Juniper SRX IPSec Aggressive Mode

Assalamualaikum Wr. Wb.

This post covers implementing IPSec aggressive mode on Juniper SRX. What is aggressive mode? It is the IKE mode used when one of the IPSec sites has a dynamic public IP. Let's get straight to it.

Juniper SRX (Branch) ---- Modem ---------- Modem ---- Juniper SRX (Head Office)
     (Dynamic IP)                                           (Static IP)

The scenario is connecting the head office and a branch office with IPSec over the internet. However, the branch office's public IP comes from a residential internet connection, which only provides a dynamic public IP obtained through PPPoE negotiation with the ISP. Below is the PPPoE client configuration on the branch office Juniper SRX.

set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether

set interfaces pp0 unit 0 ppp-options pap local-name coba
set interfaces pp0 unit 0 ppp-options pap local-password cobaaja
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address

set routing-options static route 0.0.0.0/0 next-hop pp0.0

set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces pp0.0


To confirm that the PPPoE session came up, check whether interface pp0.0 has received an IP address from the ISP.


root@CABANG# run show interfaces terse pp0
Interface               Admin Link Proto    Local                 Remote
pp0                     up    up
pp0.0                   up    up   inet     30.56.78.20         --> 30.56.78.1


On the head office side, which has a static public IP, it is enough to configure the IP address on the Juniper SRX's physical interface, as follows.


set interfaces ge-0/0/0 unit 0 family inet address 30.78.9.2/29

set routing-options static route 0.0.0.0/0 next-hop 30.78.9.1

set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0


Once each side has its IP address in place, the next step is the IPSec configuration in aggressive mode. Here is the configuration on the branch Juniper SRX.


set security ike proposal PROP authentication-method pre-shared-keys
set security ike proposal PROP dh-group group2
set security ike proposal PROP authentication-algorithm sha-256
set security ike proposal PROP encryption-algorithm 3des-cbc
set security ike policy POL mode aggressive
set security ike policy POL proposals PROP
set security ike policy POL pre-shared-key ascii-text rahasia
set security ike gateway to-HeadOffice ike-policy POL
set security ike gateway to-HeadOffice address 30.67.78.2
set security ike gateway to-HeadOffice local-identity hostname coba.cabang.com
set security ike gateway to-HeadOffice external-interface pp0.0
set security ipsec proposal PROP protocol esp
set security ipsec proposal PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal PROP encryption-algorithm aes-128-cbc
set security ipsec policy POL perfect-forward-secrecy keys group2
set security ipsec policy POL proposals PROP
set security ipsec vpn to-HeadOffice bind-interface st0.1
set security ipsec vpn to-HeadOffice vpn-monitor
set security ipsec vpn to-HeadOffice ike gateway to-HeadOffice
set security ipsec vpn to-HeadOffice ike ipsec-policy POL
set security ipsec vpn to-HeadOffice establish-tunnels immediately
set interfaces st0 unit 1 family inet

rahasia is the pre-shared key string that authenticates the IPSec peers at the branch and the head office. 30.67.78.2 is the public IP of the head office, and the hostname coba.cabang.com is the identity the head office router will read to recognise the branch as its IPSec peer.

Next is the IPSec configuration on the head office side.

set security ike proposal PROP authentication-method pre-shared-keys
set security ike proposal PROP dh-group group2
set security ike proposal PROP authentication-algorithm sha-256
set security ike proposal PROP encryption-algorithm 3des-cbc
set security ike policy POL mode aggressive
set security ike policy POL proposals PROP
set security ike policy POL pre-shared-key ascii-text rahasia
set security ike gateway to-Cabang ike-policy POL
set security ike gateway to-Cabang dynamic hostname coba.cabang.com
set security ike gateway to-Cabang external-interface ge-0/0/0.0
set security ipsec proposal PROP protocol esp
set security ipsec proposal PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal PROP encryption-algorithm aes-128-cbc
set security ipsec policy POL perfect-forward-secrecy keys group2
set security ipsec policy POL proposals PROP
set security ipsec vpn to-Cabang bind-interface st0.1
set security ipsec vpn to-Cabang vpn-monitor
set security ipsec vpn to-Cabang ike gateway to-Cabang
set security ipsec vpn to-Cabang ike ipsec-policy POL
set security ipsec vpn to-Cabang establish-tunnels immediately
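The following Python script is an added example and not part of the original post: it parses the IKE/IPsec "set" lines used on both sides above and flags the settings a reviewer would want changed before this tunnel carries production traffic (3DES, DH group 2, HMAC-SHA1, aggressive mode together with a short pre-shared key). The embedded sample config is copied from this page; the function name, the weak-algorithm sets and the PSK length threshold are my own assumptions.

```python
import re

# Constructed sample: the IKE/IPsec proposal and policy lines this page applies
# on both the branch and the head-office SRX (copied from the post).
SAMPLE_CONFIG = """\
set security ike proposal PROP authentication-method pre-shared-keys
set security ike proposal PROP dh-group group2
set security ike proposal PROP authentication-algorithm sha-256
set security ike proposal PROP encryption-algorithm 3des-cbc
set security ike policy POL mode aggressive
set security ike policy POL proposals PROP
set security ike policy POL pre-shared-key ascii-text rahasia
set security ipsec proposal PROP protocol esp
set security ipsec proposal PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal PROP encryption-algorithm aes-128-cbc
set security ipsec policy POL perfect-forward-secrecy keys group2
"""

WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}            # 64-bit block ciphers
WEAK_DH_GROUPS = {"group1", "group2", "group5"}      # MODP of 1536 bits or less
WEAK_AUTH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
MIN_PSK_LEN = 20                                     # assumed policy threshold
LINE_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy) (\S+) (\S+)(?: (.*))?$")

def audit_junos_vpn(config_text):
    """Return (object, finding) tuples for weak IKE/IPsec settings in Junos set syntax."""
    findings = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, kind, name, key, value = m.groups()
        obj = f"{proto} {kind} {name}"
        value = (value or "").strip()
        last = value.split()[-1] if value else ""   # e.g. "keys group2" -> "group2"
        if key == "encryption-algorithm" and value in WEAK_ENCRYPTION:
            findings.append((obj, f"{value}: 64-bit block cipher, prefer aes-256-cbc or aes-256-gcm"))
        elif key == "authentication-algorithm" and value in WEAK_AUTH:
            findings.append((obj, f"{value}: MD5/SHA-1 based, prefer sha-256 / hmac-sha-256-128"))
        elif key in ("dh-group", "perfect-forward-secrecy") and last in WEAK_DH_GROUPS:
            findings.append((obj, f"{last}: small Diffie-Hellman group, prefer group14 or higher"))
        elif key == "mode" and value == "aggressive":
            findings.append((obj, "aggressive mode: peer identity travels in cleartext and the "
                                  "PSK-based authentication hash is exposed to offline guessing; "
                                  "use a long random PSK or certificates and limit IKE exposure"))
        elif key == "pre-shared-key" and value.startswith("ascii-text"):
            psk = value.split(None, 1)[1].strip('"') if " " in value else ""
            if len(psk) < MIN_PSK_LEN:
                findings.append((obj, f"pre-shared key is {len(psk)} characters, "
                                      f"below the assumed minimum of {MIN_PSK_LEN}"))
    return findings

if __name__ == "__main__":
    for obj, finding in audit_junos_vpn(SAMPLE_CONFIG):
        print(f"[{obj}] {finding}")
```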


Check whether the IPSec session has come up on both sides, as follows.

root@HEADOFFIC# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3143163 UP     11aaf60c498f5995  8edb690617c5e40a  Aggressive     30.56.68.20

root@CABANG# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
415044  UP     11aaf60c498f5995  8edb690617c5e40a  Aggressive     30.67.78.2


That's all, I hope it helps.

Wassalamualaikum Wr. Wb.
