IPSec: ESP Tunnel on Ubuntu for IPv4
IPsec Encryption: Example IPsec Tunnel Using racoon
This page shows how to build an IPsec (ESP) tunnel with racoon between two Linux gateways running Ubuntu 14.04.
Gateway A: 192.168.0.100/24, VPN network: 10.10.0.0/24
Gateway B: 192.168.0.101/24, VPN network: 10.20.0.0/24
The 192.168.0.x addresses are the outer addresses that carry IKE and ESP between the gateways; the 10.x.0.0/24 networks are the inner networks tunnelled between them.
Kernel IP Forwarding
On both Gateway A and Gateway B, enable kernel IP forwarding:
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Only the IPv4 setting matters for this tunnel; the IPv6 line is harmless. Writes to /proc do not survive a reboot; to make the setting permanent put net.ipv4.ip_forward=1 in /etc/sysctl.conf.
Installing racoon and ipsec-tools
On both Gateway A and Gateway B install:
# apt-get update
# apt-get install racoon ipsec-tools
At the prompt "Configuration mode for racoon IKE daemon:" answer "direct". This tells the Debian package that /etc/racoon/racoon.conf is maintained by hand, as below, rather than generated by racoon-tool.
racoon configuration
Gateway A configuration
Gateway A configuration: /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
# unused with pre-shared keys, but harmless
path certificate "/etc/racoon/certs";

# Phase 1 (IKE SA) with the peer gateway.
# "aggressive" is listed as a fallback; with a pre-shared key, aggressive
# mode sends a hash derived from the key that can be cracked offline, so
# listing "main" alone is safer.
remote 192.168.0.101 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) between the two inner networks. Algorithms are listed
# in order of preference; 3des and hmac_md5 are obsolete choices and
# rijndael (AES) with hmac_sha1 or better should be preferred today.
sainfo address 10.10.0.0/24 any address 10.20.0.0/24 any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
Gateway A configuration: /etc/racoon/psk.txt
192.168.0.101 a9993e364706816aba3e
The file maps the peer's outer address to the shared key and must be readable by root only (chmod 600 /etc/racoon/psk.txt); racoon refuses a key file that is group- or world-readable. The short hex string above is only a placeholder: the PSK is the only thing authenticating the two gateways, so use a long random value (for example the output of openssl rand -hex 32) and put the identical value on Gateway B.
Gateway B configuration
Gateway B configuration: /etc/racoon/racoon.conf (the same as Gateway A with the addresses swapped)
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 192.168.0.100 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 10.20.0.0/24 any address 10.10.0.0/24 any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
Gateway B configuration: /etc/racoon/psk.txt
192.168.0.100 a9993e364706816aba3e
The same key as on Gateway A, this time keyed by Gateway A's outer address; this file must also be mode 0600.
Security Policies
Gateway A configuration
Gateway A configuration: /etc/ipsec-tools.conf
flush;
spdflush;
spdadd 10.10.0.0/24 10.20.0.0/24 any -P out ipsec
        esp/tunnel/192.168.0.100-192.168.0.101/require;
spdadd 10.20.0.0/24 10.10.0.0/24 any -P in ipsec
        esp/tunnel/192.168.0.101-192.168.0.100/require;
The out policy says that traffic from 10.10.0.0/24 to 10.20.0.0/24 must leave inside an ESP tunnel from 192.168.0.100 to 192.168.0.101; the in policy demands the mirror image for arriving traffic. With require, a matching packet that is not protected is dropped rather than passed in the clear, and the first outbound packet that matches a policy without an SA makes the kernel ask racoon to negotiate one.
Gateway B configuration
Gateway B configuration: /etc/ipsec-tools.conf (the mirror image of Gateway A's)
flush;
spdflush;
spdadd 10.20.0.0/24 10.10.0.0/24 any -P out ipsec
        esp/tunnel/192.168.0.101-192.168.0.100/require;
spdadd 10.10.0.0/24 10.20.0.0/24 any -P in ipsec
        esp/tunnel/192.168.0.100-192.168.0.101/require;
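The racoon.conf, psk.txt and ipsec-tools.conf files above have to be exact mirror images on the two gateways, and the page's settings (aggressive mode, 3DES, MD5, a 20-hex-digit key) are weaker than what ipsec-tools 0.8 can do. The script below is an added example, not code from the page: it stages all three files for both gateways from one set of variables, with main mode only, AES-256, SHA-256, DH group 14 and a freshly generated 256-bit key. The addresses, networks and the /etc/racoon/psk.txt path are the page's; the staging layout (a directory given as $1 with gateway-a/ and gateway-b/ underneath) and the algorithm choices are this example's own.

```sh
#!/bin/sh
# Added example, not from the page: stage the racoon.conf, psk.txt and
# ipsec-tools.conf files for both gateways from one set of variables, so the
# two sides cannot drift apart, and with the page's weak choices replaced by
# main mode only, AES-256, SHA-256 and DH group 14 (2048-bit), all of which
# ipsec-tools 0.8 supports. Output goes to a staging directory ($1), not /etc.
set -eu

# Topology from the page: outer (IKE/ESP) addresses and the inner networks.
GW_A=192.168.0.100; NET_A=10.10.0.0/24
GW_B=192.168.0.101; NET_B=10.20.0.0/24

# Fresh 256-bit pre-shared key, hex encoded. The PSK is the only thing that
# authenticates the two gateways, so a short value like the page's is not enough.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# racoon.conf for one side. $1 = peer outer address, $2 = local inner net,
# $3 = peer inner net. Aggressive mode is deliberately absent: with a PSK it
# sends a hash derived from the key that can be cracked offline.
racoon_conf() {
    cat <<EOF
log notify;
path pre_shared_key "/etc/racoon/psk.txt";

remote $1 {
        exchange_mode main;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo address $2 any address $3 any {
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
}
EOF
}

# ipsec-tools.conf (setkey policies) for one side. $1 = local outer,
# $2 = peer outer, $3 = local inner net, $4 = peer inner net. The in policy
# is the mirror of the out policy, and of the peer's out policy.
spd_conf() {
    cat <<EOF
flush;
spdflush;
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# Write the three files for one gateway into $1/$2/. psk.txt is created
# with mode 0600 because racoon refuses a key file that group or others
# can read. Args: OUTDIR NAME LOCAL_OUTER PEER_OUTER LOCAL_NET PEER_NET PSK
write_site() {
    dir=$1/$2
    mkdir -p "$dir"
    racoon_conf "$4" "$5" "$6" > "$dir/racoon.conf"
    spd_conf "$3" "$4" "$5" "$6" > "$dir/ipsec-tools.conf"
    ( umask 077; printf '%s %s\n' "$4" "$7" > "$dir/psk.txt" )
}

# Stage both sides with the same key. $1 = staging directory,
# $2 = PSK (a new one is generated when empty).
generate_all() {
    psk=${2:-$(gen_psk)}
    write_site "$1" gateway-a "$GW_A" "$GW_B" "$NET_A" "$NET_B" "$psk"
    write_site "$1" gateway-b "$GW_B" "$GW_A" "$NET_B" "$NET_A" "$psk"
}

case "${1:-}" in
    "") ;;    # no argument: only define the functions
    *)  generate_all "$1" "${2:-}"
        echo "staged under $1/gateway-a and $1/gateway-b; copy to /etc on each gateway" ;;
esac
```

Run it as sh stage-ipsec.sh /tmp/ipsec-stage, review the output, then copy each directory's racoon.conf and psk.txt to /etc/racoon/ and ipsec-tools.conf to /etc/ipsec-tools.conf on the matching gateway. Passing an existing key as the second argument reuses it instead of generating a new one.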
Run
On both Gateway A and Gateway B run:
/etc/init.d/setkey restart
/etc/init.d/racoon restart
You should see
 * Flushing IPsec SA/SP database: [ OK ]
 * Loading IPsec SA/SP database: [ OK ]
 * Restarting IKE (ISAKMP/Oakley) server racoon [ OK ]
Check /var/log/syslog
# tail /var/log/syslog
The output looks roughly like
Jul 7 07:42:01 server100 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Jul 7 07:42:01 server100 racoon: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)
Jul 7 07:42:01 server100 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Make sure there are no errors. If you see a timeout error, restart setkey and racoon. setkey -DP lists the policies that were loaded; setkey -D lists the ESP SAs, which appear only after the first matching packet has triggered a negotiation.
On Gateway A add the inner address and the route to the remote network
ip addr add 10.10.0.1/24 dev eth0
ip route add to 10.20.0.0/24 via 10.10.0.1 src 10.10.0.1
On Gateway B add the inner address and the route
ip addr add 10.20.0.1/24 dev eth0
ip route add to 10.10.0.0/24 via 10.20.0.1 src 10.20.0.1
The src on the route matters: packets to the far network must carry the local 10.x address, otherwise they do not match the spdadd selectors and are not encapsulated. These ip commands are not persistent either; add them as up lines in /etc/network/interfaces to keep them across reboots.
Once the VPN is up, from Gateway A try:
ping 10.20.0.1
The first replies may be missing while racoon completes the IKE exchange. A reply by itself does not prove encryption: confirm with tcpdump on eth0 (next section) that ESP, and not plaintext ICMP, crosses the wire, and with setkey -D that an SA exists in each direction.
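Checking the kernel's SA database is the quickest way to tell whether the ping above really went through the tunnel. The script below is an added example, not code from the page: it reads setkey -D output and reports whether there is a mature tunnel-mode ESP SA in each direction between the two gateways, and whether any SA was negotiated with one of the obsolete algorithms the page's racoon.conf still offers (3des, md5). The dump embedded in it is constructed for the example (the field layout follows setkey -D; the SPIs and key bytes are made up), and it is used only when no dump file is given on the command line.

```sh
#!/bin/sh
# Added example, not from the page: read `setkey -D` output and report
# whether the tunnel has a mature ESP SA in each direction, and whether any
# SA negotiated one of the obsolete algorithms the page's racoon.conf still
# offers (3des, md5). Usage: setkey -D > sad.txt; sh check-sad.sh sad.txt
set -eu

GW_A=192.168.0.100
GW_B=192.168.0.101

# A `setkey -D` dump constructed for this example: two tunnel-mode ESP SAs,
# one per direction, as racoon installs them. Layout follows setkey; the
# SPIs and key bytes are made up. Used when no file argument is given.
SAMPLE_SAD='192.168.0.100 192.168.0.101
    esp mode=tunnel spi=254391442(0x0f29b492) reqid=0(0x00000000)
    E: 3des-cbc  0f1e2d3c 4b5a6978 8796a5b4 c3d2e1f0 0f1e2d3c 4b5a6978
    A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.0.101 192.168.0.100
    esp mode=tunnel spi=1994840139(0x76e6d84b) reqid=0(0x00000000)
    E: 3des-cbc  f0e1d2c3 b4a59687 78695a4b 3c2d1e0f f0e1d2c3 b4a59687
    A: hmac-sha1  ffeeddcc bbaa9988 77665544 33221100 76543210
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Print the number of mature tunnel-mode ESP SAs from $1 to $2 in the dump
# read from stdin. An unindented "src dst" line opens each SA record.
count_sa() {
    awk -v src="$1" -v dst="$2" '
        /^[0-9]/ { cur = ($1 == src && $2 == dst); esp = 0; next }
        cur && $1 == "esp" && /mode=tunnel/ { esp = 1 }
        cur && esp && /state=mature/ { n++ }
        END { print n + 0 }'
}

# Print, one per line, any encryption or authentication algorithm in the
# dump (stdin) that should no longer be used for a new tunnel.
weak_algos() {
    awk '$1 == "E:" || $1 == "A:" { print $2 }' | sort -u |
        grep -E '^(des-cbc|3des-cbc|blowfish-cbc|hmac-md5)$' || true
}

# Succeed only when the dump on stdin holds a mature SA in both directions
# between outer addresses $1 and $2.
tunnel_up() {
    dump=$(cat)
    n_out=$(printf '%s\n' "$dump" | count_sa "$1" "$2")
    n_in=$(printf '%s\n' "$dump" | count_sa "$2" "$1")
    [ "$n_out" -ge 1 ] && [ "$n_in" -ge 1 ]
}

# Human-readable summary of the dump passed as $1.
report() {
    if printf '%s\n' "$1" | tunnel_up "$GW_A" "$GW_B"; then
        echo "tunnel up: mature ESP SA in both directions"
    else
        echo "tunnel DOWN: an ESP SA is missing; check racoon's syslog lines and setkey -DP"
    fi
    weak=$(printf '%s\n' "$1" | weak_algos)
    [ -z "$weak" ] || echo "weak algorithms negotiated: $weak"
}

case "${1:-}" in
    "") report "$SAMPLE_SAD" ;;     # no argument: demonstrate on the sample
    *)  report "$(cat "$1")" ;;     # argument: a saved `setkey -D` dump
esac
```

On the sample the check reports the tunnel as up but flags 3des-cbc, which is what the page's sainfo negotiates because 3des is listed first; after switching both sides to rijndael (AES) and hmac_sha1 or better, the warning disappears.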
Debugging
From Gateway B (192.168.0.101), tcpdump can be used for debugging when needed, for example:
# tcpdump -t -n -i eth0 -vv host 192.168.0.100
With the tunnel working, the packets between the two gateways show up as ESP with SPIs and nothing readable inside. Narrow the capture with the esp filter to see only tunnel traffic, or udp port 500 to watch the IKE negotiation; if 10.10.0.x or 10.20.0.x addresses appear in the clear on eth0, that traffic did not match a policy.