Juniper : Configuring Policy-Based VPN
February 24, 2017
Add Comment
Assalamu'alaikum
Juniper Configuring Policy Based VPN- Pada Postingan kali ini saya akan menerapkan cara konfigurasi policy-based VPN di juniper. Dengan menggunakan teknik ini kita bisa memfilter trafik yang boleh melewati tunnel VPN. Dalam topology ini ada dua site kantor di Jakarta dan Semarang buat topology seperti pada gambar berikut :
oke biar gak lama lama langsing saja berikut ini konfigurasi nya, pertama kita setting yang bagian jakarta dlu ya.
kita buat pre konfigurasi seperti IP, routing, zone dan address book.
[edit]
root@jakarta# run show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<2 ESP:aes-128/sha1 33cfefa5 1240/ unlim U root 500 2.2.2.2
>2 ESP:aes-128/sha1 c7d03888 1240/ unlim U root 500 2.2.2.2
ohh ya.. Agar kita tahu bahwa tunnel tersebut berjalan maka kita bisa test ping client diantara site, maka paket yang lewat akan terenkripsi bisa kita lihat dengan perintah run show ip sec statistics, seperti berikut.
[edit]
root@jakarta# run show security ipsec statistics
ESP Statistics:
Encrypted bytes: 509352
Decrypted bytes: 277788
Encrypted packets: 3351
Decrypted packets: 3307
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
oke mungkin sekian dari saya semoga bermanfaat dan terimakasih sudah berkunjung.
Juniper Configuring Policy Based VPN- Pada Postingan kali ini saya akan menerapkan cara konfigurasi policy-based VPN di juniper. Dengan menggunakan teknik ini kita bisa memfilter trafik yang boleh melewati tunnel VPN. Dalam topology ini ada dua site kantor di Jakarta dan Semarang buat topology seperti pada gambar berikut :
oke biar gak lama lama langsing saja berikut ini konfigurasi nya, pertama kita setting yang bagian jakarta dlu ya.
kita buat pre konfigurasi seperti IP, routing, zone dan address book.
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security address-book book1 address jakarta 192.168.1.0/24
set security address-book book1 attach zone trust
set security address-book book2 address semarang 192.168.2.0/24
set security address-book book2 attach zone untrust
kemudian Konfigurasi IKE
set security ike proposal prop-semarang authentication-method pre-shared-keys
set security ike proposal prop-semarang dh-group group2
set security ike proposal prop-semarang authentication-algorithm sha1
set security ike proposal prop-semarang encryption-algorithm aes-128-cbc
set security ike policy pol-semarang mode main
set security ike policy pol-semarang proposals prop-semarang
set security ike policy pol-semarang pre-shared-key ascii-text P@ssw0rd
set security ike gateway semarang ike-policy pol-semarang
set security ike gateway semarang address 2.2.2.2
set security ike gateway semarang external-interface ge-0/0/0.0
Lalu Konfigurasi IPsec
set security ipsec proposal prop-semarang protocol esp
set security ipsec proposal prop-semarang authentication-algorithm hmac-sha1-96
set security ipsec proposal prop-semarang encryption-algorithm aes-128-cbc
set security ipsec policy pol-semarang perfect-forward-secrecy keys group2
set security ipsec policy pol-semarang proposals prop-semarang
set security ipsec vpn semarang vpn-monitor
set security ipsec vpn semarang ike gateway semarang
set security ipsec vpn semarang ike ipsec-policy pol-semarang
kemudian Konfigurasi Security Policy
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy to-semarang match source-address jakarta
set security policies from-zone trust to-zone untrust policy to-semarang match destination-address semarang
set security policies from-zone trust to-zone untrust policy to-semarang match application any
set security policies from-zone trust to-zone untrust policy to-semarang then permit tunnel ipsec-vpn semarang
set security policies from-zone trust to-zone untrust policy to-semarang then permit tunnel pair-policy to-jakarta
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone untrust to-zone trust policy to-jakarta match source-address semarang
set security policies from-zone untrust to-zone trust policy to-jakarta match destination-address jakarta
set security policies from-zone untrust to-zone trust policy to-jakarta match application any
set security policies from-zone untrust to-zone trust policy to-jakarta then permit tunnel ipsec-vpn semarang
set security policies from-zone untrust to-zone trust policy to-jakarta then permit tunnel pair-policy to-semarang
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
Nah, udah selesai untuk konfigurasi di Jakarta, berikutnya konfigurasi di site Semarang. Sama seperti di Jakarta buat pre konfigurasi terlebih dahulu untuk setting IP, routing, zone dan address book, sebagai berikut :
set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security address-book book1 address semarang 192.168.2.0/24
set security address-book book1 attach zone trust
set security address-book book2 address jakarta 192.168.1.0/24
set security address-book book2 attach zone untrust
Lalu Konfigurasi IKE di router Semarang
set security ike proposal prop-jakarta authentication-method pre-shared-keys
set security ike proposal prop-jakarta dh-group group2
set security ike proposal prop-jakarta authentication-algorithm sha1
set security ike proposal prop-jakarta encryption-algorithm aes-128-cbc
set security ike policy pol-jakarta mode main
set security ike policy pol-jakarta proposals prop-jakarta
set security ike policy pol-jakarta pre-shared-key ascii-text P@ssw0rd
set security ike gateway jakarta ike-policy pol-jakarta
set security ike gateway jakarta address 1.1.1.1
set security ike gateway jakarta external-interface ge-0/0/0.0
Konfigurasi IPsec Di router Semarang
set security ipsec proposal prop-jakarta protocol esp
set security ipsec proposal prop-jakarta authentication-algorithm hmac-sha1-96
set security ipsec proposal prop-jakarta encryption-algorithm aes-128-cbc
set security ipsec policy pol-jakarta perfect-forward-secrecy keys group2
set security ipsec policy pol-jakarta proposals prop-jakarta
set security ipsec vpn jakarta vpn-monitor
set security ipsec vpn jakarta ike gateway jakarta
set security ipsec vpn jakarta ike ipsec-policy pol-jakarta
dan yang terakhir konfigurasi security policy di router semarang
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy to-jakarta match source-address semarang
set security policies from-zone trust to-zone untrust policy to-jakarta match destination-address jakarta
set security policies from-zone trust to-zone untrust policy to-jakarta match application any
set security policies from-zone trust to-zone untrust policy to-jakarta then permit tunnel ipsec-vpn jakarta
set security policies from-zone trust to-zone untrust policy to-jakarta then permit tunnel pair-policy to-semarang
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone untrust to-zone trust policy to-semarang match source-address jakarta
set security policies from-zone untrust to-zone trust policy to-semarang match destination-address semarang
set security policies from-zone untrust to-zone trust policy to-semarang match application any
set security policies from-zone untrust to-zone trust policy to-semarang then permit tunnel ipsec-vpn jakarta
set security policies from-zone untrust to-zone trust policy to-semarang then permit tunnel pair-policy to-jakarta
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
Oke Konfigurasi di kedua router sudah selesai, cek establish tunnel IPSec menggunakan perintah run show security ipsec security-association seperti verifikasi berikut.[edit]
root@jakarta# run show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<2 ESP:aes-128/sha1 33cfefa5 1240/ unlim U root 500 2.2.2.2
>2 ESP:aes-128/sha1 c7d03888 1240/ unlim U root 500 2.2.2.2
ohh ya.. Agar kita tahu bahwa tunnel tersebut berjalan maka kita bisa test ping client diantara site, maka paket yang lewat akan terenkripsi bisa kita lihat dengan perintah run show ip sec statistics, seperti berikut.
[edit]
root@jakarta# run show security ipsec statistics
ESP Statistics:
Encrypted bytes: 509352
Decrypted bytes: 277788
Encrypted packets: 3351
Decrypted packets: 3307
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
oke mungkin sekian dari saya semoga bermanfaat dan terimakasih sudah berkunjung.
0 Response to "Juniper : Configuring Policy-Based VPN"
Post a Comment