I. Network requirements
As shown in the figure, two LANs are connected through an IPsec VPN in policy mode so that the 192.168.0.0/24 and 192.168.1.0/24 subnets can communicate with each other.
II. Network topology
III. Configuration points
1. Configure FortiGate1
1) Basic Internet access configuration
2) Enable the IPsec VPN "policy mode" feature (hidden in the GUI by default)
3) Create the IPsec VPN with the "Custom" template type (the built-in templates all create interface-mode IPsec; a policy-mode IPsec VPN must be created manually)
4) Configure the special IPsec VPN policy that matches the interesting traffic
2. Configure FortiGate2
1) Basic Internet access configuration
2) Enable the IPsec VPN "policy mode" feature (hidden in the GUI by default)
3) Create the IPsec VPN with the "Custom" template type (the built-in templates all create interface-mode IPsec; a policy-mode IPsec VPN must be created manually)
4) Configure the special IPsec VPN policy that matches the interesting traffic
Note: to delete an IPsec VPN phase 1 or phase 2, first delete the routes and firewall policies that reference it.
IV. Configuration steps
1. Configure FortiGate1 (BJ)
1) Basic Internet access configuration
For the detailed procedure, refer to the section "Routing mode typical features -- Single-link Internet access -- Static-address line configuration":
Interface IP configuration is as follows:
Routing configuration is as follows:
2) Enable the IPsec VPN "policy mode" feature (hidden in the GUI by default)
Menu: System -- Feature Visibility -- Policy-based IPsec VPN, click "Enable"
3) Create the IPsec VPN with the "Custom" template type (the built-in templates all create interface-mode IPsec; a policy-mode IPsec VPN must be created manually)
Menu: VPN -- IPsec Tunnels, click "Create New", fill in "Name" and click "Custom"
Phase 1 parameters:
Unticking "Enable IPsec Interface Mode" turns the tunnel into "IPsec policy mode"; the box is ticked by default.
Phase 2 parameters:
4) Configure the special IPsec VPN policy that matches the interesting traffic

Note: the incoming/outgoing interfaces and the source/destination addresses must select the interesting VPN traffic, and the policy action must be "IPsec" so that the traffic is handed to the "VPN-TO-SH" IPsec VPN for processing. Also note that this policy must be moved to the very top of the policy list so the interesting traffic matches the VPN policy first; otherwise it matches the broader Internet policy first and is never sent into the VPN tunnel.
Appendix: CLI for the related FortiGate1 (BJ) configuration:
config vpn ipsec phase1
    edit "VPN-TO-SH"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 200.1.1.2
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2
    edit "VPN-TO-SH"
        set phase1name "VPN-TO-SH"
        set proposal aes128-sha1 aes256-sha1 aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
config firewall address
    edit "VPN-TO-SH_local_subnet_1"
        set allow-routing enable
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "VPN-TO-SH_remote_subnet_1"
        set allow-routing enable
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-TO-SH"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "VPN-TO-SH_local_subnet_1"
        set dstaddr "VPN-TO-SH_remote_subnet_1"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set fsso disable
        set inbound enable
        set vpntunnel "VPN-TO-SH"
    next
    edit 1
        set name "TO-Internet"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set dsri enable
        set nat enable
    next
end
2. Configure FortiGate2 (SH)
1) Basic Internet access configuration
For the detailed procedure, refer to the section "Routing mode typical features -- Single-link Internet access -- Static-address line configuration":
Interface IP configuration is as follows:
Routing configuration is as follows:
2) Enable the IPsec VPN "policy mode" feature (hidden in the GUI by default)
Menu: System -- Feature Visibility -- Policy-based IPsec VPN, click "Enable"
3) Create the IPsec VPN with the "Custom" template type (the built-in templates all create interface-mode IPsec; a policy-mode IPsec VPN must be created manually)
Menu: VPN -- IPsec Tunnels, click "Create New", fill in "Name" and click "Custom"
Phase 1 parameters:
Unticking "Enable IPsec Interface Mode" turns the tunnel into "IPsec policy mode"; the box is ticked by default.
Phase 2 parameters:
4) Configure the special IPsec VPN policy that matches the interesting traffic

Note: the incoming/outgoing interfaces and the source/destination addresses must select the interesting VPN traffic, and the policy action must be "IPsec" so that the traffic is handed to the "VPN-TO-BJ" IPsec VPN for processing. Also note that this policy must be moved to the very top of the policy list so the interesting traffic matches the VPN policy first; otherwise it matches the broader Internet policy first and is never sent into the VPN tunnel.
Appendix: CLI for the related FortiGate2 (SH) configuration:
config vpn ipsec phase1
    edit "VPN-TO-BJ"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 100.1.1.2
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2
    edit "VPN-TO-BJ"
        set phase1name "VPN-TO-BJ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.0.0 255.255.255.0
    next
end
config firewall address
    edit "VPN-TO-BJ_local_subnet_1"
        set allow-routing enable
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "VPN-TO-BJ_remote_subnet_1"
        set allow-routing enable
        set subnet 192.168.0.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-TO-BJ"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "VPN-TO-BJ_local_subnet_1"
        set dstaddr "VPN-TO-BJ_remote_subnet_1"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set fsso disable
        set inbound enable
        set vpntunnel "VPN-TO-BJ"
    next
    edit 1
        set name "TO-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
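The two pitfalls the notes above warn about (the IPsec policy must sit above the general Internet policy, and each side's phase 2 selectors must mirror the peer's) can be checked mechanically. The following is an added Python example, not code from the original article or from FortiOS; it parses the config/edit/set/next/end text as printed above, and the sample strings it builds are constructed from this page's configuration.

```python
# Added example, not Fortinet's code: a small parser for the FortiOS CLI text shown on
# this page plus two checks for the pitfalls the notes describe. Samples are constructed.
import shlex

def parse_fortios(text):
    """Return {table: [(entry, {key: [values]}), ...]} with entries in CLI order."""
    tables, stack = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)            # honours "quoted names"; '#' is not a comment
        if tok[:1] == ["config"]:
            stack.append((" ".join(tok[1:]), []))
        elif tok[:1] == ["edit"]:
            stack[-1][1].append((tok[1], {}))
        elif tok[:1] == ["set"]:
            stack[-1][1][-1][1][tok[1]] = tok[2:]
        elif tok[:1] == ["end"]:           # 'next' needs no action and is skipped
            name, entries = stack.pop()
            tables.setdefault(name, []).extend(entries)
    return tables

def shadowed_vpn_policies(tables):
    """Names of 'action ipsec' policies listed below a NAT 'accept' policy on the same
    srcintf/dstintf pair. FortiOS matches top-down, so such a policy never sees traffic."""
    nat_pairs, shadowed = set(), []
    for pid, kv in tables.get("firewall policy", []):
        pair = (kv.get("srcintf", [""])[0], kv.get("dstintf", [""])[0])
        if kv.get("action") == ["ipsec"] and pair in nat_pairs:
            shadowed.append(kv.get("name", [pid])[0])
        if kv.get("action") == ["accept"] and kv.get("nat") == ["enable"]:
            nat_pairs.add(pair)
    return shadowed

def selectors_mirror(local, peer):
    """True when every phase2 src/dst subnet pair on one side is dst/src on the peer."""
    sel = lambda t: {(tuple(kv["src-subnet"]), tuple(kv["dst-subnet"]))
                     for _, kv in t.get("vpn ipsec phase2", [])}
    return sel(local) == {(dst, src) for src, dst in sel(peer)}

# Constructed samples: the BJ policies from this page in both orders, and both peers' phase2.
VPN_POL = ('edit 2\nset name "VPN-TO-SH"\nset srcintf "lan"\nset dstintf "wan1"\n'
           'set action ipsec\nset vpntunnel "VPN-TO-SH"\nnext\n')
NAT_POL = ('edit 1\nset name "TO-Internet"\nset srcintf "lan"\nset dstintf "wan1"\n'
           'set action accept\nset nat enable\nnext\n')
GOOD = "config firewall policy\n" + VPN_POL + NAT_POL + "end\n"   # VPN policy on top
BAD = "config firewall policy\n" + NAT_POL + VPN_POL + "end\n"    # left below TO-Internet
P2_BJ = ('config vpn ipsec phase2\nedit "VPN-TO-SH"\nset src-subnet 192.168.0.0 255.255.255.0\n'
         'set dst-subnet 192.168.1.0 255.255.255.0\nnext\nend\n')
P2_SH = ('config vpn ipsec phase2\nedit "VPN-TO-BJ"\nset src-subnet 192.168.1.0 255.255.255.0\n'
         'set dst-subnet 192.168.0.0 255.255.255.0\nnext\nend\n')
```

Run `shadowed_vpn_policies(parse_fortios(BAD))` to see the VPN policy reported as shadowed, and `selectors_mirror(parse_fortios(P2_BJ), parse_fortios(P2_SH))` to confirm the two phase 2 definitions agree.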
V. Verifying the result
Check the monitor: Monitor -- IPsec Monitor:
Test with ping between the two networks; hosts in 192.168.0.0/24 and 192.168.1.0/24 can reach each other.

FortiGate1_BeiJing # diagnose sniffer packet any "host 192.168.1.111 and icmp" 4
interfaces=[any]
filters=[host 192.168.1.111 and icmp]
4.480722 lan in 192.168.0.111 -> 192.168.1.111: icmp: echo request
4.481847 wan1 in 192.168.1.111 -> 192.168.0.111: icmp: echo reply
4.481910 lan out 192.168.1.111 -> 192.168.0.111: icmp: echo reply
5.491545 lan in 192.168.0.111 -> 192.168.1.111: icmp: echo request
5.492468 wan1 in 192.168.1.111 -> 192.168.0.111: icmp: echo reply
5.492496 lan out 192.168.1.111 -> 192.168.0.111: icmp: echo reply
6.505476 lan in 192.168.0.111 -> 192.168.1.111: icmp: echo request
6.506471 wan1 in 192.168.1.111 -> 192.168.0.111: icmp: echo reply
6.506496 lan out 192.168.1.111 -> 192.168.0.111: icmp: echo reply
7.519482 lan in 192.168.0.111 -> 192.168.1.111: icmp: echo request
7.520102 wan1 in 192.168.1.111 -> 192.168.0.111: icmp: echo reply
7.520128 lan out 192.168.1.111 -> 192.168.0.111: icmp: echo reply
FortiGate1_BeiJing # diagnose sniffer packet any "host 100.1.1.2 and esp" 4
interfaces=[any]
filters=[host 100.1.1.2 and esp]
2.480779 wan1 out 100.1.1.2 -> 200.1.1.2: ESP(spi=0x99cf70d9,seq=0x6)
2.481351 wan1 in 200.1.1.2 -> 100.1.1.2: ESP(spi=0x66bd3632,seq=0x6)
3.482851 wan1 out 100.1.1.2 -> 200.1.1.2: ESP(spi=0x99cf70d9,seq=0x7)
3.483574 wan1 in 200.1.1.2 -> 100.1.1.2: ESP(spi=0x66bd3632,seq=0x7)
4.496890 wan1 out 100.1.1.2 -> 200.1.1.2: ESP(spi=0x99cf70d9,seq=0x8)
4.497592 wan1 in 200.1.1.2 -> 100.1.1.2: ESP(spi=0x66bd3632,seq=0x8)
5.510851 wan1 out 100.1.1.2 -> 200.1.1.2: ESP(spi=0x99cf70d9,seq=0x9)
5.511575 wan1 in 200.1.1.2 -> 100.1.1.2: ESP(spi=0x66bd3632,seq=0x9)
FortiGate1_BeiJing # get vpn ike gateway
vd: root/0
name: VPN-TO-SH
version: 1
interface: wan1 7
addr: 100.1.1.2:500 -> 200.1.1.2:500
created: 104s ago
IKE SA  created: 1/1  established: 1/1  time: 20/20/20 ms
IPsec SA  created: 2/2  established: 3/3  time: 20/30/70 ms

  id/spi: 0 2a6a40ecb750a416/fec3d7539b6157be
  direction: initiator
  status: established 104-104s ago = 20ms
  proposal: aes-128-sha256
  key: 30c39c1aec885fa3-d8145a45c2f548d9
  lifetime/rekey: 86400/85995
  DPD sent/recv: 00000000/0000007e
FortiGate1_BeiJing # get vpn ipsec tunnel details
gateway
  name: 'VPN-TO-SH'
  type: policy-based
  local-gateway: 100.1.1.2:0 (static)
  remote-gateway: 200.1.1.2:0 (static)
  mode: ike-v1
  interface: 'wan1' (7)
  rx  packets: 8  bytes: 960  errors: 0
  tx  packets: 8  bytes: 480  errors: 0
  dpd: on-idle/negotiated  idle: 20000ms  retry: 3  count: 0
  selectors
    name: 'VPN-TO-SH'
    auto-negotiate: enable
    mode: tunnel
    src: 0:192.168.0.0/255.255.255.0:0
    dst: 0:192.168.1.0/255.255.255.0:0
    SA  lifetime/rekey: 43200/42794  mtu: 1438  tx-esp-seq: 9  replay: enabled
      inbound  spi: 66bd3631
        enc:     aes-cb  72423716c2b7f96c23e2671b61304fd8
        auth:   sha1  42f769d6bdbdf0005fa9e01405c4077f356f54f4
      outbound  spi: 99cf70d9
        enc:     aes-cb  63cc3b32fd97982575c74b0b4129449e
        auth:   sha1  82185eaede7642da97c6805e49203b9e00dd4d1a
      NPU acceleration: none
    SA  lifetime/rekey: 43200/42825  mtu: 1438  tx-esp-seq: 1  replay: enabled
      inbound  spi: 66bd3632
        enc:     aes-cb  aaf6d0ab60adc48b743c0498d25124b3
        auth:   sha1  56262618a1914ef89f30e008c76a5da8e39db8ed
      outbound  spi: 99cf70d8
        enc:     aes-cb  5e297067374a3a4277adea5820c9522c
        auth:   sha1  f20174350509afa0a5677226ef9905a088cb5c66
      NPU acceleration: none
FortiGate1_BeiJing #
Note on using the sniffer to capture VPN traffic and ESP packets.
Capture the IPsec VPN IKE negotiation packets: diagnose sniffer packet any "host 200.1.1.2 and (port 500 or port 4500)" 4
Capture the IPsec VPN ESP-encrypted packets: diagnose sniffer packet any "host 200.1.1.2 and esp" 4
Capture the plaintext traffic carried by the IPsec VPN: diagnose sniffer packet any "host 192.168.1.111 and icmp" 4
Caution: because IPsec VPN hardware (NPU) acceleration is in use, the capture may be incomplete, mainly for the "ESP packets and plaintext traffic"; when that happens, disable NP offload on the VPN tunnel (the tunnel on this page is policy-based, so it lives under phase1 rather than phase1-interface):
FortiGate1_BeiJing # config vpn ipsec phase1
FortiGate1_BeiJing (phase1) # edit VPN-TO-SH
FortiGate1_BeiJing (VPN-TO-SH) # set npu-offload disable
FortiGate1_BeiJing (VPN-TO-SH) # end
VI. Notes
Q: In IPsec VPN policy mode, is a single policy with "Allow traffic to be initiated from the remote site" ticked enough to allow access in both directions?
A: The VPN policy you configure allows the local side to initiate the VPN connection; ticking "Allow traffic to be initiated from the remote site" additionally allows the remote side to initiate it, so the policy controls separately whether each of the two directions may bring up the VPN. Which traffic is actually allowed through is then controlled by the policy itself.
Deployment recommendation: use "interface mode" IPsec VPN wherever possible rather than this "policy mode" IPsec VPN.