CCNP - IP SEC Tunnel
Lab 14 IP SEC Tunnel
Internet Protocol Security (IPsec) adalah rangkaian protokol jaringan aman yang mengautentikasi dan mengenkripsi paket data untuk menyediakan komunikasi terenkripsi yang aman antara dua komputer melalui jaringan Protokol Internet. Ini digunakan dalam jaringan pribadi virtual (VPN).
Konfig ISAKMP phase 1 dan 2
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#crypto isakmp key 0 IDNJOS address 13.13.13.3
R2(config)#crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
R2(config)#crypto map ROSLIANA12A 10 ipsec-isakmp
R2(config-crypto-map)#set peer 13.13.13.3
R2(config-crypto-map)#set transform-set ROSLIANA
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#access-list 100 permit ip host 2.2.2.2 host 3.3.3.3
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption aes R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#crypto isakmp key 0 IDNJOS address 12.12.12.2
R3(config)#crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#crypto map ROSLIANA12A 10 ipsec-isakmp
R3(config-crypto-map)#set peer 12.12.12.2
R3(config-crypto-map)#set transform-set ROSLIANA
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#access-list 100 permit ip host 3.3.3.3 host 2.2.2.2
Pasang static route dan crypto map di R2 dan R3
R2(config)#ip route 3.3.3.3 255.255.255.255 13.13.13.3
R2(config)#int fa0/0
R2(config-if)#crypto map IDNSCHOOL
R3(config)#ip route 2.2.2.2 255.255.255.255 12.12.12.2
R3(config)#int fa0/0
R3(config-if)#crypto map IDNSCHOOL
Pastikan session status sudah up
R2(config)#do show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 13.13.13.3 port 500
IKE SA: local 12.12.12.2/500 remote 13.13.13.3/500 Active
IPSEC FLOW: permit ip host 2.2.2.2 host 3.3.3.3
Active SAs: 2, origin: crypto map
R3#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 12.12.12.2 port 500
IKE SA: local 13.13.13.3/500 remote 12.12.12.2/500 Active
IPSEC FLOW: permit ip host 3.3.3.3 host 2.2.2.2
Active SAs: 2, origin: crypto map
R3#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: ROSLIANA12A, local addr 13.13.13.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 12.12.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 13.13.13.3, remote crypto endpt.: 12.12.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x7CAFE9D5(2091903445)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map:
ROSLIANA12A
sa timing: remaining key lifetime (k/sec): (4593143/1916)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4F0F0D33(1326386483)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map:
ROSLIANA12A
sa timing: remaining key lifetime (k/sec): (4593141/1916)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Cek ping
R2(config)#do ping 3.3.3.3 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/62/52 ms
Komentar
Posting Komentar