GRE Over IPsec

A traditional policy-based IPsec VPN cannot carry multicast or broadcast traffic, so routing protocols such as OSPF and RIP cannot run directly across it. GRE fills the gap: GRE can encapsulate multicast and broadcast traffic, and IPsec can in turn wrap the GRE packets and encrypt them, which allows multicast and broadcast traffic to run securely over a VPN across the Internet.

FortiGate's interface-mode (route-based) IPsec VPN can run OSPF/RIP directly, so when both ends are FortiGates there is no need for GRE over IPsec: an interface-mode IPsec VPN provides the same function on its own. Interface mode should also be the first choice when peering with third-party equipment, since most vendors have an equivalent of FortiGate's interface mode (Cisco calls it VTI, the Virtual Tunnel Interface mode of IPsec VPN). GRE over IPsec is an older technique that interface mode can replace almost entirely.

So when is GRE over IPsec still needed?

1. When replacing a third-party device that was running GRE over IPsec
2. When the peer is a third-party device that can only interconnect using GRE over IPsec

If every firewall is a FortiGate, the recommendation is to run the routing protocol directly over an interface-mode IPsec VPN. Where third-party devices are involved and GRE over IPsec is mandatory, use the method described here for the interconnection and deployment.

GRE over IPsec evolution diagram: (figure not reproduced)

GRE over IPsec configuration example:

I. Networking requirements

As shown in the topology, the two LANs are connected over a GRE over IPsec VPN so that the 192.168.111.0/24 and 192.168.112.0/24 subnets can reach each other.

II. Network topology (diagram not reproduced; the addresses used are the ones in the configuration below)

III. Configuration outline

1. Configure FortiGate1

    1) Basic Internet access configuration

    2) GRE over IPsec configuration (the VPN part can only be configured from the CLI)

2. Configure the Cisco router

    1) Basic Internet access configuration

    2) GRE over IPsec configuration

Note: before deleting the IPsec VPN phase 1 or phase 2 configuration, first delete the routes and firewall policies that reference the tunnel.

IV. Configuration steps

1. Configure FortiGate1

1) Basic Internet access configuration

2) GRE over IPsec configuration (the VPN part can only be configured from the CLI)

Phase 1 configuration:

config vpn ipsec phase1-interface
    edit "VPN-TO-Side1"
        set interface "port1"
        set peertype any
        set proposal 3des-md5 aes128-sha1
        set dhgrp 2 5 14
        set encapsulation gre
        set remote-gw 101.100.1.1
        set psksecret Fortinet123#
    next
end

Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "VPN-TO-Side1"
        set phase1name "VPN-TO-Side1"
        set proposal 3des-md5 aes128-sha1
        set dhgrp 2 5 14
        set auto-negotiate enable
        set encapsulation transport-mode
        set protocol 47
    next
end

Assign the GRE over IPsec tunnel addresses to the IPsec VPN tunnel interface:

config system interface
    edit "VPN-TO-Side1"
        set ip 1.1.1.1 255.255.255.255
        set remote-ip 1.1.1.2 255.255.255.0
        set allowaccess ping
    next
end

Configure the firewall policies:
 config firewall address
    edit "Local_192.168.111.0/24"
        set allow-routing enable
        set subnet 192.168.111.0 255.255.255.0
    next
    edit "Remote_192.168.112.0/24"
        set allow-routing enable
        set subnet 192.168.112.0 255.255.255.0
    next
 end

 config firewall policy
    edit 4
        set name "Deny_VPN_Flow_to_Internet"     // Works like a blackhole route: when the VPN is down it stops VPN traffic from leaving through the Internet interface, which would create wrong sessions and keep the traffic broken after the VPN recovers. Put it at the top so it is matched first.
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Local_192.168.111.0/24"
        set dstaddr "Remote_192.168.112.0/24"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
    edit 1
        set name "TO-Internet"         // Policy for LAN users to reach the Internet
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
    edit 2
        set name "VPN-Local-TO-SIDE1"
        set srcintf "port2"
        set dstintf "VPN-TO-Side1"
        set srcaddr "Local_192.168.111.0/24"
        set dstaddr "Remote_192.168.112.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "VPN-Side1-to-LOCAL"
        set srcintf "VPN-TO-Side1"
        set dstintf "port2"
        set srcaddr "Remote_192.168.112.0/24"
        set dstaddr "Local_192.168.111.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
 end
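The ordering argument behind policy 4 can be checked with a small model. The following is an added example, not code from the article: it simulates FortiGate forwarding as a longest-prefix route lookup that picks the egress interface, followed by a first-match walk of the policy list, and runs the LAN-to-LAN flow with the tunnel up, with it down, and with it down but the deny policy missing. The policies, interfaces and addresses are those in the configuration above; the routing-table states and the "blackhole" route variant are constructed for the demonstration.

```python
"""Added example (not from the article): a toy model of FortiGate forwarding, used to show why
the Deny_VPN_Flow_to_Internet policy has to sit in front of TO-Internet. Policies, interfaces and
addresses are those in the article's configuration; the routing-table states are constructed."""
import ipaddress

# Firewall policies in the order the article installs them (policy 4 placed first).
POLICIES = [
    {"name": "Deny_VPN_Flow_to_Internet", "srcintf": "port2", "dstintf": "port1",
     "src": "192.168.111.0/24", "dst": "192.168.112.0/24", "action": "deny", "nat": False},
    {"name": "TO-Internet", "srcintf": "port2", "dstintf": "port1",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "accept", "nat": True},
    {"name": "VPN-Local-TO-SIDE1", "srcintf": "port2", "dstintf": "VPN-TO-Side1",
     "src": "192.168.111.0/24", "dst": "192.168.112.0/24", "action": "accept", "nat": False},
    {"name": "VPN-Side1-to-LOCAL", "srcintf": "VPN-TO-Side1", "dstintf": "port2",
     "src": "192.168.112.0/24", "dst": "192.168.111.0/24", "action": "accept", "nat": False},
]

# Routing table as (prefix, egress interface) in three constructed states.
ROUTES_TUNNEL_UP = [("0.0.0.0/0", "port1"), ("192.168.111.0/24", "port2"),
                    ("192.168.112.0/24", "VPN-TO-Side1")]          # OSPF route learned over the tunnel
ROUTES_TUNNEL_DOWN = [("0.0.0.0/0", "port1"), ("192.168.111.0/24", "port2")]
# Alternative the article's comment mentions: a static blackhole route that only wins once the OSPF route is gone
ROUTES_TUNNEL_DOWN_BLACKHOLE = ROUTES_TUNNEL_DOWN + [("192.168.112.0/24", "blackhole")]

def egress_interface(routes, dst):
    """Longest-prefix match: the most specific route decides the egress interface."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forward(policies, routes, srcintf, src, dst):
    """Return (policy name, action, nat) for the first policy that matches the flow."""
    dstintf = egress_interface(routes, dst)
    if dstintf is None:
        return (None, "drop-no-route", False)
    if dstintf == "blackhole":
        return (None, "drop-blackhole-route", False)
    for p in policies:
        if (p["srcintf"] == srcintf and p["dstintf"] == dstintf
                and ipaddress.ip_address(src) in ipaddress.ip_network(p["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(p["dst"])):
            return (p["name"], p["action"], p["nat"])
    return (None, "implicit-deny", False)

if __name__ == "__main__":
    flow = ("port2", "192.168.111.100", "192.168.112.100")
    print("tunnel up:                     ", forward(POLICIES, ROUTES_TUNNEL_UP, *flow))
    print("tunnel down, deny policy first:", forward(POLICIES, ROUTES_TUNNEL_DOWN, *flow))
    print("tunnel down, no deny policy:   ", forward(POLICIES[1:], ROUTES_TUNNEL_DOWN, *flow))
    print("tunnel down, blackhole route:  ", forward(POLICIES[1:], ROUTES_TUNNEL_DOWN_BLACKHOLE, *flow))
```

With the tunnel down, the 192.168.112.0/24 route disappears, the flow falls onto the default route out port1, and without policy 4 in front it would be NATed to the Internet and create the stale sessions the comment warns about; the deny policy or a blackhole route both stop that.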

 
Configure OSPF so that routes are exchanged across the whole network:
On some low-end models the GUI hides the OSPF routing feature and it must be enabled first (screenshot not reproduced):

Adjust and tune the OSPF configuration from the CLI:

 config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "gre-over-ipsec-tunnel"
            set interface "VPN-TO-Side1"
            set dead-interval 40
            set hello-interval 10
            set mtu-ignore enable   // Prevents an OSPF adjacency failure due to a tunnel MTU mismatch; the default MTU of a Cisco tunnel may differ from the FortiGate's
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.111.0 255.255.255.0
        next
    end
 end
 

2. Configure the Cisco router

1) Basic Internet access configuration

interface Ethernet0/0
 ip address 101.100.1.1 255.255.255.0
 ip nat outside
!
interface Ethernet0/1
 ip address 192.168.112.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 101.100.1.254
!
access-list 101 permit ip any any

2) GRE over IPsec configuration
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 5
crypto isakmp key Fortinet123# address 202.106.1.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MY-Trans esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile MY-IPsec-Pro
 set transform-set MY-Trans
 set pfs group5
!
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 ip mtu 1400
 ip ospf mtu-ignore
 tunnel source Ethernet0/0
 tunnel destination 202.106.1.1
 tunnel protection ipsec profile MY-IPsec-Pro
!
router ospf 10
 router-id 1.1.1.2
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.112.0 0.0.0.255 area 0
!

V. Verify the configuration

Status on the FortiGate_Center side:

Center # get router info ospf  neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.2           1   Full/ -         00:00:38    1.1.1.2         VPN-TO-Side1

Center # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       1.1.1.0/24 is directly connected, VPN-TO-Side1
C       1.1.1.1/32 is directly connected, VPN-TO-Side1
C       192.168.111.0/24 is directly connected, port2
O       192.168.112.0/24 [110/110] via 1.1.1.2, VPN-TO-Side1, 00:13:56
C       202.106.1.0/24 is directly connected, port1

Center # get vpn ike gateway

vd: root/0
name: VPN-TO-Side1
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 101.100.1.1:500
created: 997s ago
IKE SA  created: 2/2  established: 2/2  time: 20/10535/21050 ms
IPsec SA  created: 2/3  established: 1/1  time: 30/30/30 ms

  id/spi: 50 4e99d6040b0fd034/0e08876d1052f34d
  direction: responder
  status: established 985-985s ago = 20ms
  proposal: 3des-md5
  key: 270ba865933965f6-e22301080e4e34a5-68667e9af08f8c3a
  lifetime/rekey: 86400/85144
  DPD sent/recv: 00000000/00000000

  id/spi: 49 4f588d0c8efe83d6/6a125190cd6fa718
  direction: initiator
  status: established 997-976s ago = 21050ms
  proposal: 3des-md5
  key: def8a1f5a33a0a86-a5f3d05b94562b91-54aa53fac2b08dc8
  lifetime/rekey: 86400/85123
  DPD sent/recv: 00000003/00000000

Center # get vpn ipsec tunnel details

gateway
  name: 'VPN-TO-Side1'
  type: route-based
  local-gateway: 202.106.1.1:0 (static)
  remote-gateway: 101.100.1.1:0 (static)
  mode: ike-v1
  interface: 'port1' (3)
  rx  packets: 3123  bytes: 497216  errors: 0
  tx  packets: 3130  bytes: 309388  errors: 2
  dpd: on-demand/negotiated  idle: 20000ms  retry: 3  count: 0
  selectors
    name: 'VPN-TO-Side1'
    auto-negotiate: enable
    mode: transport
    src: 47:0.0.0.0/0.0.0.0:0
    dst: 47:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 3600/2346  
      mtu: 1446
      tx-esp-seq: c3b
      replay: enabled
      inbound
        spi: 9e324961
        enc:    3des  5c695804127b0260ac04f2e171c41d2823302eff53ba1ee6
        auth:    md5  1a16f8091aadfdcd29022d7a90d180ab
      outbound
        spi: 427072e7
        enc:    3des  3cf656f3f75d851eb6a64121cadf1bc3d5b71862e6130bd0
        auth:    md5  70cf2b3504455f9d077b158d1b1c85f9

Center # 

Traffic test: (screenshot not reproduced)

Status on the Cisco_Router_Side1 side:

Side-1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:34    1.1.1.1         Tunnel0
Side-1#

Side-1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 101.100.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 101.100.1.254
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel0
L        1.1.1.2/32 is directly connected, Tunnel0
      101.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        101.100.1.0/24 is directly connected, Ethernet0/0
L        101.100.1.1/32 is directly connected, Ethernet0/0
O     192.168.111.0/24 [110/1001] via 1.1.1.1, 00:19:50, Tunnel0
      192.168.112.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.112.0/24 is directly connected, Ethernet0/1
L        192.168.112.1/32 is directly connected, Ethernet0/1
Side-1# 

Side-1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
101.100.1.1     202.106.1.1     QM_IDLE           1002 ACTIVE
202.106.1.1     101.100.1.1     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

Side-1#

Side-1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 101.100.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (101.100.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (202.106.1.1/255.255.255.255/47/0)
   current_peer 202.106.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3166, #pkts encrypt: 3166, #pkts digest: 3166
    #pkts decaps: 3170, #pkts decrypt: 3170, #pkts verify: 3170
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 101.100.1.1, remote crypto endpt.: 202.106.1.1
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x9E324961(2654095713)
     PFS (Y/N): Y, DH group: group5

     inbound esp sas:
      spi: 0x427072E7(1114665703)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4222760/2257)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9E324961(2654095713)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4222760/2257)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Side-1#

 Side-1# show crypto engine connections  active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+MD5                  0     3174     3177 101.100.1.1
    2  IPsec   3DES+MD5               3170        0        0 101.100.1.1
1001  IKE     MD5+3DES                  0        0        0 101.100.1.1
1002  IKE     MD5+3DES                  0        0        0 101.100.1.1

Traffic test: (screenshot not reproduced)

Packet capture:
Center # dia sni pa any "host 192.168.112.100 or host 101.100.1.1" 4
interfaces=[any]
filters=[host 192.168.112.100 or host 101.100.1.1]
3.041043 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo request
3.041103 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo request
3.041134 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x427072e7,seq=0xd18)

3.042415 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0x9e324961,seq=0xd15)
3.042439 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo reply
3.042455 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo reply


4.043225 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo request
4.043298 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo request
4.043331 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x427072e7,seq=0xd19)

4.044671 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0x9e324961,seq=0xd16)
4.044695 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo reply
4.044708 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo reply


5.045694 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo request
5.045773 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo request
5.045805 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x427072e7,seq=0xd1a)

5.047271 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0x9e324961,seq=0xd17)
5.047296 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo reply
5.047312 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo reply


6.048179 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo request
6.048321 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo request
6.048359 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x427072e7,seq=0xd1b)

6.049981 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0x9e324961,seq=0xd18)
6.050004 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo reply
6.050017 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo reply


7.051520 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo request
7.051592 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo request
7.051624 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x427072e7,seq=0xd1c)

7.053337 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0x9e324961,seq=0xd19)
7.053365 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo reply
7.053384 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo reply



Note that no GRE packets are visible anywhere on the wire: the GRE packets are encapsulated inside IPsec ESP packets and protected by encryption.
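To make that point concrete, here is an added example (not part of the original article) that walks the layers of two constructed packets: the GRE packet as the FortiGate builds it before IPsec, and the same packet as it appears on port1 once ESP transport mode has protected it. The addresses, SPI and ESP sequence number are the ones in the capture above; the packets are built here, and the ESP payload is stand-in bytes rather than real ciphertext.

```python
"""Added example, not from the original article: a minimal layer walker over two constructed
packets, showing what the capture points in the article's sniffer output can and cannot see.
Addresses, SPI and ESP sequence number are the ones in that capture; the packets are built here
and the ESP payload is stand-in bytes, not real ciphertext."""
import socket
import struct

def _checksum(data):
    """Internet checksum (RFC 1071); returns 0 over a header that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def icmp_echo(request=True, data=b"constructed-probe"):
    hdr = struct.pack("!BBHHH", 8 if request else 0, 0, 0, 1, 1)
    return hdr[:2] + struct.pack("!H", _checksum(hdr + data)) + hdr[4:] + data

def gre(inner_ip):
    # RFC 2784 base header: no checksum/key/sequence bits, payload type 0x0800 (IPv4)
    return struct.pack("!HH", 0, 0x0800) + inner_ip

def esp(spi, seq, opaque):
    # ESP header is SPI + sequence number; everything after it is ciphertext plus trailer and ICV
    return struct.pack("!II", spi, seq) + opaque

def walk(packet):
    """Describe each layer, descending as far as the bytes allow without any keys."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or _checksum(packet[:ihl]) != 0:
        return ["malformed IPv4 header"]
    layers = ["IP %s -> %s proto %d" % (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto)]
    payload = packet[ihl:total]
    if proto == 47:                                  # GRE: header grows with the C, K and S flag bits
        flags, ptype = struct.unpack("!HH", payload[:4])
        hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        layers.append("GRE proto=0x%04x" % ptype)
        if ptype == 0x0800:
            layers += walk(payload[hdr_len:])
    elif proto == 50:                                # ESP: only SPI and sequence are readable
        spi, seq = struct.unpack("!II", payload[:8])
        layers.append("ESP(spi=0x%x,seq=0x%x) %d opaque bytes" % (spi, seq, len(payload) - 8))
    elif proto == 1:
        layers.append("icmp: " + {8: "echo request", 0: "echo reply"}.get(payload[0], "type %d" % payload[0]))
    return layers

# The ping from the capture: the inner packet, the GRE packet the FortiGate builds before IPsec,
# and what leaves port1 once ESP transport mode has replaced the GRE payload with ciphertext.
INNER = ipv4("192.168.111.100", "192.168.112.100", 1, icmp_echo())
PLAIN_GRE = ipv4("202.106.1.1", "101.100.1.1", 47, gre(INNER))
STANDIN_CIPHERTEXT = bytes((i * 37) & 0xFF for i in range(len(gre(INNER)) + 24))   # not real encryption
ON_THE_WIRE = ipv4("202.106.1.1", "101.100.1.1", 50, esp(0x427072E7, 0xD18, STANDIN_CIPHERTEXT))

if __name__ == "__main__":
    for name, pkt in (("GRE packet before ESP (never seen by the sniffer)", PLAIN_GRE),
                      ("port1 out (on the wire)", ON_THE_WIRE)):
        print(name, *walk(pkt), sep="\n  ")
```

The walk over the on-the-wire packet stops at the ESP header with exactly the fields the sniffer printed (SPI and sequence), while the inner addresses, the GRE header and the ICMP type are only reachable from the plaintext packet that exists inside the FortiGate before encryption.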

Reference documents:
GRE over IPsec configuration for newer firmware versions (this section is based on this document):
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40312&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=113996731&stateId=0%200%20113994905

GRE over IPsec configuration for older firmware versions (considerably more complex; not recommended unless the firmware is too old to support the newer method):
https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD40311&languageId=