Aggressive Mode

IKE Phase 1 negotiation has two modes: main mode and aggressive mode.

Aggressive mode negotiation process:

IKE aggressive mode uses only three exchanges to negotiate keys and perform authentication, which speeds up IKE transaction processing. The speed gain, however, comes at the cost of some security.

In the first message, the initiator sends the ISAKMP header, the security association (SA), its DH public value, a nonce and its identity (IDi).

In the second message, the responder replies with all parameters of the selected proposal and its own DH public value. This message is authenticated but not encrypted.

The third message is sent by the initiator back to the responder. It is authenticated, so the responder can check whether the hash it carries matches the hash the responder computes itself, and thus whether the message is genuine (pre-shared key authentication or digital certificate authentication). Aggressive mode is used mainly for IKE in remote-access scenarios where the peer's IP address is not fixed: the responder does not know the initiator's address in advance, and the authentication method is a pre-shared key. Aggressive mode is less secure than main mode because the identities are transmitted in cleartext.

Because aggressive mode reveals the peer's Peer ID up front, the Peer ID can be used to tell connections apart among several dynamic IPsec tunnels.

When do we need aggressive mode:

1. There are several dynamic dial-up IPsec VPNs. Because the destination IP of a dial-up VPN is any (0.0.0.0), the two IPsec VPN tunnels cannot be told apart at all, and there is no way to know whether a dial-up user should match Dia_VPN1 or Dia_VPN2 (the FGT gives priority to the Dia_VPN listed first). To distinguish the local dynamic dial-up VPNs, the Peer ID parameter must therefore be configured, for example:

Dia_VPN1: dynamic dial-up VPN, aggressive mode, Local ID BJ, Peer ID: South-FGT
Dia_VPN2: dynamic dial-up VPN, aggressive mode, Local ID BJ, Peer ID: North-FGT

If remote dial-up user 1 sets its Local ID to South-FGT, it connects to Dia_VPN1.
If remote dial-up user 2 sets its Local ID to North-FGT, it connects to Dia_VPN2.

In this way different dial-up users are distinguished and separated, and each can be controlled with its own VPN tunnel and its own policies, instead of all dial-in users sharing one dial-up VPN tunnel as in a plain HUB&SPOKE setup.

For this requirement, main mode must be abandoned in favour of aggressive mode, with a different Peer ID for each dynamic VPN tunnel.

2. IPsec VPN clients such as FortiClient require aggressive mode when dialing in. Configuring from the template is normally enough; the template switches to aggressive mode automatically.

In all other scenarios we recommend the more secure main mode.
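The three-message exchange described above, and the reason the responder can only pick the right dial-up tunnel (and its pre-shared key) when the initiator's ID arrives in cleartext, as an added illustration that is not part of the original page and is not FortiGate code. It follows the HASH_I/HASH_R and SKEYID formulas of RFC 2409 for pre-shared-key authentication; the DH group is a deliberately small toy group, the SA payload is a placeholder string standing in for the page's proposal list, and the tunnel names, IDs and keys are constructed.

```python
"""Toy model of the IKEv1 aggressive-mode exchange with pre-shared-key
authentication (RFC 2409, section 5.4), and of how a responder that hosts
several dynamic tunnels uses the cleartext IDi from message 1 to pick the
tunnel and its pre-shared key. Added example, not FortiGate code; the DH
group, tunnel names, IDs and keys below are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed toy DH group; real IKE uses MODP groups of 1024 bits or more.
P = 2**127 - 1
G = 5
SA_PAYLOAD = b"sa:des-md5,des-sha1"  # placeholder standing in for the proposal list


def prf(key: bytes, data: bytes) -> bytes:
    """The keyed PRF of RFC 2409: HMAC over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def int_bytes(x: int) -> bytes:
    return x.to_bytes(16, "big")


@dataclass
class Msg1:  # HDR, SA, KE, Ni, IDii: the whole message travels in cleartext
    cky_i: bytes
    sa: bytes
    g_xi: int
    ni: bytes
    idi: bytes

    def wire(self) -> bytes:
        return self.cky_i + self.sa + int_bytes(self.g_xi) + self.ni + self.idi


@dataclass
class Msg2:  # HDR, SA, KE, Nr, IDir, HASH_R: authenticated but not encrypted
    cky_r: bytes
    sa: bytes
    g_xr: int
    nr: bytes
    idr: bytes
    hash_r: bytes


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    return prf(psk, ni + nr)  # PSK authentication: SKEYID = prf(psk, Ni_b | Nr_b)


def hash_i(psk: bytes, m1: Msg1, m2: Msg2) -> bytes:
    return prf(skeyid(psk, m1.ni, m2.nr), int_bytes(m1.g_xi) + int_bytes(m2.g_xr)
               + m1.cky_i + m2.cky_r + m1.sa + m1.idi)


def hash_r(psk: bytes, m1: Msg1, m2: Msg2) -> bytes:
    return prf(skeyid(psk, m1.ni, m2.nr), int_bytes(m2.g_xr) + int_bytes(m1.g_xi)
               + m2.cky_r + m1.cky_i + m1.sa + m2.idr)


def select_tunnel(idi: bytes, tunnels):
    """First phase1 entry whose peer ID equals IDi, in configuration order."""
    for name, peerid, psk in tunnels:
        if peerid == idi:
            return name, psk
    return None


def run_exchange(idi: bytes, initiator_psk: bytes, idr: bytes, tunnels) -> dict:
    """Drive the three messages and report which tunnel was selected and
    whether both sides authenticated. Real peers go on to derive SKEYID_d/_a/_e."""
    xi = int.from_bytes(os.urandom(15), "big")
    xr = int.from_bytes(os.urandom(15), "big")
    m1 = Msg1(os.urandom(8), SA_PAYLOAD, pow(G, xi, P), os.urandom(16), idi)
    result = {"wire_msg1": m1.wire(), "tunnel": None, "authenticated": False}

    # Responder: IDi is readable before any key exists, so the phase1 (and
    # its PSK) can be chosen by ID. In main mode the ID arrives encrypted,
    # so the PSK must be chosen by source IP, which a dial-up peer lacks.
    selected = select_tunnel(idi, tunnels)
    if selected is None:
        return result
    result["tunnel"], responder_psk = selected
    m2 = Msg2(os.urandom(8), m1.sa, pow(G, xr, P), os.urandom(16), idr, b"")
    m2.hash_r = hash_r(responder_psk, m1, m2)

    # Initiator: verify HASH_R with its own PSK, then answer with HASH_I.
    if not hmac.compare_digest(hash_r(initiator_psk, m1, m2), m2.hash_r):
        return result
    msg3_hash_i = hash_i(initiator_psk, m1, m2)

    # Responder: the hash in message 3 must equal the one it computes itself.
    result["authenticated"] = hmac.compare_digest(hash_i(responder_psk, m1, m2), msg3_hash_i)
    result["dh_secret_agrees"] = pow(m2.g_xr, xi, P) == pow(m1.g_xi, xr, P)
    return result


# Constructed responder table, in the order a FortiGate holds its phase1 entries.
TUNNELS = [
    ("Dia_VPN_1", b"SH", b"psk-for-sh"),
    ("Dia_VPN_2", b"GZ", b"psk-for-gz"),
]

if __name__ == "__main__":
    for idi, psk in ((b"SH", b"psk-for-sh"), (b"GZ", b"wrong-psk"), (b"XX", b"x")):
        r = run_exchange(idi, psk, b"BJ", TUNNELS)
        print(idi.decode(), r["tunnel"], r["authenticated"])
```

Two things are worth noting from the model. The responder chooses the tunnel from `idi` before it has any keying material, which is exactly what the page's per-tunnel `set peerid` relies on, and `wire_msg1` contains that ID verbatim, which is the cleartext-identity cost the page mentions. The page's des-md5/des-sha1 proposals are lab settings; the exchange itself is identical with AES and SHA-2 proposals.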

I. Networking requirements

As shown in the figure, a company's headquarters has an OA server on its internal network, and two branch offices need to dial into the HQ intranet over VPN to access it. HQ must distinguish the identities of SPOKE1 (SH) and SPOKE2 (GZ): the two SPOKEs are told apart by Peer ID, each peer is authenticated by Peer ID plus pre-shared key, and each SPOKE's access can be controlled with a different security policy. All traffic between the SPOKEs must also be relayed through the HUB.

II. Network topology

The HUB creates two dial-up IPsec VPNs, distinguished by different Peer IDs, which also identify the dialing parties. All traffic between the SPOKEs is relayed through the HUB. Topology for this configuration example:


III. Configuration points

1. Configure FortiGate1

    1) Basic Internet access configuration

    2) IPsec VPN configuration on the HUB side

2. Configure FortiGate2

    1) Basic Internet access configuration

    2) IPsec VPN configuration on the SPOKE (SH) side

3. Configure FortiGate3

    1) Basic Internet access configuration

    2) IPsec VPN configuration on the SPOKE (GZ) side

Note: to delete an IPsec VPN phase 1 or phase 2, first delete the routes and firewall policies that reference it.

IV. Configuration steps

1. Configure FortiGate1 (BJ) --- HUB --- FortiGate1-HQ-BJ

1) Basic Internet access configuration

For the detailed procedure, see the section "Typical route-mode functions -- single-line Internet access -- Internet access over a static-address line":

Interface IP configuration:

Route configuration:

2) IPsec VPN configuration on the HUB side

Configure the dynamic IPsec VPN that peers with SPOKE1 (SH):



Configure the dynamic IPsec VPN that peers with SPOKE2 (GZ):

IPsec VPN configuration CLI:

config vpn ipsec phase1-interface
    edit "Dia_VPN_1"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one
        set proposal des-md5 des-sha1
        set localid "BJ"
        set dpd on-idle
        set peerid "SH"
        set psksecret Fortinet123#
        set dpd-retryinterval 60
    next
    edit "Dia_VPN_2"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one
        set proposal des-md5 des-sha1
        set localid "BJ"
        set dpd on-idle
        set peerid "GZ"
        set psksecret Fortinet123#
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "Dia_VPN_1"
        set phase1name "Dia_VPN_1"
        set proposal des-md5 des-sha1
        set keepalive enable
    next
    edit "Dia_VPN_2"
        set phase1name "Dia_VPN_2"
        set proposal des-md5 des-sha1
        set keepalive enable
    next
end

Policy configuration

Configure the VPN traffic policy between BJ and SH:

Configure the VPN traffic policy from BJ to GZ:

Configure the VPN traffic policy from SH to GZ:

Note: be sure to configure the policies that permit traffic between the SPOKEs.

Policy configuration CLI:
config firewall policy
    edit 2
        set name "LOCAL-TO-VPN-SH"
        set srcintf "port2"
        set dstintf "Dia_VPN_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "VPN-SH-TO-LOCAL"
        set srcintf "Dia_VPN_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 4
        set name "LOCAL-TO-VPN-GZ"
        set srcintf "port2"
        set dstintf "Dia_VPN_2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 5
        set name "VPN-GZ-TO-LOCAL"
        set srcintf "Dia_VPN_2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 6
        set name "SH-TO-GZ"
        set srcintf "Dia_VPN_1"
        set dstintf "Dia_VPN_2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 7
        set name "GZ-TO-SH"
        set srcintf "Dia_VPN_2"
        set dstintf "Dia_VPN_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

VPN route configuration: the HUB learns routes automatically and generates return routes for the SPOKEs' interesting traffic, so no routes to the SPOKEs need to be configured.

---- FortiGate1 (BJ) configuration complete ----

2. Configure FortiGate2 (SH) --- SPOKE --- FortiGate2-Branch-SH

1) Basic Internet access configuration

    Interface IP configuration:

The default route is obtained automatically via DHCP:

2) IPsec VPN configuration on the SPOKE (SH) side

Configure IPsec VPN phase 1

Configure IPsec VPN phase 2

CLI:

config vpn ipsec phase1-interface
    edit "TO-HUB"
        set interface "port1"
        set mode aggressive
        set peertype one
        set proposal des-md5 des-sha1
        set localid "SH"
        set dpd on-idle
        set remote-gw 100.1.1.1
        set peerid "BJ"
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2-interface
    edit "TO-HUB"
        set phase1name "TO-HUB"
        set proposal des-md5 des-sha1
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
    next
end

Configure the IPsec VPN policies:

CLI:

config firewall policy
    edit 2
        set name "LOCAL-TO-VPN-HUB"
        set srcintf "port2"
        set dstintf "TO-HUB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "VPN-HUB-TO-LOCAL"
        set srcintf "TO-HUB"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

Configure the IPsec VPN routes:

CLI:

config router static
    edit 1
        set dst 192.168.0.0 255.255.0.0
        set device "TO-HUB"
    next
    edit 2
        set dst 192.168.0.0 255.255.0.0
        set distance 254
        set blackhole enable
    next
end

---- FortiGate2 (SH) configuration complete ----

3. Configure FortiGate3 (GZ) --- SPOKE --- FortiGate3-Branch-GZ

1) Basic Internet access configuration

 Interface IP configuration:

The default route is obtained automatically via PPPoE:

2) IPsec VPN configuration on the SPOKE (GZ) side

Configure IPsec VPN phase 1

Configure IPsec VPN phase 2

CLI:

config vpn ipsec phase1-interface
    edit "TO-HUB"
        set interface "port1"
        set mode aggressive
        set peertype one
        set proposal des-md5 des-sha1
        set localid "GZ"
        set dpd on-idle
        set remote-gw 100.1.1.1
        set peerid "BJ"
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2-interface
    edit "TO-HUB"
        set phase1name "TO-HUB"
        set proposal des-md5 des-sha1
        set auto-negotiate enable
        set src-subnet 192.168.2.0 255.255.255.0
    next
end

Configure the IPsec VPN policies:

CLI:

config firewall policy
    edit 2
        set name "LOCAL-TO-VPN-HUB"
        set srcintf "port2"
        set dstintf "TO-HUB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 4
        set name "VPN-HUB-TO-LOCAL"
        set srcintf "TO-HUB"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

Configure the IPsec VPN routes:

CLI:

config router static
    edit 1
        set dst 192.168.0.0 255.255.0.0
        set device "TO-HUB"
    next
    edit 2
        set dst 192.168.0.0 255.255.0.0
        set distance 254
        set blackhole enable
    next
end

---- FortiGate3 (GZ) configuration complete ----

All HUB/Spoke1/Spoke2 configuration is now complete.

V. Check the configuration results

Observe the status on the HUB, SPOKE1 and SPOKE2:

HUB (BJ) status

HUB IPsec VPN establishment:

Monitor--->IPsec Monitor

HUB route learning:

Monitor--->Routing Monitor

FortiGate1-HQ-BJ #  get router info routing-table all

S*      0.0.0.0/0 [10/0] via 100.1.1.254, port1
C       100.1.1.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port2
S       192.168.1.0/24 [15/0] via 101.1.1.1, Dia_VPN_1
S       192.168.2.0/24 [15/0] via 102.1.1.1, Dia_VPN_2

SPOKE1 (SH) status

SPOKE1 IPsec VPN establishment (IPsec is established with the HUB only):

Monitor--->IPsec Monitor

SPOKE1 route learning:

Monitor--->Routing Monitor

FortiGate2-Branch-SH # get router info routing-table all

S*      0.0.0.0/0 [5/0] via 101.1.1.254, port1
C       101.1.1.0/24 is directly connected, port1
S       192.168.0.0/16 [10/0] is directly connected, TO-HUB
C       192.168.1.0/24 is directly connected, port2

SPOKE2 (GZ) status

SPOKE2 IPsec VPN establishment (IPsec is established with the HUB only):

Monitor--->IPsec Monitor

SPOKE2 route learning:

Monitor--->Routing Monitor

FortiGate3-Branch-GZ # get router info routing-table all

S*      0.0.0.0/0 [5/0] via 102.1.1.254, ppp0
C       102.1.1.1/32 is directly connected, ppp0
C       102.1.1.254/32 is directly connected, ppp0
S       192.168.0.0/16 [10/0] is directly connected, TO-HUB
C       192.168.2.0/24 is directly connected, port2

Traffic access test

SPOKE1 (192.168.1.99) accesses HUB (192.168.0.99):

FortiGate2-Branch-SH #
FortiGate2-Branch-SH # execute ping-options source 192.168.1.99

FortiGate2-Branch-SH # execute ping 192.168.0.99
PING 192.168.0.99 (192.168.0.99): 56 data bytes
64 bytes from 192.168.0.99: icmp_seq=0 ttl=255 time=2.2 ms
64 bytes from 192.168.0.99: icmp_seq=1 ttl=255 time=1.4 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=255 time=1.2 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=255 time=1.4 ms
64 bytes from 192.168.0.99: icmp_seq=4 ttl=255 time=1.5 ms

--- 192.168.0.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.2/1.5/2.2 ms

Packet capture on the HUB:
FortiGate1-HQ-BJ # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
2.464818 Dia_VPN_1 in 192.168.1.99 -> 192.168.0.99: icmp: echo request
2.464909 Dia_VPN_1 out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
3.478489 Dia_VPN_1 in 192.168.1.99 -> 192.168.0.99: icmp: echo request
3.478530 Dia_VPN_1 out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
4.487863 Dia_VPN_1 in 192.168.1.99 -> 192.168.0.99: icmp: echo request
4.487903 Dia_VPN_1 out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
5.497287 Dia_VPN_1 in 192.168.1.99 -> 192.168.0.99: icmp: echo request
5.497326 Dia_VPN_1 out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
6.506914 Dia_VPN_1 in 192.168.1.99 -> 192.168.0.99: icmp: echo request
6.506954 Dia_VPN_1 out 192.168.0.99 -> 192.168.1.99: icmp: echo reply

SPOKE1 (192.168.1.99) accesses SPOKE2 (192.168.2.99):

FortiGate2-Branch-SH # execute ping-options source 192.168.1.99
FortiGate2-Branch-SH # execute ping 192.168.2.99
PING 192.168.2.99 (192.168.2.99): 56 data bytes
64 bytes from 192.168.2.99: icmp_seq=0 ttl=254 time=2.7 ms
64 bytes from 192.168.2.99: icmp_seq=1 ttl=254 time=2.2 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=254 time=1.9 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=254 time=2.3 ms
64 bytes from 192.168.2.99: icmp_seq=4 ttl=254 time=2.3 ms

--- 192.168.2.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.9/2.2/2.7 ms
FortiGate2-Branch-SH #

Packet capture on the HUB:
FortiGate1-HQ-BJ # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
2.640652 Dia_VPN_1 in 192.168.1.99 -> 192.168.2.99: icmp: echo request
2.640855 Dia_VPN_2 out 192.168.1.99 -> 192.168.2.99: icmp: echo request
2.642251 Dia_VPN_2 in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
2.642360 Dia_VPN_1 out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
3.653507 Dia_VPN_1 in 192.168.1.99 -> 192.168.2.99: icmp: echo request
3.653567 Dia_VPN_2 out 192.168.1.99 -> 192.168.2.99: icmp: echo request
3.654513 Dia_VPN_2 in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
3.654534 Dia_VPN_1 out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
4.662893 Dia_VPN_1 in 192.168.1.99 -> 192.168.2.99: icmp: echo request
4.662909 Dia_VPN_2 out 192.168.1.99 -> 192.168.2.99: icmp: echo request
4.663698 Dia_VPN_2 in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
4.663705 Dia_VPN_1 out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
5.672198 Dia_VPN_1 in 192.168.1.99 -> 192.168.2.99: icmp: echo request
5.672214 Dia_VPN_2 out 192.168.1.99 -> 192.168.2.99: icmp: echo request
5.673367 Dia_VPN_2 in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
5.673376 Dia_VPN_1 out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
6.681687 Dia_VPN_1 in 192.168.1.99 -> 192.168.2.99: icmp: echo request
6.681701 Dia_VPN_2 out 192.168.1.99 -> 192.168.2.99: icmp: echo request
6.682741 Dia_VPN_2 in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
6.682749 Dia_VPN_1 out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
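The two captures above are the evidence that the SPOKE-to-SPOKE policies (SH-TO-GZ and GZ-TO-SH) are in place: each echo request enters on Dia_VPN_1 and leaves on Dia_VPN_2, and each reply takes the reverse path, whereas traffic to the HUB's own LAN is answered on Dia_VPN_1 alone. The following is an added check that is not part of the original page and not FortiGate code; it parses `diagnose sniffer packet` verbosity-4 output and confirms the hairpin path. The sample lines are copied from the captures shown on this page.

```python
"""Parse `diagnose sniffer packet ... 4` output from the hub and check that
spoke-to-spoke ICMP is really relayed: every echo request that arrives on
one tunnel interface must leave on the other, and the replies must take the
reverse path. Added example, not FortiGate code; the sample lines are copied
from the two captures shown on this page."""
import re
from collections import Counter

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$"
)

SPOKE_TO_SPOKE = """\
FortiGate1-HQ-BJ # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
2.640652 Dia_VPN_1 in 192.168.1.99 -> 192.168.2.99: icmp: echo request
2.640855 Dia_VPN_2 out 192.168.1.99 -> 192.168.2.99: icmp: echo request
2.642251 Dia_VPN_2 in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
2.642360 Dia_VPN_1 out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
3.653507 Dia_VPN_1 in 192.168.1.99 -> 192.168.2.99: icmp: echo request
3.653567 Dia_VPN_2 out 192.168.1.99 -> 192.168.2.99: icmp: echo request
3.654513 Dia_VPN_2 in 192.168.2.99 -> 192.168.1.99: icmp: echo reply
3.654534 Dia_VPN_1 out 192.168.2.99 -> 192.168.1.99: icmp: echo reply
"""

SPOKE_TO_HUB = """\
2.464818 Dia_VPN_1 in 192.168.1.99 -> 192.168.0.99: icmp: echo request
2.464909 Dia_VPN_1 out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
3.478489 Dia_VPN_1 in 192.168.1.99 -> 192.168.0.99: icmp: echo request
3.478530 Dia_VPN_1 out 192.168.0.99 -> 192.168.1.99: icmp: echo reply
"""


def parse_sniffer(text: str) -> list:
    """Return one dict per ICMP echo line; the prompt and banner lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def flow_counts(records) -> Counter:
    """Packets per (src, dst, kind, interface, direction)."""
    return Counter((r["src"], r["dst"], r["kind"], r["intf"], r["dir"]) for r in records)


def verify_relay(text: str, src: str, dst: str, in_tunnel: str, out_tunnel: str) -> dict:
    """Check that src->dst requests seen 'in' on in_tunnel are all forwarded
    'out' on out_tunnel, and that dst->src replies come back the same way."""
    c = flow_counts(parse_sniffer(text))
    requests_in = c[(src, dst, "request", in_tunnel, "in")]
    requests_out = c[(src, dst, "request", out_tunnel, "out")]
    replies_in = c[(dst, src, "reply", out_tunnel, "in")]
    replies_out = c[(dst, src, "reply", in_tunnel, "out")]
    return {
        "requests_in": requests_in,
        "requests_relayed": requests_out,
        "replies_in": replies_in,
        "replies_relayed": replies_out,
        # A missing SH-TO-GZ or GZ-TO-SH policy shows up here as requests
        # that enter on one tunnel but never leave on the other.
        "relayed_ok": requests_in > 0 and requests_in == requests_out == replies_in == replies_out,
    }


if __name__ == "__main__":
    print(verify_relay(SPOKE_TO_SPOKE, "192.168.1.99", "192.168.2.99", "Dia_VPN_1", "Dia_VPN_2"))
    print(verify_relay(SPOKE_TO_HUB, "192.168.1.99", "192.168.0.99", "Dia_VPN_1", "Dia_VPN_2"))
```

Run against the SPOKE-to-SPOKE capture, every request counted on the `in` side of Dia_VPN_1 is matched by one on the `out` side of Dia_VPN_2 and `relayed_ok` is true; against the SPOKE-to-HUB capture, no request leaves on Dia_VPN_2 and the check fails, which is the expected result for traffic the HUB terminates locally.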