An IPsec connection can be set up host to host or network to network; the method and the configuration are almost the same in both cases.
Here we configure IPsec host to host with racoon on Ubuntu 8.04, on the host called C. The scheme is as follows (A, B, C and D below stand for the hosts' IP addresses; replace them with the real ones):
# apt-get install racoon
Choose "direct" when the racoon package asks for its configuration mode.
# edit /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
listen
{
isakmp C [500];
}
timer
{
# These values can be changed per remote node.
counter 5;
interval 20 sec;
persend 1;
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
## IKE phase 1
remote B
{
# The original listed "main,aggressive". Aggressive mode sends a hash derived
# from the PSK in the clear, which allows offline guessing of the key, so only
# main mode is kept. Main mode with a PSK needs the peer identified by address,
# which my_identifier below does.
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier address C;
nonce_size 16;
lifetime time 24 hour;
initial_contact on;
proposal_check obey;
proposal {
# 3DES/SHA-1 are the original choices; racoon also accepts "aes 256".
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
# dh_group is mandatory in a racoon phase 1 proposal; the original omitted it.
dh_group modp2048;
}
}
## IKE phase 2 (sainfo)
# Phase 2 parameters for the host-to-host pair C <-> B. pfs_group is optional
# but recommended; both ends must then use the same group.
sainfo address C/32 any address B/32 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# This second entry covers C to the whole /24 of B; it is only used once a
# matching network-to-network policy exists in ipsec-tools.conf.
sainfo address C/32 any address B/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
That completes racoon.conf. Now configure ipsec-tools.conf, the security policy (SPD) file that setkey loads:
# edit /etc/ipsec-tools.conf
flush;
spdflush;
# Host-to-host policy in tunnel mode, as on the page. For a pure host-to-host
# link, esp/transport//require is the more usual choice and needs no addresses.
spdadd C/32[any] B/32[any] any -P out ipsec
esp/tunnel/C-B/require;
spdadd B/32[any] C/32[any] any -P in ipsec
esp/tunnel/B-C/require;
After ipsec-tools.conf, fill in the pre-shared key in psk.txt. The file name must match the path given in racoon.conf (lowercase psk.txt, not PSK.txt). It holds one line per peer: the peer's identifier, here its address, followed by the key. Use a long random key rather than a word, and give the file mode 600 (chmod 600 /etc/racoon/psk.txt): racoon refuses a psk.txt that is readable by group or others.
# edit /etc/racoon/psk.txt
B password
Once racoon.conf, ipsec-tools.conf and psk.txt are in place, load the policies and (re)start the daemon:
# /etc/init.d/setkey restart
# /etc/init.d/racoon restart
That completes the IPsec configuration with racoon. The configuration above only creates the connection between B and C; for A and D, add the corresponding remote and sainfo stanzas to racoon.conf, the spdadd policies to ipsec-tools.conf, and one psk.txt line per peer. To check the result, setkey -DP lists the loaded policies and setkey -D shows the SAs once traffic (for example a ping to B) has triggered the negotiation.
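The post ends by saying that A and D are added the same way. The script below, an added example and not code from the original post, does that mechanically: it generates racoon.conf, ipsec-tools.conf and psk.txt for one local host and any number of peers, with a random 256-bit PSK per peer, main mode only, the mandatory dh_group, and the 600 file mode racoon insists on. It assumes ipsec-tools 0.7 or later (for sha256 in phase 1; use sha1 on older builds), IPv4 peers identified by address as on the page, and it writes to a directory you name rather than straight into /etc. It goes beyond the page in one respect: the output is in the page's tunnel mode by default, but MODE=transport switches the SPD to transport mode, the usual choice for a pure host-to-host link. The function names (generate, spd_peer, new_psk and so on) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate racoon.conf,
# ipsec-tools.conf and psk.txt for one local host and any number of peers.
# Assumptions: ipsec-tools 0.7+ (sha256 in phase 1), IPv4 peers identified
# by address. Usage: sh gen-ipsec.sh LOCAL_IP OUTDIR PEER_IP...

set -e

MODE="${MODE:-tunnel}"   # tunnel (as on the page) or transport

# Global part of racoon.conf: PSK file location and the listening address.
racoon_header() {
    local_ip="$1"
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";
log notify;
listen
{
    isakmp ${local_ip} [500];
}

EOF
}

# Phase 1 (remote) and phase 2 (sainfo) stanzas for a single peer.
racoon_peer() {
    local_ip="$1"; peer_ip="$2"
    cat <<EOF
remote ${peer_ip}
{
    # main mode only: aggressive mode exposes a PSK-derived hash to offline guessing
    exchange_mode main;
    my_identifier address ${local_ip};
    lifetime time 24 hour;
    initial_contact on;
    proposal_check obey;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        # dh_group is mandatory in a racoon phase 1 proposal
        dh_group modp2048;
    }
}
sainfo address ${local_ip}/32 any address ${peer_ip}/32 any
{
    pfs_group modp2048;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

EOF
}

# Both SPD directions for one peer, in the mode selected by MODE.
spd_peer() {
    local_ip="$1"; peer_ip="$2"
    if [ "$MODE" = transport ]; then
        out_sa="esp/transport//require"; in_sa="$out_sa"
    else
        out_sa="esp/tunnel/${local_ip}-${peer_ip}/require"
        in_sa="esp/tunnel/${peer_ip}-${local_ip}/require"
    fi
    printf 'spdadd %s/32[any] %s/32[any] any -P out ipsec %s;\n' "$local_ip" "$peer_ip" "$out_sa"
    printf 'spdadd %s/32[any] %s/32[any] any -P in ipsec %s;\n' "$peer_ip" "$local_ip" "$in_sa"
}

# 256-bit key as 64 hex characters; the same value must be installed on the peer.
new_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Key already recorded for peer $1 in file $2, or nothing if there is none.
existing_psk() {
    if [ -f "$2" ]; then
        awk -v p="$1" '$1 == p { print $2 }' "$2"
    fi
}

# Write the three files for LOCAL_IP into OUTDIR, one stanza set per peer.
# Re-running keeps a peer's existing key so the other end stays in sync.
generate() {
    local_ip="$1"; outdir="$2"; shift 2
    mkdir -p "$outdir"
    racoon_header "$local_ip" > "$outdir/racoon.conf"
    printf 'flush;\nspdflush;\n' > "$outdir/ipsec-tools.conf"
    : > "$outdir/psk.tmp"
    chmod 600 "$outdir/psk.tmp"   # racoon rejects a group/world-readable psk.txt
    for peer in "$@"; do
        racoon_peer "$local_ip" "$peer" >> "$outdir/racoon.conf"
        spd_peer "$local_ip" "$peer" >> "$outdir/ipsec-tools.conf"
        key=$(existing_psk "$peer" "$outdir/psk.txt")
        [ -n "$key" ] || key=$(new_psk)
        printf '%s %s\n' "$peer" "$key" >> "$outdir/psk.tmp"
    done
    mv "$outdir/psk.tmp" "$outdir/psk.txt"
}

if [ "$#" -ge 3 ]; then
    generate "$@"
fi
```

Run it on each host with that host's own address and the peers' addresses (for C on the page: sh gen-ipsec.sh C /tmp/ipsec B), copy the generated files into /etc/racoon and /etc, and paste the key for each pair into the other host's psk.txt. Because an existing key is never overwritten, re-running after adding a peer is safe. Then restart setkey and racoon as above; setkey -DP should list the policies and setkey -D should show SAs once traffic flows.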