Difference between revisions of "IPv6 Enkripsi: Contoh IPsec Tunnel Menggunakan racoon"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 179: | Line 179: | ||
ip -6 addr add 2002::1/64 dev enp0s8 | ip -6 addr add 2002::1/64 dev enp0s8 | ||
| − | ip -6 route add to 2003::/64 | + | ip -6 route add to 2003::/64 dev enp0s3 |
Pada Gateway B tambahkan routing | Pada Gateway B tambahkan routing | ||
ip -6 addr add 2003::1/64 dev enp0s8 | ip -6 addr add 2003::1/64 dev enp0s8 | ||
| − | ip -6 route add to 2002::/64 | + | ip -6 route add to 2002::/64 dev enp0s3 |
Setelah VPN tersambung, coba dari Gateway A: | Setelah VPN tersambung, coba dari Gateway A: | ||
ping6 2003::1 | ping6 2003::1 | ||
| + | |||
| + | Lakukan penyadapan wireshark antara GW A dan GW B, harusnya packet di enkapsulasi menggunakan ESP. | ||
==Debugging== | ==Debugging== | ||
Revision as of 08:39, 19 February 2019
Pada kesempatan ini akan di berikan contoh untuk membuat Ipsec tunnel menggunakan racoon pada dua gateway Linux berbasis sistem operasi Ubuntu 18.04.
Gateway A: IPv6 2345::100/64 VPN Network: 2002::/64 Gateway B: IPv6 2345::101/64 VPN Network: 2003::/64
Topology Jaringan
LAN A ------- GW A ------------ GW B ----------- LAN B 2002::/64 2345::100/64 2345::101/64 2003::/64
GW A
enp0s3 2345::100/64 enp0s8 2002::1/64
GW B
enp0s3 2345::101/64 enp0s8 2003::1/64
Konfigurasi interface
GW A
ip address add 2345::100/64 dev enp0s3 ip address add 2002::1/64 dev enp0s8
GW B
ip address add 2345::101/64 dev enp0s3 ip address add 2003::1/64 dev enp0s8
Kernel IP Forwarding
Pada Gateway A dan Gateway B, kita perlu mengaktifkan kernel IP forwarding ,
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
atau edit
vi /etc/sysctl.conf
net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1 net.ipv6.conf.enp0s3.forwarding=1 net.ipv6.conf.enp0s8.forwarding=1 net.ipv6.conf.tun0.forwarding=1
Seharusnya cukup all.forwarding=1 saja. Save dan jalankan di shell
sysctl -p
Instalasi racoon dan ipsec-tools
Pada Gateway A dan Gateway B, instalasi:
apt update apt install racoon ipsec-tools
Pada pertanyaan “Configuration mode for racoon IKE daemon:” jawab “direct”
Konfigurasi racoon
Konfigurasi Gateway A
Gateway A Konfigurasi /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
remote 2345::101 {
exchange_mode main,aggressive;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 2002::/64 any address 2003::/64 any {
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
Gateway A Konfigurasi /etc/racoon/psk.txt
2345::101 a9993e364706816aba3e
Konfigurasi Gateway B
Gateway B Konfigurasi /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
remote 2345::100 {
exchange_mode main,aggressive;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 2003::/64 any address 2002::/64 any {
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
Gateway B Konfigurasi /etc/racoon/psk.txt
2345::100 a9993e364706816aba3e
Security Policies
Konfigurasi Gateway A
Gateway A Konfigurasi /etc/ipsec-tools.conf
flush;
spdflush;
spdadd 2002::/64 2003::/64 any -P out ipsec
esp/tunnel/2345::100-2345::101/require;
spdadd 2003::/64 2002::/64 any -P in ipsec
esp/tunnel/2345::101-2345::100/require;
Konfigurasi Gateway B
Gateway B Konfigurasi /etc/ipsec-tools.conf
flush;
spdflush;
spdadd 2003::/64 2002::/64 any -P out ipsec
esp/tunnel/2345::101-2345::100/require;
spdadd 2002::/64 2003::/64 any -P in ipsec
esp/tunnel/2345::100-2345::101/require;
Run
Di Gateway A dan Gateway B jalankan,
/etc/init.d/setkey restart /etc/init.d/racoon restart
Akan tampak
[ ok ] Restarting setkey (via systemctl): setkey.service. [ ok ] Restarting racoon (via systemctl): racoon.service.
Cek /var/log/syslog
Jalankan
tail /var/log/syslog
Akan keluar kira-kira
Feb 19 06:18:34 minimalis setkey[2555]: * Loading IPsec SA/SP database: Feb 19 06:18:34 minimalis setkey[2555]: ...done. Feb 19 06:18:34 minimalis systemd[1]: Stopping ipsec key exchange server... Feb 19 06:18:35 minimalis systemd[1]: Stopped ipsec key exchange server. Feb 19 06:18:35 minimalis systemd[1]: Starting ipsec key exchange server... Feb 19 06:18:35 minimalis racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net) Feb 19 06:18:35 minimalis racoon: INFO: @(#)This product linked OpenSSL 1.0.2n 7 Dec 2017 (http://www.openssl.org/) Feb 19 06:18:35 minimalis racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf" Feb 19 06:18:35 minimalis systemd[1]: racoon.service: Can't open PID file /var/run/racoon.pid (yet?) after start: No such file or directory Feb 19 06:18:35 minimalis systemd[1]: Started ipsec key exchange server.
Pastikan tidak ada error. Jika ada error timeout, restart ipsec dan racoon.
Tambahkan Routing
Pada Gateway A tambahkan routing
ip -6 addr add 2002::1/64 dev enp0s8 ip -6 route add to 2003::/64 dev enp0s3
Pada Gateway B tambahkan routing
ip -6 addr add 2003::1/64 dev enp0s8 ip -6 route add to 2002::/64 dev enp0s3
Setelah VPN tersambung, coba dari Gateway A:
ping6 2003::1
Lakukan penyadapan wireshark antara GW A dan GW B, harusnya packet di enkapsulasi menggunakan ESP.
Debugging
Sebaiknya simulasi di jalankan menggunakan GNS3. Proses debugging bisa menggunakan fasilitas untuk sniffing yang built-in di GNS3.
Dari mesin Gateway B 2345::101 Proses debugging jika dibutuhkan dapat menggunakan tcpdump dengan perintah, misalnya,
# tcpdump -t -n -i eth0 -vv ip6 host 2345::100
atau menggunakan wireshark.