Configure Site-to-Site IPSec VPN

March 18, 2009

Configure Site-to-Site IPSec VPN

Network Topology :

IPSec Site-to-Site VPN

Running Configuration Script:
JAKARTA#show run
Building configuration...

Current configuration : 1578 bytes
!
!
hostname JAKARTA
!
enable secret 5 $1$1HnK$WK8y86i/tdidazXthnuVi1
!
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key fery123 address 20.20.20.1

!
!
crypto ipsec transform-set FERY esp-aes esp-sha-hmac
!

crypto map MAP 1 ipsec-isakmp
set peer 20.20.20.1
set transform-set FERY
set pfs group2
match address 101

!
!
interface Tunnel0
description *** TUNNEL TO BANDUNG ***
ip address 192.168.100.1 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 20.20.20.1
crypto map MAP
!
interface FastEthernet1/0
description *** LAN ***
ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet1/1
description *** TO ISP ***
ip address 10.10.10.1 255.255.255.0
crypto map MAP
!
ip route 20.20.20.0 255.255.255.0 10.10.10.2
ip route 192.168.20.0 255.255.255.0 192.168.100.2

!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!

JAKARTA#
JAKARTA#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet1/0 192.168.10.1 YES NVRAM up up
FastEthernet1/1 10.10.10.1 YES NVRAM up up
Tunnel0 192.168.100.1 YES manual up up
JAKARTA#
*******************************************************************************
BANDUNG#show run
Building configuration...

Current configuration : 1639 bytes
!
hostname BANDUNG
!
enable secret 5 $1$.J4i$66Xm1vwYI85PL5YE/UdZw/
!
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key fery123 address 10.10.10.1

!
!
crypto ipsec transform-set FERY esp-aes esp-sha-hmac
!
crypto map MAP 1 ipsec-isakmp
set peer 10.10.10.1
set transform-set FERY
set pfs group2
match address 101

!
interface Tunnel0
description *** TUNNEL TO JAKARTA ***
ip address 192.168.100.2 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 10.10.10.1
crypto map MAP

!
interface FastEthernet1/0
description *** CONNECTION TO LAN ***
ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet1/1
description *** CONNECTION TO ISP ***
ip address 20.20.20.1 255.255.255.0
crypto map MAP

!
ip route 0.0.0.0 0.0.0.0 20.20.20.2
ip route 10.10.10.0 255.255.255.0 20.20.20.2
ip route 192.168.10.0 255.255.255.0 192.168.100.1

!
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
end

BANDUNG#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet1/0 192.168.20.1 YES NVRAM up up
FastEthernet1/1 20.20.20.1 YES NVRAM up up
Tunnel0 192.168.100.2 YES manual up up
BANDUNG#
BANDUNG#
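The two configurations above have to mirror each other: each side's `set peer` is the other side's crypto-map interface address, the ISAKMP pre-shared key is the same string keyed by the other side's address, the transform sets and PFS group match, and the crypto ACLs are mirror images (JAKARTA permits 192.168.10.0/24 to 192.168.20.0/24, BANDUNG the reverse). The script below is an added example, not part of the original post: it parses the crypto-relevant lines of both configs (reproduced here, trimmed and indented as IOS saves them, as the sample input) and reports any mismatch, which is the check to run before reading `show crypto session`. The function names and the trimming are mine.

```python
"""Cross-check the two ends of a Cisco IOS site-to-site IPsec tunnel.
Added example, not from the original post: parses the crypto-relevant lines
of both routers' configs and reports anything that does not mirror.
"""
import ipaddress
import re
from typing import Dict, List

# Sample input constructed from the post's JAKARTA/BANDUNG configs (trimmed, indented as IOS saves them)
JAKARTA_CFG = """\
hostname JAKARTA
crypto isakmp key fery123 address 20.20.20.1
crypto ipsec transform-set FERY esp-aes esp-sha-hmac
crypto map MAP 1 ipsec-isakmp
 set peer 20.20.20.1
 set transform-set FERY
 set pfs group2
 match address 101
interface FastEthernet1/1
 ip address 10.10.10.1 255.255.255.0
 crypto map MAP
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
BANDUNG_CFG = """\
hostname BANDUNG
crypto isakmp key fery123 address 10.10.10.1
crypto ipsec transform-set FERY esp-aes esp-sha-hmac
crypto map MAP 1 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set FERY
 set pfs group2
 match address 101
interface FastEthernet1/1
 ip address 20.20.20.1 255.255.255.0
 crypto map MAP
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""


def parse_crypto(cfg: str) -> Dict:
    """Extract the settings one tunnel end depends on."""
    d = {"hostname": None, "psk": {}, "tsets": {}, "peer": None, "tset": None,
         "pfs": None, "acl": None, "acls": {}, "ip_of": {}, "map_ifaces": []}
    iface, in_map = None, False
    for raw in cfg.splitlines():
        s = raw.strip()
        if not raw.startswith(" "):            # a top-level line ends any sub-mode
            iface, in_map = None, False
        if m := re.fullmatch(r"hostname (\S+)", s):
            d["hostname"] = m[1]
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", s):
            d["psk"][m[2]] = m[1]
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", s):
            d["tsets"][m[1]] = tuple(sorted(m[2].split()))
        elif re.fullmatch(r"crypto map \S+ \d+ ipsec-isakmp", s):
            in_map = True
        elif m := re.fullmatch(r"interface (\S+)", s):
            iface = m[1]
        elif m := re.fullmatch(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", s):
            # IOS wildcard masks are host masks, which ipaddress accepts as-is
            flow = (ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                    ipaddress.ip_network(f"{m[4]}/{m[5]}"))
            d["acls"].setdefault(m[1], []).append(flow)
        elif in_map:
            if m := re.fullmatch(r"set peer (\S+)", s):
                d["peer"] = m[1]
            elif m := re.fullmatch(r"set transform-set (\S+)", s):
                d["tset"] = m[1]
            elif m := re.fullmatch(r"set pfs (\S+)", s):
                d["pfs"] = m[1]
            elif m := re.fullmatch(r"match address (\d+)", s):
                d["acl"] = m[1]
        elif iface:
            if m := re.fullmatch(r"ip address (\S+) \S+", s):
                d["ip_of"][iface] = m[1]
            elif re.fullmatch(r"crypto map \S+", s):
                d["map_ifaces"].append(iface)
    return d


def check_pair(a: Dict, b: Dict) -> List[str]:
    """Return mismatches between the two ends; an empty list means they mirror."""
    out = []
    for x, y in ((a, b), (b, a)):               # checks that have a direction
        crypto_ips = {y["ip_of"].get(i) for i in y["map_ifaces"]}
        if x["peer"] not in crypto_ips:
            out.append(f"{x['hostname']}: peer {x['peer']} is not a crypto-map interface on {y['hostname']}")
        if x["peer"] not in x["psk"]:
            out.append(f"{x['hostname']}: no isakmp key for peer {x['peer']}")
    if out:                                      # symmetric checks need both sides complete
        return out
    if a["psk"][a["peer"]] != b["psk"][b["peer"]]:
        out.append("pre-shared keys differ")
    if a["tsets"].get(a["tset"]) != b["tsets"].get(b["tset"]):
        out.append("transform-set algorithms differ")
    if a["pfs"] != b["pfs"]:
        out.append(f"PFS differs: {a['pfs']} vs {b['pfs']}")
    mirrored_b = {(dst, src) for src, dst in b["acls"][b["acl"]]}
    if set(a["acls"][a["acl"]]) != mirrored_b:
        out.append("crypto ACLs are not mirror images")
    return out
```

Running `check_pair(parse_crypto(JAKARTA_CFG), parse_crypto(BANDUNG_CFG))` returns an empty list for the configs in this post; change one side's ACL, key or peer and the corresponding finding appears. Directional problems (a peer address that is not a crypto-map interface, a missing key) are reported first because the symmetric comparisons only make sense once both ends are complete.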

*******************************************************************************
Verification Command
*******************************************************************************

JAKARTA#show crypto session
Crypto session current status

Interface: FastEthernet1/1
Session status: UP-ACTIVE
Peer: 20.20.20.1 port 500
IKE SA: local 10.10.10.1/500 remote 20.20.20.1/500 Active
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.20.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.20.0/255.255.255.0
Active SAs: 2, origin: crypto map

JAKARTA#
JAKARTA#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
20.20.20.1 10.10.10.1 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

JAKARTA#show crypto ipsec sa

interface: FastEthernet1/1
Crypto map tag: MAP, local addr 10.10.10.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer 20.20.20.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.10.10.1, remote crypto endpt.: 20.20.20.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x24C882F1(617120497)

….
….
JAKARTA#

*******************************************************************************

BANDUNG#show crypto session
Crypto session current status

Interface: FastEthernet1/1
Session status: UP-ACTIVE
Peer: 10.10.10.1 port 500
IKE SA: local 20.20.20.1/500 remote 10.10.10.1/500 Active
IPSEC FLOW: permit ip 192.168.20.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.20.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 2, origin: crypto map

BANDUNG#
BANDUNG#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
20.20.20.1 10.10.10.1 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

BANDUNG#
BANDUNG#
BANDUNG#
BANDUNG#show crypto ipsec sa

interface: FastEthernet1/1
Crypto map tag: MAP, local addr 20.20.20.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 10.10.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.10.10.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x26162F42(638988098)

BANDUNG#

Cisco Banner

March 18, 2009

Cisco Banner

As a finishing touch we can create a banner, a short message that appears when we telnet to the router. It can also state which router is being accessed, and it serves as a warning so that people who have no access rights to the router do not try to log in.

The banner begins with the asterisk character * and ends with that same character.

Fery-Router(config)#banner motd *
Enter TEXT message. End with the character '*'.
—————————————————————————–
Router Fery, Jika Anda Tidak memiliki Otoritas, Dilarang Login
—————————————————————————–
Saat ini anda sedang mengakses $(hostname).$(domain)
Saat ini anda sedang mengakses line $(line)
$(line-desc)
—————————————————————————–
Router Fery, Jika Anda Tidak memiliki Otoritas, Dilarang Login
—————————————————————————–

*
Fery-Router(config)#exi
Fery-Router#exit

Press RETURN to get started.

—————————————————————————–
Router Fery, Jika Anda Tidak memiliki Otoritas, Dilarang Login
—————————————————————————–
Saat ini anda sedang mengakses Fery-Router.
Saat ini anda sedang mengakses line 0

—————————————————————————–
Router Fery, Jika Anda Tidak memiliki Otoritas, Dilarang Login
—————————————————————————–

User Access Verification

Password:

Fery-Router>

AAA: Authentication, Authorization, Accounting

March 18, 2009

AAA

Authentication, Authorization, Accounting

Cisco AAA implementation:
Authentication: validates whether you are authorized to access the router.
Authorization: defines what you are allowed to do on that router.
Accounting: records every activity you perform on the router.

AAA commands:

Fery-Router(config)#aaa new-model
Fery-Router(config)#aaa authentication login default enable
Fery-Router(config)#aaa authentication enable default enable line
Fery-Router(config)#username fery privilege 15 secret fery1234512345
Fery-Router(config)#

NETWORK SECURITY MANAGEMENT ACCESS

March 18, 2009

LINE SECURITY

Fery-Router(config)#
1. Fery-Router(config)#security passwords min-length 10
2. Fery-Router(config)#line vty 0 4
3. Fery-Router(config-line)#password fery
% Password too short - must be at least 10 characters. Password configuration failed
Fery-Router(config-line)#password fery1234512345
Fery-Router(config-line)#login
Fery-Router(config-line)#logging synchronous
Fery-Router(config-line)#exit
4. Fery-Router(config)#username fery secret fery12345
% Password too short - must be at least 10 characters. Password configuration failed
Fery-Router(config)#username fery1 secret fery1234512345
5. Fery-Router(config)#security authentication failure rate 5 log
6. Fery-Router(config)#login block-for 100 attempts 5 within 60
7. Fery-Router(config)#login quiet-mode access-class 10
8. Fery-Router(config)#login on-failure log
Fery-Router(config)#

Command explanation:

1. set the minimum password length to 10 characters
2. enter the telnet (vty) line
3. enter the password (a password shorter than 10 characters produces an error)
4. create username fery with a 10-character secret
5. generate a log entry when login fails 5 times
6. block login access for 5 minutes if a user fails to log in 100 times within 1 minute
7. while the router is blocking login access, define which network may still log in during that blocking period
8. generate a log entry when a login fails
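The steps above are easy to check mechanically. The script below is an added example, not from the original post: it parses a saved IOS config (the sample embedded in it is constructed from the commands in steps 1 to 8) and reports which hardening items are missing or weaker than the 10-character minimum. One detail worth knowing when reading step 6: IOS parses the line as `login block-for <seconds> attempts <tries> within <seconds>`, so `login block-for 100 attempts 5 within 60` blocks logins for 100 seconds after 5 failures within 60 seconds, and the `describe_block` helper spells that out. The check for `transport input ssh` goes beyond the post; the function names are mine.

```python
"""Audit the login-hardening commands in a Cisco IOS running config.

Added example, not from the original post: parses the global login/security
commands and the `line vty` section, then reports what is missing or weak.
"""
import re
from typing import Dict, List

# Constructed sample: the commands applied in the post, as they would appear in
# a saved config (line sub-commands indented). ACL 10 itself is not shown.
HARDENED_CFG = """\
security passwords min-length 10
security authentication failure rate 5 log
login block-for 100 attempts 5 within 60
login quiet-mode access-class 10
login on-failure log
username fery1 secret fery1234512345
line vty 0 4
 password fery1234512345
 login
 logging synchronous
"""


def parse_login_policy(cfg: str) -> Dict:
    """Collect the settings the audit looks at from a flat IOS config."""
    pol = {"min_length": 0, "failure_rate": None, "block": None,
           "quiet_acl": None, "on_failure_log": False, "vty": {}}
    in_vty = False
    for raw in cfg.splitlines():
        s = raw.strip()
        if not raw.startswith(" "):          # top-level line: leave any sub-mode
            in_vty = bool(re.fullmatch(r"line vty \d+(?: \d+)?", s))
            if in_vty:
                continue
        if m := re.fullmatch(r"security passwords min-length (\d+)", s):
            pol["min_length"] = int(m[1])
        elif m := re.fullmatch(r"security authentication failure rate (\d+) log", s):
            pol["failure_rate"] = int(m[1])
        elif m := re.fullmatch(r"login block-for (\d+) attempts (\d+) within (\d+)", s):
            # IOS order is: block-for <seconds> attempts <count> within <seconds>
            pol["block"] = {"block_seconds": int(m[1]), "attempts": int(m[2]),
                            "within_seconds": int(m[3])}
        elif m := re.fullmatch(r"login quiet-mode access-class (\S+)", s):
            pol["quiet_acl"] = m[1]
        elif s == "login on-failure log":
            pol["on_failure_log"] = True
        elif in_vty:
            if m := re.fullmatch(r"password(?: \d)? (\S+)", s):
                pol["vty"]["password"] = m[1]
            elif s in ("login", "login local") or s.startswith("login authentication "):
                pol["vty"]["login"] = s
            elif m := re.fullmatch(r"transport input (.+)", s):
                pol["vty"]["transport"] = m[1]
    return pol


def describe_block(pol: Dict) -> str:
    """Spell out what the login block-for line actually does."""
    b = pol["block"]
    if b is None:
        return "no login block-for configured"
    return (f"{b['attempts']} failed logins within {b['within_seconds']} s "
            f"block logins for {b['block_seconds']} s")


def audit_login_policy(pol: Dict, min_length: int = 10) -> List[str]:
    """Return findings; an empty list means every check passed."""
    f = []
    if pol["min_length"] < min_length:
        f.append(f"password min-length is {pol['min_length']}, want >= {min_length}")
    if pol["failure_rate"] is None:
        f.append("no 'security authentication failure rate ... log'")
    if pol["block"] is None:
        f.append("no 'login block-for': repeated failures are never throttled")
    elif pol["quiet_acl"] is None:
        f.append("login block-for without quiet-mode access-class locks out admins too")
    if not pol["on_failure_log"]:
        f.append("no 'login on-failure log'")
    vty = pol["vty"]
    if "login" not in vty:
        f.append("vty lines have no 'login' statement")
    elif vty["login"] == "login" and len(vty.get("password", "")) < min_length:
        f.append("vty line password missing or shorter than min-length")
    # Beyond the post: a plain 'login' with a line password over telnet sends
    # the password in clear text; restricting the vty to SSH is the usual fix.
    if "ssh" not in vty.get("transport", ""):
        f.append("vty lines accept telnet: add 'transport input ssh'")
    return f


if __name__ == "__main__":
    policy = parse_login_policy(HARDENED_CFG)
    print(describe_block(policy))
    for finding in audit_login_policy(policy):
        print("-", finding)
```

On the post's configuration the only finding is the telnet one; remove the `login block-for` line or lower the minimum length and the corresponding findings appear.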

VRRP Cisco And Mikrotik RouterOS

February 23, 2009

VRRP between Cisco And Mikrotik RouterOS

Full Configuration Script:

Cisco-R#show run
!
hostname Cisco-R
!

interface FastEthernet0/0
description *** WAN CONNECTION ***
ip address 10.0.0.1 255.255.255.0
duplex half
!
interface FastEthernet1/0
description *** Connection to LAN ***
ip address 10.8.8.215 255.255.255.0
duplex auto
speed auto
vrrp 5 description Master_VRRP_Gateway
vrrp 5 ip 10.8.8.213

Cisco-R#show vrrp int fa1/0
FastEthernet1/0 - Group 5
Master_VRRP_Gateway
State is Master
Virtual IP address is 10.8.8.213
Virtual MAC address is 0000.5e00.0105
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 10.8.8.215 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec

Cisco-R#

MIKROTIK CONFIGURATION
[admin@vrrp-mikrotik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.8.8.212/24 10.8.8.0 10.8.8.255 LAN
1 10.8.8.213/24 10.8.8.0 10.8.8.255 vrrp1-backup
2 20.0.0.1/24 20.0.0.0 20.0.0.255 WAN
[admin@vrrp-mikrotik] > interface vrrp

[admin@vrrp-mikrotik] > interface vrrp print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
0 RM name="vrrp1-backup" mtu=1500 mac-address=00:00:5E:00:01:05 arp=enabled
interface=ether1 vrid=5 priority=90 interval=1 preemption-mode=yes
authentication=none password="" on-backup="" on-master=""
[admin@vrrp-mikrotik] > interface vrrp print value-list
name: "vrrp1-backup"
mtu: 1500
mac-address: 00:00:5E:00:01:05
arp: enabled
interface: ether1
vrid: 5
priority: 90
interval: 1
preemption-mode: yes
authentication: none
password: ""
on-backup:
on-master:
[admin@vrrp-mikrotik] >

Full Topology and Configuration

simple-vrrp-ciscomikrotik

Basic Hot Standby Router Protocol (HSRP)

February 23, 2009

Hot Standby Router Protocol (HSRP)

Full Configuration Script:

to-ISP-A#show run
!
hostname to-ISP-A
!
!
interface FastEthernet0/0
description *** CONNNECTION TO LAN ***
ip address 192.168.10.3 255.255.255.0
standby 10 priority 100
standby 10 ip 192.168.10.1
standby 10 preempt
standby 10 name MASTER_HSRP_GATEWAY
!
interface FastEthernet1/0
description *** CONNECTION TO ISP A ***
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
to-ISP-A#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.3 YES manual up up
FastEthernet1/0 10.0.0.1 YES manual up up
to-ISP-A#

to-ISP-B#show run
!
hostname to-ISP-B
!
!
interface FastEthernet0/0
description *** CONNECTION TO LAN ***
ip address 192.168.10.4 255.255.255.0
duplex auto
speed auto
standby 10 ip 192.168.10.1
standby 10 priority 50
standby 10 preempt
standby 10 name BACKUP_HSRP_GATEWAY
!
interface FastEthernet1/0
description *** CONNECTION TO ISP_B ***
ip address 20.0.0.1 255.255.255.0
duplex auto
speed auto
!
to-ISP-B#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.4 YES manual up up
FastEthernet1/0 20.0.0.1 YES manual up up
to-ISP-B#

The virtual IP is actively handled by router to-ISP-A:
to-ISP-A#show standby
FastEthernet0/0 - Group 10
Local state is Active, priority 100, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.840
Virtual IP address is 192.168.10.1 configured
Active router is local
Standby router is 192.168.10.4 expires in 9.124
Virtual mac address is 0000.0c07.ac0a
4 state changes, last state change 00:00:31
IP redundancy name is "MASTER_HSRP_GATEWAY" (cfgd)
to-ISP-A#

Seen from the router to-ISP-B side:

to-ISP-B#show standby
FastEthernet0/0 - Group 10
Local state is Speak, priority 50, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 1.942
Virtual IP address is 192.168.10.1 configured
Active router is 192.168.10.3, priority 100 expires in 8.940
Standby router is unknown
6 state changes, last state change 00:00:09
IP redundancy name is "BACKUP_HSRP_GATEWAY" (cfgd)
to-ISP-B#

When the to-ISP-A interface goes down, the active router becomes local:
to-ISP-B#show standby
FastEthernet0/0 - Group 10
Local state is Active, priority 50, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.530
Virtual IP address is 192.168.10.1 configured
Active router is local
Standby router is unknown
Virtual mac address is 0000.0c07.ac0a
8 state changes, last state change 00:00:08
IP redundancy name is "BACKUP_HSRP_GATEWAY" (cfgd)
to-ISP-B#
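For both the VRRP post above and this HSRP post, the values reported by `show vrrp`, `interface vrrp print` and `show standby` can be predicted from the group settings: HSRP version 1 uses the virtual MAC 0000.0c07.acXX with XX the group number in hex (group 10 gives 0000.0c07.ac0a, as shown), VRRP uses 00:00:5E:00:01:XX with XX the VRID (VRID 5 gives 00:00:5E:00:01:05), and the router with the highest priority (higher interface IP on a tie) becomes Active/Master, subject to preemption. The script below is an added example, not from either original post, and the `Router` class and function names are mine; it derives those expected values so that a gateway MAC seen on the wire or an unexpected active router can be compared against what the configuration should produce. Note that in the VRRP post the MikroTik prints flags `RM` (running, master) while Cisco-R also reports `State is Master`; with priorities 100 versus 90 the derivation gives Cisco-R as master, so two masters in one VRID means the advertisements are not reaching each other and is worth investigating.

```python
"""Expected HSRP/VRRP values derived from the group configuration.

Added example, not from the original posts: derives the virtual MAC each
protocol assigns and which router should hold the virtual IP, so `show
standby`, `show vrrp` and `interface vrrp print` output can be verified.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Router:
    name: str
    ip: str            # interface address in the group's subnet
    priority: int
    preempt: bool = True
    up: bool = True


def hsrp_v1_virtual_mac(group: int) -> str:
    """HSRP version 1: 0000.0c07.acXX, XX = group number in hex (Cisco dotted form)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_virtual_mac(vrid: int) -> str:
    """VRRP (RFC 3768): 00-00-5E-00-01-XX, XX = VRID (MikroTik colon form)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00:00:5E:00:01:{vrid:02X}"


def expected_active(routers: List[Router], current_active: Optional[str] = None) -> Optional[str]:
    """Name of the router that should be Active (HSRP) / Master (VRRP).

    Highest priority wins; on a tie the higher interface IP wins. If the
    current holder is still up and the better candidate has preemption off,
    the current holder keeps the role. (The VRRP address-owner special case,
    priority 255, is not modelled.)
    """
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    best = max(alive, key=lambda r: (r.priority, tuple(int(o) for o in r.ip.split("."))))
    holder_alive = any(r.name == current_active for r in alive)
    if current_active and current_active != best.name and holder_alive and not best.preempt:
        return current_active
    return best.name


def hsrp_post_scenario() -> dict:
    """The post's group 10: to-ISP-A priority 100, to-ISP-B priority 50, both preempt."""
    a = Router("to-ISP-A", "192.168.10.3", 100)
    b = Router("to-ISP-B", "192.168.10.4", 50)
    a_down = Router("to-ISP-A", "192.168.10.3", 100, up=False)
    a_no_preempt = Router("to-ISP-A", "192.168.10.3", 100, preempt=False)
    return {
        "virtual_mac": hsrp_v1_virtual_mac(10),
        "both_up": expected_active([a, b]),
        "a_down": expected_active([a_down, b]),
        # to-ISP-A returns without preempt: to-ISP-B keeps the role
        "a_back_no_preempt": expected_active([a_no_preempt, b], current_active="to-ISP-B"),
        # as configured in the post (preempt on), to-ISP-A takes the role back
        "a_back_preempt": expected_active([a, b], current_active="to-ISP-B"),
    }


def vrrp_post_scenario() -> dict:
    """The VRRP post's VRID 5: Cisco-R priority 100, MikroTik priority 90."""
    cisco = Router("Cisco-R", "10.8.8.215", 100)
    mikrotik = Router("vrrp-mikrotik", "10.8.8.212", 90)
    return {"virtual_mac": vrrp_virtual_mac(5), "master": expected_active([cisco, mikrotik])}


if __name__ == "__main__":
    print(hsrp_post_scenario())
    print(vrrp_post_scenario())
```

The scenario functions reproduce the three `show standby` captures in this post (to-ISP-A active, to-ISP-B active after to-ISP-A goes down, and to-ISP-A taking the role back because preempt is configured), plus the VRRP pairing from the earlier post.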

Full HSRP Topology and Configuration

simple-hsrp-configuration

Simple Cisco GRE Tunnel

February 23, 2009

SIMPLE GRE TUNNEL

JAKARTA#show run
!
hostname JAKARTA
!
!
interface Tunnel0
ip address 5.5.5.5 255.255.255.0
tunnel source Serial0/0
tunnel destination 20.0.0.1
!
interface Serial0/0
description *** CONNECTION TO ISP ***
ip address 10.0.0.1 255.255.255.0
serial restart-delay 0
!
interface FastEthernet1/0
description *** CONNECTION TO LAN ***
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.20.0 255.255.255.0 5.5.5.6

JAKARTA#

JAKARTA#sh ip int br
Interface IP-Address OK? Method Status Protocol
Serial0/0 10.0.0.1 YES manual up up
FastEthernet1/0 192.168.10.1 YES manual up up
Tunnel0 5.5.5.5 YES manual up up
JAKARTA#

SURABAYA#show run
!
hostname SURABAYA
!
interface Tunnel0
ip address 5.5.5.6 255.255.255.0
tunnel source Serial0/0
tunnel destination 10.0.0.1
!
interface Serial0/0
description **** CONNECTION TO ISP ***
ip address 20.0.0.1 255.255.255.0
serial restart-delay 0
!
!
interface FastEthernet1/0
description desc *** CONNECTION TO LAN ***
ip address 192.168.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 20.0.0.2
ip route 192.168.10.0 255.255.255.0 5.5.5.5
!
SURABAYA#sh ip int br
Interface IP-Address OK? Method Status Protocol
Serial0/0 20.0.0.1 YES manual up up
FastEthernet1/0 192.168.20.1 YES manual up up
Tunnel0 5.5.5.6 YES manual up up
SURABAYA#


Full network topology image

basic-gre-tunnel3