Kurusetra Computer Linux VPN MPLS
Table of Contents

OpenVPN
    VPN Server Configuration
    Static IP Client Configuration
    Linux VPN Client Configuration
OpenVPN GUI for MS Windows XP/Vista
    MS Windows Client Configuration
BGP Routing
    External BGP
    Internal BGP
MPLS Virtual WAN
    Virtual Wide Area Networking
    BGP Inside OpenVPN
    Full Virtual WAN Topology
    Virtual WAN Configuration
        Surabaya Office PC Router
        Madiun Office PC Router
VPN Server Configuration
apt-get install openvpn openssh-server
cd /usr/share/doc/openvpn/examples/easy-rsa/
cd 1.0/
vim vars
# set these values inside vars:
export KEY_COUNTRY=ID
export KEY_PROVINCE=JT
export KEY_CITY=MAGETAN
export KEY_ORG="Kurusetra Computer"
export KEY_EMAIL="[email protected]"
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-key client3
./build-key client4
./build-dh

cp keys/* /etc/openvpn/
cd /usr/share/doc/openvpn/examples/sample-config-files/
cp server.conf.gz /etc/openvpn/
cd /etc/openvpn/
gunzip server.conf.gz
vim server.conf

# server.conf:
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

# copy the client's certificate, key and the CA certificate to the client
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/
scp -r client1.* root@ipclient1:/etc/openvpn/
scp -r dh1024.pem root@ipclient1:/etc/openvpn/
scp -r ca.* root@ipclient1:/etc/openvpn/   # note: ca.* also matches ca.key; a client only needs ca.crt
Static IP Client Configuration
vim /etc/openvpn/server.conf
# add to server.conf:
client-config-dir /etc/openvpn/ccd

mkdir /etc/openvpn/ccd
vim /etc/openvpn/ccd/client1   (the file name must match the client certificate's common name)
# contents of /etc/openvpn/ccd/client1:
ifconfig-push 10.8.0.21 255.255.255.0

/etc/init.d/openvpn restart
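An added example, not from the original document, that audits the server.conf directives used on this page together with the ccd files from the static-IP step: it flags duplicate-cn (used in the Surabaya office config later on), comp-lzo, the absence of tls-auth/tls-crypt and of a cipher directive, and checks that every ifconfig-push address lies inside the server pool. The SERVER_CONF text and the ccd entries are constructed sample input.

```python
import ipaddress

# Constructed sample: this page's server.conf directives plus the 'duplicate-cn' line used in the Surabaya config.
SERVER_CONF = """\
dev tap
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
duplicate-cn
comp-lzo
"""

# Constructed ccd files keyed by certificate CN (the ccd file name is the CN).
CCD = {
    "client1": "ifconfig-push 10.8.0.21 255.255.255.0\n",
    "client2": "ifconfig-push 10.9.0.22 255.255.255.0\n",  # not in the VPN subnet
}

def parse_directives(text):
    """Return (keyword, [args]) for each non-empty, non-comment line."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def audit(server_conf, ccd):
    """Return findings for the server.conf directives and ccd files given."""
    directives = parse_directives(server_conf)
    keywords = {k for k, _ in directives}
    findings = []
    if "duplicate-cn" in keywords:
        findings.append("duplicate-cn: one certificate may be used by several clients at once; per-client ccd addresses and accountability are lost")
    if "comp-lzo" in keywords or "compress" in keywords:
        findings.append("comp-lzo: compression is enabled on the tunnel")
    if not keywords & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel is not HMAC-protected")
    if "cipher" not in keywords:
        findings.append("no cipher directive: the version-dependent default (BF-CBC before 2.4) applies")
    # Every address pushed from ccd must lie inside the 'server' pool.
    srv = next(a for k, a in directives if k == "server")
    pool = ipaddress.ip_network(f"{srv[0]}/{srv[1]}", strict=False)
    for cn, body in ccd.items():
        for k, a in parse_directives(body):
            if k == "ifconfig-push" and ipaddress.ip_address(a[0]) not in pool:
                findings.append(f"ccd/{cn}: {a[0]} is outside the server pool {pool}")
    return findings
```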
Linux VPN Client Configuration
apt-get install openvpn openssh-server
cd /usr/share/doc/openvpn/examples/sample-config-files/
cp client.conf /etc/openvpn/
cd /etc/openvpn
vim client.conf

# client.conf:
client
dev tap        # must match the server's dev type (the server above uses tap)
proto udp
remote IP_VPN_SERVER 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
OpenVPN GUI for MS Windows XP/Vista
MS Windows Client Configuration
1. Download OpenVPN GUI from http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
2. Install OpenVPN GUI. When the driver installation warning appears, choose Continue Anyway.
3. Go to the OpenVPN Sample Configuration Files folder and copy client.ovpn to the OpenVPN configuration file directory, together with its certificate and key files.
4. After copying, the result looks like the figure below.
5. Edit client.ovpn and adjust the parameters and the certificate names:

client
dev tap
proto udp
remote 148.6.64.1 1194
ca ca.crt
cert magetan.crt
key magetan.key
6. Then, in the MS Windows taskbar at the bottom right, right-click the OpenVPN icon and choose Connect.
BGP Routing
External BGP
Router A (IP: 10.8.1.1)
hostname router_a
router bgp 65000
 bgp router-id 10.8.1.1
 network 192.168.1.0/24
 network 10.8.1.0/24
 neighbor 10.8.1.100 remote-as 65002   ! Router D
 neighbor 10.8.1.101 remote-as 65001   ! Router C
 neighbor 192.168.1.2 remote-as 65000  ! Router B (iBGP)

Router C (10.8.1.101)
hostname router_c
router bgp 65001
 bgp router-id 10.8.1.101
 network 192.168.6.0/24
 neighbor 10.8.1.100 remote-as 65002   ! Router D
 neighbor 10.8.1.1 remote-as 65000     ! Router A

Router D (10.8.1.100)
hostname router_d
router bgp 65002
 bgp router-id 10.8.1.100
 network 192.168.10.0/24
 neighbor 10.8.1.101 remote-as 65001   ! Router C
 neighbor 192.168.10.2 remote-as 65002 ! Router E (iBGP)
 neighbor 10.8.1.1 remote-as 65000     ! Router A
Internal BGP
Router B (192.168.1.2)
hostname router_b
router bgp 65000
 bgp router-id 192.168.1.2
 network 192.168.1.0/24
 network 192.168.3.0/24
 neighbor 192.168.1.1 remote-as 65000  ! Router A

Router E (192.168.10.2)
hostname router_e
router bgp 65002
 bgp router-id 192.168.10.2
 network 192.168.10.0/24
 network 192.168.9.0/24
 neighbor 192.168.10.1 remote-as 65002 ! Router D

Router F (192.168.10.3)
hostname router_f
router bgp 65002
 bgp router-id 192.168.10.3
 network 192.168.10.0/24
 network 192.168.9.0/24
 neighbor 192.168.10.1 remote-as 65002 ! Router D
MPLS Virtual WAN
Virtual Wide Area Networking
A Wide Area Network connects geographically separate areas (cities or regions) into one computer network topology. This article covers a Virtual WAN (Virtual Wide Area Network), which joins several subnets of regions, cities or company offices into a single topology. The subnets we connect use private 192.x.x.x addresses that are not routable on the internet, so a Virtual WAN is meant for private (personal or corporate) use. The connection between subnets resembles the internet or a WAN: users can share files directly between computers on different subnets, share printers and use applications across sites. The figure below shows an example topology of the Surabaya, Madiun and Ponorogo office subnets; we will join them into one Virtual WAN topology using a combination of OpenVPN and the BGP routing protocol.
BGP Inside OpenVPN
The diagram below shows VPN tunnelling (blue lines) used to carry the BGP routing protocol that connects the subnets. Each AS number (ASN) is linked by a VPN tunnel, so the BGP routing packets crossing it are always encapsulated and encrypted, which improves the security of data communication between subnets.

Madiun   = ASN 1003
Ponorogo = ASN 1002
Surabaya = ASN 1001
Full Virtual WAN Topology
The figure below shows the subnets joined according to the BGP-inside-OpenVPN diagram. Every Linux PC router runs OpenVPN and the Quagga routing daemon; only the Surabaya office router acts as the OpenVPN server and must have a static public IP. The Madiun and Ponorogo offices can use dynamic IP connections and act as VPN clients. The connection details of each PC router follow.

Surabaya Office
Internet connection : Dedicated leased line, 512 kbps to 1 Mbps
Public IP           : 122.200.52.41
LAN subnet          : 192.168.0.0/24
VPN IP              : 10.8.1.1
ASN                 : 1001

Madiun Office
Internet connection : Telkom Speedy Unlimited
Telkom Speedy IP    : 125.22.156.45 (dynamic IP)
LAN subnet          : 192.168.10.0/24
VPN IP              : 10.8.1.3
ASN                 : 1003

Ponorogo Office
Internet connection : FastNet First Media
FastNet IP          : 122.34.200.70 (dynamic IP)
LAN subnet          : 192.168.1.0/24
VPN IP              : 10.8.1.4
ASN                 : 1002
Virtual WAN Configuration
Surabaya Office PC Router

vim /etc/openvpn/server.conf (OpenVPN server)
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3

vim /etc/quagga/daemons
zebra=yes
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
vim /etc/quagga/debian.conf
vtysh_enable=yes
zebra_options=" --daemon"
bgpd_options=" --daemon"
ospfd_options=" --daemon"
ospf6d_options=" --daemon -A ::1"
ripd_options=" --daemon"
ripngd_options=" --daemon -A ::1"
isisd_options=" --daemon -A 127.0.0.1"

vim /etc/quagga/bgpd.conf
hostname bgpd
password zebra
enable password ardelindo
log stdout
router bgp 1001
 bgp router-id 10.8.1.1
 network 122.200.50.0/24
 network 192.168.0.0/24
 neighbor 10.8.1.3 remote-as 1003
 neighbor 10.8.1.4 remote-as 1002
line vty
#############################
## CONFIGURATION TEST
## SURABAYA OFFICE
#############################
Router> show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 via 122.200.52.1, eth1
C>* 10.8.1.0/24 is directly connected, tap0
C>* 122.200.52.0/25 is directly connected, eth1
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.0.0/24 is directly connected, eth3
K>* 192.168.0.218/32 via 10.8.1.2, tap0
B>* 192.168.1.0/24 [20/0] via 10.8.1.4, tap0, 03:29:27
B>* 192.168.10.0/24 [20/0] via 10.8.1.3, tap0, 15:03:25

bgpd> show ip bgp neighbors
BGP neighbor is 10.8.1.3, remote AS 1003, local AS 1001, external link
  BGP version 4, remote router ID 10.8.1.3
  BGP state = Established, up for 15:05:21
  Last read 00:00:21, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                 10          2
    Notifications:          3          5
    Updates:               15          5
    Keepalives:          1521       1512
    Route Refresh:          0          0
    Capability:             0          0
    Total:               1549       1524
  Minimum time between advertisement runs is 30 seconds
 For address family: IPv4 Unicast
  Community attribute sent to this neighbor(both)
  1 accepted prefixes

  Connections established 5; dropped 3
  Last reset 1d00h58m, due to BGP Notification send
Local host: 10.8.1.1, Local port: 179
Foreign host: 10.8.1.3, Foreign port: 42912
Nexthop: 10.8.1.1
Nexthop global: fe80::2ff:79ff:fe7c:31a8
#############################
## CONFIGURATION TEST
## MADIUN OFFICE
#############################
Router> show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 via 192.168.1.1, eth1
O   10.8.1.0/24 [110/10] is directly connected, tap0, 1d00h34m
C>* 10.8.1.0/24 is directly connected, tap0
B>* 122.200.50.0/24 [20/0] via 10.8.1.1, tap0, 14:29:07
C>* 127.0.0.0/8 is directly connected, lo
B>* 192.168.0.0/24 [20/0] via 10.8.1.1, tap0, 14:29:07
B   192.168.1.0/24 [20/0] via 10.8.1.4, tap0, 02:54:53
C>* 192.168.1.0/24 is directly connected, eth1
O   192.168.10.0/24 [110/10] is directly connected, eth2, 1d00h34m
C>* 192.168.10.0/24 is directly connected, eth2

bgpd> show ip bgp summary
BGP router identifier 10.8.1.3, local AS number 1003
RIB entries 7, using 448 bytes of memory
Peers 1, using 2512 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.8.1.1        4  1001    1484    1499        0    0    0 14:32:29        3

Total number of neighbors 1

bgpd> show ip bgp neighbors
BGP neighbor is 10.8.1.1, remote AS 1001, local AS 1003, external link
  BGP version 4, remote router ID 10.8.1.1
  BGP state = Established, up for 14:33:09
  Last read 00:00:56, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  7          3
    Notifications:          7          0
    Updates:                4         12
    Keepalives:          1482       1469
    Route Refresh:          0          0
    Capability:             0          0
    Total:               1500       1484
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Community attribute sent to this neighbor(both)
  3 accepted prefixes

  Connections established 4; dropped 0
  Last reset never
Local host: 10.8.1.3, Local port: 42912
Foreign host: 10.8.1.1, Foreign port: 179
Nexthop: 10.8.1.3
Nexthop global: fe80::2ff:9dff:fecd:a17b
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off
bgpd> show ip bgp summary
BGP router identifier 10.8.1.3, local AS number 1003
RIB entries 7, using 448 bytes of memory
Peers 1, using 2512 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.8.1.1        4  1001    1519    1534        0    0    0 15:07:23        3

Total number of neighbors 1
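The 'show ip bgp summary' output above is what an operator would poll to confirm that the tunnel-carried BGP sessions stay up. The following is an added example, not part of the original document: it parses that output into per-neighbor state and compares it with the peers configured in the Surabaya bgpd.conf. The SUMMARY text is constructed in the same format as the page's output, with the Ponorogo session deliberately shown in Active state.

```python
import re

# Constructed sample in the format of this page's 'show ip bgp summary' output.
SUMMARY = """\
BGP router identifier 10.8.1.1, local AS number 1001

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.8.1.3        4  1003    1519    1534        0    0    0 15:07:23        3
10.8.1.4        4  1002       0       0        0    0    0    never   Active
"""

EXPECTED = {"10.8.1.3": 1003, "10.8.1.4": 1002}  # peers from the Surabaya bgpd.conf

# ip, version, AS, five counters (MsgRcvd MsgSent TblVer InQ OutQ), Up/Down, State/PfxRcd
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3})\s+4\s+(?P<asn>\d+)(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<last>\S+)\s*$")

def parse_summary(text):
    """Map neighbor IP -> {asn, state, prefixes} from 'show ip bgp summary' text."""
    peers = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            # Quagga prints the received-prefix count once the session is
            # Established, and the FSM state name (Idle/Active/Connect/...) otherwise.
            last = m.group("last")
            peers[m.group("ip")] = {
                "asn": int(m.group("asn")),
                "state": "Established" if last.isdigit() else last,
                "prefixes": int(last) if last.isdigit() else None,
            }
    return peers

def check_peers(text, expected):
    """Return alert strings; an empty list means every expected peer is Established."""
    peers = parse_summary(text)
    alerts = []
    for ip, asn in expected.items():
        p = peers.get(ip)
        if p is None:
            alerts.append(f"{ip}: not present in summary")
        elif p["asn"] != asn:
            alerts.append(f"{ip}: remote AS {p['asn']}, expected {asn}")
        elif p["state"] != "Established":
            alerts.append(f"{ip}: session {p['state']}, not Established")
        elif p["prefixes"] == 0:
            alerts.append(f"{ip}: Established but no prefixes received")
    for ip in sorted(peers.keys() - expected.keys()):
        alerts.append(f"{ip}: unexpected neighbor (AS {peers[ip]['asn']})")
    return alerts
```

Feeding it the live output of `vtysh -c "show ip bgp summary"` from cron gives a simple session-down and unexpected-peer alert for each office router.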