Topology:
+-------------------+              +---------------------------+
|                   |              |                           |
| Customer Network  |              | SAP HANA Enterprise Cloud |
|    (MikroTik)     |              |           (HEC)           |
|  192.168.88.0/24  |              |        10.10.0.0/16       |
|  IP:198.51.100.2  |              |       IP:203.0.113.1      |
+--------+----------+              +-----------+---------------+
         |                                     |
         |              Internet               |
         +----------------+--------------------+
                          |
                  IPSec VPN Tunnel
                          |
         +----------------+--------------------+
         |                                     |
+--------v----------+              +-----------v---------------+
|   VPN Gateway     |              |        L3 Router          |
|  (203.0.113.1)    |------------->|                           |
+-------------------+              +-----------+---------------+
                                               |
                                +--------------+-------------+
                                |                            |
                     +----------v--------+       +-----------v--------+
                     |  SAP App Server   |       |   SAP DB Server    |
                     +-------------------+       +--------------------+
Objective:
Build a secure IPsec site-to-site VPN connection between the MikroTik (customer side) and SAP HEC, with a high level of security.
1. Required data:
From SAP HEC:
- Public IP of the SAP HEC VPN gateway: 203.0.113.1
- Network on the SAP HEC side: 10.10.0.0/16
- Pre-shared key (PSK): StrongSAPvpnKey123
From the customer:
- Public IP of the MikroTik: 198.51.100.2
- Customer local network: 192.168.88.0/24
2. Configuration on the MikroTik (Customer Network)
a. Phase 1 configuration (IKE policy)
# Phase 1 (IKE SA) parameters live in the IPsec profile: hash, encryption,
# DH group, SA lifetime, NAT-T and dead peer detection.
/ip ipsec profile
add name=sap-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    lifetime=1h nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
# The peer references the profile; exchange-mode=ike2 selects IKEv2.
/ip ipsec peer
add name=sap-peer address=203.0.113.1/32 profile=sap-profile exchange-mode=ike2 send-initial-contact=yes
# The PSK belongs to the identity, not the peer. generate-policy=no because the
# traffic selectors are defined statically in step b (a generated policy would
# duplicate it).
/ip ipsec identity
add peer=sap-peer auth-method=pre-shared-key secret=StrongSAPvpnKey123 generate-policy=no
b. Phase 2 configuration (IPsec policy)
# Phase 2 (child SA) algorithms, with PFS on the same DH group as phase 1.
/ip ipsec proposal
add name=sap-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
# Traffic selector: customer LAN <-> SAP HEC network, tunnel mode, bound to the peer
# (the SA endpoint addresses are taken from the peer definition).
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=10.10.0.0/16 peer=sap-peer tunnel=yes \
    action=encrypt proposal=sap-proposal
c. Firewall configuration (optional but recommended)
# These rules must sit above any general drop rule in the input chain
# (use place-before= if the chain already ends with a drop).
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.1 action=accept comment="Allow IPsec IKE and NAT-T from SAP gateway"
add chain=input protocol=ipsec-esp src-address=203.0.113.1 action=accept comment="Allow IPsec ESP"
add chain=input protocol=ipsec-ah src-address=203.0.113.1 action=accept comment="Allow IPsec AH (only needed if AH is negotiated)"
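The rules above only admit the IKE and ESP traffic addressed to the router itself. Two further points usually decide whether the tunnel actually carries the LAN traffic, and carries only it. If the router masquerades the LAN towards the internet (the usual default), the srcnat rule rewrites the 192.168.88.x source before the IPsec policy selector is evaluated, so the packets never enter the tunnel; a NAT bypass rule placed first fixes that. And the forward chain should admit traffic between the two subnets only when it was really encrypted or decrypted by IPsec, which the `ipsec-policy` matcher expresses. The following is an added example, not part of the original post, and assumes an existing `chain=srcnat action=masquerade` rule and the two subnets from the diagram.

```routeros
# Added example (not from the original post). Assumes an existing
# "chain=srcnat action=masquerade" rule for internet access.
/ip firewall nat
# NAT bypass: must sit before the masquerade rule, otherwise the LAN
# source is rewritten before the IPsec policy selector can match it.
add chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=10.10.0.0/16 \
    place-before=0 comment="Bypass NAT for SAP HEC VPN traffic"

/ip firewall filter
# Only accept packets to/from the SAP network that really traversed the
# tunnel: ipsec-policy=in,ipsec matches packets that were just decrypted,
# ipsec-policy=out,ipsec matches packets that are about to be encrypted.
add chain=forward src-address=10.10.0.0/16 dst-address=192.168.88.0/24 ipsec-policy=in,ipsec \
    action=accept comment="SAP HEC -> LAN via IPsec only"
add chain=forward src-address=192.168.88.0/24 dst-address=10.10.0.0/16 ipsec-policy=out,ipsec \
    action=accept comment="LAN -> SAP HEC via IPsec only"
# Anything claiming to come from the SAP range that did not arrive through
# the tunnel (spoofed or misrouted cleartext) is logged and dropped.
add chain=forward src-address=10.10.0.0/16 ipsec-policy=in,none \
    action=drop log=yes log-prefix="sap-vpn-bypass" comment="Drop cleartext SAP-range traffic"
```

The logged `sap-vpn-bypass` entries are worth forwarding to the same monitoring system as the tunnel state: cleartext packets with a 10.10.0.0/16 source arriving on the WAN side should never occur while the tunnel is healthy.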
3. Validation and monitoring
/ip ipsec active-peers print
/ip ipsec installed-sa print
Make sure the tunnel state is established and that packets can flow to the SAP network.
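Checking the two print commands by hand works for commissioning, but a tunnel that drops at night goes unnoticed until someone logs in. The following is an added example, not part of the original post: a scheduled RouterOS script that looks for an established IKE SA to the SAP gateway and writes a warning to the log when none exists, so the log can be picked up by whatever collector is in use. It assumes the gateway address 203.0.113.1 from the configuration above and that `/ip ipsec active-peers` exposes the `remote-address`, `state` and `uptime` properties shown by `print`.

```routeros
# Added example (not from the original post). Assumes the SAP gateway
# address from the configuration above; the script and scheduler names
# are arbitrary choices made for this example.
/system script
add name=check-sap-vpn policy=read,test source={
    :local gw "203.0.113.1"
    # An entry in active-peers with state=established means the IKE SA is up.
    :local established [/ip ipsec active-peers find where remote-address=$gw and state="established"]
    :if ([:len $established] = 0) do={
        :log warning ("SAP HEC IPsec tunnel to " . $gw . " is DOWN (no established IKE SA)")
    } else={
        :local up [/ip ipsec active-peers get ($established->0) uptime]
        :log info ("SAP HEC IPsec tunnel to " . $gw . " is up, uptime " . $up)
    }
}

# Run the check every five minutes.
/system scheduler
add name=check-sap-vpn-every-5m interval=5m on-event=check-sap-vpn policy=read,test
```

With remote logging enabled (`/system logging action` pointing at a syslog collector) the warning line becomes an alert source for Zabbix or Prometheus without any agent on the router; the `uptime` value is useful for spotting a tunnel that re-establishes far more often than the configured SA lifetime would explain.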
4. Security tips:
- Use a strong PSK and keep it secret.
- Restrict VPN access to the SAP gateway IP only.
- Monitor traffic and IPsec connection logs regularly.
- Use firewall rules to restrict access between subnets.
- Consider using X.509 certificates, if SAP supports them, for additional security.
Done.
Your local network can now communicate with SAP HEC services securely and encrypted over the IPsec VPN.
For better visibility, combine this with monitoring tools such as The Dude, Zabbix, or Prometheus-Grafana to track tunnel status.


May 03, 2025
Rufaidah-network