Lab - 130520091028
Bro Networkers.
Lab kali ini akan mengkonfigur Site-to-Site VPN. Topologi lab bisa dilihat dibawah.
Spesifikasi Lab:
- Konfigur IGP routing protokol untuk menghubungkan semua prefix,
- hal ini juga dimaksudkan agar kita mempunyai ‘environment’ hubungan antara customer melalui ISP/Internet.
- Prefix 192.168.1.0/24 dan 192.168.2.0/24 disimulasikan sebagai client node,
- yang akan melakukan koneksi site-to-site VPN menggunakan IPSec
Berikut konfigurasi dari masing-masing router,
R0#sh run
Building configuration…
Current configuration : 817 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 201.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 200.1.1.2 255.255.255.252
duplex auto
speed auto
!
router rip
version 2
network 200.1.1.0
network 201.1.1.0
no auto-summary
!
ip classless
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
R1#sh run
Building configuration…
Current configuration : 1255 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key 6 cisco123 address 201.1.1.2
!
!
crypto ipsec transform-set trans1 esp-aes esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
set peer 201.1.1.2
set transform-set trans1
match address 101
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 200.1.1.1 255.255.255.252
shutdown
duplex auto
speed auto
crypto map vpnmap
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router rip
version 2
network 192.168.1.0
network 200.1.1.0
no auto-summary
!
ip classless
!
ip http server
no ip http secure-server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
R2#sh run
Building configuration…
Current configuration : 1255 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key 6 cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set trans1 esp-aes esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set trans1
match address 101
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 201.1.1.2 255.255.255.252
shutdown
duplex auto
speed auto
crypto map vpnmap
!
router rip
version 2
network 192.168.2.0
network 201.1.1.0
no auto-summary
!
ip classless
!
ip http server
no ip http secure-server
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
Dua kondisi diatas dilakukan pada saat konfigurasi sudah selesai, namun IPSec masih belum berjalan.
Untuk menjalankan cukup men-generate satu traffic. Pada capture dibawah terlihat IPSec Up setelah R1 men-generate satu traffic ICMP.
Perhatikan perbedaan hasil verifikasi setelah IPSec Up.
