ISAKMP - Miftah Rahman (Go) - Blog - How VPN Works (Especially Site2site One)
How VPN works (especially site2site one)
April 26, 2016 / May 3, 2016 / Miftah Rahman / Network Theory
Tags: AH, CA, CHILD_SA, DPD, EAP, ESP, IKE, IKEv2, IPsec, ISAKMP, NAT-T, PFS, PKI, PSK, SA, SSL, SPI, VPN
4 Comments
Well, another one of my notes that got left behind; I'll make sure this one goes to my blog as well...
I made this note because there were a lot of configuration items I didn't understand while building a VPN...
———————————————————-
The difference? I'll explain it to you simply in one line: PPTP < L2TP < SSL < IPsec
PPTP is mostly used by Microsoft clients (on the Microsoft Windows platform), and this protocol is a weak one (but easier to use and configure); see the PPTP link in the references.
SSL is used by remote users for Remote VPN; the users only need a computer that supports "HTTPS" (clientless: nothing to install, a browser is enough).
The last and best one is IPsec (RFC 4301)... the downside is that it takes quite a lot of configuration, and it has to be configured on both sides of the network, which is why SSL is preferred by common users.
——————————————————————
1 of 14 10/19/2022, 7:24 AM
ISAKMP | Miftah Rahman (Go)-Blog https://belajarcomputernetwork.com/tag/isakmp/
So…IPsec huh?
Because there must be some policy for how to exchange and manage the keys
Because there must be some protocol that can authenticate the traffic
Or there must be a protocol that CAN both encrypt and authenticate the traffic
Tunnel mode: the default, and more secure; the packet header (remember from CCNA: what's the PDU of the Internet layer in the TCP/IP model?!?) is encrypted as well
——————————————————–
Anything called a VPN must involve some key exchange (VPN traffic is encrypted, after all... so how do you unlock it, and how do you validate the VPN peering?)
Don't worry... I'll explain the terminology used in this article in the section at the bottom
Now, IKE comes in 2 versions... the old-school one, IKEv1, and the robust and flexible one called IKEv2
—————————————————————
IKEv1 and v2
IKEv1
IKEv2
In IKE, a hacker can send an SPI* (let's say a peer initiation) to the victim router from many spoofed IP addresses; the result is that CPU resources get consumed because of all the "half open" initiations coming in. If there's no DoS prevention mechanism... then when the victim router establishes the connection to the peer router WITH THE SPI/KEY GIVEN BY THE HACKER... it's game over, everything inside is exposed, because the hacker can generate the key himself (he's the one who made it) and can decrypt the traffic with that key.
In IKEv2, they use cookies on the first VPN peering (kind of a fingerprint)... so if a hacker sends an SPI intended for a man-in-the-middle attack... the victim router simply asks the real router, "did you really send this?" Because the real router has the cookie from the first peering... it just gets checked; if it's wrong, it's dropped.
Now, at Cisco, they have a technology called FlexVPN* that relies heavily on IKEv2...
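The cookie check described above, as an added example that is not code from the post: a small Python model of the responder side of the stateless cookie in RFC 7296 section 2.6, where a responder under load keeps no state for an initiator until that initiator echoes a cookie it could only have learned by actually receiving the reply at its claimed address. The class, the half-open limit and all addresses are constructed for illustration.

```python
import hashlib
import hmac
import os


class Ikev2Responder:
    """Constructed model of an IKEv2 responder's stateless cookie challenge
    (RFC 7296 section 2.6); no real IKE packets are built or parsed."""

    def __init__(self, half_open_limit=2):
        self.secret = os.urandom(32)   # real stacks rotate this periodically
        self.version = 1               # <VersionIDofSecret> prefix from the RFC
        self.limit = half_open_limit   # half-open SAs tolerated before challenging
        self.half_open = {}            # SPIi -> (src_ip, Ni): state we agreed to keep

    def _cookie(self, spi_i, nonce_i, src_ip):
        # Cookie = VersionID | Hash(Ni | IPi | SPIi | secret): nothing is stored;
        # the responder recomputes it when (and only when) the peer echoes it back.
        mac = hmac.new(self.secret, nonce_i + src_ip.encode() + spi_i, hashlib.sha256)
        return bytes([self.version]) + mac.digest()

    def ike_sa_init(self, src_ip, spi_i, nonce_i, cookie=None):
        """Handle one IKE_SA_INIT request. Returns ("COOKIE", cookie) when the
        peer must first prove it can receive replies at src_ip, ("HALF_OPEN_SA",
        None) when state was allocated, or ("DROP", None) for a bad cookie."""
        if len(self.half_open) >= self.limit:
            if cookie is None:
                return "COOKIE", self._cookie(spi_i, nonce_i, src_ip)
            if not hmac.compare_digest(cookie, self._cookie(spi_i, nonce_i, src_ip)):
                return "DROP", None
        self.half_open[spi_i] = (src_ip, nonce_i)
        return "HALF_OPEN_SA", None


def demo():
    """Constructed scenario: a burst of initiations from addresses that never see
    the reply costs the responder no state, a real peer that echoes its cookie gets
    its half-open SA, and that cookie replayed from another address is dropped."""
    r = Ikev2Responder(half_open_limit=2)
    for i in range(2):                          # fill the half-open budget
        r.ike_sa_init(f"192.0.2.{i}", bytes([i]) * 8, os.urandom(32))
    burst = {r.ike_sa_init(f"198.51.100.{i}", os.urandom(8), os.urandom(32))[0]
             for i in range(100)}
    spi, nonce = os.urandom(8), os.urandom(32)
    first, cookie = r.ike_sa_init("203.0.113.7", spi, nonce)
    second, _ = r.ike_sa_init("203.0.113.7", spi, nonce, cookie=cookie)
    replayed, _ = r.ike_sa_init("198.51.100.200", spi, nonce, cookie=cookie)
    return len(r.half_open), burst, first, second, replayed
```

The responder ends with three half-open SAs no matter how large the burst, because a challenged initiator costs it only one HMAC until it proves reachability.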
—————————————————————
Terminology
Framework: I might have to explain this because I've used this word many times... if a protocol is a rule, a framework is a collection of rules.
Digital Certificate: tired of remembering all the passwords for site A, site B, site C, and so on? Or exhausted from carrying every key on a key chain to unlock all the doors? This is the solution; it's like an ID card for us... as long as you (as the ID card bearer) and the door guard recognize the card (who made it, of course), you're ready to go...
PKI (Public Key Infrastructure): this is a framework explaining how to create the digital certificates mentioned above.
CA (Certificate Authority): this is the server that issues digital certificates; it creates them, and it also verifies their authenticity.
RA (Registration Authority): this is optional; if you want the CA only to issue certificates and have another server check validity... the RA is the one that checks the certificate's validity.
SCEP (Simple Certificate Enrollment Protocol): Cisco's own, kind of Cisco's PKI framework... simple, it only uses HTTP to send and receive requests and certificates.
NAT-T (NAT Traversal): NAT and IPsec aren't compatible with each other; NAT changes the IP... which clearly breaks one of the VPN rules, namely integrity (making sure the data hasn't been changed). NAT-T puts a UDP header "in front of" the IPsec, so what the NAT reads first is the UDP, not the IPsec... both sides have to be aware that they're using NAT-T (in plain terms, NAT-T has to be enabled on both ends if you want the VPN to work). Workaround for NAT-T? Just use a PUBLIC IP on your firewall/gateway.
Transform Set: contains the method IPsec will use... whether ESP or AH.
PFS (Perfect Forward Secrecy): ensures the VPN peers don't use the same key when creating a new VPN session.
ESP (Encapsulating Security Payload): defined in RFC 4303, using IP protocol* 50; it covers how we can authenticate and encrypt the traffic going through the VPN.
AH (Authentication Header): faster but less secure than ESP; it only authenticates the header, with no encryption.
DPD (Dead Peer Detection): a technology to make sure our VPN peering isn't down... kind of like IP SLA for VPN (in IKEv2 this is available by default, no special configuration needed like in IKEv1).
——————–
References:
ISAKMP – https://tools.ietf.org/html/rfc2408
IKE – https://www.ietf.org/rfc/rfc2409.txt
IPsec – https://tools.ietf.org/html/rfc4303
IKEv2 – https://tools.ietf.org/html/rfc4306
http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html
https://tools.ietf.org/html/draft-ietf-ipsec-ikev2-tutorial-01
http://www.juniper.net/documentation/en_US/junos12.3x48/topics/concept/vpn-security-ikev2-understanding.html
http://security.stackexchange.com/questions/56434/understanding-the-details-of-spi-in-ike-and-ipsec
https://supportforums.cisco.com/document/21746/what-extensible-authentication-protocol
https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
Requirements:
GNS3
IOS 15 (search for C7200-ADVIPSERVICESK9-M Version 15.2(4); google it yourself)
ASAv .vmdk (same, look it up yourself)
WinXP VM .vmdk (same, but you can use your loopback interface if you wish)
VPN knowledge
ASA basic configuration
———————
The Idea
Design
—————————
It's a good idea to read up on cryptography fundamentals first... but if you want to skip that, I'll explain it to you briefly.
Before IKE, there was ISAKMP (Internet Security Association and Key Management Protocol)... a protocol containing a framework for how to manage SAs (Security Associations) and the cryptographic methods on the network.
What's an SA? Parameters such as hashing, encryption, authentication, etc. that must be satisfied and agreed on by both parties (peers) to build the VPN.
Now, the ISAKMP protocol is only for securing the "channel" (just the network, phase 1); with IKE we can secure the traffic as well (with IPsec, phase 2).
So, ISAKMP is a part of IKE, and IKEv2 adds more robustness to the key exchange mechanism... one example is supporting EAP (Extensible Authentication Protocol) by default; that's the thing used by 802.1X, a.k.a. EAP over LAN, a.k.a. EAPOL, the one that uses an AAA server.
Actually IKEv2 has many more advantages, it's just that I haven't dug deeper myself; more of the differences can be seen here (the IKEv1 vs IKEv2 link in the references below).
——————————-
The Configuration
On Cisco Router (you can use this example to build a site2site VPN between routers too)
Truth is, I don't know either what domain and hostname have to do with IKEv2 (in GNS3 with the IOS I have... for some reason, without these 2 commands IKEv2 doesn't work).
As usual... negotiate first with the peer next door... I want to use this encryption, that hashing... it has to match on both sides.
In other words, if you want to use IKEv2... there has to be a policy (where the policy uses the proposal we just made).
This transform is for the IPsec we want to use: which encapsulating security payload (esp) to use... here I use aes for authentication and sha512-hmac for hashing the key.
We create a profile: which kind of authentication to use toward the peer (match the local address with the remote identity address); here I use a pre-shared key.
And last, put that crypto map on the OUTSIDE interface, a.k.a. the one toward the WAN, a.k.a. the one facing our VPN peer.
On ASA
For the ASA there's actually a Site-to-Site VPN wizard, but I'm not going to do it that way (making things harder for myself)... in case some troubleshooting is needed...
(Disclaimer: for some reason, sometimes IKEv2 doesn't work... I configure IKEv1 first, then create IKEv2, and then the traffic flows, on the router too; it's as if the VPN doesn't want to "come up"... once IKEv2 is running I delete the IKEv1 one and it's still perfectly fine, let me know why that happens)
The steps are:
Create the object group first (example: an INSIDE-NET object for our 10.2.1.0 network)
Create an ACL so the INSIDE object (containing network 10.2.1.0) can reach OUTSIDE (create this object too, for 10.1.1.0)
Don't forget the routing (so you can ping -_- )
Create the IKEv2 policy and proposal
Make sure IKEv2 connections from outside are enabled
Create the group policy and tunnel group
And create the crypto map
In Configuration (next to the Home icon) > Firewall > Objects > Network Objects/Groups > add
Go to Device Setup > Routing > Static Routes > add
Site-to-Site VPN > Advanced > IKE Policies > add (IKEv2 policies)
CLI version:
Don't forget to tick "Allow IKEv2 Access" (on the CLI: "crypto ikev2 enable outside", see the picture below)
Next, the proposal... Site-to-Site VPN > Advanced > IPsec Proposals > add (IKE v2 IPsec Proposals)
CLI version:
Then configure the group policy... if you want to connect to peer 1.1.1.1, which tunnel (ikev1/ikev2) to use
Then configure the tunnel group in Site-to-Site VPN > Advanced > Tunnel Groups > add
Last, define the crypto map: Site-to-Site VPN > Advanced > Crypto Maps > add
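The "it has to match on both sides" negotiation behind the router's IKEv2 policy/proposal and the ASA's IKEv2 policy, as an added Python model (not the post's configuration and not Cisco code): the responder-side proposal selection of RFC 7296 section 3.3, run over constructed policies whose algorithm names and DH groups are illustrative.

```python
# Transform types an IKEv2 IKE_SA proposal has to agree on (RFC 7296 section 3.3).
IKE_TYPES = ("ENCR", "PRF", "INTEG", "DH")


def select_proposal(offered, local_policy):
    """Responder-side selection, as a standalone model. `offered` is the
    initiator's proposals in preference order, each mapping a transform type to
    the algorithms it offers; `local_policy` maps each type to what this side
    accepts. Returns (proposal_number, chosen_transforms) for the first proposal
    where every type has a common algorithm, or None, which on the wire is the
    NO_PROPOSAL_CHOSEN notify and a VPN that never comes up."""
    if set(local_policy) != set(IKE_TYPES):
        raise ValueError("local policy must cover every IKE transform type")
    for number, proposal in enumerate(offered, start=1):
        if set(proposal) != set(IKE_TYPES):
            continue                       # malformed or IPsec-style proposal
        chosen = {}
        for ttype in IKE_TYPES:
            common = [a for a in proposal[ttype] if a in local_policy[ttype]]
            if not common:
                break                      # this proposal cannot be used
            chosen[ttype] = common[0]      # initiator's order decides among accepted ones
        else:
            return number, chosen
    return None


# Constructed policies shaped like the post's lab: the router offers a strong and a
# fallback proposal; the ASA policies differ only in which DH groups they allow.
ROUTER_OFFER = [
    {"ENCR": ["AES-CBC-256"], "PRF": ["HMAC-SHA2-512"], "INTEG": ["HMAC-SHA2-512"], "DH": ["14"]},
    {"ENCR": ["AES-CBC-128"], "PRF": ["HMAC-SHA2-256"], "INTEG": ["HMAC-SHA2-256"], "DH": ["5"]},
]
ASA_POLICY_MATCHING = {
    "ENCR": ["AES-CBC-256", "AES-CBC-128"],
    "PRF": ["HMAC-SHA2-512", "HMAC-SHA2-256"],
    "INTEG": ["HMAC-SHA2-512", "HMAC-SHA2-256"],
    "DH": ["14", "5"],
}
ASA_POLICY_FALLBACK_ONLY = {**ASA_POLICY_MATCHING, "DH": ["5"]}   # only the weaker group
ASA_POLICY_MISMATCH = {**ASA_POLICY_MATCHING, "DH": ["2"]}        # no common group at all
```

A single transform type with no overlap (here the DH group) is enough for the whole proposal to be rejected, which is the usual cause of a tunnel that silently never comes up.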
————————————————————————–
Verification
On the ASA... go to Monitoring > VPN > VPN Connection Graphs > IPsec Tunnels (or Sessions also works)
——————————————-
References:
http://www.omnisecu.com/ccna-security/how-to-configure-site-to-site-ikev2-ipsec-vpn-using-pre-shared-key-authentication.php
https://www.fir3net.com/Firewalls/Cisco/cisco-how-to-configure-an-ikev2-site-to-site-vpn.html
http://rockhoppervpn.sourceforge.net/techdoc_ikev1vsikev2.html