan di lapangan. hahaha...  :) Ada 2 tahap simulasi. Awalnya  simulasi Ipsec VPN di Cisco dulu. Jika sudah berhasil, lanjut ditambahkan mikrotik.

Simulasi I, Simulasi IPSec VPN di Cisco
Ipsec Cisco

Dan berikut ini konfigurasi di masing-masing perangkat.
ROUTER ISP-1
ISP-1#sh run
Building configuration...
---------deleted-----------------
interface FastEthernet0/0
 description ##TO-BACKHAUL-PUSAT##
 ip address 172.16.1.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description ##TO-ROUTER-CABANG##
 ip address 172.16.2.1 255.255.255.248
 speed 100
 full-duplex
!
---------deleted-------
End

ROUTER BH SERVER
ROUTER-BH-PUSAT#sh run
---------deleted---------
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key myipsec123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
!
crypto dynamic-map VPNdynamic 10
  set transform-set TRANSFORM
  match address MY-VPN-LIST
!
!
crypto map DYN-MAP 10 ipsec-isakmp dynamic VPNdynamic
!
!
!
!
interface FastEthernet0/0
 description ##TO-WAN-ISP##
 ip address 172.16.1.2 255.255.255.252
 ip accounting output-packets
 duplex auto
 speed auto
 crypto map DYN-MAP
!
interface FastEthernet1/0
 description ##TO-LAN-SERVER##
 ip address 10.121.1.1 255.255.255.252
duplex auto
 speed auto
!
!
router eigrp 10
 network 10.121.1.0 0.0.0.3
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended MY-VPN-LIST
 permit ip 10.121.1.0 0.0.0.3 10.1.1.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.2.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.3.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.4.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.5.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.6.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.7.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.8.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.9.0 0.0.0.255
 permit ip 10.121.1.0 0.0.0.3 10.1.10.0 0.0.0.255

ROUTER CABANG
ROUTER-CABANG-01#sh run
Building configuration...
--------deleted------
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key myipsec123 address 172.16.1.2
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
!
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set TRANSFORM
 match address 100
!
!
!
!
interface FastEthernet0/0
 description ##TO-WAN-ISP##
 ip address 172.16.2.2 255.255.255.248
 speed 100
 full-duplex
crypto map CRYPTO-MAP
!
interface FastEthernet1/0
 description ##TO-LAN-USERS##
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.2.1
!
!
no ip http server
no ip http secure-server
!
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.121.1.0 0.0.0.3

PC1
PC1> ip 10.1.1.2/24 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.2 255.255.255.0 gateway 10.1.1.1

PC1>

SERVER
SERVER> ip 10.121.1.2/30 10.121.1.1
Checking for duplicate address...
PC1 : 10.121.1.2 255.255.255.252 gateway 10.121.1.1

SERVER>

Hasil Test
PC1> ping 10.1.1.1
84 bytes from 10.1.1.1 icmp_seq=1 ttl=255 time=23.001 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=255 time=63.004 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=255 time=8.001 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=255 time=27.001 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=255 time=19.001 ms

PC1> ping 172.16.2.2
84 bytes from 172.16.2.2 icmp_seq=1 ttl=255 time=34.002 ms
84 bytes from 172.16.2.2 icmp_seq=2 ttl=255 time=37.002 ms
84 bytes from 172.16.2.2 icmp_seq=3 ttl=255 time=9.000 ms
84 bytes from 172.16.2.2 icmp_seq=4 ttl=255 time=55.004 ms
84 bytes from 172.16.2.2 icmp_seq=5 ttl=255 time=41.002 ms

PC1> ping 172.16.2.1
172.16.2.1 icmp_seq=1 timeout
172.16.2.1 icmp_seq=2 timeout
172.16.2.1 icmp_seq=3 timeout
172.16.2.1 icmp_seq=4 timeout
172.16.2.1 icmp_seq=5 timeout

PC1> ping 10.121.1.1
10.121.1.1 icmp_seq=1 timeout
84 bytes from 10.121.1.1 icmp_seq=2 ttl=254 time=129.007 ms
84 bytes from 10.121.1.1 icmp_seq=3 ttl=254 time=106.006 ms
84 bytes from 10.121.1.1 icmp_seq=4 ttl=254 time=105.006 ms
84 bytes from 10.121.1.1 icmp_seq=5 ttl=254 time=107.006 ms

PC1> ping 10.121.1.2
84 bytes from 10.121.1.2 icmp_seq=1 ttl=62 time=114.007 ms
84 bytes from 10.121.1.2 icmp_seq=2 ttl=62 time=93.006 ms
84 bytes from 10.121.1.2 icmp_seq=3 ttl=62 time=99.005 ms
84 bytes from 10.121.1.2 icmp_seq=4 ttl=62 time=98.005 ms
84 bytes from 10.121.1.2 icmp_seq=5 ttl=62 time=126.007 ms
  • Ping dari PC1 Cabang (10.1.1.2) ke Gateway (10.1.1.1) = ok.
  • Ping dari PC1 Cabang (10.1.1.2) ke IP WAN Router (172.16.2.2) = ok.
  • Ping dari PC1 Cabang (10.1.1.2) ke IP WAN ISP (172.16.2.1) = nok (request time out). Ini dikarenakan tidak ada routing menuju ke arah IP WAN. Tidak masalah ini. Malah bagus, karena lebih secure.
  • Ping dari PC1 Cabang (10.1.1.2) ke IP LAN Router Pusat (10.121.1.1) = ok, berhasil.
  • Ping dari PC1 Cabang (10.1.1.2) ke IP Server Pusat (10.121.1.2) = ok, berhasil.

Mengecek status crypto map di Router BH Pusat.
ROUTER-BH-PUSAT#sh crypto map
Crypto Map "DYN-MAP" 10 ipsec-isakmp
        Dynamic map template tag: VPNdynamic

Crypto Map "DYN-MAP" 65536 ipsec-isakmp
        Peer = 172.16.2.2
        Extended IP access list
            access-list  permit ip 10.121.1.0 0.0.0.3 10.1.1.0 0.0.0.255
            dynamic (created from dynamic map VPNdynamic/10)
        Current peer: 172.16.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM,
        }
        Interfaces using crypto map DYN-MAP:
                FastEthernet0/0

Mengecek status crypto map di Router Cabang.
ROUTER-CABANG-01#sh crypto map
Crypto Map "CRYPTO-MAP" 1 ipsec-isakmp
        Peer = 172.16.1.2
        Extended IP access list 100
            access-list 100 permit ip 10.1.1.0 0.0.0.255 10.121.1.0 0.0.0.3
        Current peer: 172.16.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM,
        }
        Interfaces using crypto map CRYPTO-MAP:
                FastEthernet0/0

Mengecek status ipsec di Router BH Pusat.
ROUTER-BH-PUSAT#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: DYN-MAP, local addr 172.16.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.121.1.0/255.255.255.252/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 172.16.2.2 port 500
     PERMIT, flags={}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x64FD1357(1694307159)

     inbound esp sas:
      spi: 0x8E3D183D(2386368573)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: DYN-MAP
        sa timing: remaining key lifetime (k/sec): (4423169/3263)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
-----deleted-------

Mengecek status ipsec di Router Cabang.
ROUTER-CABANG-01#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CRYPTO-MAP, local addr 172.16.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.121.1.0/255.255.255.252/0/0)
   current_peer 172.16.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.2.2, remote crypto endpt.: 172.16.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x8E3D183D(2386368573)

     inbound esp sas:
      spi: 0x64FD1357(1694307159)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4385166/3188)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

------deleted-------

Selesai...

2 comments:

  1. Gan, kira kira, ini bisa disimulasiin di GnS3 nggak gan

    ReplyDelete
  2. BlueHost is ultimately the best web-hosting company with plans for all of your hosting needs.

    ReplyDelete