Difference between revisions of "IPv6 Enkripsi: Contoh IPsec Tunnel Menggunakan racoon"

From OnnoWiki
Jump to navigation Jump to search
Line 34: Line 34:
 
  echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
 
  echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
 
  echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 
  echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 +
 +
atau edit
 +
 +
vi /etc/sysctl.conf
  
 
==Instalasi racoon dan ipsec-tools==
 
==Instalasi racoon dan ipsec-tools==

Revision as of 06:06, 19 February 2019

Pada kesempatan ini akan di berikan contoh untuk membuat Ipsec tunnel menggunakan racoon pada dua gateway Linux berbasis sistem operasi Ubuntu 18.04. 

Gateway A: IPv6 2345::100/64	VPN Network: 2002::/64
Gateway B: IPv6 2345::101/64	VPN Network: 2003::/64

Topology Jaringan

LAN A ------- GW A ------------ GW B ----------- LAN B
2002::/64     2345::100/64      2345::101/64     2003::/64

GW A 

enp0s3 2345::100/64
enp0s8 2002::1/64

GW B 

enp0s3 2345::101/64
enp0s8 2003::1/64


Konfigurasi interface

GW A 

ip address add 2345::100/64 dev enp0s3
ip address add 2002::1/64 dev enp0s8

GW B 

ip address add 2345::101/64 dev enp0s3
ip address add 2003::1/64 dev enp0s8

Kernel IP Forwarding

Pada Gateway A dan Gateway B, kita perlu mengaktifkan kernel IP forwarding , 

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

atau edit 

vi /etc/sysctl.conf

Instalasi racoon dan ipsec-tools

Pada Gateway A dan Gateway B, instalasi: 

apt update
apt install racoon ipsec-tools

Pada pertanyaan “Configuration mode for racoon IKE daemon:” jawab “direct”

Konfigurasi racoon

Konfigurasi Gateway A

Gateway A Konfigurasi /etc/racoon/racoon.conf 

log notify; 
path pre_shared_key "/etc/racoon/psk.txt"; 
remote 2345::101 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2002::/64 any address 2003::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
}

Gateway A Konfigurasi /etc/racoon/psk.txt 

2345::101 a9993e364706816aba3e

Konfigurasi Gateway B

Gateway B Konfigurasi /etc/racoon/racoon.conf 

log notify; 
path pre_shared_key "/etc/racoon/psk.txt"; 
remote 2345::100 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2003::/64 any address 2002::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
}

Gateway B Konfigurasi /etc/racoon/psk.txt 

2345::100  a9993e364706816aba3e

Security Policies

Konfigurasi Gateway A

Gateway A Konfigurasi /etc/ipsec-tools.conf 

flush; 
spdflush; 
spdadd 2002::/64 2003::/64 any -P out ipsec 
           esp/tunnel/2345::100-2345::101/require; 
spdadd 2003::/64 2002::/64 any -P in ipsec 
           esp/tunnel/2345::101-2345::100/require;

Konfigurasi Gateway B

Gateway B Konfigurasi /etc/ipsec-tools.conf 

flush; 
spdflush; 
spdadd 2003::/64 2002::/64 any -P out ipsec 
           esp/tunnel/2345::101-2345::100/require;
spdadd 2002::/64 2003::/64 any -P in ipsec 
           esp/tunnel/2345::100-2345::101/require;

Run

Di Gateway A dan Gateway B jalankan, 

/etc/init.d/setkey restart 
/etc/init.d/racoon restart

Akan tampak 

* Flushing IPsec SA/SP database:                                 [ OK ]
* Loading IPsec SA/SP database:                                  [ OK ] 
* Restarting IKE (ISAKMP/Oakley) server racoon                   [ OK ]

Cek /var/log/syslog

# tail /var/log/syslog

Akan keluar kira-kira 

Jul  7 07:42:01 server100 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) 
Jul  7 07:42:01 server100 racoon: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/) 
Jul  7 07:42:01 server100 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"

Pastikan tidak ada error. Jika ada error timeout, restart ipsec dan racoon.

Pada Gateway A tambahkan routing 

ip -6 addr add 2002::1/64 dev eth0 
ip -6 route add to 2003::/64 via 2002::1 src 2002::1

Pada Gateway B tambahkan routing 

ip -6 addr add 2003::1/64 dev eth0 
ip -6 route add to 2002::/64 via 2003::1 src 2003::1

Setelah VPN tersambung, coba dari Gateway A: 

ping6 2003::1

Debugging

Dari mesin Gateway B 2345::101 Proses debugging jika dibutuhkan dapat menggunakan tcpdump dengan perintah, misalnya, 

#  tcpdump -t -n -i eth0 -vv ip6 host 2345::100

atau menggunakan wireshark.

Pranala Menarik

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=IPv6_Enkripsi:_Contoh_IPsec_Tunnel_Menggunakan_racoon&oldid=55440"