Difference between revisions of "IPv6 Encryption: IPsec Tunnel Example Using racoon"

From OnnoWiki
Revision as of 13:02, 18 February 2019

This page gives an example of building an IPsec tunnel with racoon between two Linux gateways running Ubuntu 18.04.

Gateway A: IPv6 2345::100/64    VPN Network: 2002::/64
Gateway B: IPv6 2345::101/64    VPN Network: 2003::/64


LAN A ------- GW A ------------ GW B ----------- LAN B
2002::/64     2345::100/64      2345::101/64     2003::/64


Kernel IP Forwarding

On both Gateway A and Gateway B, kernel IP forwarding needs to be enabled:

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Installing racoon and ipsec-tools

On both Gateway A and Gateway B, install:

# apt-get update
# apt-get install racoon ipsec-tools 

At the prompt "Configuration mode for racoon IKE daemon:" answer "direct".

racoon configuration

Gateway A configuration

Gateway A: /etc/racoon/racoon.conf

log notify; 
path pre_shared_key "/etc/racoon/psk.txt"; 
remote 2345::101 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2002::/64 any address 2003::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
} 

Gateway A: /etc/racoon/psk.txt

2345::101 a9993e364706816aba3e 

Gateway B configuration

Gateway B: /etc/racoon/racoon.conf

log notify; 
path pre_shared_key "/etc/racoon/psk.txt"; 
remote 2345::100 { 
        exchange_mode main,aggressive; 
        proposal { 
                encryption_algorithm 3des; 
                hash_algorithm sha1; 
                authentication_method pre_shared_key; 
                dh_group 2; 
        } 
} 

sainfo address 2003::/64 any address 2002::/64 any { 
        pfs_group 2; 
        lifetime time 1 hour ; 
        encryption_algorithm 3des, blowfish 448, rijndael ; 
        authentication_algorithm hmac_sha1, hmac_md5 ; 
        compression_algorithm deflate ; 
} 

Gateway B: /etc/racoon/psk.txt

2345::100  a9993e364706816aba3e 
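As an added check that is not part of this wiki page: the script below scans the Gateway A racoon.conf reproduced above for the settings a reviewer would flag (3DES, SHA-1, MODP group 2, aggressive mode) and shows the same blocks with assumed replacement values (AES, SHA-256, group 14, main mode only) that pass the check. The WEAK table is an assumed review policy, not something racoon itself enforces.

```python
import re

# Constructed from the Gateway A /etc/racoon/racoon.conf on this page (log/path lines left out).
PAGE_CONF = """
remote 2345::101 {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm 3des; hash_algorithm sha1;
        authentication_method pre_shared_key; dh_group 2;
    }
}
sainfo address 2002::/64 any address 2003::/64 any {
    pfs_group 2; lifetime time 1 hour ;
    encryption_algorithm 3des, blowfish 448, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
"""
# Same blocks with the settings a reviewer would ask for instead (assumed values, not from the page).
HARDENED_CONF = """
remote 2345::101 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes; hash_algorithm sha256;
        authentication_method pre_shared_key; dh_group 14;
    }
}
sainfo address 2002::/64 any address 2003::/64 any {
    pfs_group 14; lifetime time 1 hour;
    encryption_algorithm aes 256; authentication_algorithm hmac_sha256;
}
"""
# Values to flag per directive: legacy ciphers and hashes, MODP groups below 2048 bits, and
# aggressive mode (its PSK-based identity hash is sent unencrypted, so it can be guessed offline).
WEAK = {
    "encryption_algorithm": {"des", "3des", "blowfish", "cast128"},
    "hash_algorithm": {"md5", "sha1"}, "authentication_algorithm": {"hmac_md5", "hmac_sha1"},
    "dh_group": {"1", "2", "5"}, "pfs_group": {"1", "2", "5"}, "exchange_mode": {"aggressive"},
}
STATEMENT = re.compile(r"(\w+)\s+([^;{}]+?)\s*;")  # 'directive value[, value ...] ;'

def find_weak(conf):
    """Return (directive, value) pairs whose value is listed in WEAK, in file order."""
    hits = []
    for key, raw in STATEMENT.findall(conf):
        for item in raw.split(","):
            value = item.split()[0].lower()  # 'blowfish 448' -> 'blowfish', 'aes 256' -> 'aes'
            if value in WEAK.get(key, ()):
                hits.append((key, value))
    return hits
```

Run `find_weak(PAGE_CONF)` to list the nine flagged settings; the hardened variant returns an empty list.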

Security Policies

Gateway A configuration

Gateway A: /etc/ipsec-tools.conf

flush; 
spdflush; 
spdadd 2002::/64 2003::/64 any -P out ipsec 
           esp/tunnel/2345::100-2345::101/require; 
spdadd 2003::/64 2002::/64 any -P in ipsec 
           esp/tunnel/2345::101-2345::100/require; 

Gateway B configuration

Gateway B: /etc/ipsec-tools.conf

flush; 
spdflush; 
spdadd 2003::/64 2002::/64 any -P out ipsec 
           esp/tunnel/2345::101-2345::100/require;
spdadd 2002::/64 2003::/64 any -P in ipsec 
           esp/tunnel/2345::100-2345::101/require; 
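An added consistency check, not from the original page: it parses the two ipsec-tools.conf policy sets above and verifies that every outbound policy on one gateway has the identical inbound policy on its peer, tunnel endpoints included, which is where a copy-paste between the two files usually goes wrong. SPD_B_BAD is a constructed broken variant; the level check is an assumed extra rule.

```python
import re

# Constructed inline from the two /etc/ipsec-tools.conf files on this page (flush lines omitted).
SPD_A = """
spdadd 2002::/64 2003::/64 any -P out ipsec
           esp/tunnel/2345::100-2345::101/require;
spdadd 2003::/64 2002::/64 any -P in ipsec
           esp/tunnel/2345::101-2345::100/require;
"""
SPD_B = """
spdadd 2003::/64 2002::/64 any -P out ipsec
           esp/tunnel/2345::101-2345::100/require;
spdadd 2002::/64 2003::/64 any -P in ipsec
           esp/tunnel/2345::100-2345::101/require;
"""
# A constructed mistake: Gateway B's outbound policy names the tunnel endpoints in A's order.
SPD_B_BAD = SPD_B.replace("esp/tunnel/2345::101-2345::100/require;",
                          "esp/tunnel/2345::100-2345::101/require;", 1)

SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([0-9a-fA-F:.]+)-([0-9a-fA-F:.]+)/(require|use|default)\s*;")
FIELDS = ("src", "dst", "proto", "dir", "tun_src", "tun_dst", "level")

def parse_spd(text):
    """One dict per spdadd policy; policies may wrap across lines as they do on the page."""
    return [dict(zip(FIELDS, m)) for m in SPDADD.findall(" ".join(text.split()))]

def mirror_errors(spd_a, spd_b):
    """Each 'out' policy on one gateway must exist as the same policy, direction 'in', on the peer.
    Tunnel endpoints are part of the comparison, so swapped addresses show up as a mismatch."""
    errors = []
    for name, ours, theirs in (("A", spd_a, spd_b), ("B", spd_b, spd_a)):
        for p in ours:
            if p["dir"] != "out":
                continue
            if dict(p, dir="in") not in theirs:
                errors.append(f"gateway {name}: peer has no matching 'in' policy for "
                              f"{p['src']} -> {p['dst']} via {p['tun_src']}-{p['tun_dst']}")
            if p["level"] != "require":  # 'use' would let traffic leave in the clear when no SA exists
                errors.append(f"gateway {name}: policy {p['src']} -> {p['dst']} has level {p['level']}")
    return errors
```

`mirror_errors(parse_spd(SPD_A), parse_spd(SPD_B))` returns an empty list for the page's configuration and one error for the broken variant.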

Run

Run the following commands on both Gateway A and Gateway B:

/etc/init.d/setkey restart 
/etc/init.d/racoon restart 

You should see:

* Flushing IPsec SA/SP database:                                 [ OK ]
* Loading IPsec SA/SP database:                                  [ OK ] 
* Restarting IKE (ISAKMP/Oakley) server racoon                   [ OK ]

Check /var/log/syslog:

# tail /var/log/syslog

The output will look roughly like:

Jul  7 07:42:01 server100 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) 
Jul  7 07:42:01 server100 racoon: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/) 
Jul  7 07:42:01 server100 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf" 

Make sure there are no errors. If there is a timeout error, restart ipsec and racoon.

On Gateway A, add the routing:

ip -6 addr add 2002::1/64 dev eth0 
ip -6 route add to 2003::/64 via 2002::1 src 2002::1

On Gateway B, add the routing:

ip -6 addr add 2003::1/64 dev eth0 
ip -6 route add to 2002::/64 via 2003::1 src 2003::1

Once the VPN is up, test from Gateway A:

ping6 2003::1

Debugging

From the Gateway B machine (2345::101), debugging can be done with tcpdump if needed, for example:

#  tcpdump -t -n -i eth0 -vv ip6 host 2345::100

or using Wireshark.

Interesting Links