IPSEC VPN SITE TO SITE

Posted: February 17, 2012 in Cisco, Networking

So I don't forget, I'm putting the documentation on the blog first.
Here is a simple “IPSEC VPN SITE TO SITE” configuration.

IPSEC VPN SITE TO SITE BY WIWID

In general, the configuration steps are as follows:
1) Set the ISAKMP policy
2) Set the ISAKMP pre-shared key
3) Set the transform-set
4) Create an access list for the LAN networks whose traffic will be encrypted
5) Create the crypto map, in line with the pre-shared key, transform-set, and access list
6) Then apply it on the WAN interface

Configuration
R3 (CORE)

interface Loopback0
 ip address 10.1.1.3 255.255.255.255
!
interface FastEthernet0/0
 description to F0/0 R2
 ip address 172.16.10.1 255.255.255.252
!
interface FastEthernet0/1
 description F0/1 R1
 ip address 172.16.20.1 255.255.255.252
!
router ospf 88
 router-id 10.1.1.3
 log-adjacency-changes
 network 10.1.1.3 0.0.0.0 area 0
 network 172.16.10.0 0.0.0.255 area 0
 network 172.16.20.0 0.0.0.255 area 0

R1

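! Step 1: ISAKMP (IKE phase 1) policy
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
! Step 2: pre-shared key for peer R2 (must match the key R2 sets for R1)
crypto isakmp key secret1 address 172.16.10.2
!
! Step 3: transform-set (ESP with AES encryption and SHA HMAC)
crypto ipsec transform-set secret1 esp-aes esp-sha-hmac
!
! Step 5: crypto map tying together the peer, transform-set and access list 101
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.10.2
 set transform-set secret1
 match address 101

interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
! Step 6: apply the crypto map on the WAN interface
interface FastEthernet0/1
 ip address 172.16.20.2 255.255.255.252
 crypto map vpn
!
router ospf 88
 router-id 10.1.1.1
 log-adjacency-changes
 redistribute static subnets
 network 10.1.1.1 0.0.0.0 area 0
 network 172.16.20.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Step 4: access list selecting the LAN-to-LAN traffic to encrypt
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255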

R2

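! Step 1: ISAKMP (IKE phase 1) policy
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
! Step 2: pre-shared key for peer R1 (must match the key R1 sets for R2)
crypto isakmp key secret1 address 172.16.20.2
!
! Step 3: transform-set (ESP with AES encryption and SHA HMAC)
crypto ipsec transform-set secret1 esp-aes esp-sha-hmac
!
! Step 5: crypto map tying together the peer, transform-set and access list 101
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.20.2
 set transform-set secret1
 match address 101

interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
! Step 6: apply the crypto map on the WAN interface
interface FastEthernet0/0
 ip address 172.16.10.2 255.255.255.252
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 88
 router-id 10.1.1.2
 log-adjacency-changes
 redistribute static subnets
 network 10.1.1.2 0.0.0.0 area 0
 network 172.16.10.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0

! Step 4: access list selecting the LAN-to-LAN traffic to encrypt (mirror of R1's)
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255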

If the configuration is correct, you can test connectivity from R1 to R2's LAN, or vice versa.

R1#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/92/160 ms
R1#ping 192.168.2.2 sou
R1#ping 192.168.2.2 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/144/236 ms
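
Only traffic that matches access-list 101 is handed to the crypto map, so the two pings above are not equivalent. The Python sketch below is an added example, not part of the original post: it applies Cisco wildcard-mask matching to the ACL 101 lines from R1 and R2 and checks that the two ACLs mirror each other. It assumes the unsourced ping leaves R1 with its FastEthernet0/1 address 172.16.20.2 (the egress interface address); the function names are hypothetical.

```python
import ipaddress

# ACL 101 lines copied from the R1 and R2 configurations on this page.
R1_ACL = "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
R2_ACL = "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"


def parse_acl(line):
    """Return (src_net, src_wildcard, dst_net, dst_wildcard) as 32-bit ints."""
    fields = line.split()
    if len(fields) != 8 or fields[0] != "access-list" or fields[2:4] != ["permit", "ip"]:
        raise ValueError("only 'access-list N permit ip SRC WC DST WC' is handled")
    return tuple(int(ipaddress.IPv4Address(a)) for a in fields[4:8])


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def is_interesting(acl_line, src, dst):
    """True if a packet src -> dst matches the crypto ACL and is sent into the tunnel."""
    s_net, s_wc, d_net, d_wc = parse_acl(acl_line)
    return wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc)


def is_mirror(acl_a, acl_b):
    """True if the two peers' crypto ACLs are exact mirror images of each other."""
    a, b = parse_acl(acl_a), parse_acl(acl_b)
    return a[:2] == b[2:] and a[2:] == b[:2]


if __name__ == "__main__":
    # Assumption: the unsourced ping leaves R1 with its Fa0/1 address 172.16.20.2.
    for src in ("172.16.20.2", "192.168.1.1"):
        verdict = "encrypted" if is_interesting(R1_ACL, src, "192.168.2.2") else "sent in clear"
        print(f"R1 ping 192.168.2.2 from {src}: {verdict}")
    print("ACLs mirrored:", is_mirror(R1_ACL, R2_ACL))
```

On the routers themselves, `show crypto isakmp sa` and the encaps/decaps counters in `show crypto ipsec sa` confirm whether a given ping actually went through the tunnel.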
