Alhamdulillah, on this occasion the admin will share one of the topics from the Cisco CCNP RS track: IPSec VPN. First, the definition: what IPSec actually is.
IPSec is a protocol used to secure the transmission of datagrams across a TCP/IP internetwork. IPSec is implemented, or runs, at Layer 4, the Transport Layer. It works by being placed in the header of the datagram to be sent, governed by its own security policy. In general terms, the services IPSec provides are as follows:
- Data Confidentiality: the sender encrypts the data before it is sent.
- Data Integrity: the receiver can authenticate the packets the sender transmitted, so that the data cannot be tampered with in transit without being noticed.
- Data Origin Authentication: the receiver can authenticate where the IPsec packets it receives originated.
- Anti-Replay: the receiver can detect and reject packets that have been captured and replayed.
This time I will also share a small example lab.
Topology
- The tasks:
  - Basic configuration (hostname, IP addresses, routing, etc.)
  - IPSec VPN configuration, with the following parameters:
    - Policy 1
    - 3DES encryption
    - SHA hash
    - DH group 2
    - Tunnel mode
    - Pre-shared key: rahasia
- Here is the configuration:
R1 (Cisco Router)

```
R1#show run
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 rahasia address 75.0.0.1
!
crypto ipsec transform-set sulaiman esp-3des esp-sha-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 75.0.0.1
 set transform-set sulaiman
 match address 100
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 65.0.0.1 255.0.0.0
 clock rate 2000000
 crypto map vpnmap
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
no cdp log mismatch duplex
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
```
R2 (Cisco Router)

```
R2#show run
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 65.0.0.2 255.0.0.0
 ip virtual-reassembly
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 75.0.0.2 255.0.0.0
 ip virtual-reassembly
 clock rate 2000000
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
```
R3 (Cisco Router)

```
R3#show run
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 rahasia address 65.0.0.1
!
crypto ipsec transform-set sulaiman esp-3des esp-sha-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 65.0.0.1
 set transform-set sulaiman
 match address 100
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 75.0.0.1 255.0.0.0
 clock rate 2000000
 crypto map vpnmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/1
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp log mismatch duplex
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
```
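The tunnel only comes up when both ends agree on the ISAKMP policy, the transform set, the pre-shared key, each other's endpoint address, and a crypto ACL that is the mirror image of the peer's. As an added example (not part of the original post), the Python script below pulls those fields out of the crypto-relevant lines of the R1 config above and checks them against R3's; R3's side is rebuilt from R1's by swapping the endpoints and reversing the ACL, and the parser assumes a single ISAKMP policy, one crypto map and a single-line crypto ACL, as in this lab.

```python
import re
# Crypto-relevant lines from the R1 running config shown on this page.
R1_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 rahasia address 75.0.0.1
crypto ipsec transform-set sulaiman esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 75.0.0.1
 set transform-set sulaiman
 match address 100
interface Serial0/0
 ip address 65.0.0.1 255.0.0.0
 crypto map vpnmap
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# R3's config on the page is R1's mirror image: endpoints swapped, crypto ACL reversed.
R3_CFG = (R1_CFG.replace("75.0.0.1", "X").replace("65.0.0.1", "75.0.0.1").replace("X", "65.0.0.1")
          .replace("192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0"))

def parse(cfg):
    """Pull out the fields that must agree between the two VPN peers (one policy/map/ACL assumed)."""
    g = lambda pat: re.search(pat, cfg, re.M).group(1)
    d = {"policy": frozenset(re.findall(r"^ (encr \S+|authentication \S+|group \S+)$", cfg, re.M)),
         "psk": g(r"^crypto isakmp key \S+ (\S+) address"),
         "key_peer": g(r"^crypto isakmp key \S+ \S+ address (\S+)"),
         "transform": g(r"^crypto ipsec transform-set \S+ (.+)$"),
         "map_peer": g(r"^ set peer (\S+)"), "acl": g(r"^ match address (\S+)")}
    d["acl_src"], d["acl_dst"] = re.search(rf"^access-list {d['acl']} permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M).groups()
    # Local tunnel endpoint = address of the interface the crypto map is applied to.
    for blk in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        if re.search(r"^ crypto map ", blk, re.M):
            d["local"] = re.search(r"^ ip address (\S+)", blk, re.M).group(1)
    return d

def check_pair(a, b):
    """Return mismatch descriptions; an empty list means the two sides agree."""
    problems = []
    for f in ("policy", "transform", "psk"):
        if a[f] != b[f]:
            problems.append(f"{f} differs between the two sides")
    for s, o in ((a, b), (b, a)):
        if s["map_peer"] != o["local"] or s["key_peer"] != o["local"]:
            problems.append(f"peer address on {s['local']} does not point at {o['local']}")
        if s["acl_src"] != o["acl_dst"] or s["acl_dst"] != o["acl_src"]:
            problems.append("crypto ACL is not the mirror image of the peer's")
    return problems
```

Run `check_pair(parse(R1_CFG), parse(R3_CFG))` on the lab configs and it returns an empty list; change the DH group or an ACL subnet on one side and the corresponding mismatch is reported.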
And here is the verification. First, an extended ping from R1's LAN address to R3's LAN address:

R1 (Cisco Router)

```
R1#ping
Protocol [ip]:
Target IP address: 192.168.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/105/312 ms
```
R3 (Cisco Router)

```
R3#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/38/72 ms
```
R1 (Cisco Router)

```
R1#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: vpnmap, local addr 65.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 75.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 65.0.0.1, remote crypto endpt.: 75.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xC361863B(3277948475)

     inbound esp sas:
      spi: 0xBF48DB5E(3209223006)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4441984/3394)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC361863B(3277948475)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4441984/3394)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
```
R1 (Cisco Router)

```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
75.0.0.1        65.0.0.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
```
That is all for this share on IPSec VPN, thank you.