Assalamu’alaikum wr. wb.
Month: September 2014
CISCO GRE TUNNEL
Assalamu’alaikum wr. wb.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/37/48 ms
SBY#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/39/44 ms
SBY#
Well, that's it. Hopefully this is useful, amen 🙂
CISCO IP SECURITY (IPSEC)
Assalamu’alaikum warrohmatullahiwabarokatuh 🙂
“The IP Security Protocol Working Group (IPSEC) will develop mechanisms to protect client protocols of IP. A security protocol in the network layer will be developed to provide cryptographic security services that will flexibly support combinations of authentication, integrity, access control, and confidentiality”
In the figure above there are three routers, which I have named R2 and R3 plus Cloud. Because this is a simulated network, the router in the middle is assumed to be the cloud/internet.
There are several steps to bring up VPN communication protected by IPsec, namely:
Configure the IP addresses
Configure the IP address on each router's interfaces as in the figure above, and make sure the loopback on router R2 can ping the loopback on router R3; dynamic or static routing can be used, because, as a note, the topology above is only a simulation.
Create the ISAKMP session
To create a secure communication session between two routers using IPsec, a protocol framework called ISAKMP/Oakley is needed. (id.wikipedia.org/wiki/IP_Security)
Here are the ISAKMP parameters to configure on routers R2 and R3:
authentication : pre-share
encryption : aes 256
group : 5
hash : sha
lifetime : 1800
Router R2
R2#configure terminal
R2(config)#crypto isakmp policy 5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption aes 256
R2(config-isakmp)#group 5
R2(config-isakmp)#hash sha
R2(config-isakmp)#lifetime 1800
Router R3
R3#configure terminal
R3(config)#crypto isakmp policy 5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#group 5
R3(config-isakmp)#hash sha
R3(config-isakmp)#lifetime 1800
Set the pre-shared key
The pre-shared key is a key agreed in advance that is used to open communication between the two nodes over the IPsec protocol; in this example the key is ‘RAHASIA’.
Router R2
R2(config)#crypto isakmp key 0 RAHASIA address 11.11.11.10
Router R3
R3(config)#crypto isakmp key 0 RAHASIA address 22.22.22.6
Create the transform set
A transform set is a combination of security protocols and algorithms. When IPsec negotiates an SA (Security Association), both peers must use the same transform set to protect the data flow. In this example I named the transform set JOIN.
Router R2
Router R3
Set the IPsec SA lifetime
Next, set how long an SA lasts before it expires.
Router R2
R2(config)#crypto ipsec security-association lifetime seconds 1800
Router R3
Create the access list
This access list filters which local networks are allowed to communicate over the IPsec protocol. The access list is then referenced from the crypto map.
Router R2
Router R3
R3(config-crypto-map)#set security-association lifetime seconds 1800
Enable IPsec on the router interface
After all of the IPsec configuration is done, the next step is to enable it on the router interface used for IPsec communication.
Router R2
R2(config)#interface Fastethernet 0/0
R2(config-if)#crypto map MAP
Router R3
R3(config)#interface Fastethernet 0/0
R3(config-if)#crypto map MAP
Check IPsec
To check that the IPsec configuration is working properly, run a ping test sourced from the local network (the loopback).
Router R3
R3#ping 2.2.2.2 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/39/40 ms
Run a few ‘show’ commands such as the following:
R3#show crypto ipsec transform-set
Transform set JOIN: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
R3#show crypto map
Crypto Map "MAP" 10 ipsec-isakmp
Peer = 22.22.22.6
Extended IP access list 100
access-list 100 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
Current peer: 22.22.22.6
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
JOIN,
}
Interfaces using crypto map MAP:
FastEthernet0/0
R3#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MAP, local addr 11.11.11.10
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
current_peer 22.22.22.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 11.11.11.10, remote crypto endpt.: 22.22.22.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x2045B818(541440024)
inbound esp sas:
spi: 0x20E57A35(551909941)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4529856/1296)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2045B818(541440024)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4529856/1295)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3#show crypto isakmp sa
dst src state conn-id slot status
22.22.22.6 11.11.11.10 QM_IDLE 1 0 ACTIVE
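As an added example (not part of the original post), the Python checker below parses the ‘show crypto ipsec sa’ output shown above and confirms that ESP is really carrying traffic in both directions, with the peer and transform set the configuration intends. The sample text is R3's output from this post, trimmed to the lines the checker reads; the expected peer and transform set are taken from the configuration above.

```python
import re

# Constructed sample: R3's "show crypto ipsec sa" output from this post, trimmed.
SAMPLE = """\
current_peer 22.22.22.6 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
inbound esp sas:
spi: 0x20E57A35(551909941)
transform: esp-256-aes esp-sha-hmac ,
Status: ACTIVE
inbound ah sas:
outbound esp sas:
spi: 0x2045B818(541440024)
transform: esp-256-aes esp-sha-hmac ,
Status: ACTIVE
"""

def parse_ipsec_sa(text):
    # Peer, packet counters, and the ESP SAs listed under each direction.
    info = {"peer": None, "encaps": 0, "decaps": 0, "inbound": [], "outbound": []}
    direction = None  # list that the following spi/transform/Status lines belong to
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"current_peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            info[m.group(1)] = int(m.group(2))
        elif line.endswith("sas:"):  # "inbound esp sas:", "outbound ah sas:", ...
            direction = line.split()[0] if " esp " in line else None
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            info[direction].append({"spi": m.group(1), "transform": None, "status": None})
        elif direction and info[direction] and (m := re.match(r"transform: (.+)", line)):
            info[direction][-1]["transform"] = m.group(1).strip(" ,")
        elif direction and info[direction] and (m := re.match(r"Status: (\w+)", line)):
            info[direction][-1]["status"] = m.group(1)
    return info

def check_tunnel(info, expected_peer, expected_transform):
    # Returns findings; an empty list means ESP is ACTIVE and encrypting both ways.
    findings = []
    if info["peer"] != expected_peer:
        findings.append(f"peer is {info['peer']}, expected {expected_peer}")
    for direction in ("inbound", "outbound"):
        good = [sa for sa in info[direction]
                if sa["status"] == "ACTIVE" and sa["transform"] == expected_transform]
        if not good:
            findings.append(f"no ACTIVE {direction} ESP SA using {expected_transform}")
    if info["encaps"] == 0 or info["decaps"] == 0:
        findings.append("packets are not being encapsulated in both directions")
    return findings
```

The ‘#send errors 1’ counter in the full output matches the single lost packet (‘.!!!!’) in the ping test: the first packet is commonly dropped while the SAs are still being negotiated.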
BASIC MPLS VPN CISCO PART 3
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
C 4.4.4.0 is directly connected, Loopback0
5.0.0.0/24 is subnetted, 1 subnets
D 5.5.5.0 [90/158720] via 120.120.120.1, 02:28:43, FastEthernet0/0
130.130.0.0/24 is subnetted, 1 subnets
D 130.130.130.0 [90/30720] via 120.120.120.1, 02:28:44, FastEthernet0/0
120.0.0.0/24 is subnetted, 1 subnets
C 120.120.120.0 is directly connected, FastEthernet0/0
CSR1#
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.130.130.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/76/84 ms
CSR1#
BASIC MPLS VPN CISCO PART2
MPLS Router-id
Router SP1
SP1(config)#mpls ldp router-id loopback 0
Router SP2
SP2(config)#mpls ldp router-id loopback 0
Router SP3
SP3(config)#mpls ldp router-id loopback 0
VRF configuration
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.120.120.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.120.120.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
SP1#
SP1(config)#router eigrp 1
SP1(config-router)#address-family ipv4 vrf PELANGGAN
SP1(config-router-af)#autonomous-system 100
SP1(config-router-af)#network 120.120.120.0 0.0.0.255
SP1(config-router-af)#no auto-summary
Router SP3
SP3(config)#router eigrp 1
SP3(config-router)#address-family ipv4 vrf PELANGGAN
SP3(config-router-af)#autonomous-system 100
SP3(config-router-af)#network 130.130.130.0 0.0.0.255
SP3(config-router-af)#no auto-summary
Check the EIGRP configuration on the SP routers
Check EIGRP on the SP routers with ‘show’ commands such as the following.
Router SP1
SP1#show ip eigrp 1 neighbors
IP-EIGRP neighbors for process 1
SP1#
As shown above, there is no EIGRP routing information; but what happens when the following ‘show’ command is used instead?
Router SP1
SP1#show ip eigrp vrf PELANGGAN neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 120.120.120.2 Fa0/0 10 00:54:31 870 5000 0 3
SP1#
The ‘show ip eigrp vrf’ command displays the EIGRP neighbor information of router SP1.
Also check the routing table for vrf PELANGGAN with the following command.
Router SP1
SP1#show ip route vrf PELANGGAN
Routing Table: PELANGGAN
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
D 4.4.4.0 [90/156160] via 120.120.120.2, 00:58:20, FastEthernet0/0
C 120.120.120.0 is directly connected, FastEthernet0/0
BASIC MPLS VPN CISCO PART1
Assalamualaikum wr. wb,
“Cisco IOS Multiprotocol Label Switching (MPLS) enables Enterprises and Service Providers to build next-generation intelligent networks that deliver a wide variety of advanced, value-added services over a single infrastructure. This economical solution can be integrated seamlessly over any existing infrastructure, such as IP, Frame Relay, ATM, or Ethernet. Subscribers with differing access links can be aggregated on an MPLS edge without changing their current environments, as MPLS is independent of access technologies”
Router SP2
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 2WAY/DROTHER 00:00:30 11.11.11.2 FastEthernet1/0
1.1.1.1 1 2WAY/DROTHER 00:00:31 10.10.10.2 FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/37/44 ms
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 3.3.3.0/24 3477 Fa1/0 11.11.11.2
17 Pop tag 1.1.1.0/24 4611 Fa0/0 10.10.10.2