Juniper Policy-Based VPN

Assalamualaikum Wr. Wb.

In this post I will cover VPN configuration on Juniper, with policy-based VPN as the theme. With this technique we can filter which traffic is allowed to pass through the VPN tunnel. In this scenario I use two office sites, Jakarta and Semarang, as shown in the following figure:

[Figure: topo]

Let's go straight to the configuration :). Here is the configuration of the Jakarta router.

First we create the pre-configuration: IP addresses, routing, zones and the address book.

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security address-book book1 address jakarta 192.168.1.0/24
set security address-book book1 attach zone trust
set security address-book book2 address semarang 192.168.2.0/24
set security address-book book2 attach zone untrust

IKE configuration

set security ike proposal prop-semarang authentication-method pre-shared-keys
set security ike proposal prop-semarang dh-group group2
set security ike proposal prop-semarang authentication-algorithm sha1
set security ike proposal prop-semarang encryption-algorithm aes-128-cbc
set security ike policy pol-semarang mode main
set security ike policy pol-semarang proposals prop-semarang
set security ike policy pol-semarang pre-shared-key ascii-text P@ssw0rd
set security ike gateway semarang ike-policy pol-semarang
set security ike gateway semarang address 2.2.2.2
set security ike gateway semarang external-interface ge-0/0/0.0

IPsec configuration.

set security ipsec proposal prop-semarang protocol esp
set security ipsec proposal prop-semarang authentication-algorithm hmac-sha1-96
set security ipsec proposal prop-semarang encryption-algorithm aes-128-cbc
set security ipsec policy pol-semarang perfect-forward-secrecy keys group2
set security ipsec policy pol-semarang proposals prop-semarang
set security ipsec vpn semarang vpn-monitor
set security ipsec vpn semarang ike gateway semarang
set security ipsec vpn semarang ike ipsec-policy pol-semarang

Security policy configuration.

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy to-semarang match source-address jakarta
set security policies from-zone trust to-zone untrust policy to-semarang match destination-address semarang
set security policies from-zone trust to-zone untrust policy to-semarang match application any
set security policies from-zone trust to-zone untrust policy to-semarang then permit tunnel ipsec-vpn semarang
set security policies from-zone trust to-zone untrust policy to-semarang then permit tunnel pair-policy to-jakarta
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone untrust to-zone trust policy to-jakarta match source-address semarang
set security policies from-zone untrust to-zone trust policy to-jakarta match destination-address jakarta
set security policies from-zone untrust to-zone trust policy to-jakarta match application any
set security policies from-zone untrust to-zone trust policy to-jakarta then permit tunnel ipsec-vpn semarang
set security policies from-zone untrust to-zone trust policy to-jakarta then permit tunnel pair-policy to-semarang
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny

That completes the configuration in Jakarta; next is the configuration at the Semarang site. As in Jakarta, first create the pre-configuration for IP addresses, routing, zones and the address book, as follows:

set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security address-book book1 address semarang 192.168.2.0/24
set security address-book book1 attach zone trust
set security address-book book2 address jakarta 192.168.1.0/24
set security address-book book2 attach zone untrust

IKE configuration on the Semarang router

set security ike proposal prop-jakarta authentication-method pre-shared-keys
set security ike proposal prop-jakarta dh-group group2
set security ike proposal prop-jakarta authentication-algorithm sha1
set security ike proposal prop-jakarta encryption-algorithm aes-128-cbc
set security ike policy pol-jakarta mode main
set security ike policy pol-jakarta proposals prop-jakarta
set security ike policy pol-jakarta pre-shared-key ascii-text P@ssw0rd
set security ike gateway jakarta ike-policy pol-jakarta
set security ike gateway jakarta address 1.1.1.1
set security ike gateway jakarta external-interface ge-0/0/0.0

IPsec configuration on the Semarang router.

set security ipsec proposal prop-jakarta protocol esp
set security ipsec proposal prop-jakarta authentication-algorithm hmac-sha1-96
set security ipsec proposal prop-jakarta encryption-algorithm aes-128-cbc
set security ipsec policy pol-jakarta perfect-forward-secrecy keys group2
set security ipsec policy pol-jakarta proposals prop-jakarta
set security ipsec vpn jakarta vpn-monitor
set security ipsec vpn jakarta ike gateway jakarta
set security ipsec vpn jakarta ike ipsec-policy pol-jakarta

Finally, the security policy configuration on the Semarang router.

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy to-jakarta match source-address semarang
set security policies from-zone trust to-zone untrust policy to-jakarta match destination-address jakarta
set security policies from-zone trust to-zone untrust policy to-jakarta match application any
set security policies from-zone trust to-zone untrust policy to-jakarta then permit tunnel ipsec-vpn jakarta
set security policies from-zone trust to-zone untrust policy to-jakarta then permit tunnel pair-policy to-semarang
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone untrust to-zone trust policy to-semarang match source-address jakarta
set security policies from-zone untrust to-zone trust policy to-semarang match destination-address semarang
set security policies from-zone untrust to-zone trust policy to-semarang match application any
set security policies from-zone untrust to-zone trust policy to-semarang then permit tunnel ipsec-vpn jakarta
set security policies from-zone untrust to-zone trust policy to-semarang then permit tunnel pair-policy to-jakarta
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
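
As an added check that is not part of the original post (my own helper, not a Juniper tool): the Python script below parses the set security policies lines from the Jakarta side and verifies two things the policy-based design depends on. Junos evaluates policies in configured order, so a tunnel policy that sits after the permit-any policy of its zone pair would never match and the site-to-site traffic would leave in the clear; and each pair-policy must point back to a policy that references the same ipsec-vpn. It treats any non-tunnel permit ahead of a tunnel policy as shadowing, which is exact for the any/any policy used on this page.

```python
import re

# Constructed sample: a subset of the Jakarta security policies from the post.
JAKARTA = """
set security policies from-zone trust to-zone untrust policy to-semarang then permit tunnel ipsec-vpn semarang
set security policies from-zone trust to-zone untrust policy to-semarang then permit tunnel pair-policy to-jakarta
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone untrust to-zone trust policy to-jakarta then permit tunnel ipsec-vpn semarang
set security policies from-zone untrust to-zone trust policy to-jakarta then permit tunnel pair-policy to-semarang
set security policies from-zone untrust to-zone trust policy default-deny then deny
"""

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")

def parse_policies(config):
    """Group policies per zone pair, in configured order (dicts keep insertion order)."""
    zones = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        fz, tz, name, rest = m.groups()
        pol = zones.setdefault((fz, tz), {}).setdefault(name, {"permit": False, "vpn": None, "pair": None})
        words = rest.split()
        pol["permit"] |= words[:2] == ["then", "permit"]
        if "ipsec-vpn" in words:
            pol["vpn"] = words[words.index("ipsec-vpn") + 1]
        if "pair-policy" in words:
            pol["pair"] = words[words.index("pair-policy") + 1]
    return zones

def check_policies(config):
    """Return findings; an empty list means ordering and pair-policy references are consistent."""
    zones, findings = parse_policies(config), []
    for (fz, tz), pols in zones.items():
        plain_permit = None          # first non-tunnel permit seen in this zone pair
        for name, pol in pols.items():
            if pol["vpn"] and plain_permit:
                findings.append(f"{fz}->{tz}: tunnel policy {name} sits after plain permit "
                                f"{plain_permit}, so matching traffic is forwarded in the clear")
            elif pol["permit"] and not pol["vpn"] and plain_permit is None:
                plain_permit = name
            if pol["pair"]:
                peer = zones.get((tz, fz), {}).get(pol["pair"])
                if peer is None or peer["pair"] != name or peer["vpn"] != pol["vpn"]:
                    findings.append(f"{fz}->{tz}: {name} pair-policy {pol['pair']} does not "
                                    f"point back to {name} with ipsec-vpn {pol['vpn']}")
    return findings
```

Running check_policies on the post's ordering returns no findings; moving permit-any above to-semarang, or pointing a pair-policy at the wrong name, produces a finding for each broken policy.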

The configuration on both routers is now complete; check that the IPsec tunnel is established with the command run show security ipsec security-associations, as follows.

[edit]
root@jakarta# run show security ipsec security-associations
Total active tunnels: 2
ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
<2    ESP:aes-128/sha1 33cfefa5 1240/ unlim  U   root 500   2.2.2.2
>2    ESP:aes-128/sha1 c7d03888 1240/ unlim  U   root 500   2.2.2.2

To confirm that the tunnel is actually carrying traffic, ping between clients at the two sites; the packets passing through are encrypted, which we can see with the command run show security ipsec statistics, as follows.

[edit]
root@jakarta# run show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           509352
  Decrypted bytes:           277788
  Encrypted packets:           3351
  Decrypted packets:           3307
AH Statistics:
Input bytes:                    0
Output bytes:                   0
Input packets:                  0
Output packets:                 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

That's all for this post, hope it's useful 🙂