I. Network Requirements

As shown in the figure, an IPsec VPN in interface (route-based) mode connects two LANs so that 192.168.17.0/24 and 192.168.19.0/24 can reach each other. The peer in this example is a Palo Alto firewall.

II. Network Topology

III. Configuration Points

1. Configure the FortiGate firewall

    1) Basic Internet access

    2) Configure the IPsec VPN

2. Configure the PA firewall

    1) Basic Internet access

    2) Configure the IPsec VPN

Note: to delete an IPsec VPN phase 1 or phase 2, first delete the static routes and firewall policies that reference the tunnel interface; FortiOS will not remove a phase 1 that is still in use by a route or policy.

IV. Configuration Steps

     1. Configure the FortiGate

     1) Basic Internet access (interface addresses, the default route and the outbound NAT policy; the CLI for the route and policy appears below)

     2) Configure the IPsec VPN

     Go to: VPN > IPsec Tunnels > Create New

     Select the Custom IPsec VPN template:

   IPsec phase 1 configuration:

   IPsec phase 2 configuration:

CLI equivalent of the GUI configuration:

config vpn ipsec phase1-interface
    edit "to-pa"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1   // FortiOS defaults; the SHA1 entries are kept for compatibility only, remove them once the peer is confirmed to negotiate SHA-256
        set dpd on-idle
        set remote-gw 101.100.1.19
        set psksecret Fortinet123#   // example value only; use a long random pre-shared key in production
    next
end
config vpn ipsec phase2-interface
    edit "to-pa"
        set phase1name "to-pa"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256   // first entry is AES-128/SHA1, which is what the status output below shows negotiated
        set auto-negotiate enable
    next
end

No dhgrp is set, so the FortiOS default DH group list is offered; the IKE SA status later on this page shows DH14 negotiated for phase 1 and DH5 PFS for phase 2. No src/dst selectors are set either, so the phase 2 selectors are 0.0.0.0/0 in both directions and routing decides what enters the tunnel.

      3) Configure the VPN-related policies

    CLI:
    Firewall policies:

config firewall policy
    edit 1
        set name "TO-Internet-Policy"  // LAN users to the Internet
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
    edit 2
        set name "vpn-to-pa-out"   // VPN outbound policy (LAN to tunnel)
        set srcintf "port1"
        set dstintf "to-pa"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
    edit 3
        set name "vpn-to-pa-in"   // VPN inbound policy (tunnel to LAN)
        set srcintf "to-pa"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
end

The VPN policies use all/all addresses and ALL services to keep the lab simple. In production, restrict srcaddr/dstaddr to 192.168.17.0/24 and 192.168.19.0/24 (and the services actually needed), so that a compromised host on either side cannot use the tunnel to reach arbitrary addresses.

    4) Configure the static routes for the VPN business subnet

     CLI:

config router static
    edit 1
        set gateway 202.100.1.192   // default route to the Internet
        set device "port2"
    next
    edit 2
        set dst 192.168.19.0 255.255.255.0   // remote LAN via the tunnel interface
        set device "to-pa"
    next
    edit 3
        set dst 192.168.19.0 255.255.255.0   // backup blackhole route, see the note below
        set distance 254
        set blackhole enable
    next
end

Note: the purpose of the blackhole route in the VPN routing configuration

You may run into VPN traffic problems such as these: SIP phones across the VPN drop now and then and cannot register with the server; RADIUS authentication across the VPN frequently fails; APs registering to headquarters across the VPN lose their connection intermittently; continuous PRTG ping monitoring of the headquarters servers shows periodic outages.

A VPN reconnects from time to time for various reasons, for example an unstable Internet link or a PPPoE reconnect that changes the public IP address. While the tunnel is briefly DOWN, the route to the remote VPN subnet disappears with it. VPN traffic (SIP registrations, RADIUS, CAPWAP, ICMP) then matches the default route and leaves through WAN1 (the Internet), creating a wrong UDP NAT session. Even after the tunnel comes back UP and the route to the remote subnet returns, the existing SIP and similar flows keep matching the wrong session and the service stays broken.

Troubleshooting approach: capture with diagnose sniffer packet any "port 5060" 4 and check the session table (diagnose sys session list) to confirm the traffic is leaving the wrong interface.

There are three ways to solve this kind of problem:

Option 1: add a blackhole route to the remote VPN subnet with administrative distance 254. While the VPN is up the tunnel route wins, because both routes cover the same /24 and the tunnel route has the lower distance (10). When the VPN goes down the tunnel route leaves the routing table and the blackhole route becomes the active route for that /24; because longest-prefix match beats the /0 default route regardless of distance, the traffic is dropped instead of being forwarded to the Internet, and no wrong session is created. This is the purpose of the backup blackhole route in the VPN configuration.

Option 2: add a deny policy with source interface LAN, destination interface WAN1, source address the local LAN subnet, destination address the remote LAN subnet. The useless private-to-private traffic headed for the Internet is dropped, so the FortiGate never creates the wrong session and the intermittent UDP failures disappear.

Option 3: enable "set snat-route-change enable" under config system global. When a route changes, the related sessions are flagged dirty, the route cache is cleared and the next hop for the destination is looked up again, so when the tunnel recovers the traffic moves back into the tunnel.
FGT # config system global
FGT (global) # set snat-route-change enable
FGT (global) # end
Any one of the three options is enough. The blackhole route is the recommended one.
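The route selection described above, as an added example that is not part of the original page: a minimal model of longest-prefix match plus administrative distance, loaded with routes that mirror the page's config router static entries. The Route class, the tunnel_up flag and the lookup/egress functions are this example's own; the expected behaviour is that the blackhole entry is inactive while the tunnel is up, and that with the tunnel down it wins over the default route even though its distance is 254.

```python
"""Longest-prefix match with administrative distance, illustrating the blackhole route.

Added example (not from the original page): a minimal model of the FortiGate
route selection discussed above. The route entries are constructed to mirror the
page's static routes; 'tunnel_up' stands for the state of the to-pa interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "192.168.19.0/24"
    device: str          # egress interface, or "blackhole"
    distance: int = 10   # FortiOS default administrative distance for static routes
    gateway: Optional[str] = None


# Constructed to mirror the page's 'config router static' on the FortiGate.
STATIC_ROUTES = [
    Route("0.0.0.0/0", "port2", 10, "202.100.1.192"),   # default route to the Internet
    Route("192.168.19.0/24", "to-pa", 10),              # remote LAN via the IPsec tunnel
    Route("192.168.19.0/24", "blackhole", 254),         # backup: drop when the tunnel is down
]

# The same table without the blackhole entry, to show what goes wrong.
WITHOUT_BLACKHOLE = [r for r in STATIC_ROUTES if r.device != "blackhole"]


def active_routes(routes, tunnel_up: bool):
    """Routes whose interface is up. A route bound to a down tunnel leaves the RIB,
    which is exactly the moment the blackhole entry becomes the best /24 route."""
    return [r for r in routes if tunnel_up or r.device != "to-pa"]


def lookup(routes, dst: str, tunnel_up: bool) -> Optional[Route]:
    """Forwarding decision: longest prefix wins; among equal prefixes the lowest
    administrative distance wins. Distance never beats a longer prefix."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in active_routes(routes, tunnel_up)
                  if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))


def egress(routes, dst: str, tunnel_up: bool) -> str:
    """Return 'drop' for a blackhole match, otherwise the egress interface name."""
    r = lookup(routes, dst, tunnel_up)
    if r is None:
        return "no-route"
    return "drop" if r.device == "blackhole" else r.device


if __name__ == "__main__":
    for table, label in ((STATIC_ROUTES, "with blackhole"), (WITHOUT_BLACKHOLE, "without blackhole")):
        for up in (True, False):
            print(f"{label:18} tunnel_up={up!s:5} 192.168.19.100 -> {egress(table, '192.168.19.100', up)}")
```

Without the blackhole entry the tunnel-down case resolves to port2, which is the NAT session to the Internet described above; with it, the same lookup returns drop while Internet destinations still use the default route.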

----FortiGate configuration complete----

  2. Configure the Palo Alto firewall

   1) Basic Internet access

  Default route:

 Policy:

  NAT:

 2) IPsec VPN configuration
  Custom phase 1 (IKE crypto) profile to-fgt-p1: pre-shared key + SHA256 + AES256 + DH Group 5 (to match the FortiGate phase 1 defaults)

  Custom phase 2 (IPsec crypto) profile to-fgt-p2: SHA-256/AES-256 + PFS Group 5 (to match the FortiGate phase 2 defaults)

  Check the negotiated result against these profiles: the SA status later on this page shows DH14 for phase 1, DH5 PFS for phase 2, and an IPsec SA of ESP/AES-128/SHA1. The group lists on both sides must therefore include the group the other side actually offers, and if AES-256/SHA-256 is required for the data path, remove the weaker entries from the FortiGate phase 2 proposal list and from the PA IPsec crypto profile so that AES-128/SHA1 can no longer be selected.

  Define the IKE gateway (VPN peer):

  Configure the IPsec tunnel:

  The IPsec tunnel is now bound to the tunnel interface; next adjust the tunnel interface configuration.
  Create the VPN-Zone security zone:

Add the tunnel interface to VPN-Zone:

  Configure the VPN security policies:

  Add the route to the remote VPN subnet:

  Click Commit for the configuration to take effect:

  ----PA firewall configuration complete----

V. Verifying the Configuration
    VPN status:
    FGT VPN status:
    Open the VPN monitor and check the state: Monitor > IPsec Monitor

   Routing table:

FGT status from the CLI:
FGVM04TM19005798 # get vpn ike gateway to-pa

vd: root/0
name: to-pa
version: 1
interface: port2 6
addr: 202.100.1.17:500 -> 101.100.1.19:500
created: 1938s ago
IKE SA  created: 1/2  established: 1/2  time: 200/10745/21290 ms
IPsec SA  created: 1/127  established: 1/2  time: 90/90/90 ms

  id/spi: 1848 caffbb6e704650b3/2d9229e7887d2deb
  direction: responder
  status: established 366-366s ago = 200ms
  proposal: aes-256-sha256
  key: eee31bce2590dda2-c714cda03b40d543-f09a21c1cc4ca574-5928558c6e04b1a1
  lifetime/rekey: 28800/28163
  DPD sent/recv: 00000000/00000000

FGVM04TM19005798 # get vpn ipsec tunnel name to-pa

gateway
  name: 'to-pa'
  type: route-based
  local-gateway: 202.100.1.17:0 (static)
  remote-gateway: 101.100.1.19:0 (static)
  mode: ike-v1
  interface: 'port2' (6)
  rx  packets: 972  bytes: 116640  errors: 0
  tx  packets: 972  bytes: 58320  errors: 2
  dpd: on-idle/negotiated  idle: 20000ms  retry: 3  count: 0
  selectors
    name: 'to-pa'
    auto-negotiate: enable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 43200/41721  
      mtu: 1438
      tx-esp-seq: 3cd
      replay: enabled
      qat: 0
      inbound
        spi: 9258dd48
        enc:  aes-cb  2b6d04dfa09de7ea3b4423e91a30bd0d
        auth:   sha1  629ab8cc2854c3c5e104355c5e484c1267577ba4
      outbound
        spi: fb3233ce
        enc:  aes-cb  5a9b81381e528077d33fef0f69914a39
        auth:   sha1  976c2462e163e946e2bec3cb3dce3126fddde71a


FGVM04TM19005798 # diagnose vpn ike gateway  list

vd: root/0
name: to-pa
version: 1
interface: port2 6
addr: 202.100.1.17:500 -> 101.100.1.19:500
created: 2053s ago
IKE SA: created 1/2  established 1/2  time 200/10745/21290 ms
IPsec SA: created 1/127  established 1/2  time 90/90/90 ms

  id/spi: 1848 caffbb6e704650b3/2d9229e7887d2deb
  direction: responder
  status: established 481-481s ago = 200ms
  proposal: aes256-sha256
  key: eee31bce2590dda2-c714cda03b40d543-f09a21c1cc4ca574-5928558c6e04b1a1
  lifetime/rekey: 28800/28048
  DPD sent/recv: 00000000/00000000

FGVM04TM19005798 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to-pa ver=1 serial=3 202.100.1.17:0->101.100.1.19:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=1059 txp=1059 rxb=127080 txb=63540
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=48
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-pa proto=0 sa=1 ref=3 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41634/0B replaywin=2048
       seqno=424 esn=0 replaywin_lastseq=00000423 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=9258dd48 esp=aes key=16 2b6d04dfa09de7ea3b4423e91a30bd0d
       ah=sha1 key=20 629ab8cc2854c3c5e104355c5e484c1267577ba4
  enc: spi=fb3233ce esp=aes key=16 5a9b81381e528077d33fef0f69914a39
       ah=sha1 key=20 976c2462e163e946e2bec3cb3dce3126fddde71a
  dec:pkts/bytes=1059/63540, enc:pkts/bytes=1059/127080
run_tally=1


FGVM04TM19005798 # get router info routing-table  all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 202.100.1.192, port2
C       192.168.17.0/24 is directly connected, port1
S       192.168.19.0/24 [10/0] is directly connected, to-pa
C       192.168.91.0/24 is directly connected, port4
C       202.100.1.0/24 is directly connected, port2


FGT IKE debug commands:
First, use the sniffer to confirm that UDP 500/4500 traffic flows in both directions:
diagnose sniffer packet any "host 101.100.1.19 and (port 500 or port 4500)" 4   // replace the IP with the peer's public IP
UDP 500 and UDP 4500 (the latter when NAT-T is in use) are the ports used by the IKE negotiation; both must pass end to end or the VPN cannot be established. Confirm this before moving on.

Then use the logs and the IKE application debug to determine whether the failure is in phase 1 or phase 2:
diagnose vpn ike log-filter dst-addr4 101.100.1.19   // replace the IP with the peer's public IP
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable   // turn the debug off again when finished
See the IPsec VPN troubleshooting section for how to read the debug output.

FortiGate-side traffic test:
FGVM04TM19005798 # execute ping-options source 192.168.17.1  // test from the FGT whether IPsec VPN traffic passes; the tunnel interface has no IP address, so the ping must be sourced from a LAN address or it cannot be routed into the tunnel

FGVM04TM19005798 # execute ping 192.168.19.1
PING 192.168.19.1 (192.168.19.1): 56 data bytes
64 bytes from 192.168.19.1: icmp_seq=0 ttl=64 time=87.5 ms
64 bytes from 192.168.19.1: icmp_seq=1 ttl=64 time=86.7 ms
64 bytes from 192.168.19.1: icmp_seq=2 ttl=64 time=86.6 ms
64 bytes from 192.168.19.1: icmp_seq=3 ttl=64 time=88.5 ms
64 bytes from 192.168.19.1: icmp_seq=4 ttl=64 time=86.4 ms

--- 192.168.19.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 86.4/87.1/88.5 ms

FGVM04TM19005798 # execute ping 192.168.19.100
PING 192.168.19.100 (192.168.19.100): 56 data bytes
64 bytes from 192.168.19.100: icmp_seq=0 ttl=127 time=77.6 ms
64 bytes from 192.168.19.100: icmp_seq=1 ttl=127 time=77.1 ms
64 bytes from 192.168.19.100: icmp_seq=2 ttl=127 time=77.1 ms
64 bytes from 192.168.19.100: icmp_seq=3 ttl=127 time=77.3 ms
64 bytes from 192.168.19.100: icmp_seq=4 ttl=127 time=77.3 ms

--- 192.168.19.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 77.1/77.2/77.6 ms

FGVM04TM19005798 # 

PA firewall VPN status (GUI):

PA firewall VPN status from the CLI:
admin@PA-VM-8-1-0-91-19> show vpn ike-sa gateway to-fgt
IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
2               202.100.1.17           to-fgt                 Init Main PSK/DH14/A256/SHA256  May.09 09:47:06 May.09 17:47:06 v1 13 1  0     

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name           TnID     Tunnel                 GwID/IP          Role Algorithm          SPI(in)  SPI(out) MsgID    ST Xt
------------           ----     ------                 -------          ---- ---------          -------  -------- -----    -- --
to-fgt                 5        ipsec-vpn-to-fgt       2                Resp ESP/ DH5/tunl/SHA1 FB3233CE 9258DD48 551D96D8 9  1  

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
There is no IKEv2 SA found.


admin@PA-VM-8-1-0-91-19> show vpn ipsec-sa tunnel ipsec-vpn-to-fgt
GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/
KB)           
--------------  ----   ------------           ---------------                                ---------          -------  -------- ---------
---           
2               5      202.100.1.17           ipsec-vpn-to-fgt(to-fgt)                       ESP/A128/SHA1      FB3233CE 9258DD48 38851/0 

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

admin@PA-VM-8-1-0-91-19> show vpn flow
total tunnels configured:                                     1
filter - type IPSec, state any

total IPSec tunnel configured:                                1
total IPSec tunnel shown:                                     1

id    name                          state   monitor local-ip                      peer-ip                       tunnel-i/f 
--    ----                          -----   ------- --------                      -------                       ---------- 
5     ipsec-vpn-to-fgt              active  off     101.100.1.19                  202.100.1.17                  tunnel     

admin@PA-VM-8-1-0-91-19> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast


VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS   
0.0.0.0/0                                   101.100.1.192                           10     A S              ethernet1/2                  
101.100.1.0/24                              101.100.1.19                            0      A C              ethernet1/2                  
101.100.1.19/32                             0.0.0.0                                 0      A H                                           
192.168.17.0/24                             0.0.0.0                                 10     A S              tunnel                       
192.168.19.0/24                             192.168.19.1                            0      A C              ethernet1/1                  
192.168.19.1/32                             0.0.0.0                                 0      A H                                           
total routes shown: 6

admin@PA-VM-8-1-0-91-19> 

PA IPsec VPN troubleshooting guide:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

PA firewall IPsec VPN debug:
> debug ike global on debug
> less mp-log ikemgr.log
> debug ike pcap on
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
> debug ike pcap off
> debug ike global off    // turn IKE debugging off again when finished

PA-side traffic test (the tunnel interface has no IP address here either, so the ping must carry a source IP):
admin@PA-VM-8-1-0-91-19> ping source 192.168.19.1 host 192.168.17.1
PING 192.168.17.1 (192.168.17.1) from 192.168.19.1 : 56(84) bytes of data.
64 bytes from 192.168.17.1: icmp_seq=1 ttl=255 time=83.1 ms
64 bytes from 192.168.17.1: icmp_seq=2 ttl=255 time=91.8 ms
64 bytes from 192.168.17.1: icmp_seq=3 ttl=255 time=80.8 ms
64 bytes from 192.168.17.1: icmp_seq=4 ttl=255 time=79.8 ms
64 bytes from 192.168.17.1: icmp_seq=5 ttl=255 time=78.5 ms
64 bytes from 192.168.17.1: icmp_seq=6 ttl=255 time=86.7 ms
64 bytes from 192.168.17.1: icmp_seq=7 ttl=255 time=85.4 ms
^C
--- 192.168.17.1 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6007ms
rtt min/avg/max/mdev = 78.508/83.778/91.859/4.297 ms
admin@PA-VM-8-1-0-91-19> ping source 192.168.19.1 host 192.168.17.100
PING 192.168.17.100 (192.168.17.100) from 192.168.19.1 : 56(84) bytes of data.
64 bytes from 192.168.17.100: icmp_seq=1 ttl=127 time=96.3 ms
64 bytes from 192.168.17.100: icmp_seq=2 ttl=127 time=85.0 ms
64 bytes from 192.168.17.100: icmp_seq=3 ttl=127 time=83.7 ms
64 bytes from 192.168.17.100: icmp_seq=4 ttl=127 time=82.5 ms
64 bytes from 192.168.17.100: icmp_seq=5 ttl=127 time=80.9 ms
^C
--- 192.168.17.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 80.918/85.706/96.329/5.483 ms
admin@PA-VM-8-1-0-91-19> 

Flow from 192.168.17.100 on the FGT side to 192.168.19.100 on the PA side:

Packet capture:
FGVM04TM19005798 # dia sni pa any "host 192.168.19.100 or host 101.100.1.19" 4 0 l
interfaces=[any]
filters=[host 192.168.19.100 or host 101.100.1.19]
2020-05-09 10:53:42.682109 port1 in 192.168.17.100 -> 192.168.19.100: icmp: echo request
2020-05-09 10:53:42.682235 to-pa out 192.168.17.100 -> 192.168.19.100: icmp: echo request
2020-05-09 10:53:42.682265 port2 out 202.100.1.17 -> 101.100.1.19: ESP(spi=0xfb3233ce,seq=0x11cc)

2020-05-09 10:53:42.759512 port2 in 101.100.1.19 -> 202.100.1.17: ESP(spi=0x9258dd48,seq=0x11cb)
2020-05-09 10:53:42.759534 to-pa in 192.168.19.100 -> 192.168.17.100: icmp: echo reply
2020-05-09 10:53:42.759567 port1 out 192.168.19.100 -> 192.168.17.100: icmp: echo reply

This is the complete sniffer trace of one ping: the cleartext request enters port1, is routed into to-pa, leaves port2 as ESP with the outbound SPI 0xfb3233ce, and the reply arrives as ESP with the inbound SPI 0x9258dd48 before being delivered back out port1. The SPIs match the enc/dec SPIs in the diagnose vpn tunnel list output above.
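A check of that trace, as an added example that is not part of the original page: it parses the verbose-4 sniffer lines exactly as printed above and verifies the forwarding path against the tunnel's SPIs taken from the diagnose vpn tunnel list output. The parser, the check_tunnel_path function and its check names are this example's own.

```python
"""Correlate a FortiGate sniffer trace with the tunnel's ESP SPIs.

Added example, not part of the original page. It parses the verbose-4 output
of 'diagnose sniffer packet' as shown on this page and checks that a cleartext
echo request entering port1 leaves port2 as ESP with the SA's outbound SPI, and
that the reply arrives with the inbound SPI. The trace is the six lines printed
above; the SPIs come from the page's 'diagnose vpn tunnel list' output.
"""
import re
from collections import defaultdict

# Sample input: the six sniffer lines shown above for one ping.
TRACE = """\
2020-05-09 10:53:42.682109 port1 in 192.168.17.100 -> 192.168.19.100: icmp: echo request
2020-05-09 10:53:42.682235 to-pa out 192.168.17.100 -> 192.168.19.100: icmp: echo request
2020-05-09 10:53:42.682265 port2 out 202.100.1.17 -> 101.100.1.19: ESP(spi=0xfb3233ce,seq=0x11cc)
2020-05-09 10:53:42.759512 port2 in 101.100.1.19 -> 202.100.1.17: ESP(spi=0x9258dd48,seq=0x11cb)
2020-05-09 10:53:42.759534 to-pa in 192.168.19.100 -> 192.168.17.100: icmp: echo reply
2020-05-09 10:53:42.759567 port1 out 192.168.19.100 -> 192.168.17.100: icmp: echo reply
"""

# From the page's 'diagnose vpn tunnel list': enc (outbound) and dec (inbound) SPIs.
TUNNEL_SPI = {"enc": 0xfb3233ce, "dec": 0x9258dd48}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): (?P<proto>.*)$"
)
ESP_RE = re.compile(r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)")


def parse_trace(text):
    """Return one dict per sniffer line; ESP lines also carry spi/seq as ints."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip banner lines such as 'interfaces=[any]'
        pkt = m.groupdict()
        esp = ESP_RE.search(pkt["proto"])
        if esp:
            pkt["spi"] = int(esp["spi"], 16)
            pkt["seq"] = int(esp["seq"], 16)
        pkts.append(pkt)
    return pkts


def check_tunnel_path(pkts, tunnel_if, wan_if, spi):
    """Verify the forwarding path of one ping through a route-based tunnel.

    Returns a dict of named checks; every value must be True for a healthy path."""
    esp_out = [p for p in pkts if p["iface"] == wan_if and p["dir"] == "out" and "spi" in p]
    esp_in = [p for p in pkts if p["iface"] == wan_if and p["dir"] == "in" and "spi" in p]
    return {
        # cleartext request was routed into the tunnel interface, not out the WAN
        "request_entered_tunnel": any(p["iface"] == tunnel_if and p["dir"] == "out"
                                      and "echo request" in p["proto"] for p in pkts),
        # encrypted request carries the SA's outbound (enc) SPI
        "esp_out_spi_matches": bool(esp_out) and all(p["spi"] == spi["enc"] for p in esp_out),
        # encrypted reply carries the SA's inbound (dec) SPI
        "esp_in_spi_matches": bool(esp_in) and all(p["spi"] == spi["dec"] for p in esp_in),
        # cleartext reply was decrypted and delivered back to the LAN
        "reply_reached_lan": any(p["iface"] not in (tunnel_if, wan_if) and p["dir"] == "out"
                                 and "echo reply" in p["proto"] for p in pkts),
        # no cleartext packet left through the WAN interface (the blackhole-route failure mode)
        "no_cleartext_on_wan": not any(p["iface"] == wan_if and "spi" not in p for p in pkts),
    }


def esp_seq_by_spi(pkts):
    """Highest ESP sequence number seen per SPI; a jump back to a small value
    between captures indicates a rekey or a tunnel restart."""
    seqs = defaultdict(int)
    for p in pkts:
        if "spi" in p:
            seqs[p["spi"]] = max(seqs[p["spi"]], p["seq"])
    return dict(seqs)


if __name__ == "__main__":
    packets = parse_trace(TRACE)
    for name, ok in check_tunnel_path(packets, "to-pa", "port2", TUNNEL_SPI).items():
        print(f"{name:24} {'OK' if ok else 'FAIL'}")
    print({hex(k): v for k, v in esp_seq_by_spi(packets).items()})
```

If the SPIs in a capture do not match the current enc/dec SPIs from diagnose vpn tunnel list, the packets belong to an older SA (for example after a rekey or a tunnel restart), which is worth knowing before concluding that the peer is dropping traffic.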

Note on capturing VPN payload and ESP packets with the sniffer
Capture the IPsec VPN IKE negotiation:
diagnose sniffer packet any "host 101.100.1.19 and (port 500 or port 4500)" 4

Capture the encrypted ESP packets:
diagnose sniffer packet any "host 101.100.1.19 and esp" 4

Capture the cleartext payload traffic:
diagnose sniffer packet any "host 192.168.19.100 and icmp" 4

Note: because IPsec can be offloaded to the NP ASIC, the sniffer may miss packets, mainly the ESP packets and the cleartext payload. When that happens, disable NP offload on the tunnel for the duration of the troubleshooting (the prompt shows the name of the phase 1 being edited, "VPN" in this example) and re-enable it afterwards, since offload is what carries the tunnel throughput:
FortiGate1_BeiJing # config vpn ipsec phase1-interface
FortiGate1_BeiJing (phase1-interface) # edit VPN
FortiGate1_BeiJing (VPN) # set npu-offload disable
FortiGate1_BeiJing (VPN) # end
See the IPsec VPN troubleshooting section for details.

Session status on the FGT and PA:

Additional topology test:
Instead of static routes, use OSPF to advertise each side's routes. Topology:

Delete the FGT static route to the remote subnet (keep the blackhole route):

At this point there is no route to the VPN peer's subnet; the traffic matches the blackhole route and is dropped, so the business traffic fails.

Now switch to OSPF so that both sides learn each other's routes dynamically:
1. Assign IP addresses to the IPsec VPN tunnel interfaces
Configure the FortiGate tunnel interface IP:

The policies are all-to-all, so they do not need to change:

Configure the PA tunnel interface IP:

Remember to commit after configuring; new PA configuration does not take effect until it is committed.

Because the PA policies are also all-to-all, they do not need to change either.

The tunnel interface addresses 10.10.10.1 (FGT) and 10.10.10.2 (PA) can now reach each other:
FGVM04TM19005798 # execute ping-options reset
FGVM04TM19005798 # 
FGVM04TM19005798 # execute ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=87.1 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=86.8 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=93.6 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=87.6 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=64 time=93.1 ms

--- 10.10.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 86.8/89.6/93.6 ms

FGVM04TM19005798 # 

admin@PA-VM-8-1-0-91-19> ping source 10.10.10.2 host 10.10.10.1
PING 10.10.10.1 (10.10.10.1) from 10.10.10.2 : 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=82.2 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=80.3 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=255 time=78.9 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=255 time=78.0 ms
64 bytes from 10.10.10.1: icmp_seq=5 ttl=255 time=77.3 ms
64 bytes from 10.10.10.1: icmp_seq=6 ttl=255 time=85.9 ms
64 bytes from 10.10.10.1: icmp_seq=7 ttl=255 time=84.9 ms
^C
--- 10.10.10.1 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6007ms
rtt min/avg/max/mdev = 77.323/81.107/85.983/3.142 ms
admin@PA-VM-8-1-0-91-19> 

2. Establish the OSPF adjacency over the tunnel interface IPs
FGT OSPF configuration:
Low-end FGT models need the hidden "Advanced Routing" feature enabled in the GUI (System > Feature Visibility).

Use the CLI to adjust the MTU handling on the OSPF tunnel interface; otherwise a tunnel MTU mismatch between the two sides prevents the adjacency from forming (it gets stuck in ExStart/Exchange, because the MTU advertised in the Database Description packets differs):
FGVM04TM19005798 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   ExStart/ -      00:00:32    10.10.10.2      to-pa

Adjust the MTU attributes on the tunnel interface:
FGVM04TM19005798 # config router ospf
FGVM04TM19005798 (ospf) # show
config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "tunnel-to-pa"
            set interface "to-pa"
            set network-type point-to-point // point-to-point is the FGT default for a tunnel interface; shown explicitly here
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.252
        next
        edit 2
            set prefix 192.168.17.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

FGVM04TM19005798 (ospf) # config ospf-interface
FGVM04TM19005798 (ospf-interface) # edit "tunnel-to-pa"
FGVM04TM19005798 (tunnel-to-pa) # set mtu
mtu           MTU for database description packets.
mtu-ignore    Enable/disable ignore MTU.
FGVM04TM19005798 (tunnel-to-pa) # set mtu-ignore enable  // skip the MTU match check during the OSPF DBD exchange
FGVM04TM19005798 (tunnel-to-pa) # set  mtu 1280  // optional; if set, use the same value on both sides
FGVM04TM19005798 (tunnel-to-pa) # end
FGVM04TM19005798 (ospf) # end
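Where the tunnel MTU comes from, as an added example that is not part of the original page: the 'mtu: 1438' reported by get vpn ipsec tunnel name to-pa earlier is the largest inner packet that fits one ESP packet on a 1500-byte WAN link with AES-CBC and HMAC-SHA1. The function below reproduces that value from the standard ESP tunnel-mode overheads (RFC 4303) and shows how it shifts with the integrity algorithm, AES-GCM and NAT-T, which is why two vendors' tunnel interfaces can disagree on MTU and trip the OSPF DBD check above. The function names, arguments and the ICV/IV tables are this example's own.

```python
"""Compute the usable MTU of an ESP tunnel interface.

Added example, not from the original page. It reproduces the 'mtu: 1438' that
'get vpn ipsec tunnel name to-pa' reports on this page for AES-CBC + HMAC-SHA1
over a 1500-byte WAN interface, and shows how the value moves with the cipher,
the integrity algorithm and NAT-T. The overhead constants are the standard ESP
tunnel-mode sizes (RFC 4303); the functions and their arguments are this example's own.
"""

OUTER_IPV4 = 20       # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
NAT_T_UDP = 8         # UDP header when ESP is encapsulated in UDP/4500

# (iv_len, alignment): AES-CBC needs a 16-byte IV and 16-byte padding alignment;
# AES-GCM carries an 8-byte IV and only needs the 4-byte alignment ESP requires.
CIPHERS = {"aes-cbc": (16, 16), "aes-gcm": (8, 4)}
# Integrity check value lengths: truncated HMACs and the 16-byte GCM tag.
ICV = {"sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32, "gcm": 16}


def esp_tunnel_mtu(link_mtu=1500, cipher="aes-cbc", auth="sha1", nat_t=False,
                   outer_ip=OUTER_IPV4):
    """Largest inner IP packet that fits in one ESP packet without fragmentation.

    The encrypted part (inner packet + padding + ESP trailer) must be a multiple
    of the cipher alignment, so the available space is rounded down to that
    alignment before the trailer is subtracted."""
    iv_len, align = CIPHERS[cipher]
    icv = ICV[auth]
    fixed = outer_ip + ESP_HEADER + iv_len + icv + (NAT_T_UDP if nat_t else 0)
    available = link_mtu - fixed                 # room for the encrypted part
    aligned = available - (available % align)    # round down to the alignment
    return aligned - ESP_TRAILER


def largest_unfragmented_ping(tunnel_mtu, ipv4_header=20, icmp_header=8):
    """ICMP payload size for a 'ping -s' with DF set that just fits the tunnel MTU."""
    return tunnel_mtu - ipv4_header - icmp_header


if __name__ == "__main__":
    print("aes-cbc/sha1        :", esp_tunnel_mtu())                         # 1438, as on the page
    print("aes-cbc/sha256      :", esp_tunnel_mtu(auth="sha256"))
    print("aes-cbc/sha1 + NAT-T:", esp_tunnel_mtu(nat_t=True))
    print("aes-gcm             :", esp_tunnel_mtu(cipher="aes-gcm", auth="gcm"))
    print("max DF ping payload :", largest_unfragmented_ping(esp_tunnel_mtu()))
```

Because the value depends on the negotiated algorithms and on NAT-T, the safe options for OSPF over the tunnel are the ones used on this page: either mtu-ignore, or an explicit identical MTU (1280 here) on both tunnel interfaces.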

PA OSPF configuration:

Change the MTU of tunnel1 to 1280 (optional; if you change it, match the other side):

Commit:

PA OSPF configuration complete.


3. Check the OSPF neighbors and the learned routes
FGT side:
FGVM04TM19005798 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   Full/ -         00:00:38    10.10.10.2      to-pa


FGVM04TM19005798 # get router info ospf route

OSPF process 0:
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

C  10.10.10.0/30 [100] is directly connected, to-pa, Area 0.0.0.0
C  192.168.17.0/24 [1] is directly connected, port1, Area 0.0.0.0
O  192.168.19.0/24 [110] via 10.10.10.2, to-pa, Area 0.0.0.0



FGVM04TM19005798 # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 202.100.1.192, port2
C       10.10.10.0/30 is directly connected, to-pa
C       10.10.10.1/32 is directly connected, to-pa
C       192.168.17.0/24 is directly connected, port1
O       192.168.19.0/24 [110/110] via 10.10.10.2, to-pa, 00:13:40
C       192.168.91.0/24 is directly connected, port4
C       202.100.1.0/24 is directly connected, port2

FGVM04TM19005798 # get router info ospf database router lsa
            OSPF Router with ID (10.10.10.1) (Process ID 0, VRF 0)

                Router Link States (Area 0.0.0.0)

  LS age: 20
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x0
  LS Type: router-LSA
  Link State ID: 10.10.10.1
  Advertising Router: 10.10.10.1
  LS Seq Number: 8000000a
  Checksum: 0x58f6
  Length: 60
   Number of Links: 3

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.10.10.2
     (Link Data) Router Interface address: 10.10.10.1
      Number of TOS metrics: 0
       TOS 0 Metric: 100

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 10.10.10.0
     (Link Data) Network Mask: 255.255.255.252
      Number of TOS metrics: 0
       TOS 0 Metric: 100

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 192.168.17.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metric: 1

  LS age: 21
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x2 : ASBR
  LS Type: router-LSA
  Link State ID: 10.10.10.2
  Advertising Router: 10.10.10.2
  LS Seq Number: 80000008
  Checksum: 0x23d3
  Length: 60
   Number of Links: 3

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.10.10.1
     (Link Data) Router Interface address: 10.10.10.2
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 10.10.10.0
     (Link Data) Network Mask: 255.255.255.252
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 192.168.19.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10


PA side:
admin@PA-VM-8-1-0-91-19> show routing protocol ospf neighbor
  Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
           N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
  ==========
  virtual router:                default
  neighbor address:              10.10.10.1
  local address binding:         0.0.0.0
  type:                          dynamic
  status:                        full
  neighbor router ID:            10.10.10.1
  area id:                       0.0.0.0
  neighbor priority:             1
  lifetime remain:               35
  messages pending:              0
  LSA request pending:           0
  options:                       0x42: O E
  hello suppressed:              no
  restart helper status:         not helping
  restart helper time remaining: 0
  restart helper exit reason:    none

admin@PA-VM-8-1-0-91-19> 
admin@PA-VM-8-1-0-91-19> show routing route type ospf
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast


VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS   
10.10.10.0/30                               0.0.0.0                                 10       Oi       217   tunnel                       
192.168.17.0/24                             10.10.10.1                              11     A Oi       199   tunnel                       
192.168.19.0/24                             0.0.0.0                                 10       Oi       217   ethernet1/1                  
total routes shown: 3

     
admin@PA-VM-8-1-0-91-19> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast


VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS   
0.0.0.0/0                                   101.100.1.192                           10     A S              ethernet1/2                  
10.10.10.0/30                               0.0.0.0                                 10       Oi       243   tunnel                       
10.10.10.0/30                               10.10.10.2                              0      A C              tunnel                       
10.10.10.2/32                               0.0.0.0                                 0      A H                                           
101.100.1.0/24                              101.100.1.19                            0      A C              ethernet1/2                  
101.100.1.19/32                             0.0.0.0                                 0      A H                                           
192.168.17.0/24                             10.10.10.1                              11     A Oi       224   tunnel                       
192.168.19.0/24                             0.0.0.0                                 10       Oi       243   ethernet1/1                  
192.168.19.0/24                             192.168.19.1                            0      A C              ethernet1/1                  
192.168.19.1/32                             0.0.0.0                                 0      A H                                           
total routes shown: 10

admin@PA-VM-8-1-0-91-19> 

admin@PA-VM-8-1-0-91-19> show routing protocol ospf dumplsdb
VIRTUAL ROUTER: default (id 1)
  ==========
VR Area ID         Orig RTR ID     LS ID              LSA Type             Seq Number CheckSum     Age  Size
  1 0.0.0.0         10.10.10.1      10.10.10.1         type-1 (Router)      0x8000000A 0x000058F6   297    60
            Options: [External]
            Router LSA Options: [none]
              P2P Link: Neighbor (ID: 10.10.10.2) on Interface Index 10.10.10.1, tos 0, metric: 100
              Stub Network: 10.10.10.0 Netmask 255.255.255.252, tos 0, metric: 100
              Stub Network: 192.168.17.0 Netmask 255.255.255.0, tos 0, metric: 1

  1 0.0.0.0         10.10.10.2      10.10.10.2         type-1 (Router)      0x80000009 0x000021D4   269    60
            Options: [External]
            Router LSA Options: [ASBR]
              P2P Link: Neighbor (ID: 10.10.10.1) on Interface Index 10.10.10.2, tos 0, metric: 10
              Stub Network: 10.10.10.0 Netmask 255.255.255.252, tos 0, metric: 10
              Stub Network: 192.168.19.0 Netmask 255.255.255.0, tos 0, metric: 10


The OSPF neighbor is Full and the routes are learned correctly on both sides.

4. Traffic test
No different from the earlier traffic test, so it is not described in detail.

From the FGT side to the PA side:

From the PA side to the FGT side: