I. Network requirements

As shown in the figure, the company headquarters has an OA server on its internal network, and the other two branch offices each need to dial in to the headquarters intranet over VPN to access the OA server. To keep the configuration simple, headquarters does not want much configuration: it builds only one VPN tunnel that carries the communication between all branches and headquarters. A dynamic routing protocol also needs to run so that the routes of headquarters and the branches are fully exchanged. All SPOKE traffic is relayed through the HUB. This is not ADVPN.

II. Network topology

HUB and SPOKEs learn the business subnet routes of the whole network through dynamic routing, and all traffic between SPOKEs is relayed through the HUB. Topology for this configuration example:

VPN tunnel IP address allocation and BGP planning:

III. Configuration outline

1. Configure FortiGate1

    1) Basic Internet access configuration

    2) HUB-side IPsec VPN configuration

2. Configure FortiGate2

    1) Basic Internet access configuration

    2) SPOKE (SH) side IPsec VPN configuration

3. Configure FortiGate3

    1) Basic Internet access configuration

    2) SPOKE (GZ) side IPsec VPN configuration

Note: to delete an IPsec VPN phase 1 or phase 2, first delete the routes and firewall policies that reference it.

IV. Configuration steps

1. Configure FortiGate1 (BJ) --- HUB --- FortiGate1-HQ-BJ

1) Basic Internet access configuration

For the detailed procedure, refer to the section "Routing mode typical features -- single-line Internet access -- static-address line Internet access configuration":

Interface IP configuration:

    

Route configuration:

2) HUB-side IPsec VPN configuration

Configure IPsec VPN phase 1 (note: the VPN is named ADVPN, but that is only a name; this is not an ADVPN configuration. ADVPN itself is covered in the ADVPN chapter.)

config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set dpd on-idle
        set exchange-interface-ip enable
        set add-route disable
        set net-device disable
        set tunnel-search nexthop
        set psksecret Fortinet123#
        set dpd-retryinterval 60
    next
end

Notes:

1. Because headquarters must establish IPsec VPNs with SPOKEs of different access types (static IP / PPPoE), the HUB must use dynamic mode.

2. In newer versions ADVPN supports both main mode and aggressive mode (older versions do not support aggressive mode); main mode is normally the right choice.

3. "exchange-interface-ip enable" must be turned on. Even when ADVPN is not used this command is required: it lets the HUB tell the Spoke that its overlay IP is 10.10.10.1, so that the next hop of the peer's routes becomes 10.10.10.1. This is a better way to run BGP/OSPF over dial-up IPsec than mode-cfg. (diagnose vpn ike gateway list: virtual-interface-addr: 10.10.10.1 -> 10.10.10.2)

4. Because BGP is used as the dynamic routing protocol, automatic route addition must be turned off: "add-route disable".

5. "net-device disable" is the default in newer versions; keep the default of disable.

6. "tunnel-search nexthop": the next hop must be found by a route lookup, so choose nexthop rather than selectors (interesting traffic).
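Checking a hub phase1 against the notes above can be automated. The following Python is an added example (not FortiGate code and not from the original page): it parses the CLI block as pasted, verifies the five settings the notes require, and flags the des-md5 / des-sha1 proposals used in this lab, which are acceptable for a demonstration but should not be carried into production.

```python
"""Audit a FortiOS 'config vpn ipsec phase1-interface' block for the hub-side
settings this example relies on. Added example, not FortiGate code: it parses
the CLI text as shown above and reports any setting that would break routing
over the dial-up tunnel, plus IKE proposals built from weak algorithms."""
import re

# Settings the notes above require on the HUB phase1 (taken from the text).
HUB_REQUIRED = {
    "type": "dynamic",                  # one dial-up phase1 for all spokes
    "exchange-interface-ip": "enable",  # advertise the overlay IP to the peer
    "add-route": "disable",             # BGP/OSPF installs routes, not IKE
    "net-device": "disable",            # one tunnel interface for all spokes
    "tunnel-search": "nexthop",         # route lookup picks the spoke tunnel
}
# Algorithms a defender should not accept in a new deployment.
WEAK_ALGOS = {"des", "3des", "md5", "sha1"}

# Constructed sample: the HUB phase1 block from this page.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set dpd on-idle
        set exchange-interface-ip enable
        set add-route disable
        set net-device disable
        set tunnel-search nexthop
        set psksecret Fortinet123#
        set dpd-retryinterval 60
    next
end
"""


def parse_phase1(text):
    """Return {phase1_name: {setting: [values]}} from a FortiOS CLI block."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, *values = line[4:].split()
            entries[current][key] = [v.strip('"') for v in values]
        elif line == "next":
            current = None
    return entries


def audit_hub_phase1(settings):
    """Return a list of findings; an empty list means the block passes."""
    findings = []
    for key, want in HUB_REQUIRED.items():
        got = settings.get(key, ["<unset>"])[0]
        if got != want:
            findings.append(f"{key}={got}, expected {want}")
    for proposal in settings.get("proposal", []):
        if set(proposal.split("-")) & WEAK_ALGOS:
            findings.append(f"weak proposal {proposal}")
    if settings.get("peertype", [""])[0] == "any" and "psksecret" in settings:
        findings.append("peertype any with one shared PSK: every spoke shares "
                        "the same secret; consider peer IDs or certificates")
    return findings


if __name__ == "__main__":
    for name, settings in parse_phase1(SAMPLE_CONFIG).items():
        for finding in audit_hub_phase1(settings):
            print(f"{name}: {finding}")
```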

Configure IPsec VPN phase 2

config vpn ipsec phase2-interface
    edit "ADVPN"
        set phase1name "ADVPN"
        set proposal des-md5 des-sha1
        set keepalive enable
    next
end

Configure the IPsec VPN tunnel IP

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0   // 10.10.10.254 is not a real IP; choose an unused reserved address
        set role lan
        set interface "port1"
    next
end

Note: 1. remote-ip 10.10.10.254 is a reserved IP that no Spoke uses. An IPsec tunnel is a point-to-point tunnel, but here this one tunnel must serve several SPOKEs at the same time, so the remote IP must not be set to the IP of an existing SPOKE.

Configure BGP and the route reflector

config router bgp
    set as 100
    set router-id 10.10.10.1
    config neighbor-group                       // neighbor-group feature
        edit "ADVPN-PEERS"
            set remote-as 100
            set route-reflector-client enable   // make the peers RR (route reflector) clients
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "ADVPN-PEERS"
        next
    end
    config network
        edit 1
            set prefix 192.168.0.0 255.255.255.0   // advertise the HQ subnet
        next
    end
end

Notes: 1. With the BGP neighbor-group feature, any BGP peer whose address matches the prefix 10.10.10.0/24 can establish a BGP neighbor relationship with the HUB.

2. Setting the neighbors as Route-Reflector-Clients makes this device the route reflector (Route-Reflector); the route-reflector mechanism keeps the routes of the whole network synchronized in real time.

Firewall policy configuration

config firewall policy
    edit 2
        set name "VPN-IN"
        set srcintf "ADVPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-OUT"
        set srcintf "port2"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "SPOKE-TO-SPOKE"
        set srcintf "ADVPN"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

                      

Note: be sure to configure the policy that permits traffic between SPOKEs.

2. Configure FortiGate2 (SH) --- SPOKE --- FortiGate2-Branch-SH

1) Basic Internet access configuration

Interface IP configuration:

The default route is obtained automatically via DHCP:

2) SPOKE (SH) side IPsec VPN configuration

Configure IPsec VPN phase 1 (note: the VPN is named ADVPN, but that is only a name; this is not an ADVPN configuration. ADVPN itself is covered in the ADVPN chapter.)

config vpn ipsec phase1-interface
    edit "ADVPN"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set exchange-interface-ip enable
        set remote-gw 100.1.1.1
        set psksecret Fortinet123#
    next
end

Notes:

1. Because the public IP of the headquarters HUB is fixed, the branch configures a static IPsec VPN.

2. "exchange-interface-ip enable" must be turned on. Even when ADVPN is not used this command is required: it lets the SPOKE tell the HUB that its overlay IP is 10.10.10.2, so that the next hop of the peer's routes becomes 10.10.10.2. This is a better way to run BGP/OSPF over dial-up IPsec than mode-cfg. (diagnose vpn ike gateway list: virtual-interface-addr: 10.10.10.1 -> 10.10.10.2)

Configure IPsec VPN phase 2

config vpn ipsec phase2-interface
    edit "ADVPN"
        set phase1name "ADVPN"
        set proposal des-md5 des-sha1
        set auto-negotiate enable
    next
end

Configure the IPsec VPN tunnel IP

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.1 255.255.255.0   // points to the HUB's tunnel IP
        set role lan
        set interface "port1"
    next
end

Configure BGP and advertise the business subnet

config router bgp
    set as 100
    set router-id 10.10.10.2
    config neighbor
        edit "10.10.10.1"                      // only a BGP neighbor with the HUB is needed
            set remote-as 100
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0   // advertise the business subnet
        next
    end
end

Firewall policy configuration

config firewall policy
    edit 2
        set name "VPN-IN"
        set srcintf "ADVPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-OUT"
        set srcintf "port2"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3. Configure FortiGate3 (GZ) --- SPOKE --- FortiGate3-Branch-GZ

1) Basic Internet access configuration

Interface IP configuration:

The default route is obtained automatically via PPPoE:

2) SPOKE (GZ) side IPsec VPN configuration

Configure IPsec VPN phase 1 (note: the VPN is named ADVPN, but that is only a name; this is not an ADVPN configuration. ADVPN itself is covered in the ADVPN chapter.)

config vpn ipsec phase1-interface
    edit "ADVPN"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set exchange-interface-ip enable
        set remote-gw 100.1.1.1
        set psksecret Fortinet123#
    next
end

Notes:

1. Because the public IP of the headquarters HUB is fixed, the branch configures a static IPsec VPN.

2. "exchange-interface-ip enable" must be turned on. Even when ADVPN is not used this command is required: it lets the SPOKE tell the HUB that its overlay IP is 10.10.10.3, so that the next hop of the peer's routes becomes 10.10.10.3. This is a better way to run BGP/OSPF over dial-up IPsec than mode-cfg. (diagnose vpn ike gateway list: virtual-interface-addr: 10.10.10.1 -> 10.10.10.3)

Configure IPsec VPN phase 2

config vpn ipsec phase2-interface
    edit "ADVPN"
        set phase1name "ADVPN"
        set proposal des-md5 des-sha1
        set auto-negotiate enable
    next
end

Configure the IPsec VPN tunnel IP

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.3 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.1 255.255.255.0   // points to the HUB's tunnel IP
        set role lan
        set interface "port1"
    next
end

Configure BGP and advertise the business subnet

config router bgp
    set as 100
    set router-id 10.10.10.3                   // each BGP speaker needs its own router-id; this spoke uses its overlay IP
    config neighbor
        edit "10.10.10.1"                      // only a BGP neighbor with the HUB is needed
            set remote-as 100
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0   // advertise the business subnet
        next
    end
end

Firewall policy configuration

config firewall policy
    edit 2
        set name "VPN-IN"
        set srcintf "ADVPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-OUT"
        set srcintf "port2"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end


The HUB/Spoke1/Spoke2 configuration is now complete.

V. Verifying the configuration

Observe the status on HUB/SPOKE1/SPOKE2:

HUB (BJ) status

HUB IPsec VPN establishment:

Monitor ---> IPsec Monitor

HUB route learning:

Monitor ---> Routing Monitor

FortiGate1-HQ-BJ #  get router info routing-table all
S*      0.0.0.0/0 [10/0] via 100.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.1/32 is directly connected, ADVPN
C       100.1.1.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port2
B       192.168.1.0/24 [200/0] via 10.10.10.2, ADVPN, 07:56:26
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN, 07:57:58

SPOKE1 (SH) status

SPOKE1 IPsec VPN establishment (IPsec is established only with the HUB):

Monitor ---> IPsec Monitor

SPOKE1 route learning:

Monitor ---> Routing Monitor

FortiGate2-Branch-SH # get router info routing-table all
S*      0.0.0.0/0 [5/0] via 101.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.2/32 is directly connected, ADVPN
C       101.1.1.0/24 is directly connected, port1
B       192.168.0.0/24 [200/0] via 10.10.10.1, ADVPN, 07:55:45
C       192.168.1.0/24 is directly connected, port2
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN, 07:55:45
S       192.168.91.0/24 [10/0] is directly connected, port1

SPOKE2 (GZ) status

SPOKE2 IPsec VPN establishment (IPsec is established only with the HUB):

Monitor ---> IPsec Monitor

SPOKE2 route learning:

Monitor ---> Routing Monitor

FortiGate3-Branch-GZ # get router info routing-table all
S*      0.0.0.0/0 [5/0] via 102.1.1.254, ppp0
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.3/32 is directly connected, ADVPN
C       102.1.1.1/32 is directly connected, ppp0
C       102.1.1.254/32 is directly connected, ppp0
B       192.168.0.0/24 [200/0] via 10.10.10.1, ADVPN, 08:02:06
B       192.168.1.0/24 [200/0] via 10.10.10.2, ADVPN, 08:00:15
C       192.168.2.0/24 is directly connected, port2
S       192.168.91.0/24 [10/0] via 102.1.1.254, ppp0
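The three routing tables above can be checked against the overlay plan mechanically. The following Python is an added example (not FortiGate code and not from the original page): it parses "get router info routing-table all" output and verifies that the local subnet is connected and that every remote business subnet is learned dynamically over ADVPN with the planned overlay next hop. The sample plan is the BGP route-reflector design of this page, where a spoke sees the other spoke's overlay IP as next hop; the same check applies to the OSPF tables in the appendix with the HUB's 10.10.10.1 as the planned next hop for the remote spoke.

```python
"""Check FortiGate 'get router info routing-table all' output against the
overlay plan of this example. Added example, not FortiGate code: each remote
business subnet must be reachable over the ADVPN tunnel interface with the
planned overlay next hop, and the local subnet must be directly connected."""
import re

# Constructed sample: the SPOKE1 (SH) routing table shown above.
SPOKE1_TABLE = """\
S*      0.0.0.0/0 [5/0] via 101.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.2/32 is directly connected, ADVPN
C       101.1.1.0/24 is directly connected, port1
B       192.168.0.0/24 [200/0] via 10.10.10.1, ADVPN, 07:55:45
C       192.168.1.0/24 is directly connected, port2
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN, 07:55:45
S       192.168.91.0/24 [10/0] is directly connected, port1
"""

# One FortiOS route line: code, prefix, optional [distance/metric],
# then either "via <nexthop>, <iface>" or "is directly connected, <iface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\S+)\s+(?:\[\d+/\d+\]\s+)?"
    r"(?:via\s+(?P<nexthop>\S+?),|is directly connected,)\s+(?P<iface>\S+?)(?:,|$)")


def parse_routes(text):
    """Return {prefix: (code, nexthop or None, interface)}; header lines
    such as 'Codes: ...' do not match the pattern and are skipped."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m["prefix"]] = (m["code"].rstrip("*"), m["nexthop"], m["iface"])
    return routes


def check_overlay(routes, local_prefix, expected_remote, tunnel="ADVPN"):
    """expected_remote maps remote prefix -> planned overlay next hop.
    Returns a list of problems; an empty list means the table matches the plan."""
    problems = []
    code, _, _ = routes.get(local_prefix, (None, None, None))
    if code != "C":
        problems.append(f"{local_prefix}: expected connected, got {code}")
    for prefix, want_nh in expected_remote.items():
        if prefix not in routes:
            problems.append(f"{prefix}: missing")
            continue
        code, nh, iface = routes[prefix]
        if code not in ("B", "O"):
            problems.append(f"{prefix}: not learned dynamically (code {code})")
        if nh != want_nh or iface != tunnel:
            problems.append(f"{prefix}: via {nh} on {iface}, "
                            f"expected {want_nh} on {tunnel}")
    return problems


if __name__ == "__main__":
    # BGP with the route reflector: SH sees GZ's own overlay IP as next hop.
    plan = {"192.168.0.0/24": "10.10.10.1", "192.168.2.0/24": "10.10.10.3"}
    print(check_overlay(parse_routes(SPOKE1_TABLE), "192.168.1.0/24", plan))
```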


VPN status on the HUB side:

FortiGate1-HQ-BJ # diagnose ip address list
IP=100.1.1.1->100.1.1.1/255.255.255.0 index=3 devname=port1
IP=192.168.0.99->192.168.0.99/255.255.255.0 index=4 devname=port2
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=root
IP=10.10.10.1->10.10.10.254/255.255.255.0 index=9 devname=ADVPN
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=10 devname=vsys_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=12 devname=vsys_fgfm

FortiGate1-HQ-BJ #
FortiGate1-HQ-BJ # diagnose vpn ike  gateway  list

vd: root/0
name: ADVPN_0
version: 1
interface: port1 3
addr: 100.1.1.1:500 -> 102.1.1.1:500
virtual-interface-addr: 10.10.10.1 -> 10.10.10.3
created: 6904s ago
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 0 acffde42398849aa/8bc3ec7da98feb75
  direction: responder
  status: established 6904-6904s ago = 10ms
  proposal: des-md5
  key: f8712d672738351c
  lifetime/rekey: 86400/79225
  DPD sent/recv: 00000000/00001767

vd: root/0
name: ADVPN_1
version: 1
interface: port1 3
addr: 100.1.1.1:500 -> 101.1.1.1:500
virtual-interface-addr: 10.10.10.1 -> 10.10.10.2
created: 6879s ago
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 1 0f23e05feaa875ac/10d2d491090983ca
  direction: responder
  status: established 6879-6879s ago = 10ms
  proposal: des-md5
  key: f573d6955b1c9f0b
  lifetime/rekey: 86400/79250
  DPD sent/recv: 00000000/000011bb

FortiGate1-HQ-BJ #
FortiGate1-HQ-BJ # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ADVPN_0 ver=1 serial=d 100.1.1.1:0->102.1.1.1:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/160 options[00a0]=search-nexthop rgwy-chg
parent=ADVPN index=0
proxyid_num=1 child_num=0 refcnt=6 ilast=4 olast=4 ad=/0
stat: rxp=1034 txp=333 rxb=123248 txb=21513
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=227 type=00 soft=0 mtu=1446 expire=36281/0B replaywin=2048
       seqno=14e esn=0 replaywin_lastseq=0000040b itn=0
  life: type=01 bytes=0/0 timeout=43189/43200
  dec: spi=a30395c4 esp=des key=8 4b834b4063b3f0fe
       ah=md5 key=16 a3e5defc6c65b8531cf14aaf9232704e
  enc: spi=a4b67fda esp=des key=8 afcd5b6385b7d896
       ah=md5 key=16 47fad9b37148d4f3faf2617b7e065d82
  dec:pkts/bytes=1034/66009, enc:pkts/bytes=333/39536
------------------------------------------------------
name=ADVPN_1 ver=1 serial=e 100.1.1.1:0->101.1.1.1:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/160 options[00a0]=search-nexthop rgwy-chg
parent=ADVPN index=1
proxyid_num=1 child_num=0 refcnt=6 ilast=9 olast=9 ad=/0
stat: rxp=1033 txp=339 rxb=123136 txb=21907
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=227 type=00 soft=0 mtu=1446 expire=36306/0B replaywin=2048
       seqno=154 esn=0 replaywin_lastseq=0000040a itn=0
  life: type=01 bytes=0/0 timeout=43189/43200
  dec: spi=a30395c5 esp=des key=8 3c52877b7955f7c8
       ah=md5 key=16 4670d5cfe996dd6420bb33fce7935bc1
  enc: spi=e6ec833d esp=des key=8 969ea5e07aeefa45
       ah=md5 key=16 dc73c2b9cb1922d6af08be3308e1585f
  dec:pkts/bytes=1033/65960, enc:pkts/bytes=339/40240
------------------------------------------------------
name=ADVPN ver=1 serial=1 100.1.1.1:0->0.0.0.0:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/32 options[0020]=search-nexthop
proxyid_num=0 child_num=2 refcnt=20 ilast=7412 olast=7412 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=2
ipv4 route tree:
10.10.10.2 1
10.10.10.3 0
101.1.1.1 1
102.1.1.1 0

FortiGate1-HQ-BJ # get vpn ipsec tunnel summary
'ADVPN_0' 102.1.1.1:0  selectors(total,up): 1/1  rx(pkt,err): 1035/0  tx(pkt,err): 333/0
'ADVPN_1' 101.1.1.1:0  selectors(total,up): 1/1  rx(pkt,err): 1034/0  tx(pkt,err): 339/0

FortiGate1-HQ-BJ # diagnose vpn ike status detailed
vd: root/0
name: ADVPN
version: 1
used-indices: 0-1
connection: 2/2
IKE SA: created 2/2  established 2/2  times 10/10/10 ms
IPsec SA: created 2/2  established 2/2  times 10/10/10 ms

FortiGate1-HQ-BJ # 

Business access test

FortiGate2-Branch-SH # execute ping-options source  192.168.1.99

FortiGate2-Branch-SH # execute ping 192.168.0.99
PING 192.168.0.99 (192.168.0.99): 56 data bytes
64 bytes from 192.168.0.99: icmp_seq=0 ttl=255 time=1.7 ms
64 bytes from 192.168.0.99: icmp_seq=1 ttl=255 time=1.3 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=255 time=1.0 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=255 time=1.0 ms
64 bytes from 192.168.0.99: icmp_seq=4 ttl=255 time=1.2 ms

--- 192.168.0.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.2/1.7 ms

Packet capture on the HUB:

FortiGate1-HQ-BJ # diagnose sniffer packet any "icmp or esp" 4
interfaces=[any]
filters=[icmp or esp]
2.110303 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x69b)
2.110333 ADVPN in 192.168.1.99 -> 192.168.0.99: icmp: echo request
2.110413 ADVPN out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
2.110432 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x214)

3.117471 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x69d)
3.117495 ADVPN in 192.168.1.99 -> 192.168.0.99: icmp: echo request
3.117520 ADVPN out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
3.117539 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x216)

4.126982 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x69e)
4.127010 ADVPN in 192.168.1.99 -> 192.168.0.99: icmp: echo request
4.127385 ADVPN out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
4.127406 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x217)

5.136624 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x69f)
5.136654 ADVPN in 192.168.1.99 -> 192.168.0.99: icmp: echo request
5.136694 ADVPN out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
5.136713 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x218)

5.606211 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6a0)
6.145873 ADVPN in 192.168.1.99 -> 192.168.0.99: icmp: echo request
6.145951 ADVPN out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
6.145971 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x219)
^C
24 packets received by filter
0 packets dropped by kernel

FortiGate1-HQ-BJ # 


SPOKE (SH) pings SPOKE (GZ):


FortiGate2-Branch-SH # execute ping 192.168.2.99
PING 192.168.2.99 (192.168.2.99): 56 data bytes
64 bytes from 192.168.2.99: icmp_seq=0 ttl=254 time=2.9 ms
64 bytes from 192.168.2.99: icmp_seq=1 ttl=254 time=2.3 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=254 time=2.3 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=254 time=2.1 ms
64 bytes from 192.168.2.99: icmp_seq=4 ttl=254 time=2.4 ms

--- 192.168.2.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.1/2.4/2.9 ms

FortiGate2-Branch-SH # 

Packet capture on the HUB (the traffic between SPOKE1 and SPOKE2 can be seen being relayed through the HUB):
FortiGate1-HQ-BJ # diagnose sniffer packet any "esp or icmp" 4
interfaces=[any]
filters=[esp or icmp]
2.272500 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6e3)
2.272517 ADVPN in 192.168.1.99 -> 192.168.2.99: icmp: echo request
2.272575 ADVPN out 192.168.1.99 -> 192.168.2.99: icmp: echo request
2.272591 port1 out 100.1.1.1 -> 102.1.1.1: ESP(spi=0xa4b67fda,seq=0x21e)
2.273625 port1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c4,seq=0x6d4)
2.273640 ADVPN in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
2.273656 ADVPN out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
2.273668 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x233)

3.275331 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6e4)
3.275354 ADVPN in 192.168.1.99 -> 192.168.2.99: icmp: echo request
3.275363 ADVPN out 192.168.1.99 -> 192.168.2.99: icmp: echo request
3.275382 port1 out 100.1.1.1 -> 102.1.1.1: ESP(spi=0xa4b67fda,seq=0x21f)
3.276542 port1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c4,seq=0x6d5)
3.276557 ADVPN in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
3.276563 ADVPN out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
3.276577 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x234)

4.284529 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6e5)
4.284553 ADVPN in 192.168.1.99 -> 192.168.2.99: icmp: echo request
4.284563 ADVPN out 192.168.1.99 -> 192.168.2.99: icmp: echo request
4.284583 port1 out 100.1.1.1 -> 102.1.1.1: ESP(spi=0xa4b67fda,seq=0x220)
4.285670 port1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c4,seq=0x6d6)
4.285684 ADVPN in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
4.285690 ADVPN out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
4.285702 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x235)

5.249616 port1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c4,seq=0x6d7)
5.293910 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6e6)
5.293927 ADVPN in 192.168.1.99 -> 192.168.2.99: icmp: echo request
5.293935 ADVPN out 192.168.1.99 -> 192.168.2.99: icmp: echo request
5.293953 port1 out 100.1.1.1 -> 102.1.1.1: ESP(spi=0xa4b67fda,seq=0x221)
5.295038 port1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c4,seq=0x6d8)
5.295052 ADVPN in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
5.295057 ADVPN out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
5.295070 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x236)
5.317357 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x237)
5.318650 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6e7)

6.303428 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6e8)
6.303448 ADVPN in 192.168.1.99 -> 192.168.2.99: icmp: echo request
6.303455 ADVPN out 192.168.1.99 -> 192.168.2.99: icmp: echo request
6.303473 port1 out 100.1.1.1 -> 102.1.1.1: ESP(spi=0xa4b67fda,seq=0x222)
6.304638 port1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c4,seq=0x6d9)
6.304653 ADVPN in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
6.304659 ADVPN out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
6.304673 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x238)
6.383254 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6e9)
^C
46 packets received by filter
0 packets dropped by kernel

FortiGate1-HQ-BJ # 
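The capture above can also be checked mechanically. The following Python is an added example (not FortiGate code and not from the original page): it parses the sniffer lines and, for each ICMP flow on ADVPN, counts packets seen entering and leaving the tunnel interface; equal counts for the 192.168.1.99 <-> 192.168.2.99 pair show that every spoke-to-spoke packet was relayed by the HUB, and the ESP peer list shows which public addresses exchanged ESP with the HUB.

```python
"""Confirm from 'diagnose sniffer packet any "esp or icmp" 4' output that
spoke-to-spoke traffic is relayed by the HUB. Added example, not FortiGate
code: every ICMP packet seen entering the ADVPN interface must also be seen
leaving ADVPN (hairpin), and the ESP peers on the WAN interface are listed so
an unexpected public address stands out."""
import re
from collections import Counter

# Constructed sample: a few lines of the HUB capture shown above.
SAMPLE_CAPTURE = """\
2.272500 port1 in 101.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c5,seq=0x6e3)
2.272517 ADVPN in 192.168.1.99 -> 192.168.2.99: icmp: echo request
2.272575 ADVPN out 192.168.1.99 -> 192.168.2.99: icmp: echo request
2.272591 port1 out 100.1.1.1 -> 102.1.1.1: ESP(spi=0xa4b67fda,seq=0x21e)
2.273625 port1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0xa30395c4,seq=0x6d4)
2.273640 ADVPN in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
2.273656 ADVPN out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
2.273668 port1 out 100.1.1.1 -> 101.1.1.1: ESP(spi=0xe6ec833d,seq=0x233)
"""

# One sniffer line: timestamp, interface, direction, src -> dst: protocol ...
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+(?P<proto>ESP|icmp)(?P<rest>.*)$")


def parse_capture(text):
    """Return a list of dicts, one per sniffer line that matches the format."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts


def hairpin_report(pkts, tunnel="ADVPN"):
    """Return {(src, dst): (in_count, out_count)} for ICMP on the tunnel
    interface. Equal counts for a spoke-to-spoke pair show that the HUB
    relayed every packet back out over the same dial-up tunnel interface."""
    counts = Counter()
    for p in pkts:
        if p["iface"] == tunnel and p["proto"] == "icmp":
            counts[(p["src"], p["dst"], p["dir"])] += 1
    pairs = {(s, d) for (s, d, _) in counts}
    return {(s, d): (counts[(s, d, "in")], counts[(s, d, "out")]) for s, d in pairs}


def esp_peers(pkts, hub_ip, wan="port1"):
    """Return the set of public addresses exchanging ESP with the HUB on the
    WAN interface; anything outside the known spoke list deserves a look."""
    peers = set()
    for p in pkts:
        if p["iface"] == wan and p["proto"] == "ESP":
            peers.add(p["src"] if p["dir"] == "in" else p["dst"])
    peers.discard(hub_ip)
    return peers


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(hairpin_report(pkts))
    print(esp_peers(pkts, "100.1.1.1"))
```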

Path of the VPN business traffic at this point:


Appendix: running OSPF

HUB (BJ) side configuration changes:
1. Remove the BGP configuration
FortiGate1-HQ-BJ # config router bgp
FortiGate1-HQ-BJ (bgp) # unset as
FortiGate1-HQ-BJ (bgp) # unset router-id
FortiGate1-HQ-BJ (bgp) # config neighbor-range
FortiGate1-HQ-BJ (neighbor-range) # purge
This operation will clear all table!
Do you want to continue? (y/n)y
FortiGate1-HQ-BJ (neighbor-range) # end
FortiGate1-HQ-BJ (bgp) # config neighbor-group
FortiGate1-HQ-BJ (neighbor-group) # purge
This operation will clear all table!
Do you want to continue? (y/n)y
FortiGate1-HQ-BJ (neighbor-group) # end
FortiGate1-HQ-BJ (bgp) # config network
FortiGate1-HQ-BJ (network) # purge
This operation will clear all table!
Do you want to continue? (y/n)y
FortiGate1-HQ-BJ (network) # end

2. Configure OSPF

SPOKE1 (SH) side configuration changes:
1. Remove the BGP configuration
FortiGate2-Branch-SH (bgp) # unset as
FortiGate2-Branch-SH (neighbor) # end
FortiGate2-Branch-SH (network) # end

2. Configure OSPF

Adjust the OSPF parameters from the CLI:
config router ospf
    set router-id 10.10.10.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "VPN"
            set interface "ADVPN"
            set dead-interval 40
            set hello-interval 10
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end

SPOKE2 (GZ) side configuration changes:
2. Configure OSPF

Adjust the OSPF parameters from the CLI:
config router ospf
    set router-id 10.10.10.3
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "VPN"
            set interface "ADVPN"
            set dead-interval 40
            set hello-interval 10
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end
  
The HUB/SPOKE1/SPOKE2 configuration changes are complete; the HUB & SPOKE network is now built with OSPF over dial-up IPsec.

Check the HUB (BJ) side status:
FortiGate1-HQ-BJ # get router info ospf  neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   Full/ -         00:00:34    10.10.10.2      ADVPN
10.10.10.3        1   Full/ -         00:00:38    10.10.10.3      ADVPN

FortiGate1-HQ-BJ # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 100.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.1/32 is directly connected, ADVPN
C       100.1.1.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port2
O       192.168.1.0/24 [110/101] via 10.10.10.2, ADVPN, 00:07:03
O       192.168.2.0/24 [110/101] via 10.10.10.3, ADVPN, 00:02:35

Check the SPOKE1 (SH) side status:
FortiGate2-Branch-SH # get router info ospf  neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1        1   Full/ -         00:00:37    10.10.10.1      ADVPN


FortiGate2-Branch-SH # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 101.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
O       10.10.10.1/32 [110/100] via 10.10.10.1, ADVPN, 00:07:53
C       10.10.10.2/32 is directly connected, ADVPN
C       101.1.1.0/24 is directly connected, port1
O       192.168.0.0/24 [110/101] via 10.10.10.1, ADVPN, 00:07:53
C       192.168.1.0/24 is directly connected, port2
O       192.168.2.0/24 [110/201] via 10.10.10.1, ADVPN, 00:03:29
S       192.168.91.0/24 [10/0] is directly connected, port1


Check the SPOKE2 (GZ) side status:
FortiGate3-Branch-GZ # get router info ospf  neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1        1   Full/ -         00:00:31    10.10.10.1      ADVPN


FortiGate3-Branch-GZ #
FortiGate3-Branch-GZ # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 102.1.1.254, ppp0
C       10.10.10.0/24 is directly connected, ADVPN
O       10.10.10.1/32 [110/100] via 10.10.10.1, ADVPN, 00:06:09
C       10.10.10.3/32 is directly connected, ADVPN
C       102.1.1.1/32 is directly connected, ppp0
C       102.1.1.254/32 is directly connected, ppp0
O       192.168.0.0/24 [110/101] via 10.10.10.1, ADVPN, 00:06:09
O       192.168.1.0/24 [110/201] via 10.10.10.1, ADVPN, 00:06:09
C       192.168.2.0/24 is directly connected, port2
S       192.168.91.0/24 [10/0] via 102.1.1.254, ppp0

Note:
Older versions can use mode-cfg to achieve the same thing, running a dynamic routing protocol over dynamic VPN; for newer versions we recommend the method described above.
For the mode-cfg approach to OSPF over dynamic IPsec VPN see: OSPF over dynamic IPsec VPN (Expert)