Setting IPSec pada mikrotik
Setting IPSec pada perangkat Mikrotik
Topologi sederhana yang akan kita implementasikan adalah sebagai berikut.
R-ISP
[admin@MikroTik] > system identity set name=R-ISP
[admin@R-ISP] > ip address add address=100.100.100.5/30 interface=ether1
[admin@R-ISP] > ip address add address=200.200.200.5/30 interface=ether2
R-Site-A
[admin@MikroTik] > system identity set name=R-Site-A
[admin@R-Site-A] > ip address add address=100.100.100.6/30 interface=ether1
[admin@R-Site-A] > ip address add address=192.168.10.1/24 interface=ether2
[admin@R-Site-A] > ip route add dst-address=0.0.0.0/0 gateway=100.100.100.5
R-Site-B
[admin@MikroTik] > system identity set name=R-Site-B
[admin@R-Site-B] > ip address add address=200.200.200.6/30 interface=ether1
[admin@R-Site-B] > ip address add address=192.168.50.1/24 interface=ether2
[admin@R-Site-A] > ip route add dst-address=0.0.0.0/0 gateway=200.200.200.5
C1-A
[admin@MikroTik] > system identity set name=C1-A
[admin@C1-A] > ip address add address=192.168.10.10/24 interface=ether1
[admin@C1-A] > ip route add dst-address=0.0.0.0/0 gateway=192.168.10.1
C1-B
[admin@MikroTik] > system identity set name=C1-B
[admin@C1-B] > ip address add address=192.168.50.50/24 interface=ether1
[admin@C1-B] > ip route add dst-address=0.0.0.0/0 gateway=192.168.50.1
Tahap kedua konfigurasi IP NAT Masquarade di R-Site-A dan R-Site-B[admin@R-Site-A] > ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.50.0/24 action=accept
[admin@R-Site-A] > ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
R-Site-B
[admin@R-Site-B] > ip firewall nat add chain=srcnat src-address=192.168.50.0/24 dst-address=192.168.10.0/24 action=accept
[admin@R-Site-B] > ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
Tahap ketiga konfigurasi ip sec policy da nip sec peer di router R-Site-A dan R-Site-B
R-Site-A
[admin@R-Site-A] > ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.50.0/24 action=encrypt tunnel=yes sa-src-address=100.100.100.6 sa-dst-address=200.200.200.6 proposal=default
[admin@R-Site-A] > ip ipsec peer add address=200.200.200.6 port=500 auth-method=pre-shared-key secret=ngonfig nat-traversal=yes
R-Site-B
[admin@R-Site-B] > ip ipsec policy add src-address=192.168.50.0/24 dst-address=192.168.10.0/24 sa-src-address=200.200.200.6 sa-dst-address=100.100.100.6 action=encrypt tunnel=yes proposal=default
[admin@R-Site-B] > ip ipsec peer add address=100.100.100.6 port=500 auth-method=pre-shared-key secret=ngonfig nat-traversal=yes
Tahap keempat lihat koneksi apakah sudah tersambung
R-Site-A
[admin@R-Site-A] > ip ipsec remote-peers pr
0 local-address=100.100.100.6 remote-address=200.200.200.6 state=established side=responder established=2m35s
R-Site-B
[admin@R-Site-B] > ip ipsec remote-peers pr
0 local-address=200.200.200.6 remote-address=100.100.100.6 state=established side=initiator established=2m44s
Tahap keempat uji konfigurasi ipsec dengan mencoba ping dari C1-A ke C1-B ataupun sebaliknya
C1-A
[admin@C1-A] > ping 192.168.50.50
HOST SIZE TTL TIME STATUS
192.168.50.50 56 62 25ms
192.168.50.50 56 62 23ms
192.168.50.50 56 62 20ms
192.168.50.50 56 62 19ms
192.168.50.50 56 62 22ms
sent=5 received=5 packet-loss=0% min-rtt=19ms avg-rtt=21ms max-rtt=25ms
C1-B
[admin@C1-B] > ping 192.168.10.10
HOST SIZE TTL TIME STATUS
192.168.10.10 56 62 51ms
192.168.10.10 56 62 20ms
192.168.10.10 56 62 19ms
192.168.10.10 56 62 19ms
192.168.10.10 56 62 18ms
192.168.10.10 56 62 28ms
sent=6 received=6 packet-loss=0% min-rtt=18ms avg-rtt=25ms max-rtt=51ms
Demikian sedikit sharing dari saya.
Reference :ngonfig
0 Response to "Setting IPSec pada mikrotik"
Post a Comment