Difference between revisions of "IPv6 Enkripsi: Contoh IPsec Tunnel Menggunakan racoon"

From OnnoWiki
(Created page with "On this occasion an example will be given of building an IPsec tunnel using racoon on two Linux gateways based on the Ubuntu 14.04 operating system. Gateway A: IPv6 2001:470:...")
 
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
Pada kesempatan ini akan di berikan contoh untuk membuat Ipsec tunnel menggunakan racoon pada dua gateway Linux berbasis sistem operasi Ubuntu 14.04.
+
Pada kesempatan ini akan di berikan contoh untuk membuat Ipsec tunnel menggunakan racoon pada dua gateway Linux berbasis sistem operasi Ubuntu 18.04.
Gateway A: IPv6 2001:470:19:b37::100/64 VPN Network: 2002::/64
+
 
Gateway B: IPv6 2001:470:19:b37::101/64 VPN Network: 2003::/64
+
Gateway A: IPv6 2345::100/64 LAN Network: 2002::/64
Kernel IP Forwarding
+
Gateway B: IPv6 2345::101/64 LAN Network: 2003::/64
 +
 
 +
==Topology Jaringan==
 +
 
 +
LAN A ------- GW A ------------ GW B ----------- LAN B
 +
2002::/64    2345::100/64      2345::101/64     2003::/64
 +
 
 +
GW A
 +
enp0s3 2345::100/64
 +
enp0s8 2002::1/64
 +
 
 +
GW B
 +
enp0s3 2345::101/64
 +
enp0s8 2003::1/64
 +
 
 +
 
 +
==Konfigurasi interface==
 +
 
 +
GW A
 +
ip address add 2345::100/64 dev enp0s3
 +
ip address add 2002::1/64 dev enp0s8
 +
 
 +
GW B
 +
ip address add 2345::101/64 dev enp0s3
 +
ip address add 2003::1/64 dev enp0s8
 +
 
 +
==Kernel IP Forwarding==
 +
 
 
Pada Gateway A dan Gateway B, kita perlu mengaktifkan kernel IP forwarding ,
 
Pada Gateway A dan Gateway B, kita perlu mengaktifkan kernel IP forwarding ,
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
+
 
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
Instalasi racoon dan ipsec-tools
+
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 +
 
 +
atau edit
 +
 
 +
vi /etc/sysctl.conf
 +
 
 +
net.ipv6.conf.all.forwarding=1
 +
net.ipv6.conf.default.forwarding=1
 +
net.ipv6.conf.enp0s3.forwarding=1
 +
net.ipv6.conf.enp0s8.forwarding=1
 +
net.ipv6.conf.tun0.forwarding=1
 +
 
 +
Seharusnya cukup all.forwarding=1 saja. Save dan jalankan di shell
 +
 
 +
sysctl -p
 +
 
 +
==Instalasi racoon dan ipsec-tools==
 +
 
 
Pada Gateway A dan Gateway B, instalasi:
 
Pada Gateway A dan Gateway B, instalasi:
# apt-get update
+
 
# apt-get install racoon ipsec-tools  
+
apt update
 +
apt install racoon ipsec-tools  
  
 
Pada pertanyaan “Configuration mode for racoon IKE daemon:” jawab “direct”
 
Pada pertanyaan “Configuration mode for racoon IKE daemon:” jawab “direct”
Konfigurasi racoon
+
 
Konfigurasi Gateway A
+
==Konfigurasi racoon==
 +
 
 +
===Konfigurasi Gateway A===
 +
 
 
Gateway A Konfigurasi /etc/racoon/racoon.conf  
 
Gateway A Konfigurasi /etc/racoon/racoon.conf  
log notify;
 
path pre_shared_key "/etc/racoon/psk.txt";
 
remote 2001:470:19:b37::101 {
 
        exchange_mode main,aggressive;
 
        proposal {
 
                encryption_algorithm 3des;
 
                hash_algorithm sha1;
 
                authentication_method pre_shared_key;
 
                dh_group 2;
 
        }
 
}
 
  
sainfo address 2002::/64 any address 2003::/64 any {  
+
log notify;
        pfs_group 2;  
+
path pre_shared_key "/etc/racoon/psk.txt";
        lifetime time 1 hour ;  
+
remote 2345::101 {
        encryption_algorithm 3des, blowfish 448, rijndael ;  
+
        exchange_mode main,aggressive;
        authentication_algorithm hmac_sha1, hmac_md5 ;  
+
        proposal {
        compression_algorithm deflate ;  
+
                encryption_algorithm 3des;
}  
+
                hash_algorithm sha1;
 +
                authentication_method pre_shared_key;
 +
                dh_group 2;
 +
        }
 +
}
 +
 +
sainfo address 2002::/64 any address 2003::/64 any {  
 +
        pfs_group 2;  
 +
        lifetime time 1 hour ;  
 +
        encryption_algorithm 3des, blowfish 448, rijndael ;  
 +
        authentication_algorithm hmac_sha1, hmac_md5 ;  
 +
        compression_algorithm deflate ;  
 +
}  
  
 
Gateway A Konfigurasi /etc/racoon/psk.txt  
 
Gateway A Konfigurasi /etc/racoon/psk.txt  
2001:470:19:b37::101 a9993e364706816aba3e
 
  
Konfigurasi Gateway B
+
2345::101 a9993e364706816aba3e
 +
 
 +
===Konfigurasi Gateway B===
 +
 
 
Gateway B Konfigurasi /etc/racoon/racoon.conf  
 
Gateway B Konfigurasi /etc/racoon/racoon.conf  
log notify;
 
path pre_shared_key "/etc/racoon/psk.txt";
 
remote 2001:470:19:b37::100 {
 
        exchange_mode main,aggressive;
 
        proposal {
 
                encryption_algorithm 3des;
 
                hash_algorithm sha1;
 
                authentication_method pre_shared_key;
 
                dh_group 2;
 
        }
 
}
 
  
sainfo address 2003::/64 any address 2002::/64 any {  
+
log notify;
        pfs_group 2;  
+
path pre_shared_key "/etc/racoon/psk.txt";
        lifetime time 1 hour ;  
+
remote 2345::100 {
        encryption_algorithm 3des, blowfish 448, rijndael ;  
+
        exchange_mode main,aggressive;
        authentication_algorithm hmac_sha1, hmac_md5 ;  
+
        proposal {
        compression_algorithm deflate ;  
+
                encryption_algorithm 3des;
}  
+
                hash_algorithm sha1;
 +
                authentication_method pre_shared_key;
 +
                dh_group 2;
 +
        }
 +
}
 +
 +
sainfo address 2003::/64 any address 2002::/64 any {  
 +
        pfs_group 2;  
 +
        lifetime time 1 hour ;  
 +
        encryption_algorithm 3des, blowfish 448, rijndael ;  
 +
        authentication_algorithm hmac_sha1, hmac_md5 ;  
 +
        compression_algorithm deflate ;  
 +
}  
  
 
Gateway B Konfigurasi /etc/racoon/psk.txt  
 
Gateway B Konfigurasi /etc/racoon/psk.txt  
2001:470:19:b37::100  a9993e364706816aba3e
 
  
Security Policies  
+
2345::100  a9993e364706816aba3e
Konfigurasi Gateway A
+
 
 +
==Security Policies==
 +
 
 +
===Konfigurasi Gateway A===
 +
 
 
Gateway A Konfigurasi /etc/ipsec-tools.conf  
 
Gateway A Konfigurasi /etc/ipsec-tools.conf  
flush;
 
spdflush;
 
spdadd 2002::/64 2003::/64 any -P out ipsec
 
          esp/tunnel/2001:470:19:b37::100-2001:470:19:b37::101/require;
 
spdadd 2003::/64 2002::/64 any -P in ipsec
 
          esp/tunnel/2001:470:19:b37::101-2001:470:19:b37::100/require;
 
  
Konfigurasi Gateway B
+
flush;
 +
spdflush;
 +
spdadd 2002::/64 2003::/64 any -P out ipsec
 +
            esp/tunnel/2345::100-2345::101/require;
 +
spdadd 2003::/64 2002::/64 any -P in ipsec
 +
            esp/tunnel/2345::101-2345::100/require;
 +
 
 +
===Konfigurasi Gateway B===
 +
 
 
Gateway B Konfigurasi /etc/ipsec-tools.conf  
 
Gateway B Konfigurasi /etc/ipsec-tools.conf  
flush;  
+
 
spdflush;  
+
flush;  
spdadd 2003::/64 2002::/64 any -P out ipsec  
+
spdflush;  
          esp/tunnel/2001:470:19:b37::101-2001:470:19:b37::100/require;
+
spdadd 2003::/64 2002::/64 any -P out ipsec  
spdadd 2002::/64 2003::/64 any -P in ipsec  
+
            esp/tunnel/2345::101-2345::100/require;
          esp/tunnel/2001:470:19:b37::100-2001:470:19:b37::101/require;  
+
spdadd 2002::/64 2003::/64 any -P in ipsec  
Run
+
            esp/tunnel/2345::100-2345::101/require;  
Pada Gateway A maupun Gateway B jalankan perintah berikut
+
 
/etc/init.d/setkey restart  
+
==Run==
/etc/init.d/racoon restart  
+
 
 +
Di Gateway A dan Gateway B jalankan,
 +
 
 +
/etc/init.d/setkey restart  
 +
/etc/init.d/racoon restart  
  
 
Akan tampak
 
Akan tampak
* Flushing IPsec SA/SP database:                                [ OK ]
 
* Loading IPsec SA/SP database:                                  [ OK ]
 
* Restarting IKE (ISAKMP/Oakley) server racoon                  [ OK ]
 
  
Cek /var/log/syslog  
+
[ ok ] Restarting setkey (via systemctl): setkey.service.
# tail /var/log/syslog
+
[ ok ] Restarting racoon (via systemctl): racoon.service.
 +
 
 +
 +
===Cek /var/log/syslog===
 +
 
 +
Jalankan
 +
 
 +
tail /var/log/syslog
 +
 
 
Akan keluar kira-kira
 
Akan keluar kira-kira
Jul 7 07:42:01 server100 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)  
+
 
Jul 7 07:42:01 server100 racoon: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)  
+
Feb 19 06:18:34 minimalis setkey[2555]:  * Loading IPsec SA/SP database:
Jul 7 07:42:01 server100 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"  
+
Feb 19 06:18:34 minimalis setkey[2555]:    ...done.
 +
Feb 19 06:18:34 minimalis systemd[1]: Stopping ipsec key exchange server...
 +
Feb 19 06:18:35 minimalis systemd[1]: Stopped ipsec key exchange server.
 +
Feb 19 06:18:35 minimalis systemd[1]: Starting ipsec key exchange server...
 +
  Feb 19 06:18:35 minimalis racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
 +
  Feb 19 06:18:35 minimalis racoon: INFO: @(#)This product linked OpenSSL 1.0.2n  7 Dec 2017 (http://www.openssl.org/)
 +
  Feb 19 06:18:35 minimalis racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 +
Feb 19 06:18:35 minimalis systemd[1]: racoon.service: Can't open PID file /var/run/racoon.pid (yet?) after start: No such file or directory
 +
Feb 19 06:18:35 minimalis systemd[1]: Started ipsec key exchange server.
 +
 
 
Pastikan tidak ada error. Jika ada error timeout, restart ipsec dan racoon.
 
Pastikan tidak ada error. Jika ada error timeout, restart ipsec dan racoon.
 +
 +
==Tambahkan Routing==
  
 
Pada Gateway A tambahkan routing
 
Pada Gateway A tambahkan routing
ip -6 addr add 2002::1/64 dev eth0
+
 
ip -6 route add to 2003::/64 via 2002::1 src 2002::1
+
ip -6 addr add 2002::1/64 dev enp0s8
 +
ip -6 route add to 2003::/64 dev enp0s3
  
 
Pada Gateway B tambahkan routing
 
Pada Gateway B tambahkan routing
ip -6 addr add 2003::1/64 dev eth0
+
 
ip -6 route add to 2002::/64 via 2003::1 src 2003::1
+
ip -6 addr add 2003::1/64 dev enp0s8
 +
ip -6 route add to 2002::/64 dev enp0s3
  
 
Setelah VPN tersambung, coba dari Gateway A:
 
Setelah VPN tersambung, coba dari Gateway A:
ping6 2003::1
+
 
Debugging
+
ping6 2003::1
Dari mesin  Gateway B 2001:470:19:b37::101 Proses debugging jika dibutuhkan dapat menggunakan tcpdump dengan perintah, misalnya,
+
 
#  tcpdump -t -n -i eth0 -vv ip6 host 2001:470:19:b37::100
+
Lakukan penyadapan wireshark antara GW A dan GW B, harusnya packet di enkapsulasi menggunakan ESP.
 +
 
 +
==Debugging==
 +
 
 +
Sebaiknya simulasi di jalankan menggunakan GNS3.
 +
Proses debugging bisa menggunakan fasilitas untuk sniffing yang built-in di GNS3.
 +
 
 +
Dari mesin  Gateway B 2345::101 Proses debugging jika dibutuhkan dapat menggunakan tcpdump dengan perintah, misalnya,
 +
 
 +
#  tcpdump -t -n -i eth0 -vv ip6 host 2345::100
 +
 
 +
atau menggunakan wireshark.
 +
 
 +
==Pranala Menarik==
 +
 
 +
* [[IPv6]]
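Review bot: the revised Debugging line still captures on `eth0` (`#  tcpdump -t -n -i eth0 -vv ip6 host 2345::100`) although every other line of this revision was moved to the enp0s3/enp0s8 naming, so it should read `-i enp0s3`, the interface that carries the 2345::/64 link. In the routing section the new lines `ip -6 addr add 2002::1/64 dev enp0s8` and `ip -6 addr add 2003::1/64 dev enp0s8` repeat what the interface section already did and will fail with "RTNETLINK answers: File exists" on a second run; only the two `ip -6 route add ... dev enp0s3` lines belong there. The `remote` blocks keep `exchange_mode main,aggressive;` together with `authentication_method pre_shared_key;`, and the sainfo blocks keep `hmac_md5` and `3des`; since the lab is being moved to Ubuntu 18.04 anyway, this is the moment to drop `aggressive` (with a PSK it sends the identity hash unprotected, which allows offline guessing of the secret) and to prefer `aes`, `hmac_sha256` and a larger `dh_group`.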

Latest revision as of 04:55, 25 February 2019

This article gives an example of building an IPsec tunnel with racoon between two Linux gateways running Ubuntu 18.04.

Gateway A: IPv6 2345::100/64    LAN Network: 2002::/64
Gateway B: IPv6 2345::101/64    LAN Network: 2003::/64

Network Topology

LAN A ------- GW A ------------ GW B ----------- LAN B
2002::/64     2345::100/64      2345::101/64     2003::/64

GW A

enp0s3 2345::100/64
enp0s8 2002::1/64

GW B

enp0s3 2345::101/64
enp0s8 2003::1/64


Interface Configuration

GW A

ip address add 2345::100/64 dev enp0s3
ip address add 2002::1/64 dev enp0s8

GW B

ip address add 2345::101/64 dev enp0s3
ip address add 2003::1/64 dev enp0s8

Kernel IP Forwarding

On Gateway A and Gateway B we need to enable kernel IP forwarding:

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

or edit

vi /etc/sysctl.conf

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.enp0s3.forwarding=1
net.ipv6.conf.enp0s8.forwarding=1
# tun0 does not exist in this topology; sysctl -p reports an error for this key unless that interface exists
net.ipv6.conf.tun0.forwarding=1

all.forwarding=1 alone should be sufficient. Save and then run in the shell

sysctl -p

Installing racoon and ipsec-tools

On Gateway A and Gateway B, install:

apt update
apt install racoon ipsec-tools 

When asked “Configuration mode for racoon IKE daemon:”, answer “direct”.

racoon Configuration

Gateway A Configuration

Gateway A configuration, /etc/racoon/racoon.conf

log notify; 
path pre_shared_key "/etc/racoon/psk.txt"; 
remote 2345::101 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2002::/64 any address 2003::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
} 

Gateway A configuration, /etc/racoon/psk.txt

2345::101 a9993e364706816aba3e 

Gateway B Configuration

Gateway B configuration, /etc/racoon/racoon.conf

log notify; 
path pre_shared_key "/etc/racoon/psk.txt"; 
remote 2345::100 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2003::/64 any address 2002::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
} 

Gateway B configuration, /etc/racoon/psk.txt

2345::100  a9993e364706816aba3e 

Security Policies

Gateway A Configuration

Gateway A configuration, /etc/ipsec-tools.conf

flush; 
spdflush; 
spdadd 2002::/64 2003::/64 any -P out ipsec 
           esp/tunnel/2345::100-2345::101/require; 
spdadd 2003::/64 2002::/64 any -P in ipsec 
           esp/tunnel/2345::101-2345::100/require; 

Gateway B Configuration

Gateway B configuration, /etc/ipsec-tools.conf

flush; 
spdflush; 
spdadd 2003::/64 2002::/64 any -P out ipsec 
           esp/tunnel/2345::101-2345::100/require;
spdadd 2002::/64 2003::/64 any -P in ipsec 
           esp/tunnel/2345::100-2345::101/require; 
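As an added example (not from the article, racoon or ipsec-tools), the following Python generates racoon.conf, psk.txt and ipsec-tools.conf for either gateway from one description of the topology above, so that the `remote`, `sainfo` and `spdadd` lines on the two sides are always exact mirrors, and it checks that property on the two generated ipsec-tools.conf texts. The `Gateway` class and the GW_A/GW_B names are this example's own; it differs from the page in using main mode only and in generating a random PSK when none is supplied.

```python
import re
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Gateway:
    addr: str  # IKE/tunnel endpoint (the page's enp0s3 address, no prefix length)
    lan: str   # LAN prefix behind this gateway, carried through the tunnel
# Topology values taken from the page (constructed here for the example)
GW_A = Gateway("2345::100", "2002::/64")
GW_B = Gateway("2345::101", "2003::/64")

def racoon_conf(local: Gateway, peer: Gateway) -> str:
    """racoon.conf for `local`: remote names the peer, sainfo names the local LAN first (page's algorithms, main mode only)."""
    return (
        'log notify;\npath pre_shared_key "/etc/racoon/psk.txt";\n'
        f"remote {peer.addr} {{\n        exchange_mode main;\n        proposal {{\n"
        "                encryption_algorithm 3des;\n                hash_algorithm sha1;\n"
        "                authentication_method pre_shared_key;\n                dh_group 2;\n"
        "        }\n}\n"
        f"sainfo address {local.lan} any address {peer.lan} any {{\n"
        "        pfs_group 2;\n        lifetime time 1 hour;\n"
        "        encryption_algorithm 3des, blowfish 448, rijndael;\n"
        "        authentication_algorithm hmac_sha1, hmac_md5;\n"
        "        compression_algorithm deflate;\n}\n"
    )
def psk_txt(peer: Gateway, psk: str = "") -> str:
    """psk.txt: '<peer address> <secret>'; the same secret must be written on both gateways."""
    return f"{peer.addr} {psk or secrets.token_hex(32)}\n"  # fresh random secret when none is given
def spd_conf(local: Gateway, peer: Gateway) -> str:
    """ipsec-tools.conf: outbound SP local LAN -> peer LAN over tunnel local -> peer; inbound SP fully swapped."""
    return (
        "flush;\nspdflush;\n"
        f"spdadd {local.lan} {peer.lan} any -P out ipsec\n"
        f"           esp/tunnel/{local.addr}-{peer.addr}/require;\n"
        f"spdadd {peer.lan} {local.lan} any -P in ipsec\n"
        f"           esp/tunnel/{peer.addr}-{local.addr}/require;\n"
    )
SPD_RE = re.compile(r"spdadd (\S+) (\S+) any -P (in|out) ipsec\s+esp/tunnel/([0-9a-f:]+)-([0-9a-f:]+)/require;")
def spd_entries(conf: str) -> dict:
    """Collect (src_lan, dst_lan, outer_src, outer_dst) per direction from an ipsec-tools.conf text."""
    entries = {"in": set(), "out": set()}
    for src, dst, direction, osrc, odst in SPD_RE.findall(conf):
        entries[direction].add((src, dst, osrc, odst))
    return entries
def policies_mirror(conf_a: str, conf_b: str) -> bool:
    """True when each side's outbound policies are exactly the other side's inbound ones; a mismatch is the usual reason a tunnel negotiates but forwards nothing."""
    a, b = spd_entries(conf_a), spd_entries(conf_b)
    return bool(a["out"]) and a["out"] == b["in"] and a["in"] == b["out"]
```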

Run

On Gateway A and Gateway B run,

/etc/init.d/setkey restart 
/etc/init.d/racoon restart 

You should see

[ ok ] Restarting setkey (via systemctl): setkey.service.
[ ok ] Restarting racoon (via systemctl): racoon.service.


Check /var/log/syslog

Run

tail /var/log/syslog

The output will look roughly like

Feb 19 06:18:34 minimalis setkey[2555]:  * Loading IPsec SA/SP database:
Feb 19 06:18:34 minimalis setkey[2555]:    ...done.
Feb 19 06:18:34 minimalis systemd[1]: Stopping ipsec key exchange server...
Feb 19 06:18:35 minimalis systemd[1]: Stopped ipsec key exchange server.
Feb 19 06:18:35 minimalis systemd[1]: Starting ipsec key exchange server...
Feb 19 06:18:35 minimalis racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
Feb 19 06:18:35 minimalis racoon: INFO: @(#)This product linked OpenSSL 1.0.2n  7 Dec 2017 (http://www.openssl.org/)
Feb 19 06:18:35 minimalis racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Feb 19 06:18:35 minimalis systemd[1]: racoon.service: Can't open PID file /var/run/racoon.pid (yet?) after start: No such file or directory
Feb 19 06:18:35 minimalis systemd[1]: Started ipsec key exchange server.

Make sure there are no errors. If there is a timeout error, restart ipsec and racoon.

Add Routing

On Gateway A add the routing

ip -6 addr add 2002::1/64 dev enp0s8   # already set under Interface Configuration; reports "File exists" if run again
ip -6 route add to 2003::/64 dev enp0s3

On Gateway B add the routing

ip -6 addr add 2003::1/64 dev enp0s8   # already set under Interface Configuration; reports "File exists" if run again
ip -6 route add to 2002::/64 dev enp0s3

Once the VPN is up, try from Gateway A:

ping6 2003::1

Capture the traffic between GW A and GW B with wireshark; the packets should be encapsulated in ESP.

Debugging

The simulation is best run in GNS3. Debugging can use the sniffing facility built into GNS3.

From the Gateway B machine 2345::101, debugging can be done with tcpdump if needed, for example:

# tcpdump -t -n -i enp0s3 -vv ip6 host 2345::100

or with wireshark.

Related Links