VPN Lab 2 : IPSEC Tunnel Mode
LAB 2
Well guys, because a GRE tunnel does not perform any encryption, it is very vulnerable to being decrypted. This time there is a solution for encrypting it, namely combining the GRE tunnel with IPsec. IPsec uses two IKE phases:
1. Responsible for establishing and forming the initial connection with the peer.
2. Responsible for encrypting and authenticating the transported data.
Now we will continue with the configuration. Before continuing, we first remove the previous configuration:
R2
R2(config)#no router eigrp 23
R2(config)#no interface tunnel23
R3
R3(config)#no interface tunnel32
R3(config)#no router eigrp 23
Configure ISAKMP phase 1 and phase 2
R2
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#crypto isakmp key 0 IDNJOS address 13.13.13.3
R2(config)#crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
R2(config)#crypto map ROSLIANA12A 10 ipsec-isakmp
R2(config-crypto-map)#set peer 13.13.13.3
R2(config-crypto-map)#set transform-set ROSLIANA
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#access-list 100 permit ip host 2.2.2.2 host 3.3.3.3
Don't forget, friends: configure ISAKMP phase 1 and phase 2 on R3 as well.
R3
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#crypto isakmp key 0 IDNJOS address 12.12.12.2
R3(config)#crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#crypto map ROSLIANA12A 10 ipsec-isakmp
R3(config-crypto-map)#set peer 12.12.12.2
R3(config-crypto-map)#set transform-set ROSLIANA
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#access-list 100 permit ip host 3.3.3.3 host 2.2.2.2
Next, configure static routing and apply the crypto map ROSLIANA12A to the fa0/0 interface on R2 and R3.
R2
R2(config)#ip route 3.3.3.3 255.255.255.255 13.13.13.3
R2(config)#int fa0/0
R2(config-if)#crypto map ROSLIANA12A
R3
R3(config)#ip route 2.2.2.2 255.255.255.255 12.12.12.2
R3(config)#int fa0/0
R3(config-if)#crypto map ROSLIANA12A
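As an added check that is not part of the original lab, the following Python script lints a crypto-map configuration like the one just built: it reports any crypto map, transform-set, ACL or peer that is referenced but never defined (a common slip is applying the map to the interface under a different name than it was defined with), a pre-shared key entered as type 0, and ISAKMP policy settings used here (group 2, SHA-1) that are now considered legacy. The embedded configuration is constructed from this lab's R2 commands with one deliberate name mismatch; the regexes only cover the command forms shown in this lab.

```python
import re
# Constructed sample (not a router capture): R2 side of this lab, with the map applied under a different name.
R2_CONFIG = """\
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0 IDNJOS address 13.13.13.3
crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
crypto map ROSLIANA12A 10 ipsec-isakmp
 set peer 13.13.13.3
 set transform-set ROSLIANA
 match address 100
access-list 100 permit ip host 2.2.2.2 host 3.3.3.3
interface FastEthernet0/0
 crypto map IDNSCHOOL
"""
# ISAKMP policy lines that still negotiate but fall short of current guidance.
LEGACY = {"group 2": "DH group 2 (1024-bit MODP) is weak, prefer group 14 or higher",
          "hash sha": "SHA-1 integrity is legacy, prefer sha256"}
# (regex, bucket): group 1 of each regex is the name the line defines or uses.
PATTERNS = [(r"crypto map (\S+) \d+ ipsec-isakmp$", "map_def"),
            (r"crypto map (\S+)$", "map_use"),  # interface-level form has no seq
            (r"crypto ipsec transform-set (\S+)", "ts_def"),
            (r"set transform-set (\S+)", "ts_use"),
            (r"access-list (\d+) ", "acl_def"),
            (r"match address (\d+)", "acl_use"),
            (r"crypto isakmp key \d \S+ address (\S+)", "key_def"),
            (r"set peer (\S+)", "key_use")]
LABELS = {"map": "crypto map", "ts": "transform-set", "acl": "access-list",
          "key": "isakmp key for peer"}

def lint_ipsec_config(config):
    """Return sorted findings: dangling references, cleartext PSK, legacy policy."""
    seen, findings = {bucket: set() for _, bucket in PATTERNS}, []
    for raw in config.splitlines():
        line = raw.strip()
        if line in LEGACY:
            findings.append(f"ISAKMP policy: {LEGACY[line]}")
        if line.startswith("crypto isakmp key 0 "):
            findings.append("pre-shared key entered as type 0 (stored in cleartext)")
        for pattern, bucket in PATTERNS:
            if m := re.match(pattern, line):
                seen[bucket].add(m[1])
                break  # first matching pattern wins, so the order above matters
    for kind, label in LABELS.items():
        for name in sorted(seen[kind + "_use"] - seen[kind + "_def"]):
            findings.append(f"{label} {name} is referenced but never defined")
    return sorted(findings)
```

Run the linter on a `show running-config | section crypto|interface|access-list` capture of each router; an empty result apart from the legacy-policy notes means every reference resolves.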
Now let's verify whether the session is UP or not.
R2
R2(config)#do show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE Peer: 13.13.13.3 port 500
IKE SA: local 12.12.12.2/500 remote 13.13.13.3/500 Active
IPSEC FLOW: permit ip host 2.2.2.2 host 3.3.3.3
Active SAs: 2, origin: crypto map
R3
R3#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE Peer: 12.12.12.2 port 500
IKE SA: local 13.13.13.3/500 remote 12.12.12.2/500 Active
IPSEC FLOW: permit ip host 3.3.3.3 host 2.2.2.2
Active SAs: 2, origin: crypto map
R3
R3#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: ROSLIANA12A, local addr 13.13.13.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 12.12.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18,
#pkts encrypt: 18,
#pkts digest: 18
#pkts decaps: 5,
#pkts decrypt: 5,
#pkts verify: 5
#pkts compressed: 0,
#pkts decompressed: 0
#pkts not compressed: 0,
#pkts compr. failed: 0
#pkts not decompressed: 0,
#pkts decompress failed: 0
#send errors 5,
#recv errors 0
local crypto endpt.: 13.13.13.3, remote crypto endpt.: 12.12.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4F0F0D33(1326386483)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x7CAFE9D5(2091903445)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: ROSLIANA12A
sa timing: remaining key lifetime (k/sec): (4593143/1916)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4F0F0D33(1326386483)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: ROSLIANA12A
sa timing: remaining key lifetime (k/sec): (4593141/1916)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Test ping
R2
R2(config)#do ping 3.3.3.3 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/75/92 ms