Lab. 14 IPsec tunnel mode
IPsec is a protocol suite used to secure datagram transmission across a TCP/IP internetwork. It defines standards for encrypting data and protecting its integrity (and authenticating its origin) at the Internet layer, the second layer of the DARPA reference model. In tunnel mode, which this lab uses, the whole original IP packet is encrypted and wrapped in a new IP header between the two gateways (here R2 and R3), so the inner addresses 2.2.2.2 and 3.3.3.3 never travel in the clear between them.
First, remove the tunnel interfaces and the EIGRP process left over from the previous lab on R2 and R3, so that the traffic between 2.2.2.2 and 3.3.3.3 is routed and protected only by the IPsec configuration below:
R2
R2(config)#no router eigrp 23
R2(config)#no interface tunnel23
R3
R3(config)#no interface tunnel32
R3(config)#no router eigrp 23
Configure ISAKMP (IKE phase 1) and IPsec (phase 2). The phase-1 policy below uses AES-128, SHA-1, DH group 2 (1024-bit MODP) and a pre-shared key; group 2 and SHA-1 are fine for a lab but are below current recommendations (group 14 or higher, SHA-256). `key 0` means the pre-shared key is entered, and stored, in clear text. The crypto ACL (100) selects the traffic that goes into the tunnel, so the ACLs on the two routers must be mirror images of each other.
R2
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#crypto isakmp key 0 IDNJOS address 13.13.13.3
R2(config)#crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
R2(config)#crypto map ROSLIANA12A 10 ipsec-isakmp
R2(config-crypto-map)#set peer 13.13.13.3
R2(config-crypto-map)#set transform-set ROSLIANA
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#access-list 100 permit ip host 2.2.2.2 host 3.3.3.3
R3
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#crypto isakmp key 0 IDNJOS address 12.12.12.2
R3(config)#crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#crypto map ROSLIANA12A 10 ipsec-isakmp
R3(config-crypto-map)#set peer 12.12.12.2
R3(config-crypto-map)#set transform-set ROSLIANA
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#access-list 100 permit ip host 3.3.3.3 host 2.2.2.2
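The two sides of a crypto-map tunnel have to agree exactly: same pre-shared key, same transform-set proposals, mirrored crypto ACLs, and the name applied on the interface must be a crypto map that was actually defined. The script below is an added example written for this page, not part of the lab; it parses the relevant running-config lines of both peers and reports mismatches. The sample configs are constructed from the R2 and R3 commands above, written in running-config form, and R2's first version applies `crypto map IDNSCHOOL` on fa0/0 to show how that kind of slip is caught. The function and variable names are the example's own, and it assumes the lowest-sequence entry of the applied crypto map is the one in use.

```python
import re

def parse_crypto_config(cfg: str) -> dict:
    """Extract what two IPsec peers must agree on from an IOS running-config:
    PSKs by peer address, transform sets, crypto-map entries, crypto ACLs and
    the crypto map applied to each interface (the isakmp policy is ignored)."""
    d = {"psk": {}, "tsets": {}, "maps": {}, "acls": {}, "ifaces": {}}
    ctx = None                                    # current sub-mode, if any
    for raw in cfg.splitlines():
        s = raw.strip()
        if not s:
            continue
        if not raw.startswith(" "):               # global-config line
            ctx = None
            if m := re.match(r"crypto isakmp key (?:\d+ )?(\S+) address (\S+)", s):
                d["psk"][m[2]] = m[1]
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", s):
                d["tsets"][m[1]] = m[2].split()
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", s):
                ctx = ("map", m[1], int(m[2]))
                d["maps"].setdefault(m[1], {})[int(m[2])] = {}
            elif m := re.match(r"access-list (\d+) permit (.+)", s):
                d["acls"].setdefault(m[1], []).append(m[2].split())
            elif m := re.match(r"interface (\S+)", s):
                ctx = ("iface", m[1])
        elif ctx and ctx[0] == "map":             # inside "crypto map NAME SEQ"
            for key, pat in (("peer", r"set peer (\S+)"), ("tset", r"set transform-set (\S+)"),
                             ("acl", r"match address (\S+)"), ("pfs", r"set pfs (\S+)")):
                if m := re.match(pat, s):
                    d["maps"][ctx[1]][ctx[2]][key] = m[1]
        elif ctx and ctx[0] == "iface":           # inside "interface X"
            if m := re.match(r"crypto map (\S+)$", s):
                d["ifaces"][ctx[1]] = m[1]
    return d

def mirrored(ace_a, ace_b):
    """True when ace_b is ace_a with source and destination swapped
    ('ip host A host B' vs 'ip host B host A'; 'any' and 'A WILDCARD' also handled)."""
    def split(t):                                 # -> (proto, src, dst)
        take = lambda x: (tuple(x[:1]), x[1:]) if x[0] == "any" else (tuple(x[:2]), x[2:])
        src, rest = take(t[1:])
        return t[0], src, take(rest)[0]
    pa, sa, da = split(ace_a)
    pb, sb, db = split(ace_b)
    return pa == pb and sa == db and da == sb

def check_peers(cfg_a, cfg_b, name_a="A", name_b="B"):
    """Lint each side, then cross-check the pair; empty 'errors' means consistent."""
    errors, warnings, active = [], [], {}
    parsed = {name_a: parse_crypto_config(cfg_a), name_b: parse_crypto_config(cfg_b)}
    for side, d in parsed.items():
        for iface, mname in d["ifaces"].items():
            if mname in d["maps"]:                # assumption: lowest sequence is the one used
                active[side] = d["maps"][mname][min(d["maps"][mname])]
            else:
                errors.append(f"{side}: {iface} applies crypto map {mname}, which is not defined")
        if side not in active:
            continue
        e = active[side]
        if e.get("tset") not in d["tsets"]:
            errors.append(f"{side}: transform-set {e.get('tset')} is not defined")
        if e.get("acl") not in d["acls"]:
            errors.append(f"{side}: crypto ACL {e.get('acl')} is not defined")
        if e.get("peer") not in d["psk"]:
            errors.append(f"{side}: no pre-shared key configured for peer {e.get('peer')}")
        if "pfs" not in e:
            warnings.append(f"{side}: no 'set pfs' in the crypto map, so phase-2 keys have no forward secrecy")
    if len(active) == 2:                          # both sides usable: cross-check them
        a, b = parsed[name_a], parsed[name_b]
        ea, eb = active[name_a], active[name_b]
        if a["psk"].get(ea.get("peer")) != b["psk"].get(eb.get("peer")):
            errors.append("pre-shared keys differ between the peers")
        if a["tsets"].get(ea.get("tset")) != b["tsets"].get(eb.get("tset")):
            errors.append("transform-set proposals differ between the peers")
        for ace in a["acls"].get(ea.get("acl"), []):
            if not any(mirrored(ace, x) for x in b["acls"].get(eb.get("acl"), [])):
                errors.append(f"{name_a} ACE '{' '.join(ace)}' has no mirror image on {name_b}")
    return {"errors": errors, "warnings": warnings}

# Constructed sample: the R2 commands from this lab as they would appear in a
# running-config, first with "crypto map IDNSCHOOL" on fa0/0 although the map
# defined is ROSLIANA12A, then corrected. R3 is R2 with addresses swapped.
R2_AS_TYPED = """\
crypto isakmp key IDNJOS address 13.13.13.3
crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
crypto map ROSLIANA12A 10 ipsec-isakmp
 set peer 13.13.13.3
 set transform-set ROSLIANA
 match address 100
interface FastEthernet0/0
 crypto map IDNSCHOOL
access-list 100 permit ip host 2.2.2.2 host 3.3.3.3
"""
R2_FIXED = R2_AS_TYPED.replace("crypto map IDNSCHOOL", "crypto map ROSLIANA12A")
R3 = (R2_FIXED.replace("13.13.13.3", "12.12.12.2")
              .replace("host 2.2.2.2 host 3.3.3.3", "host 3.3.3.3 host 2.2.2.2"))

if __name__ == "__main__":
    print(check_peers(R2_AS_TYPED, R3, "R2", "R3"), check_peers(R2_FIXED, R3, "R2", "R3"), sep="\n")
```

Run against the as-typed R2 the only error is the undefined crypto map on fa0/0; with the corrected line there are no errors, and both routers get the same warning because neither crypto map sets PFS.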
Now we install the static routes and apply the crypto map on R2 and R3. The name given on the interface must be the crypto map defined above, ROSLIANA12A; a map name that was never defined protects nothing, and the `show crypto ipsec sa` output further down confirms the tag ROSLIANA12A on the interface.
R2
R2(config)#ip route 3.3.3.3 255.255.255.255 13.13.13.3
R2(config)#int fa0/0
R2(config-if)#crypto map ROSLIANA12A
R3
R3(config)#ip route 2.2.2.2 255.255.255.255 12.12.12.2
R3(config)#int fa0/0
R3(config-if)#crypto map ROSLIANA12A
Next, confirm that the session is up. `show crypto session` summarizes both phases: the IKE SA (phase 1) and the IPsec flow it protects (phase 2); the 2 active SAs are the inbound and outbound ESP SAs for that flow.
R2
R2(config)#do show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 13.13.13.3 port 500
IKE SA: local 12.12.12.2/500 remote 13.13.13.3/500 Active
IPSEC FLOW: permit ip host 2.2.2.2 host 3.3.3.3
Active SAs: 2, origin: crypto map
R3
R3#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 12.12.12.2 port 500
IKE SA: local 13.13.13.3/500 remote 12.12.12.2/500 Active
IPSEC FLOW: permit ip host 3.3.3.3 host 2.2.2.2
Active SAs: 2, origin: crypto map
For the phase-2 details look at `show crypto ipsec sa` on R3. Things to read from the output: the crypto map tag and the local/remote identities taken from ACL 100; one inbound and one outbound ESP SA, each in tunnel mode with the esp-aes esp-sha-hmac transform and replay detection on; and the encaps/decaps counters, which should both increase when traffic flows in both directions. PFS is N because no `set pfs` was configured in the crypto map, so a compromise of the IKE keying material could expose later phase-2 keys; `set pfs` in the crypto map enables it. The 5 send errors are typically packets dropped before the SA had come up.
R3
R3#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: ROSLIANA12A, local addr 13.13.13.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 12.12.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 13.13.13.3, remote crypto endpt.: 12.12.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x7CAFE9D5(2091903445)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map:
ROSLIANA12A
sa timing: remaining key lifetime (k/sec): (4593143/1916)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4F0F0D33(1326386483)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map:
ROSLIANA12A
sa timing: remaining key lifetime (k/sec): (4593141/1916)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
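The following is an added example, not part of the lab: a parser for `show crypto ipsec sa` output that checks what a practitioner looks for above (an ACTIVE ESP SA in each direction, the expected crypto map, peer, transform and tunnel mode, replay detection on, and counters that show traffic in both directions) and reports PFS and send errors as notes. The sample input is R3's output from this page, pasted into the script; `parse_ipsec_sa` and `verify_tunnel` are the example's own names.

```python
import re

# Sample input: the `show crypto ipsec sa` output R3 printed in this lab, copied
# from the page above (not captured live by this script).
R3_SHOW_SA = """\
interface: FastEthernet0/0
    Crypto map tag: ROSLIANA12A, local addr 13.13.13.3
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 12.12.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 5, #recv errors 0
     local crypto endpt.: 13.13.13.3, remote crypto endpt.: 12.12.12.2
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x7CAFE9D5(2091903445)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x4F0F0D33(1326386483)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
"""

def parse_ipsec_sa(text: str) -> dict:
    """Parse the fields of `show crypto ipsec sa` that matter for verification."""
    info = {"sas": {}}
    section = None                                   # e.g. "inbound esp"
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"Crypto map tag: (\S+), local addr (\S+)", s):
            info["map"], info["local"] = m[1], m[2]
        elif m := re.match(r"current_peer (\S+) port", s):
            info["peer"] = m[1]
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            info[m[1]] = int(m[2])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            info["send_errors"], info["recv_errors"] = int(m[1]), int(m[2])
        elif m := re.match(r"PFS \(Y/N\): (\w)", s):
            info["pfs"] = m[1] == "Y"
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            section = f"{m[1]} {m[2]}"
            info["sas"][section] = []
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            info["sas"][section].append({"spi": m[1]})
        elif section and info["sas"][section]:          # attributes of the last SPI
            sa = info["sas"][section][-1]
            if m := re.match(r"transform: (.+)", s):
                sa["transform"] = m[1].strip(" ,").split()
            elif m := re.match(r"in use settings =\{(\w+)", s):
                sa["mode"] = m[1]
            elif m := re.match(r"replay detection support: (\w)", s):
                sa["replay"] = m[1] == "Y"
            elif m := re.match(r"Status: (\w+)", s):
                sa["status"] = m[1]
    return info

def verify_tunnel(text, expected_map, expected_peer, expected_transform):
    """Return {'ok', 'problems', 'notes', 'info'}; 'problems' is empty for a healthy
    tunnel-mode ESP SA pair, 'notes' lists things worth knowing that are not faults."""
    info, problems, notes = parse_ipsec_sa(text), [], []
    if info.get("map") != expected_map:
        problems.append(f"crypto map tag is {info.get('map')}, expected {expected_map}")
    if info.get("peer") != expected_peer:
        problems.append(f"peer is {info.get('peer')}, expected {expected_peer}")
    for direction in ("inbound esp", "outbound esp"):
        active = [sa for sa in info["sas"].get(direction, []) if sa.get("status") == "ACTIVE"]
        if not active:
            problems.append(f"no ACTIVE {direction} SA (phase 2 never completed?)")
        for sa in active:
            if sa.get("transform") != expected_transform:
                problems.append(f"{direction} {sa['spi']} uses {sa.get('transform')}")
            if sa.get("mode") != "Tunnel":
                problems.append(f"{direction} {sa['spi']} is not in tunnel mode")
            if not sa.get("replay"):
                problems.append(f"{direction} {sa['spi']} has replay detection off")
    if info.get("encaps", 0) and not info.get("decaps", 0):
        problems.append("packets are encapsulated but none decapsulated: one-way tunnel, "
                        "check the peer's crypto ACL and the route back")
    if not info.get("pfs"):
        notes.append("PFS is off (no 'set pfs' in the crypto map)")
    if info.get("send_errors"):
        notes.append(f"{info['send_errors']} send errors, commonly packets dropped "
                     "while the SA was still being negotiated")
    return {"ok": not problems, "problems": problems, "notes": notes, "info": info}

if __name__ == "__main__":
    result = verify_tunnel(R3_SHOW_SA, "ROSLIANA12A", "12.12.12.2", ["esp-aes", "esp-sha-hmac"])
    print("OK" if result["ok"] else "PROBLEMS", result["problems"], result["notes"])
```

On the lab output this reports no problems and two notes (PFS off, 5 send errors); zeroing the decaps counter turns it into a one-way-tunnel problem, which is the usual symptom of a crypto ACL or return route that is wrong on the other side.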
Check with a ping. The source must be 2.2.2.2 so that the packets match ACL 100 and go through the tunnel; a ping sourced from the fa0/0 address would still be routed, but sent in the clear.
R2
R2(config)#do ping 3.3.3.3 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/62/52 ms