
Belajar Mengkonfigurasi Site-to-Site IPsec VPNs
Topology used:

(topology diagram not reproduced)

Equipment:
--3 routers (2 of them must support VPN; in this simulation those are
cnc1 and cnc3). In practice the 2800 series was used
--1 hub
--1 computer running Wireshark
--UTP cables as needed


The general steps for configuring Site-to-Site IPsec VPNs are
as follows:

--Create IKE Policies
--Configure Pre-Shared Keys
--Configure the IPsec Transform Set and Lifetimes
--Define Interesting Traffic
--Create and Apply Crypto Maps

------------------cnc1--------------------------
--Create IKE Policies
cnc1(config)# crypto isakmp enable (if this command is not accepted at this
stage, the router's IOS probably needs to be upgraded)

cnc1(config)# crypto isakmp policy 10
cnc1(config-isakmp)# authentication pre-share
cnc1(config-isakmp)# encryption aes 256
cnc1(config-isakmp)# hash sha
cnc1(config-isakmp)# group 5
cnc1(config-isakmp)# lifetime 3600

-------------------------------------------------
-------------------------------------------------
--Configure Pre-Shared Keys
cnc1(config)# crypto isakmp key iwingganteng address 192.168.20.2
-------------------------------------------------
-------------------------------------------------

--Configure the IPsec Transform Set and Lifetimes
cnc1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
cnc1(cfg-crypto-trans)# exit
cnc1(config)#

cnc1(config)# crypto ipsec security-association lifetime seconds 1800
-------------------------------------------------
-------------------------------------------------
--Define Interesting Traffic
cnc1(config)# access-list 101 permit ip host 10.10.10.1 host 10.10.10.3
-------------------------------------------------
-------------------------------------------------
--Create and Apply Crypto Maps
cnc1(config)# crypto map iwingmap 10 ipsec-isakmp
cnc1(config-crypto-map)# match address 101
cnc1(config-crypto-map)# set peer 192.168.20.2
cnc1(config-crypto-map)# set pfs group5
cnc1(config-crypto-map)# set transform-set 50
cnc1(config-crypto-map)# set security-association lifetime seconds 900
-------------------------------------------------
-------------------------------------------------
--Applying the maps to interfaces
cnc1(config)# interface fastethernet0/0
cnc1(config-if)# crypto map iwingmap

------------------cnc1--------------------------

------------------cnc3--------------------------
--Create IKE Policies
cnc3(config)# crypto isakmp enable

cnc3(config)# crypto isakmp policy 10
cnc3(config-isakmp)# authentication pre-share
cnc3(config-isakmp)# encryption aes 256
cnc3(config-isakmp)# hash sha
cnc3(config-isakmp)# group 5
cnc3(config-isakmp)# lifetime 3600
-------------------------------------------------
-------------------------------------------------
--Configure Pre-Shared Keys
cnc3(config)# crypto isakmp key iwingganteng address 192.168.10.65
-------------------------------------------------
-------------------------------------------------
--Configure the IPsec Transform Set and Lifetimes
cnc3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
cnc3(cfg-crypto-trans)# exit
cnc3(config)#

cnc3(config)# crypto ipsec security-association lifetime seconds 1800
-------------------------------------------------
-------------------------------------------------
--Define Interesting Traffic
cnc3(config)# access-list 101 permit ip host 10.10.10.3 host 10.10.10.1
-------------------------------------------------
-------------------------------------------------
--Create and Apply Crypto Maps
cnc3(config)# crypto map iwingmap 10 ipsec-isakmp
cnc3(config-crypto-map)# match address 101
cnc3(config-crypto-map)# set peer 192.168.10.65
cnc3(config-crypto-map)# set pfs group5
cnc3(config-crypto-map)# set transform-set 50
cnc3(config-crypto-map)# set security-association lifetime seconds 900
-------------------------------------------------
-------------------------------------------------

--Applying the maps to interfaces
cnc3(config)# interface FastEthernet0/1
cnc3(config-if)# crypto map iwingmap

-------------------cnc3--------------------------
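As an added example (not part of the original post), the following Python audit parses the crypto sections of both routers' configurations above and checks that the two ends mirror each other before the tunnel is ever brought up. The config excerpts are constructed from the page's own values; which ciphers and DH groups count as weak is an assumption of this example.

```python
import re

# Constructed excerpts of the crypto sections of the cnc1 and cnc3 running
# configurations on this page; only the fields the two ends must agree on are kept.
CNC1 = """crypto isakmp key iwingganteng address 192.168.20.2
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map iwingmap 10 ipsec-isakmp
 set peer 192.168.20.2
 set transform-set 50
 set pfs group5
 match address 101
access-list 101 permit ip host 10.10.10.1 host 10.10.10.3"""
CNC3 = """crypto isakmp key iwingganteng address 192.168.10.65
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map iwingmap 10 ipsec-isakmp
 set peer 192.168.10.65
 set transform-set 50
 set pfs group5
 match address 101
access-list 101 permit ip host 10.10.10.3 host 10.10.10.1"""

def _one(pattern, cfg):
    return re.search(pattern, cfg, re.M).group(1)

def parse(cfg):
    """Extract the tunnel parameters from one router's crypto configuration."""
    psk, psk_addr = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg).groups()
    ts_name = _one(r"^\s*set transform-set (\S+)", cfg)
    ts = _one(r"^crypto ipsec transform-set %s (.*)$" % re.escape(ts_name), cfg)
    acl = _one(r"^\s*match address (\S+)", cfg)
    src, dst = re.search(r"^access-list %s permit ip host (\S+) host (\S+)" % acl,
                         cfg, re.M).groups()
    return {
        "psk": psk, "psk_addr": psk_addr,
        "peer": _one(r"^\s*set peer (\S+)", cfg),
        "pfs": _one(r"^\s*set pfs (\S+)", cfg),
        # "esp-aes 256" is one transform plus its key size; glue it into a single token
        "transforms": frozenset(ts.replace("esp-aes 256", "esp-aes-256").split()),
        "acl": (src, dst),
    }

def audit(a, b):
    """Findings for a peer pair; an empty list means the two sides mirror each other."""
    findings = []
    for name, side in (("a", a), ("b", b)):
        if side["peer"] != side["psk_addr"]:
            findings.append(f"{name}: set peer {side['peer']} has no isakmp key for that address")
        weak = side["pfs"] in ("group1", "group2") or \
            any(w in t for t in side["transforms"] for w in ("des", "md5"))
        if weak:
            findings.append(f"{name}: weak cipher, hash or DH group in use")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        findings.append("transform sets differ")
    if a["pfs"] != b["pfs"]:
        findings.append("pfs groups differ")
    if a["acl"] != b["acl"][::-1]:   # interesting traffic must be the mirror image
        findings.append("interesting-traffic ACLs are not mirror images")
    return findings
```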
-------------------------------------------------
How to check:
-------------------------------------------------
cnc1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
 encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
 hash algorithm:         Secure Hash Standard
 authentication method:  Pre-Shared Key
 Diffie-Hellman group:   #5 (1536 bit)
 lifetime:               3600 seconds, no volume limit
Default protection suite
 encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
 hash algorithm:         Secure Hash Standard
 authentication method:  Rivest-Shamir-Adleman Signature
 Diffie-Hellman group:   #1 (768 bit)
 lifetime:               86400 seconds, no volume limit
-------------------------------------------------
-------------------------------------------------
cnc1#show crypto ipsec transform-set
Transform set 50: { ah-sha-hmac  }
 will negotiate = { Tunnel,  },
 { esp-256-aes esp-sha-hmac  }
 will negotiate = { Tunnel,  },
-------------------------------------------------
-------------------------------------------------

cnc1#show crypto map
Crypto Map "iwingmap" 10 ipsec-isakmp
 Peer = 192.168.20.2
 Extended IP access list 101
 access-list 101 permit ip host 10.10.10.1 host 10.10.10.3
 Current peer: 192.168.20.2
 Security association lifetime: 4608000 kilobytes/900 seconds
 PFS (Y/N): Y
 DH group:  group5
 Transform sets={
 50,
 }
 Interfaces using crypto map iwingmap:
 FastEthernet0/0

cnc1#
-------------------------------------------------
-------------------------------------------------
cnc1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.20.2    192.168.10.65   QM_IDLE              1    0 ACTIVE
-------------------------------------------------
-------------------------------------------------
cnc1#
cnc1#show crypto ipsec sa

interface: FastEthernet0/0
 Crypto map tag: iwingmap, local addr 192.168.10.65

 protected vrf: (none)
 local  ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
 remote ident (addr/mask/prot/port): (10.10.10.3/255.255.255.255/0/0)
 current_peer 192.168.20.2 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 293, #pkts encrypt: 293, #pkts digest: 293
 #pkts decaps: 1492, #pkts decrypt: 1492, #pkts verify: 1492
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 1, #recv errors 0

 local crypto endpt.: 192.168.10.65, remote crypto endpt.: 192.168.20.2
 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
 current outbound spi: 0x12C59DEE(314940910)

 inbound esp sas:
 spi: 0x376827BF(929572799)
 transform: esp-256-aes esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 3003, flow_id: NETGX:3, crypto map: iwingmap
 sa timing: remaining key lifetime (k/sec): (4600421/613)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE

 inbound ah sas:
 spi: 0xCEC9199A(3469285786)
 transform: ah-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 3003, flow_id: NETGX:3, crypto map: iwingmap
 sa timing: remaining key lifetime (k/sec): (4600421/612)
 replay detection support: Y
 Status: ACTIVE

 inbound pcp sas:

 outbound esp sas:
 spi: 0x12C59DEE(314940910)
 transform: esp-256-aes esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 3004, flow_id: NETGX:4, crypto map: iwingmap
 sa timing: remaining key lifetime (k/sec): (4600565/612)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE

 outbound ah sas:
 spi: 0x1BF8DB4A(469293898)
 transform: ah-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 3004, flow_id: NETGX:4, crypto map: iwingmap
 sa timing: remaining key lifetime (k/sec): (4600565/612)
 replay detection support: Y
 Status: ACTIVE

 outbound pcp sas:
cnc1#
-------------------------------------------------
-------------------------------------------------

cnc3#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
 encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
 hash algorithm:         Secure Hash Standard
 authentication method:  Pre-Shared Key
 Diffie-Hellman group:   #5 (1536 bit)
 lifetime:               3600 seconds, no volume limit
Default protection suite
 encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
 hash algorithm:         Secure Hash Standard
 authentication method:  Rivest-Shamir-Adleman Signature
 Diffie-Hellman group:   #1 (768 bit)
 lifetime:               86400 seconds, no volume limit
-------------------------------------------------
-------------------------------------------------
cnc3#show crypto ipsec transform-set
Transform set 50: { ah-sha-hmac  }
 will negotiate = { Tunnel,  },
 { esp-256-aes esp-sha-hmac  }
 will negotiate = { Tunnel,  },
-------------------------------------------------
-------------------------------------------------
cnc3#show crypto map
Crypto Map "iwingmap" 10 ipsec-isakmp
 Peer = 192.168.10.65
 Extended IP access list 101
 access-list 101 permit ip host 10.10.10.3 host 10.10.10.1
 Current peer: 192.168.10.65
 Security association lifetime: 4608000 kilobytes/900 seconds
 PFS (Y/N): Y
 DH group:  group5
 Transform sets={
 50,
 }
 Interfaces using crypto map iwingmap:
 FastEthernet0/1

cnc3#
-------------------------------------------------
-------------------------------------------------

cnc3#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.20.2    192.168.10.65   QM_IDLE              1    0 ACTIVE

cnc3#
-------------------------------------------------
-------------------------------------------------
cnc3#show crypto ipsec sa

interface: FastEthernet0/1
 Crypto map tag: iwingmap, local addr 192.168.20.2

 protected vrf: (none)
 local  ident (addr/mask/prot/port): (10.10.10.3/255.255.255.255/0/0)
 remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
 current_peer 192.168.10.65 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 1477, #pkts encrypt: 1477, #pkts digest: 1477
 #pkts decaps: 275, #pkts decrypt: 275, #pkts verify: 275
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 10, #recv errors 0

 local crypto endpt.: 192.168.20.2, remote crypto endpt.: 192.168.10.65
 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
 current outbound spi: 0x376827BF(929572799)

 inbound esp sas:
 spi: 0x12C59DEE(314940910)
 transform: esp-256-aes esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 3003, flow_id: NETGX:3, crypto map: iwingmap
 sa timing: remaining key lifetime (k/sec): (4600407/661)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE

 inbound ah sas:
 spi: 0x1BF8DB4A(469293898)
 transform: ah-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 3003, flow_id: NETGX:3, crypto map: iwingmap
 sa timing: remaining key lifetime (k/sec): (4600407/659)
 replay detection support: Y
 Status: ACTIVE

 inbound pcp sas:

 outbound esp sas:
 spi: 0x376827BF(929572799)
 transform: esp-256-aes esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 3004, flow_id: NETGX:4, crypto map: iwingmap
 sa timing: remaining key lifetime (k/sec): (4600263/659)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE

 outbound ah sas:
 spi: 0xCEC9199A(3469285786)
 transform: ah-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 3004, flow_id: NETGX:4, crypto map: iwingmap
 sa timing: remaining key lifetime (k/sec): (4600263/658)
 replay detection support: Y
 Status: ACTIVE

 outbound pcp sas:
cnc3#
-------------------------------------------------
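An added example, not from the original post: a Python check over constructed, abbreviated excerpts of the two `show crypto ipsec sa` outputs above, verifying that every ESP and AH SA is ACTIVE and that each router's inbound SPI is the peer's outbound SPI (the page's SPI values are used as the sample input).

```python
import re

# Constructed, abbreviated excerpts of the "show crypto ipsec sa" outputs on this page
# (cnc1 and cnc3); only the SA headers, SPIs and status lines are kept.
CNC1_SA = """ inbound esp sas:
  spi: 0x376827BF(929572799)
  Status: ACTIVE
 inbound ah sas:
  spi: 0xCEC9199A(3469285786)
  Status: ACTIVE
 outbound esp sas:
  spi: 0x12C59DEE(314940910)
  Status: ACTIVE
 outbound ah sas:
  spi: 0x1BF8DB4A(469293898)
  Status: ACTIVE"""
CNC3_SA = """ inbound esp sas:
  spi: 0x12C59DEE(314940910)
  Status: ACTIVE
 inbound ah sas:
  spi: 0x1BF8DB4A(469293898)
  Status: ACTIVE
 outbound esp sas:
  spi: 0x376827BF(929572799)
  Status: ACTIVE
 outbound ah sas:
  spi: 0xCEC9199A(3469285786)
  Status: ACTIVE"""

def parse_sas(text):
    """Map (direction, protocol) -> {'spi': int, 'status': str} from the output."""
    sas, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(inbound|outbound) (esp|ah|pcp) sas:", line)
        if m:
            cur = (m.group(1), m.group(2))
            continue
        m = re.match(r"\s*spi: (0x[0-9A-Fa-f]+)", line)
        if m and cur:
            sas[cur] = {"spi": int(m.group(1), 16), "status": None}
        m = re.match(r"\s*Status: (\S+)", line)
        if m and cur in sas:
            sas[cur]["status"] = m.group(1)
    return sas

def check_tunnel(a, b):
    """Findings for a peer pair: every ESP and AH SA ACTIVE, SPIs cross-matching."""
    findings = []
    for proto in ("esp", "ah"):
        for name, side in (("a", a), ("b", b)):
            for d in ("inbound", "outbound"):
                sa = side.get((d, proto))
                if sa is None or sa["status"] != "ACTIVE":
                    findings.append(f"{name}: {d} {proto} SA missing or not ACTIVE")
        # An SPI names one unidirectional SA, so a's inbound SPI must be b's outbound SPI
        for x, y, xn in ((a, b, "a"), (b, a, "b")):
            if x.get(("inbound", proto), {}).get("spi") != y.get(("outbound", proto), {}).get("spi"):
                findings.append(f"{xn}: inbound {proto} SPI does not match peer's outbound SPI")
    return findings
```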

-------------------------------------------------
Full configuration:

cnc1#sh run
Building configuration...

Current configuration : 3250 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cnc1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$74ea$OP8QNxsjNbZ0YxcV6Giow1
!
no aaa new-model
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint TP-self-signed-736434198
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-736434198
 revocation-check none
 rsakeypair TP-self-signed-736434198
!
crypto pki certificate chain TP-self-signed-736434198
 certificate self-signed 01
 quit
username xxxx privilege 15 password 0 xxxx
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key iwingganteng address 192.168.20.2
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map iwingmap 10 ipsec-isakmp
 set peer 192.168.20.2
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.10.65 255.255.255.252
 duplex auto
 speed auto
 crypto map iwingmap
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.1 0.0.0.0 area 0
 network 192.168.10.64 0.0.0.3 area 0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 101 remark SDM_ACL Category=16
access-list 101 permit ip host 10.10.10.1 host 10.10.10.3
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

cnc1#

-------------------------------------------------
-------------------------------------------------

cnc3#sh run
Building configuration...

Current configuration : 3445 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cnc3
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$mDFU$jbR/xsINnUt7kUTsfNv7F.
!
no aaa new-model
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint TP-self-signed-1322511713
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1322511713
 revocation-check none
 rsakeypair TP-self-signed-1322511713
!
crypto pki certificate chain TP-self-signed-1322511713
 certificate self-signed 01
 quit
username xxxx privilege 15 password 0 xxxx
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key iwingganteng address 192.168.10.65
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map iwingmap 10 ipsec-isakmp
 set peer 192.168.10.65
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 10.10.10.3 255.255.255.0
!
interface Loopback1
 ip address 192.168.30.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.50.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.20.2 255.255.255.0
 duplex auto
 speed auto
 crypto map iwingmap
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.3 0.0.0.0 area 0
 network 192.168.20.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 101 remark SDM_ACL Category=16
access-list 101 permit ip host 10.10.10.3 host 10.10.10.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

cnc3#

"------------That's all for now, hope it's useful------------------"

ref:
CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 3-5