Pada halaman kali ini kita akan mengonfigurasi VPN site-to-site SSTP pada MikroTik (dua router, R1 sebagai SSTP server sekaligus CA dan R2 sebagai SSTP client). Langsung saja ke topologi dan konfigurasi:
# R1: hostname, LAN1 address on ether2 and a DHCP server for LAN1.
# The WAN side (ether1) is addressed by a DHCP client; its lease is shown in
# the dhcp-client print output below.
/system identity set name="R1"
/ip address add address=192.168.1.1/24 interface=ether2
# Interactive wizard; the answers given are not reproduced on this page.
/ip dhcp-server setup
IP "publik" R1 (sisi WAN, ether1, diperoleh dari DHCP client). Catatan: 10.0.137.0/24 termasuk blok privat RFC 1918, jadi pada lab ini sisi WAN sebenarnya masih jaringan privat; pada jaringan nyata alamat ini adalah alamat publik yang terpapar ke internet:
[admin@R1] > ip dhcp-client print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 ether1 yes yes bound 10.0.137.186/24
# R2: hostname, LAN2 address on ether2 and a DHCP server for LAN2.
# The WAN side (ether1) is addressed by a DHCP client; its lease is shown in
# the dhcp-client print output below.
/system identity set name="R2"
/ip address add address=192.168.2.1/24 interface=ether2
# Interactive wizard; the answers given are not reproduced on this page.
/ip dhcp-server setup
IP "publik" R2 (sisi WAN, ether1, diperoleh dari DHCP client; sama seperti R1, masih dalam blok privat 10.0.137.0/24 pada lab ini):
[admin@R2] > ip dhcp-client print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 ether1 yes yes bound 10.0.137.92/24
# R1: SSTP server, first pass WITHOUT a certificate.
# Nothing in this step lets the client check who it is talking to; the only
# credential is the PPP username/password below. Treat it as a lab step for
# bringing the tunnel up — the certificate-based configuration further down is
# the one to keep.
# default-encryption is the built-in PPP profile with encryption enabled
# (check its use-encryption value with /ppp profile print); it does not
# replace TLS server verification.
/interface sstp-server server set enabled=yes default-profile=default-encryption
# Credentials for the site-to-site peer and the tunnel addresses handed to it.
# "password" is a placeholder — use a long random secret in any real
# deployment. Without server verification on the client, a man-in-the-middle
# could observe the PPP authentication exchange.
/ppp secret add name=sstp-user password=password profile=default-encryption service=sstp local-address=172.16.1.1 remote-address=172.16.1.2
# R2: SSTP client, first pass (no certificate).
# verify-server-certificate is not set, which in RouterOS means no: R2 will
# complete the TLS handshake with whatever answers on 10.0.137.186, so this
# only hides traffic from a passive observer. The certificate-based client
# further down is the one to keep.
/interface sstp-client add name=sstp-out1 connect-to=10.0.137.186 user=sstp-user password=password disabled=no
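# R1 acts as the private CA for this VPN.
# Changes vs. the bare commands: explicit key size and lifetimes, and an IP
# SAN on the server certificate matching the address R2 dials (10.0.137.186),
# so the client can later be told to verify the server name as well as the
# chain. days-valid defaults to 365 in RouterOS; a CA that quietly expires
# after a year takes the tunnel down with it, hence the explicit values.
/certificate
add name=myCA common-name=myCA key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign
sign myCA
# Server certificate. CN stays "server" as on the page; the IP SAN is what a
# client checks connect-to against when address verification
# (verify-server-address-from-certificate) is on.
/certificate
add name=server-cert common-name=server subject-alt-name=IP:10.0.137.186 key-size=2048 days-valid=730
sign server-cert ca=myCA
# Client certificate for R2. Its private key is exported and moved to R2
# further down; generating the key on R2 and only moving a request would avoid
# that (RouterOS SCEP can do this), but is beyond what this page shows.
/certificate
add name=client-cert common-name=client key-size=2048 days-valid=730
sign client-cert ca=myCA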
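# R1: switch the SSTP server to the signed certificate and, now that a CA
# exists on this router, require clients to present a certificate it signed.
# Without verify-client-certificate=yes the client-cert created above is
# installed on R2 but never checked, and the PPP username/password is the
# only thing standing between the WAN and the tunnel.
/interface sstp-server server set certificate=server-cert verify-client-certificate=yes enabled=yes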
# R1: export the CA certificate and the client certificate for transfer to R2.
# No export-passphrase is given for the CA, so RouterOS should write only the
# public .crt (no private key) — confirm under /file. The client export carries
# its private key, encrypted with export-passphrase; 12345678 is a placeholder
# and the .key file is the client's long-term secret, so use a strong
# passphrase and move the files over an authenticated channel (the page does
# not say how they are copied to R2).
/certificate export-certificate myCA
/certificate export-certificate client-cert export-passphrase=12345678
Unduh berkas hasil ekspor (*.crt dan *.key) dari menu Files di R1, lalu unggah ke R2. Berkas *.key berisi private key milik client-cert, jadi pindahkan lewat kanal yang terenkripsi dan terotentikasi (mis. SFTP lewat SSH), bukan FTP/HTTP polos, dan hapus salinannya dari R1 setelah diunggah.
# R2: import the CA first so the client certificate's chain resolves, then the
# client certificate and its encrypted private key.
# The CA .crt was exported without a passphrase, so the passphrase on the
# first line is presumably ignored; it is kept to match the page.
/certificate import file-name=cert_export_myCA.crt passphrase=12345678
/certificate import file-name=cert_export_client-cert.crt passphrase=12345678
/certificate import file-name=cert_export_client-cert.key passphrase=12345678
# Check with /certificate print: the CA should be listed and the client
# certificate should show the K (private key) flag once the .key import
# succeeds. Note the imported name (cert_export_client-cert.crt_0 on the page).
Hapus SSTP client yang dibuat sebelumnya (tanpa sertifikat), lalu tambahkan lagi dengan sertifikat client yang baru diimpor:
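# R2: SSTP client re-created with the client certificate.
# Added vs. the page: verify-server-certificate=yes, so R2 only accepts a
# server certificate that chains to the imported myCA instead of any TLS
# endpoint answering on 10.0.137.186. Importing the CA without this flag
# changes nothing, because the option defaults to no.
# verify-server-address-from-certificate is set to no because the server
# certificate on the page has common-name=server and no SAN for the IP; once
# the server certificate carries subject-alt-name=IP:10.0.137.186, set it to
# yes so the name is checked as well.
# The certificate name cert_export_client-cert.crt_0 is what the import
# produced on this router — check /certificate print if yours differs. If the
# tunnel no longer comes up, confirm the CA is listed there too.
/interface sstp-client
add name=sstp-out1 connect-to=10.0.137.186 user=sstp-user password=password certificate=cert_export_client-cert.crt_0 profile=default-encryption verify-server-certificate=yes verify-server-address-from-certificate=no disabled=no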
# R1: static route to LAN2 via the tunnel peer address handed out in the ppp
# secret (remote-address=172.16.1.2). Nothing shown on this page filters
# traffic between the two LANs; add /ip firewall filter rules on the tunnel
# interface if only some traffic should cross.
/ip route add dst-address=192.168.2.0/24 gateway=172.16.1.2
# R2: static route to LAN1 via the tunnel peer address (R1's local-address
# from the ppp secret, 172.16.1.1). As on R1, no firewall filtering of the
# tunnel is shown on this page.
/ip route add dst-address=192.168.1.0/24 gateway=172.16.1.1
[admin@R1] > ip address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 D 10.0.137.186/24 10.0.137.0 ether1
1 192.168.1.1/24 192.168.1.0 ether2
2 D 172.16.1.1/32 172.16.1.2 <sstp-sstp-user>
Uji konektivitas LAN1 ↔ LAN2 (tiap PC mendapat IP lewat DHCP dari routernya). Pada trace di bawah, baris terakhir dengan "Destination port unreachable" adalah tanda normal bahwa probe UDP traceroute sudah sampai di tujuan, bukan kegagalan.
PC1> ip dhcp
DORA IP 192.168.1.254/24 GW 192.168.1.1
PC1> ping 192.168.2.254
84 bytes from 192.168.2.254 icmp_seq=1 ttl=62 time=2.431 ms
84 bytes from 192.168.2.254 icmp_seq=2 ttl=62 time=2.636 ms
84 bytes from 192.168.2.254 icmp_seq=3 ttl=62 time=2.033 ms
84 bytes from 192.168.2.254 icmp_seq=4 ttl=62 time=2.727 ms
84 bytes from 192.168.2.254 icmp_seq=5 ttl=62 time=2.783 ms
PC2> ip dhcp
DORA IP 192.168.2.254/24 GW 192.168.2.1
PC2> ping 192.168.1.254
84 bytes from 192.168.1.254 icmp_seq=1 ttl=62 time=3.342 ms
84 bytes from 192.168.1.254 icmp_seq=2 ttl=62 time=2.181 ms
84 bytes from 192.168.1.254 icmp_seq=3 ttl=62 time=2.470 ms
84 bytes from 192.168.1.254 icmp_seq=4 ttl=62 time=2.283 ms
84 bytes from 192.168.1.254 icmp_seq=5 ttl=62 time=1.873 ms
PC2> trace 192.168.1.254
trace to 192.168.1.254, 8 hops max, press Ctrl+C to stop
1 192.168.2.1 0.646 ms 0.465 ms 0.448 ms
2 172.16.1.1 1.797 ms 1.691 ms 1.221 ms
3 *192.168.1.254 2.022 ms (ICMP type:3, code:3, Destination port unreachable)