Difference between revisions of "IPv6 Enkripsi: Contoh IPsec Tunnel Menggunakan racoon"

From OnnoWiki
Jump to navigation Jump to search
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
Pada kesempatan ini akan di berikan contoh untuk membuat Ipsec tunnel menggunakan racoon pada dua gateway Linux berbasis sistem operasi Ubuntu 14.04.
+
Pada kesempatan ini akan di berikan contoh untuk membuat Ipsec tunnel menggunakan racoon pada dua gateway Linux berbasis sistem operasi Ubuntu 18.04.
  
  Gateway A: IPv6 2001:470:19:b37::100/64 VPN Network: 2002::/64
+
  Gateway A: IPv6 2345::100/64 LAN Network: 2002::/64
  Gateway B: IPv6 2001:470:19:b37::101/64 VPN Network: 2003::/64
+
  Gateway B: IPv6 2345::101/64 LAN Network: 2003::/64
  
 +
==Topology Jaringan==
  
 
  LAN A ------- GW A ------------ GW B ----------- LAN B
 
  LAN A ------- GW A ------------ GW B ----------- LAN B
 
  2002::/64    2345::100/64      2345::101/64    2003::/64
 
  2002::/64    2345::100/64      2345::101/64    2003::/64
  
 +
GW A
 +
enp0s3 2345::100/64
 +
enp0s8 2002::1/64
 +
 +
GW B
 +
enp0s3 2345::101/64
 +
enp0s8 2003::1/64
 +
 +
 +
==Konfigurasi interface==
 +
 +
GW A
 +
ip address add 2345::100/64 dev enp0s3
 +
ip address add 2002::1/64 dev enp0s8
 +
 +
GW B
 +
ip address add 2345::101/64 dev enp0s3
 +
ip address add 2003::1/64 dev enp0s8
  
 
==Kernel IP Forwarding==
 
==Kernel IP Forwarding==
Line 15: Line 34:
 
  echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
 
  echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
 
  echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 
  echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 +
 +
atau edit
 +
 +
vi /etc/sysctl.conf
 +
 +
net.ipv6.conf.all.forwarding=1
 +
net.ipv6.conf.default.forwarding=1
 +
net.ipv6.conf.enp0s3.forwarding=1
 +
net.ipv6.conf.enp0s8.forwarding=1
 +
net.ipv6.conf.tun0.forwarding=1
 +
 +
Seharusnya cukup all.forwarding=1 saja. Save dan jalankan di shell
 +
 +
sysctl -p
  
 
==Instalasi racoon dan ipsec-tools==
 
==Instalasi racoon dan ipsec-tools==
Line 20: Line 53:
 
Pada Gateway A dan Gateway B, instalasi:
 
Pada Gateway A dan Gateway B, instalasi:
  
  # apt-get update
+
  apt update
  # apt-get install racoon ipsec-tools  
+
  apt install racoon ipsec-tools  
  
 
Pada pertanyaan “Configuration mode for racoon IKE daemon:” jawab “direct”
 
Pada pertanyaan “Configuration mode for racoon IKE daemon:” jawab “direct”
Line 33: Line 66:
 
  log notify;  
 
  log notify;  
 
  path pre_shared_key "/etc/racoon/psk.txt";  
 
  path pre_shared_key "/etc/racoon/psk.txt";  
  remote 2001:470:19:b37::101 {  
+
  remote 2345::101 {  
 
         exchange_mode main,aggressive;  
 
         exchange_mode main,aggressive;  
 
         proposal {  
 
         proposal {  
Line 53: Line 86:
 
Gateway A Konfigurasi /etc/racoon/psk.txt  
 
Gateway A Konfigurasi /etc/racoon/psk.txt  
  
  2001:470:19:b37::101 a9993e364706816aba3e  
+
  2345::101 a9993e364706816aba3e  
  
 
===Konfigurasi Gateway B===
 
===Konfigurasi Gateway B===
Line 61: Line 94:
 
  log notify;  
 
  log notify;  
 
  path pre_shared_key "/etc/racoon/psk.txt";  
 
  path pre_shared_key "/etc/racoon/psk.txt";  
  remote 2001:470:19:b37::100 {  
+
  remote 2345::100 {  
 
         exchange_mode main,aggressive;  
 
         exchange_mode main,aggressive;  
 
         proposal {  
 
         proposal {  
Line 81: Line 114:
 
Gateway B Konfigurasi /etc/racoon/psk.txt  
 
Gateway B Konfigurasi /etc/racoon/psk.txt  
  
  2001:470:19:b37::100  a9993e364706816aba3e  
+
  2345::100  a9993e364706816aba3e  
  
 
==Security Policies==
 
==Security Policies==
Line 92: Line 125:
 
  spdflush;  
 
  spdflush;  
 
  spdadd 2002::/64 2003::/64 any -P out ipsec  
 
  spdadd 2002::/64 2003::/64 any -P out ipsec  
             esp/tunnel/2001:470:19:b37::100-2001:470:19:b37::101/require;  
+
             esp/tunnel/2345::100-2345::101/require;  
 
  spdadd 2003::/64 2002::/64 any -P in ipsec  
 
  spdadd 2003::/64 2002::/64 any -P in ipsec  
             esp/tunnel/2001:470:19:b37::101-2001:470:19:b37::100/require;  
+
             esp/tunnel/2345::101-2345::100/require;  
  
 
===Konfigurasi Gateway B===
 
===Konfigurasi Gateway B===
Line 103: Line 136:
 
  spdflush;  
 
  spdflush;  
 
  spdadd 2003::/64 2002::/64 any -P out ipsec  
 
  spdadd 2003::/64 2002::/64 any -P out ipsec  
             esp/tunnel/2001:470:19:b37::101-2001:470:19:b37::100/require;
+
             esp/tunnel/2345::101-2345::100/require;
 
  spdadd 2002::/64 2003::/64 any -P in ipsec  
 
  spdadd 2002::/64 2003::/64 any -P in ipsec  
             esp/tunnel/2001:470:19:b37::100-2001:470:19:b37::101/require;  
+
             esp/tunnel/2345::100-2345::101/require;  
  
 
==Run==
 
==Run==
  
Pada Gateway A maupun Gateway B jalankan perintah berikut
+
Di Gateway A dan Gateway B jalankan,
  
 
  /etc/init.d/setkey restart  
 
  /etc/init.d/setkey restart  
Line 116: Line 149:
 
Akan tampak
 
Akan tampak
  
  * Flushing IPsec SA/SP database:                                [ OK ]
+
  [ ok ] Restarting setkey (via systemctl): setkey.service.
  * Loading IPsec SA/SP database:                                  [ OK ]  
+
  [ ok ] Restarting racoon (via systemctl): racoon.service.
* Restarting IKE (ISAKMP/Oakley) server racoon                   [ OK ]
+
 
 
   
 
   
 
===Cek /var/log/syslog===
 
===Cek /var/log/syslog===
  
  # tail /var/log/syslog
+
Jalankan
 +
 
 +
  tail /var/log/syslog
  
 
Akan keluar kira-kira
 
Akan keluar kira-kira
  
  Jul 7 07:42:01 server100 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)  
+
  Feb 19 06:18:34 minimalis setkey[2555]:  * Loading IPsec SA/SP database:
  Jul  7 07:42:01 server100 racoon: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)  
+
Feb 19 06:18:34 minimalis setkey[2555]:    ...done.
  Jul  7 07:42:01 server100 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"  
+
  Feb 19 06:18:34 minimalis systemd[1]: Stopping ipsec key exchange server...
 +
Feb 19 06:18:35 minimalis systemd[1]: Stopped ipsec key exchange server.
 +
Feb 19 06:18:35 minimalis systemd[1]: Starting ipsec key exchange server...
 +
Feb 19 06:18:35 minimalis racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
 +
  Feb 19 06:18:35 minimalis racoon: INFO: @(#)This product linked OpenSSL 1.0.2n  7 Dec 2017 (http://www.openssl.org/)
 +
  Feb 19 06:18:35 minimalis racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 +
Feb 19 06:18:35 minimalis systemd[1]: racoon.service: Can't open PID file /var/run/racoon.pid (yet?) after start: No such file or directory
 +
Feb 19 06:18:35 minimalis systemd[1]: Started ipsec key exchange server.
  
 
Pastikan tidak ada error. Jika ada error timeout, restart ipsec dan racoon.
 
Pastikan tidak ada error. Jika ada error timeout, restart ipsec dan racoon.
 +
 +
==Tambahkan Routing==
  
 
Pada Gateway A tambahkan routing
 
Pada Gateway A tambahkan routing
  
  ip -6 addr add 2002::1/64 dev eth0
+
  ip -6 addr add 2002::1/64 dev enp0s8
  ip -6 route add to 2003::/64 via 2002::1 src 2002::1
+
  ip -6 route add to 2003::/64 dev enp0s3
  
 
Pada Gateway B tambahkan routing
 
Pada Gateway B tambahkan routing
  
  ip -6 addr add 2003::1/64 dev eth0
+
  ip -6 addr add 2003::1/64 dev enp0s8
  ip -6 route add to 2002::/64 via 2003::1 src 2003::1
+
  ip -6 route add to 2002::/64 dev enp0s3
  
 
Setelah VPN tersambung, coba dari Gateway A:
 
Setelah VPN tersambung, coba dari Gateway A:
  
 
  ping6 2003::1
 
  ping6 2003::1
 +
 +
Lakukan penyadapan wireshark antara GW A dan GW B, harusnya packet di enkapsulasi menggunakan ESP.
  
 
==Debugging==
 
==Debugging==
  
Dari mesin  Gateway B 2001:470:19:b37::101 Proses debugging jika dibutuhkan dapat menggunakan tcpdump dengan perintah, misalnya,
+
Sebaiknya simulasi di jalankan menggunakan GNS3.
 +
Proses debugging bisa menggunakan fasilitas untuk sniffing yang built-in di GNS3.
 +
 
 +
Dari mesin  Gateway B 2345::101 Proses debugging jika dibutuhkan dapat menggunakan tcpdump dengan perintah, misalnya,
  
  #  tcpdump -t -n -i eth0 -vv ip6 host 2001:470:19:b37::100
+
  #  tcpdump -t -n -i eth0 -vv ip6 host 2345::100
  
 
atau menggunakan wireshark.
 
atau menggunakan wireshark.

Latest revision as of 04:55, 25 February 2019

Pada kesempatan ini akan di berikan contoh untuk membuat Ipsec tunnel menggunakan racoon pada dua gateway Linux berbasis sistem operasi Ubuntu 18.04. 

Gateway A: IPv6 2345::100/64	LAN Network: 2002::/64
Gateway B: IPv6 2345::101/64	LAN Network: 2003::/64

Topology Jaringan

LAN A ------- GW A ------------ GW B ----------- LAN B
2002::/64     2345::100/64      2345::101/64     2003::/64

GW A 

enp0s3 2345::100/64
enp0s8 2002::1/64

GW B 

enp0s3 2345::101/64
enp0s8 2003::1/64


Konfigurasi interface

GW A 

ip address add 2345::100/64 dev enp0s3
ip address add 2002::1/64 dev enp0s8

GW B 

ip address add 2345::101/64 dev enp0s3
ip address add 2003::1/64 dev enp0s8

Kernel IP Forwarding

Pada Gateway A dan Gateway B, kita perlu mengaktifkan kernel IP forwarding , 

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

atau edit 

vi /etc/sysctl.conf

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.enp0s3.forwarding=1
net.ipv6.conf.enp0s8.forwarding=1
net.ipv6.conf.tun0.forwarding=1

Seharusnya cukup all.forwarding=1 saja. Save dan jalankan di shell 

sysctl -p

Instalasi racoon dan ipsec-tools

Pada Gateway A dan Gateway B, instalasi: 

apt update
apt install racoon ipsec-tools

Pada pertanyaan “Configuration mode for racoon IKE daemon:” jawab “direct”

Konfigurasi racoon

Konfigurasi Gateway A

Gateway A Konfigurasi /etc/racoon/racoon.conf 

log notify; 
path pre_shared_key "/etc/racoon/psk.txt"; 
remote 2345::101 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2002::/64 any address 2003::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
}

Gateway A Konfigurasi /etc/racoon/psk.txt 

2345::101 a9993e364706816aba3e

Konfigurasi Gateway B

Gateway B Konfigurasi /etc/racoon/racoon.conf 

log notify; 
path pre_shared_key "/etc/racoon/psk.txt"; 
remote 2345::100 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2003::/64 any address 2002::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
}

Gateway B Konfigurasi /etc/racoon/psk.txt 

2345::100  a9993e364706816aba3e

Security Policies

Konfigurasi Gateway A

Gateway A Konfigurasi /etc/ipsec-tools.conf 

flush; 
spdflush; 
spdadd 2002::/64 2003::/64 any -P out ipsec 
           esp/tunnel/2345::100-2345::101/require; 
spdadd 2003::/64 2002::/64 any -P in ipsec 
           esp/tunnel/2345::101-2345::100/require;

Konfigurasi Gateway B

Gateway B Konfigurasi /etc/ipsec-tools.conf 

flush; 
spdflush; 
spdadd 2003::/64 2002::/64 any -P out ipsec 
           esp/tunnel/2345::101-2345::100/require;
spdadd 2002::/64 2003::/64 any -P in ipsec 
           esp/tunnel/2345::100-2345::101/require;

Run

Di Gateway A dan Gateway B jalankan, 

/etc/init.d/setkey restart 
/etc/init.d/racoon restart

Akan tampak 

[ ok ] Restarting setkey (via systemctl): setkey.service.
[ ok ] Restarting racoon (via systemctl): racoon.service.


Cek /var/log/syslog

Jalankan 

tail /var/log/syslog

Akan keluar kira-kira 

Feb 19 06:18:34 minimalis setkey[2555]:  * Loading IPsec SA/SP database:
Feb 19 06:18:34 minimalis setkey[2555]:    ...done.
Feb 19 06:18:34 minimalis systemd[1]: Stopping ipsec key exchange server...
Feb 19 06:18:35 minimalis systemd[1]: Stopped ipsec key exchange server.
Feb 19 06:18:35 minimalis systemd[1]: Starting ipsec key exchange server...
Feb 19 06:18:35 minimalis racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
Feb 19 06:18:35 minimalis racoon: INFO: @(#)This product linked OpenSSL 1.0.2n  7 Dec 2017 (http://www.openssl.org/)
Feb 19 06:18:35 minimalis racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Feb 19 06:18:35 minimalis systemd[1]: racoon.service: Can't open PID file /var/run/racoon.pid (yet?) after start: No such file or directory
Feb 19 06:18:35 minimalis systemd[1]: Started ipsec key exchange server.

Pastikan tidak ada error. Jika ada error timeout, restart ipsec dan racoon.

Tambahkan Routing

Pada Gateway A tambahkan routing 

ip -6 addr add 2002::1/64 dev enp0s8
ip -6 route add to 2003::/64 dev enp0s3

Pada Gateway B tambahkan routing 

ip -6 addr add 2003::1/64 dev enp0s8
ip -6 route add to 2002::/64 dev enp0s3

Setelah VPN tersambung, coba dari Gateway A: 

ping6 2003::1

Lakukan penyadapan wireshark antara GW A dan GW B, harusnya packet di enkapsulasi menggunakan ESP.

Debugging

Sebaiknya simulasi di jalankan menggunakan GNS3. Proses debugging bisa menggunakan fasilitas untuk sniffing yang built-in di GNS3.

Dari mesin Gateway B 2345::101 Proses debugging jika dibutuhkan dapat menggunakan tcpdump dengan perintah, misalnya, 

#  tcpdump -t -n -i eth0 -vv ip6 host 2345::100

atau menggunakan wireshark.

Pranala Menarik

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=IPv6_Enkripsi:_Contoh_IPsec_Tunnel_Menggunakan_racoon&oldid=55654"