IPSec: ESP Tunnel on Ubuntu for IPv6

From OnnoWiki

IPv6 Encryption: Example IPsec Tunnel Using racoon

This page gives an example of building an IPsec tunnel with racoon between two Linux gateways running Ubuntu 14.04.

Gateway A: IPv6 2001:470:19:b37::100/64	VPN Network: 2002::/64
Gateway B: IPv6 2001:470:19:b37::101/64	VPN Network: 2003::/64

Kernel IP Forwarding

On Gateway A and Gateway B, kernel IP forwarding must be enabled:

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Installing racoon and ipsec-tools

On Gateway A and Gateway B, install the packages:

# apt-get update
# apt-get install racoon ipsec-tools 

When asked "Configuration mode for racoon IKE daemon:", answer "direct".

racoon Configuration

Gateway A Configuration

Gateway A: /etc/racoon/racoon.conf

log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2001:470:19:b37::101 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2002::/64 any address 2003::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
} 

Gateway A: /etc/racoon/psk.txt

2001:470:19:b37::101 a9993e364706816aba3e 

Gateway B Configuration

Gateway B: /etc/racoon/racoon.conf

log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2001:470:19:b37::100 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2003::/64 any address 2002::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
} 

Gateway B: /etc/racoon/psk.txt

2001:470:19:b37::100  a9993e364706816aba3e 

Security Policies

Gateway A Configuration

Gateway A: /etc/ipsec-tools.conf

flush; 
spdflush; 

spdadd 2002::/64 2003::/64 any -P out ipsec 
           esp/tunnel/2001:470:19:b37::100-2001:470:19:b37::101/require; 
spdadd 2003::/64 2002::/64 any -P in ipsec 
           esp/tunnel/2001:470:19:b37::101-2001:470:19:b37::100/require; 

Gateway B Configuration

Gateway B: /etc/ipsec-tools.conf

flush; 
spdflush;  

spdadd 2003::/64 2002::/64 any -P out ipsec 
           esp/tunnel/2001:470:19:b37::101-2001:470:19:b37::100/require;
spdadd 2002::/64 2003::/64 any -P in ipsec 
           esp/tunnel/2001:470:19:b37::100-2001:470:19:b37::101/require; 
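The two policy files above are exact mirrors of each other: Gateway B's file is Gateway A's with every "out" turned into "in" and vice versa, while selectors and tunnel endpoints stay the same. The Python script below is an added example, not part of the original page: it parses the spdadd statements, derives the peer's policy set, and checks that every outbound policy has a matching inbound policy with reversed tunnel endpoints and level "require" (a mismatch here is a common cause of the timeouts mentioned later). The sample text is Gateway A's file from this page.

```python
import re
import ipaddress

# Constructed sample: Gateway A's /etc/ipsec-tools.conf as shown on this page.
SPD_GATEWAY_A = """\
flush;
spdflush;

spdadd 2002::/64 2003::/64 any -P out ipsec
           esp/tunnel/2001:470:19:b37::100-2001:470:19:b37::101/require;
spdadd 2003::/64 2002::/64 any -P in ipsec
           esp/tunnel/2001:470:19:b37::101-2001:470:19:b37::100/require;
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([0-9a-fA-F:.]+)-([0-9a-fA-F:.]+)/(\w+)")

def parse_spd(text):
    """One dict per spdadd statement; a statement may span several lines."""
    policies = []
    for stmt in text.replace("\n", " ").split(";"):
        m = SPDADD_RE.search(stmt)
        if m:
            src, dst, proto, direction, t_src, t_dst, level = m.groups()
            policies.append({"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                             "proto": proto, "dir": direction, "level": level,
                             "tunnel": (ipaddress.ip_address(t_src), ipaddress.ip_address(t_dst))})
    return policies

def mirror_for_peer(policies):
    """The peer gateway needs the same selectors and endpoints with direction flipped:
    A's 'out' policy is B's 'in' policy and vice versa."""
    return [dict(p, dir="in" if p["dir"] == "out" else "out") for p in policies]

def check_consistency(policies):
    """Flag an out policy with no reverse in policy, tunnel endpoints that are not
    reversed, or a level other than 'require' (which would allow plaintext)."""
    problems = []
    for p in policies:
        if p["level"] != "require":
            problems.append(f"{p['src']}->{p['dst']}: level {p['level']} is not require")
        if p["dir"] != "out":
            continue
        rev = [q for q in policies if q["dir"] == "in" and (q["src"], q["dst"]) == (p["dst"], p["src"])]
        if not rev:
            problems.append(f"{p['src']}->{p['dst']}: no matching inbound policy")
        elif rev[0]["tunnel"] != p["tunnel"][::-1]:
            problems.append(f"{p['src']}->{p['dst']}: tunnel endpoints not reversed on inbound")
    return problems
```

Running check_consistency on both the parsed file and its mirror returns an empty list for the configuration on this page.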

Run

On both Gateway A and Gateway B, run the following commands:

/etc/init.d/setkey restart 
/etc/init.d/racoon restart 

You should see:

 * Flushing IPsec SA/SP database:                                 [ OK ]
 * Loading IPsec SA/SP database:                                  [ OK ]
 * Restarting IKE (ISAKMP/Oakley) server racoon                   [ OK ] 

Check /var/log/syslog:

# tail /var/log/syslog

The output will look roughly like this:

Jul  7 07:42:01 server100 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Jul  7 07:42:01 server100 racoon: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)
Jul  7 07:42:01 server100 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"

Make sure there are no errors. If there are timeout errors, restart ipsec and racoon.

On Gateway A, add the routing:

ip -6 addr add 2002::1/64 dev eth0 
ip -6 route add to 2003::/64 via 2002::1 src 2002::1

On Gateway B, add the routing:

ip -6 addr add 2003::1/64 dev eth0 
ip -6 route add to 2002::/64 via 2003::1 src 2003::1

Once the VPN is up, try from Gateway A:

ping6 2003::1

Debugging

If debugging is needed, tcpdump can be used from the Gateway B machine (2001:470:19:b37::101), for example:

#  tcpdump -t -n -i eth0 -vv ip6 host 2001:470:19:b37::100