Setting IPsec Site to Site VPN with NAT Cisco – GNS3 LAB9

  • R1 FastEthernet 0/0 : 10.10.10.1
  • R1 FastEthernet 0/1 : 192.168.10.1
  • PC1 : 192.168.10.2 (NAT)
  • R2 FastEthernet 0/0 : 10.10.10.2
  • R2 FastEthernet 0/1 : 20.20.20.2
  • R3 FastEthernet 0/0 : 20.20.20.1
  • R3 FastEthernet 0/1 : 192.168.20.1
  • PC2 : 192.168.20.2 (NAT)
  • Encryption: aes 256
  • Hash: sha

Setting IP address

  • R1
R1# configure terminal
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip address 10.10.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

R1(config)# interface fastEthernet 0/1
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

R1(config)# do show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.10.1      YES manual up                    up
FastEthernet0/1            192.168.10.1    YES manual up                    up
  • R2
R2# configure terminal
R2(config)# interface fastEthernet 0/0
R2(config-if)# ip address 10.10.10.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit

R2(config)# interface fastEthernet 0/1
R2(config-if)# ip address 20.20.20.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit

R2(config)# do show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.10.2      YES manual up                    up
FastEthernet0/1            20.20.20.2      YES manual up                    up
  • R3
R3# configure terminal
R3(config)# interface fastEthernet 0/0
R3(config-if)# ip address 20.20.20.1 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# exit

R3(config)# interface fastEthernet 0/1
R3(config-if)# ip address 192.168.20.1 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# exit

R3(config)# do show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            20.20.20.1      YES manual up                    up
FastEthernet0/1            192.168.20.1    YES manual up                    up

Setting Default Gateway

  • R1
R1(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.2

R1(config)# do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.10.2 to network 0.0.0.0

C    192.168.10.0/24 is directly connected, FastEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.10.10.2
  • R3
R3(config)# ip route 0.0.0.0 0.0.0.0 20.20.20.2

R3(config)# do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 20.20.20.2 to network 0.0.0.0

     20.0.0.0/24 is subnetted, 1 subnets
C       20.20.20.0 is directly connected, FastEthernet0/0
C    192.168.20.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 20.20.20.2
  • Test ping from R1 to R3 (20.20.20.1) and from R3 to R1 (10.10.10.1)
R1# ping 20.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/64 ms


R3# ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/57/64 ms

Setting Phase 1, Pre-shared Key and Access List

  • R1
R1# configure terminal
R1(config)# crypto isakmp policy 5
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit

R1(config)# crypto isakmp key sysops address 20.20.20.1

R1(config)# access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0  0.0.0.255
  • R3
R3# configure terminal
R3(config)# crypto isakmp policy 5
R3(config-isakmp)# hash sha
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit

R3(config)# crypto isakmp key sysops address 10.10.10.1

R3(config)# access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0  0.0.0.255

Setting Phase 2 and Crypto Map

  • R1
R1(config)# crypto ipsec transform-set sysops1set esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)# exit

R1(config)# crypto map sysops1map 5 ipsec-isakmp
R1(config-crypto-map)# set peer 20.20.20.1
R1(config-crypto-map)# set transform-set sysops1set
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set pfs group2
R1(config-crypto-map)# exit
  • R3
R3(config)# crypto ipsec transform-set sysops2set esp-aes 256 esp-sha-hmac
R3(cfg-crypto-trans)# exit

R3(config)# crypto map sysops2map 5 ipsec-isakmp
R3(config-crypto-map)# set peer 10.10.10.1
R3(config-crypto-map)# set transform-set sysops2set
R3(config-crypto-map)# match address 100
R3(config-crypto-map)# set pfs group2
R3(config-crypto-map)# exit

Apply the Configuration

  • R1
R1(config)# interface fastEthernet 0/0
R1(config-if)# crypto map sysops1map
R1(config-if)# exit
  • R3
R3(config)# interface fastEthernet 0/0
R3(config-if)# crypto map sysops2map
R3(config-if)# exit

Check the VPN Configuration

  • R1
R1# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1     10.10.10.1      20.20.20.1               ACTIVE aes  sha  psk  2  23:51:40
       Connection-id:Engine-id =  1:1(software)
  • R3
R3# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1     20.20.20.1      10.10.10.1               ACTIVE aes  sha  psk  2  23:51:33
       Connection-id:Engine-id =  1:1(software)

VPN Testing

  • PC1
      • Set a static IP: 192.168.10.2
      • Ping 10.10.10.1 > succeeds
      • Ping the default gateway 10.10.10.2 > fails, because there is no NAT
      • Ping PC2 192.168.20.2 > succeeds (the VPN is connected)
  • PC2
      • Set a static IP: 192.168.20.2
      • Ping 20.20.20.1 > succeeds
      • Ping the default gateway 20.20.20.2 > fails, because there is no NAT
      • Ping PC1 192.168.10.2 > succeeds (the VPN is connected)

Setting NAT

  • R1
R1# configure terminal
R1(config)# ip nat inside source list 101 interface fastEthernet 0/0 overload
R1(config)# access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 any

R1(config)# interface fastEthernet 0/0
R1(config-if)# ip nat outside
R1(config-if)# exit

R1(config)# interface fastEthernet 0/1
R1(config-if)# ip nat inside
R1(config-if)# exit
  • R3
R3# configure terminal
R3(config)# ip nat inside source list 101 interface fastEthernet 0/0 overload
R3(config)# access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R3(config)# access-list 101 permit ip 192.168.20.0 0.0.0.255 any

R3(config)# interface fastEthernet 0/0
R3(config-if)# ip nat outside
R3(config-if)# exit

R3(config)# interface fastEthernet 0/1
R3(config-if)# ip nat inside
R3(config-if)# exit
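The deny line in access-list 101 is the NAT exemption: on Cisco IOS the inside-to-outside NAT translation runs before the crypto map is checked, so VPN-bound traffic that gets translated to the outside address would no longer match crypto ACL 100 and would leave the router in the clear. The Python below is an added example, not part of the original lab and not Cisco code: it parses the lab's own access-list lines, applies Cisco wildcard-mask matching, replays that order of operations, and also checks that the two peers' crypto ACLs from the Phase 1 section are exact mirrors. The two misconfigured variants (an ACL 101 without the deny line, and an R3 permit entry that names R1's LAN instead of its own) are constructed here for illustration.

```python
"""Added example: model of NAT-before-crypto ordering on a Cisco IOS outside interface.
Not the lab's or Cisco's code; uses only the standard library and the lab's ACL lines."""
import ipaddress


def _addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Return (network, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines; a leading 'R1(config)# ' prompt is ignored.
    Returns {acl_number: [(action, (src_net, src_wild), (dst_net, dst_wild)), ...]} in entry order."""
    acls = {}
    for line in lines:
        tokens = line.split("#", 1)[-1].split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only extended 'ip' entries appear in this lab
        number, action, rest = tokens[1], tokens[2], tokens[4:]
        src = _addr(rest)
        dst = _addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def _matches(addr, spec):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care


def acl_action(entries, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"


def egress(src, dst, nat_acl, crypto_acl, outside_ip):
    """Disposition of an inside-to-outside packet on the outside interface.
    Step 1: NAT overload (PAT) rewrites the source to the outside address if the NAT ACL permits it.
    Step 2: the crypto map is evaluated on the packet as it now looks; a match means ESP encryption.
    Returns ('encrypted' | 'clear', source address as the packet leaves the router)."""
    leaving_src = outside_ip if acl_action(nat_acl, src, dst) == "permit" else src
    if acl_action(crypto_acl, leaving_src, dst) == "permit":
        return "encrypted", leaving_src
    return "clear", leaving_src


def is_mirror(local_acl, remote_acl):
    """Peers' crypto ACLs must be exact mirrors: each local (src, dst) appears remotely as (dst, src)."""
    mirrored = sorted((action, dst, src) for action, src, dst in local_acl)
    return mirrored == sorted(remote_acl)


# --- Sample input, constructed from the lab's own ACL lines ---
R1_CRYPTO = parse_acl(["R1(config)# access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"])["100"]
R3_CRYPTO = parse_acl(["R3(config)# access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255"])["100"]
R1_NAT = parse_acl([
    "R1(config)# access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "R1(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 any",
])["101"]
# Hypothetical misconfiguration: the same NAT ACL without the exemption (deny) line.
R1_NAT_NO_EXEMPT = [entry for entry in R1_NAT if entry[0] == "permit"]
# Hypothetical misconfiguration on R3: the permit names R1's LAN instead of R3's own 192.168.20.0/24.
R3_NAT_WRONG_LAN = parse_acl([
    "access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 any",
])["101"]

if __name__ == "__main__":
    pc1, pc2, r1_out, r3_out = "192.168.10.2", "192.168.20.2", "10.10.10.1", "20.20.20.1"
    r2_near_r1, r2_near_r3 = "10.10.10.2", "20.20.20.2"
    print("PC1->PC2, exemption present  :", egress(pc1, pc2, R1_NAT, R1_CRYPTO, r1_out))
    print("PC1->PC2, exemption missing  :", egress(pc1, pc2, R1_NAT_NO_EXEMPT, R1_CRYPTO, r1_out))
    print("PC1->R2,  NAT configured     :", egress(pc1, r2_near_r1, R1_NAT, R1_CRYPTO, r1_out))
    print("PC1->R2,  no NAT at all      :", egress(pc1, r2_near_r1, [], R1_CRYPTO, r1_out))
    print("PC2->R2,  wrong LAN in permit:", egress(pc2, r2_near_r3, R3_NAT_WRONG_LAN, R3_CRYPTO, r3_out))
    print("Crypto ACLs are mirrors      :", is_mirror(R1_CRYPTO, R3_CRYPTO))
```

With the exemption in place, PC1 to PC2 leaves R1 untranslated and encrypted; without it, the source becomes 10.10.10.1, the crypto ACL no longer matches, and the packet goes to R2 in the clear, where R2 has no route back to 192.168.20.0/24. The "no NAT at all" case reproduces the failed gateway ping from the VPN testing section: the packet keeps its private source and R2 cannot answer it. The wrong-LAN case shows why R3's permit entry has to name 192.168.20.0/24, since otherwise PC2's Internet-bound traffic is never translated. The mirror check is the Phase 2 proxy-identity requirement: if the two crypto ACLs are not mirror images, the IPsec SA will not come up even when ISAKMP shows ACTIVE.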

NAT Testing

  • PC1
      • Ping the default gateway 10.10.10.2 > succeeds
      • Ping R3 20.20.20.1 > succeeds
      • Ping PC2 192.168.20.2 > succeeds
  • PC2
      • Ping the default gateway 20.20.20.2 > succeeds
      • Ping R1 10.10.10.1 > succeeds
      • Ping PC1 192.168.10.2 > succeeds

herdiana3389