GRE over IPsec VPN Configuration
I have noticed that many companies now buy cheaper but still secure WAN solutions,
especially companies at remote locations. Some companies also use a VPN
as a WAN backup.
Besides being fun, learning security this way also leaves me notes to fall back on if I forget later.
This afternoon I want to lab GRE over IPsec VPN.
The design concept is described in detail at the link below:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html
The lab uses GNS3 1.3.0 with the IOS image c3725-adventerprisek9-mz.124-12.image.
Router 1 - Branch
Branch#sh run
Building configuration...
Current configuration : 2114 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch
!
crypto isakmp policy 1 // ISAKMP POLICY FOR PHASE 1 (IKEv1)
encr aes
authentication pre-share
group 2 // DH group 2 (1024-bit MODP) is lab-grade; use group 14 or higher in production
crypto isakmp key cisco123 address 202.130.200.18 // PSK, readable in show run because service password-encryption is off
crypto isakmp keepalive 10 // DPD every 10 s (shows as capability D in show crypto session)
!
!
crypto ipsec transform-set HO-VPN esp-3des esp-sha-hmac // IPSEC POLICY FOR PHASE 2 (tunnel mode by default; 3DES is legacy, prefer esp-aes 256 where the image supports it)
!
crypto map HO-MAP 10 ipsec-isakmp // VPN TUNNEL INFO
set peer 202.130.200.18
set transform-set HO-VPN
match address HO-VPN-ACL // only GRE between the two public addresses is encrypted; everything the tunnel carries rides inside it
interface Loopback1
description Branch Lan
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Tunnel0 // GRE point-to-point; the IP MTU defaults to 1476 and ignores the ESP overhead, so the Cisco design guide recommends ip mtu 1400 and ip tcp adjust-mss 1360 here
ip address 172.100.100.1 255.255.255.252
tunnel source 202.130.200.26
tunnel destination 202.130.200.18
!
interface FastEthernet0/0
description connection to ISP
ip address 202.130.200.26 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map HO-MAP // APPLY CRYPTO MAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 10
network 172.100.100.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 202.130.200.25 // DEFAULT ROUTE TO ISP
!
!
no ip http server
no ip http secure-server
ip nat pool BRANCH_NAT_POOL 202.130.200.27 202.130.200.30 prefix-length 29 // pool name must match the one referenced on the next line
ip nat inside source list BRANCH_NAT_ACL pool BRANCH_NAT_POOL
!
ip access-list extended BRANCH_NAT_ACL // NAT ACL: explicitly exclude site-to-site traffic from translation so it reaches the tunnel with its real source address
remark do not translate Branch LAN to HO LAN addresses
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 // site-to-site IPsec VPN traffic
remark translate LAN to all internet destinations
permit ip 192.168.1.0 0.0.0.255 any // NAT ACL
ip access-list extended HO-VPN-ACL
remark Branch to HO GRE traffic that triggers the VPN
permit gre host 202.130.200.26 host 202.130.200.18
Router 2 - HO
HO# sh running-config
Building configuration...
Current configuration : 2225 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HO
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 202.130.200.26
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set BRANCH-VPN esp-3des esp-sha-hmac
!
crypto map BRANCH-MAP 10 ipsec-isakmp
set peer 202.130.200.26
set transform-set BRANCH-VPN
match address BRANCH-VPN-ACL
!
!
!
!
interface Loopback1
description Head Office LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Tunnel0 // a crypto map alone carries only unicast IP, no dynamic routing protocol or multicast; the GRE tunnel gives EIGRP an interface to peer over
ip address 172.100.100.2 255.255.255.252
tunnel source 202.130.200.18
tunnel destination 202.130.200.26
!
interface FastEthernet0/0
description connection to ISP
ip address 202.130.200.18 255.255.255.248
ip nat outside // required: NAT only translates between an inside and an outside interface
ip virtual-reassembly
duplex auto
speed auto
crypto map BRANCH-MAP
!
interface FastEthernet0/1
ip address 10.100.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router eigrp 10
network 10.100.200.0 0.0.0.255
network 172.100.100.0 0.0.0.3
network 192.168.2.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 202.130.200.17 // DEFAULT ROUTE TO ISP
!
no ip http server
no ip http secure-server
ip nat pool HO_NAT_POOL 202.130.200.20 202.130.200.22 prefix-length 29
ip nat inside source list HO_NAT_ACL pool HO_NAT_POOL
ip nat inside source static tcp 10.100.200.33 25 202.130.200.19 25 // static PAT: SMTP, POP3 and HTTPS on 10.100.200.33 are exposed to the internet via 202.130.200.19 (POP3 on 110 is cleartext)
ip nat inside source static tcp 10.100.200.33 110 202.130.200.19 110
ip nat inside source static tcp 10.100.200.33 443 202.130.200.19 443
!
ip access-list extended BRANCH-VPN-ACL
remark HO to Branch GRE traffic that triggers the VPN
permit gre host 202.130.200.18 host 202.130.200.26 // GRE between the tunnel endpoints is the interesting traffic
ip access-list extended HO_NAT_ACL // NAT ACL: exclude site-to-site traffic from translation
remark do not translate HO LAN to Branch LAN addresses
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
remark translate LAN to all internet destinations
permit ip 192.168.2.0 0.0.0.255 any
Router 3 - ISP
ISP#sh running-config
Building configuration...
Current configuration : 1135 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
!
!
!
interface Loopback1
description simulates the internet
ip address 202.130.202.129 255.255.255.240
!
interface FastEthernet0/0
description connection to Branch
ip address 202.130.200.25 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
description connection to HQ
ip address 202.130.200.17 255.255.255.248
duplex auto
speed auto
!
router eigrp 10 // no network statement, so the ISP router takes no part in EIGRP; the customers' EIGRP runs only inside the GRE tunnel
auto-summary
!
ip route 202.130.200.16 255.255.255.248 FastEthernet0/1 // static route ISP to HO (redundant, the /29 is directly connected)
ip route 202.130.200.24 255.255.255.248 FastEthernet0/0 // static route ISP to Branch (likewise redundant)
##############Testing#######################
Branch#show interfaces tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.100.100.1/30
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 202.130.200.26, destination 202.130.200.18
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:02, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 274
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1944 packets input, 164558 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2055 packets output, 171350 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Branch#
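Tunnel0 reports a 1514-byte interface MTU, but that is not the IP MTU: a GRE tunnel defaults to an IP MTU of 1476 (1500 minus 20 bytes of IP and 4 bytes of GRE), and neither figure accounts for the ESP encapsulation the crypto map adds afterwards. The following is an added example, not from the original post, that computes the on-wire size of a packet after GRE and ESP tunnel-mode encapsulation for the transform set used in this lab (and for an AES/SHA-256 alternative), and from it the largest inner packet that still fits a 1500-byte link. It assumes a 4-byte GRE header (key, sequencing and checksum are disabled, as the show output confirms), tunnel mode (the crypto map does not set mode transport), and the header sizes from RFC 4303; the function names are the example's own.

```python
"""Added example, not from the original post: on-wire size of a packet after
GRE encapsulation and ESP tunnel-mode protection, for the transform set used
in the lab (esp-3des esp-sha-hmac) and an AES/SHA-256 alternative.  Used to
choose 'ip mtu' / 'ip tcp adjust-mss' for Tunnel0 so the outer packet never
exceeds a 1500-byte link.  Header sizes follow RFC 4303 (ESP) and RFC 2784
(GRE); the function names are this example's own."""

IP_HDR = 20          # outer IPv4 header, no options
GRE_HDR = 4          # GRE with key, sequence and checksum disabled (as on Tunnel0)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# (CBC block size, which is also the IV length; ICV length) per transform set
TRANSFORMS = {
    "esp-3des esp-sha-hmac":   (8, 12),   # 3DES-CBC, HMAC-SHA1-96
    "esp-aes esp-sha256-hmac": (16, 16),  # AES-CBC,  HMAC-SHA256-128
}


def esp_tunnel_size(plain_len, block, icv):
    """Bytes on the wire for ESP tunnel mode protecting plain_len bytes."""
    pad = (-(plain_len + ESP_TRAILER)) % block   # CBC pads to a block boundary
    return IP_HDR + ESP_HDR + block + plain_len + pad + ESP_TRAILER + icv


def gre_over_ipsec_size(inner_len, transform="esp-3des esp-sha-hmac"):
    """Outer packet size for an inner IP packet sent through GRE over IPsec.
    Tunnel mode is assumed because the crypto map does not set
    'mode transport': the whole GRE packet, its IP header included, is
    wrapped in a new IP header."""
    block, icv = TRANSFORMS[transform]
    gre_pkt = IP_HDR + GRE_HDR + inner_len
    return esp_tunnel_size(gre_pkt, block, icv)


def max_inner_mtu(link_mtu=1500, transform="esp-3des esp-sha-hmac"):
    """Largest inner packet that leaves the physical interface unfragmented."""
    inner = link_mtu
    while gre_over_ipsec_size(inner, transform) > link_mtu:
        inner -= 1
    return inner


def tunnel_mss(ip_mtu):
    """TCP MSS to clamp on the tunnel: 'ip mtu' minus IP and TCP headers."""
    return ip_mtu - IP_HDR - 20


if __name__ == "__main__":
    for t in TRANSFORMS:
        print(f"{t}: 1500-byte inner -> {gre_over_ipsec_size(1500, t)} bytes "
              f"on the wire, max unfragmented inner MTU {max_inner_mtu(1500, t)}")
    print("ip mtu 1400 -> ip tcp adjust-mss", tunnel_mss(1400))
```

With 3DES/SHA-1 a 1500-byte inner packet becomes 1576 bytes on the wire and the largest inner packet that avoids fragmentation is 1422 bytes, which is why the design guide's ip mtu 1400 / ip tcp adjust-mss 1360 on the tunnel is a safe choice; with AES-CBC/SHA-256 the limit drops to 1414, still above 1400.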
show ip route from Branch
Branch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 202.130.200.25 to network 0.0.0.0
202.130.200.0/29 is subnetted, 1 subnets
C 202.130.200.24 is directly connected, FastEthernet0/0
172.100.0.0/30 is subnetted, 1 subnets
C 172.100.100.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
D 10.100.200.0 [90/297270016] via 172.100.100.2, 00:58:17, Tunnel0
C 192.168.1.0/24 is directly connected, Loopback1
D 192.168.2.0/24 [90/297372416] via 172.100.100.2, 01:18:44, Tunnel0
S* 0.0.0.0/0 [1/0] via 202.130.200.25
IPsec status // Branch to HO
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 202.130.200.18 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 202.130.200.18
Desc: (none)
IKE SA: local 202.130.200.26/500 remote 202.130.200.18/500 Active
Capabilities:D connid:19 lifetime:22:12:19
IPSEC FLOW: permit 47 host 202.130.200.26 host 202.130.200.18
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1244 drop 0 life (KB/Sec) 4555377/2169
Outbound: #pkts enc'ed 1198 drop 1 life (KB/Sec) 4555381/2169
Branch#
Site-to-site test // Branch to HO
Branch#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/147/176 ms
Branch#traceroute 192.168.2.1 source 192.168.1.1 // LAN-to-LAN (site-to-site VPN) reachability, one hop through the tunnel
Type escape sequence to abort.
Tracing the route to 192.168.2.1
1 172.100.100.2 144 msec 128 msec 128 msec
Branch#