Lab 4. Phase 1 With IPsec
We are still using the same topology. IPsec itself is used to secure the traffic with encryption; in short, it is simply more secure.
First, configure IPsec Phase 1 on all routers.
R1(HUB):
HUB(config)#crypto isakmp policy 10
HUB(config-isakmp)#authentication pre-share
HUB(config-isakmp)#encryption aes 128
HUB(config-isakmp)#group 5
HUB(config-isakmp)#hash sha
R3(SPOKE-1):
SPOKE-1(config)#crypto isakmp policy 10
SPOKE-1(config-isakmp)#authentication pre-share
SPOKE-1(config-isakmp)#encryption aes 128
SPOKE-1(config-isakmp)#group 5
SPOKE-1(config-isakmp)#hash sha
R4(SPOKE-2):
SPOKE-2(config)#crypto isakmp policy 10
SPOKE-2(config-isakmp)#authentication pre-share
SPOKE-2(config-isakmp)#encryption aes 128
SPOKE-2(config-isakmp)#group 5
SPOKE-2(config-isakmp)#hash sha
After phase 1, we continue with phase 2 by setting up the IPsec peering on the HUB as well as on the spokes. The pre-shared key must be the same string on the HUB and on the spokes.
R1(HUB):
HUB(config)#crypto isakmp key IDN_MANTAB address 23.23.23.1
HUB(config)#crypto isakmp key IDN_MANTAB address 24.24.24.1
HUB(config)#crypto ipsec transform-set IDN_TRANSFORM esp-aes esp-sha-hmac
HUB(cfg-crypto-trans)#mode transport
HUB(cfg-crypto-trans)#exit
HUB(config)#crypto ipsec profile IDN_PROFILE
HUB(ipsec-profile)#set transform-set IDN_TRANSFORM
R3(SPOKE-1):
SPOKE-1(config)#crypto isakmp key IDN_MANTAB address 12.12.12.1
SPOKE-1(config)#crypto ipsec transform-set IDN_TRANSFORM esp-aes esp-sha-hmac
SPOKE-1(cfg-crypto-trans)#mode transport
SPOKE-1(cfg-crypto-trans)#exit
SPOKE-1(config)#crypto ipsec profile IDN_PROFILE
SPOKE-1(ipsec-profile)#set transform-set IDN_TRANSFORM
R4(SPOKE-2):
SPOKE-2(config)#crypto isakmp key IDN_MANTAB address 12.12.12.1
SPOKE-2(config)#crypto ipsec transform-set IDN_TRANSFORM esp-aes esp-sha-hmac
SPOKE-2(cfg-crypto-trans)#mode transport
SPOKE-2(cfg-crypto-trans)#exit
SPOKE-2(config)#crypto ipsec profile IDN_PROFILE
SPOKE-2(ipsec-profile)#set transform-set IDN_TRANSFORM
IPsec works like a VLAN in that it has to be applied on an interface, so the IPsec profile likewise has to be attached to the tunnel interface.
R1(HUB):
HUB(config)#int tun0
HUB(config-if)#tunnel protect ipsec profile IDN_PROFILE
R3(SPOKE-1):
SPOKE-1(config)#int tun0
SPOKE-1(config-if)#tunnel protect ipsec profile IDN_PROFILE
R4(SPOKE-2):
SPOKE-2(config)#int tun0
SPOKE-2(config-if)#tunnel protect ipsec profile IDN_PROFILE
And finally, we verify the IPsec.
R1(HUB):
HUB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.23.23.1      12.12.12.1      QM_IDLE           1003 ACTIVE
12.12.12.1      24.24.24.1      QM_IDLE           1002 ACTIVE
12.12.12.1      23.23.23.1      QM_IDLE           1001 ACTIVE
24.24.24.1      12.12.12.1      QM_IDLE           1004 ACTIVE
R3(SPOKE-1):
Spoke-1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
12.12.12.1      23.23.23.1      QM_IDLE           1001 ACTIVE
23.23.23.1      12.12.12.1      QM_IDLE           1002 ACTIVE
R4(SPOKE-2):
Spoke-2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
12.12.12.1      24.24.24.1      QM_IDLE           1001 ACTIVE
24.24.24.1      12.12.12.1      QM_IDLE           1002 ACTIVE
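The same verification can be scripted. The following is an added example, not part of the original lab: it parses show crypto isakmp sa output and reports, for each expected peer, whether an SA reached QM_IDLE / ACTIVE. The function names parse_isakmp_sa and check_peers are hypothetical, and BROKEN_OUTPUT is a constructed sample.

```python
import re

# One SA row, in the header's column order: dst, src, state, conn-id, status.
# Anything after the status (for example "(deleted)") is ignored.
SA_ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s+(\S+)")

def parse_isakmp_sa(text):
    """Return one dict per SA row; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows

def check_peers(text, local_ip, expected_peers):
    """Map each expected peer to 'ok', 'missing' or 'stuck: <states>'."""
    rows = parse_isakmp_sa(text)
    result = {}
    for peer in expected_peers:
        # SAs between local_ip and this peer, whichever side initiated.
        seen = [(r["state"], r["status"]) for r in rows
                if {r["dst"], r["src"]} == {local_ip, peer}]
        if not seen:
            result[peer] = "missing"
        elif ("QM_IDLE", "ACTIVE") in seen:
            result[peer] = "ok"
        else:
            result[peer] = "stuck: " + ", ".join(sorted({s for s, _ in seen}))
    return result

# HUB output from this lab.
HUB_OUTPUT = """HUB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
23.23.23.1 12.12.12.1 QM_IDLE 1003 ACTIVE
12.12.12.1 24.24.24.1 QM_IDLE 1002 ACTIVE
12.12.12.1 23.23.23.1 QM_IDLE 1001 ACTIVE
24.24.24.1 12.12.12.1 QM_IDLE 1004 ACTIVE"""

# Constructed sample (not from the lab): one negotiation that never completed.
BROKEN_OUTPUT = """dst src state conn-id status
23.23.23.1 12.12.12.1 MM_NO_STATE 0 ACTIVE (deleted)"""

if __name__ == "__main__":
    peers = ["23.23.23.1", "24.24.24.1"]
    print(check_peers(HUB_OUTPUT, "12.12.12.1", peers))
    print(check_peers(BROKEN_OUTPUT, "12.12.12.1", peers))
```

A peer reported as stuck or missing on the HUB is the cue to compare the ISAKMP policy and pre-shared key on both ends of that peering.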