I. Network requirements

As shown in the figure, two LANs are connected through an IPsec VPN (interface mode) so that the 192.168.17.0/24 and 192.168.21.0/24 segments can communicate. The IPsec VPN peer is an H3C firewall.

II. Network topology

[Figure: network topology]

III. Configuration points

1. Configure the FortiGate firewall

    1) Basic Internet access configuration

    2) Configure the IPsec VPN

2. Configure the H3C firewall

    1) Basic Internet access configuration

    2) Configure the IPsec VPN

Note: to delete IPsec VPN phase 1 or phase 2, first delete the static routes and firewall policies that reference them.

IV. Configuration steps

     1. Configure the FortiGate

     1) Basic Internet access configuration

     2) Configure the IPsec VPN

     Go to: VPN -- IPsec Tunnels -- "Create New"

     Select the IPsec VPN custom template for the configuration:

   IPsec phase 1 configuration:

   IPsec phase 2 configuration:

CLI equivalent of the GUI configuration:

config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 101.100.1.21
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2-interface
    edit "to-branch"
        set phase1name "to-branch"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.17.0 255.255.255.0      
        set dst-subnet 192.168.21.0 255.255.255.0
    next
end
// Unlike Cisco/PA/Juniper/Hillstone, where the interesting traffic is all-zeros, the mainstream domestic firewalls use explicit interesting traffic. H3C normally writes the interesting traffic out in detail, an older style of implementation (similar to a FortiGate policy-based VPN).

      3) Configure the VPN-related policies

    CLI:
    Configure the firewall policies:

config firewall policy
    edit 1
        set name "TO-Internet-Policy"  // policy for internal users to reach the Internet
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
    edit 2
        set name "vpn-to-branch-out"   // VPN outbound policy
        set srcintf "port1"
        set dstintf "to-branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
    edit 3
        set name "vpn-to-branch-in"   // VPN inbound policy
        set srcintf "to-branch"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
end

    4) Configure the static routes for the VPN subnets

     CLI:

config router static
    edit 1
        set gateway 202.100.1.192
        set device "port2"
    next
    edit 2
        set dst 192.168.21.0 255.255.255.0
        set device "to-branch"
    next
    edit 3
        set dst 192.168.21.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

Note: the meaning of the "blackhole route" in the VPN routing configuration:

You may run into VPN problems such as these: SIP phones over the VPN drop out from time to time and cannot register with the server; RADIUS authentication over the VPN frequently fails; APs registering with headquarters over the VPN lose their connection now and then; continuous PRTG monitoring that pings the headquarters server shows intermittent outages.

A VPN reconnects now and then for various reasons, such as an unstable Internet link or a PPPoE reconnection that changes the public IP address. The VPN tunnel goes DOWN briefly and the route to the peer's VPN subnet disappears with it. During that window the VPN traffic (SIP registration requests / RADIUS / CAPWAP / ICMP) matches the default route and is sent out WAN1 (Internet), creating an incorrect UDP NAT session. Even when the tunnel comes back UP and the route to the VPN subnet is restored, the existing SIP and other VPN flows keep matching the incorrect session, and the service stays broken.

Troubleshooting approach: use the sniffer (diagnose sniffer packet any "port 5060" 4) and the session list (diagnose sys session list) to determine the problem.
There are three ways to solve this kind of problem:
Option one: configure a "blackhole route" to the VPN subnet with administrative distance 254. While the VPN is up this blackhole route is inactive; when the VPN goes down it floats up and takes effect, discarding the VPN traffic for the duration of the outage instead of forwarding it to the Internet and creating an incorrect session. // This is the purpose of the backup blackhole route for the VPN.
Option two: configure a policy with source interface LAN, destination interface WAN1, source IP the local internal subnet, destination IP the remote internal subnet, and action deny. This discards the (useless) private traffic heading for the Internet so that the FGT never creates the incorrect session, which avoids the intermittent UDP service interruptions.
Option three: enable "set snat-route-change enable" in the global configuration. Whenever a route changes, the affected sessions are flagged "dirty", the route cache is cleared and the next hop for the destination IP is looked up again, so when the VPN tunnel recovers the traffic switches back into the tunnel.
FGT # config system global
FGT (global) # set snat-route-change enable
FGT (global) # end
Any one of the three methods is sufficient; the blackhole route method is recommended.
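The following is an added illustration for this article, not FortiOS code: a simplified model of longest-prefix / administrative-distance route selection plus a session cache, used to show why a packet that arrives while the tunnel is down ends up pinned to the Internet session, and how each of the three options above prevents that. Routes, distances, interface names and addresses mirror the "config router static" block above; the three switches on the Firewall class are a constructed abstraction of option one (blackhole route), option two (deny policy) and option three (snat-route-change), not FortiOS configuration keywords.

```python
"""Model of the tunnel-flap / stale-session problem and its three mitigations.
Added illustration for this article; not FortiOS code. FIB entries copy the
article's 'config router static' (FortiOS static routes default to distance 10)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    device: str        # egress interface; "blackhole" marks a blackhole route
    distance: int      # administrative distance


FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "port2", 10),            # default route via 202.100.1.192
    Route(ipaddress.ip_network("192.168.21.0/24"), "to-branch", 10),  # route over the tunnel interface
    Route(ipaddress.ip_network("192.168.21.0/24"), "blackhole", 254), # floating blackhole (option one)
]


def lookup(fib, dst, tunnel_up):
    """Longest prefix wins; among equal prefixes the lowest distance wins.
    The route over the tunnel interface is only installed while the tunnel is up."""
    addr = ipaddress.ip_address(dst)
    usable = [r for r in fib if addr in r.prefix and (tunnel_up or r.device != "to-branch")]
    best = max(usable, key=lambda r: (r.prefix.prefixlen, -r.distance))
    return best.device


@dataclass
class Firewall:
    blackhole: bool = False          # option one: blackhole route with distance 254 present
    deny_policy: bool = False        # option two: LAN -> WAN1 deny for private destinations
    snat_route_change: bool = False  # option three: set snat-route-change enable
    sessions: dict = field(default_factory=dict)  # (src, dst) -> (egress, tunnel state at creation)

    def forward(self, src, dst, tunnel_up):
        """Return the egress chosen for one packet of the flow src -> dst."""
        fib = [r for r in FIB if self.blackhole or r.device != "blackhole"]
        key = (src, dst)
        if key in self.sessions:
            egress, state_at_creation = self.sessions[key]
            # Without snat-route-change an existing session keeps its cached egress
            # even after the routing table has changed: the stale-session problem.
            if not self.snat_route_change or state_at_creation == tunnel_up:
                return egress
        egress = lookup(fib, dst, tunnel_up)
        if egress == "blackhole":
            return "dropped"  # blackholed: no session is created
        if egress == "port2" and self.deny_policy and ipaddress.ip_address(dst).is_private:
            return "dropped"  # denied by policy, again without creating a session
        self.sessions[key] = (egress, tunnel_up)
        return egress


def flap_scenario(fw, src="192.168.17.100", dst="192.168.21.100"):
    """Egress for the first packet while the tunnel is down, then for the next
    packet of the same flow once the tunnel is back up."""
    during = fw.forward(src, dst, tunnel_up=False)
    after = fw.forward(src, dst, tunnel_up=True)
    return during, after


if __name__ == "__main__":
    print("no mitigation     ", flap_scenario(Firewall()))                        # ('port2', 'port2')
    print("blackhole route   ", flap_scenario(Firewall(blackhole=True)))          # ('dropped', 'to-branch')
    print("deny policy       ", flap_scenario(Firewall(deny_policy=True)))        # ('dropped', 'to-branch')
    print("snat-route-change ", flap_scenario(Firewall(snat_route_change=True)))  # ('port2', 'to-branch')
```

With no mitigation the second packet still leaves port2 although the tunnel route is back, which is exactly the SIP/RADIUS symptom described above. Options one and two never create the bad session in the first place; option three lets the bad session exist but re-evaluates it once the route changes.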

----FortiGate configuration complete----

  2. Configure the H3C firewall

   1) Basic Internet access configuration

  Default route:

#IP and routing section#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.21.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 101.100.1.21 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
ip address 192.168.91.21 255.255.255.0
#
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 101.100.1.192
#
#Management section#
object-policy ip mgmt
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/4
#
zone-pair security source Any destination Local
object-policy apply ip mgmt
#
zone-pair security source Local destination Any
object-policy apply ip mgmt
#
local-user admin class manage
password Fortinet123#
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
ssh server enable
telnet server enable
#


[H3C-FW]display ip routing-table

Destinations : 21       Routes : 21

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           101.100.1.192   GE1/0/1
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
101.100.1.0/24     Direct  0   0           101.100.1.21    GE1/0/1
101.100.1.0/32     Direct  0   0           101.100.1.21    GE1/0/1
101.100.1.21/32    Direct  0   0           127.0.0.1       InLoop0
101.100.1.255/32   Direct  0   0           101.100.1.21    GE1/0/1
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
192.168.21.0/24    Direct  0   0           192.168.21.1    GE1/0/0
192.168.21.0/32    Direct  0   0           192.168.21.1    GE1/0/0
192.168.21.1/32    Direct  0   0           127.0.0.1       InLoop0
192.168.21.255/32  Direct  0   0           192.168.21.1    GE1/0/0
192.168.91.0/24    Direct  0   0           192.168.91.21   GE1/0/4
192.168.91.0/32    Direct  0   0           192.168.91.21   GE1/0/4
192.168.91.21/32   Direct  0   0           127.0.0.1       InLoop0
192.168.91.255/32  Direct  0   0           192.168.91.21   GE1/0/4
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
[H3C-FW]

  Security policies:

  NAT:

#
security-policy ip
rule 0 name to-Internet-Policy
  action pass 
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust

rule 2 name Untrust-to-Loacl
  action pass
  source-zone Untrust
  destination-zone Local

rule 3 name Management-to-Local
  action pass
  source-zone Management
  destination-zone Local

rule 4 name Trust-to-local
  action pass
  source-zone Trust
  destination-zone Local

rule 5 name Local-to-any
  action pass
  source-zone Local
#
object-group ip address vpn_local_192.168.21.0/24
0 network subnet 192.168.21.0 255.255.255.0
#
object-group ip address vpn_remote_192.168.17.0/24
0 network subnet 192.168.17.0 255.255.255.0
#
#
nat policy
rule name to_Internet_Snat
  source-ip vpn_local_192.168.21.0/24
  outbound-interface GigabitEthernet1/0/1
  action easy-ip port-preserved
#
  With the configuration above, internal PCs can reach the Internet normally.

 2) H3C firewall IPsec VPN configuration
  Custom phase 1 algorithms (phase 1 IKE proposal) 1: Pre-share + SHA256 + AES256 + Group5 (matching the FortiGate's default phase 1 algorithms)

  Configure the IPsec VPN policy:

#
ike profile to-fgt_IPv4_1
keychain to-fgt_IPv4_1
dpd interval 3 periodic
match remote identity address 202.100.1.17 255.255.255.255
match local address GigabitEthernet1/0/1
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group5
authentication-algorithm sha256
#
ike keychain to-fgt_IPv4_1
match local address GigabitEthernet1/0/1
pre-shared-key address 202.100.1.17 255.255.255.255 key cipher $c$3$/1T1s4OENycwLBIUMY0FlK2UKwCbPinMGoyrXsY6fA==
#
#             
acl advanced name IPsec_to-fgt_IPv4_1
rule 1 permit ip source 192.168.21.0 0.0.0.255 destination 192.168.17.0 0.0.0.255
#
#
ipsec transform-set to-fgt_IPv4_1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
pfs dh-group5
#
ipsec policy to-fgt 1 isakmp
transform-set to-fgt_IPv4_1
security acl name IPsec_to-fgt_IPv4_1
local-address 101.100.1.21
remote-address 202.100.1.17
ike-profile to-fgt_IPv4_1
sa duration time-based 43200
#
 IPsec VPN security policy configuration:

The two VPN rules must be moved to the very top of the policy list:
#
security-policy ip
rule 6 name to-fgt-vpn-out
  action pass 
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
  source-ip vpn_local_192.168.21.0/24
  destination-ip vpn_remote_192.168.17.0/24
rule 7 name to-fgt-vpn-in
  action pass
  logging enable
  counting enable
  source-zone Untrust
  destination-zone Trust
  source-ip vpn_remote_192.168.17.0/24
  destination-ip vpn_local_192.168.21.0/24
rule 0 name to-Internet-Policy
  action pass
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
#
  No VPN route is needed: the H3C does not create a VPN tunnel interface or a corresponding VPN route, so there is no VPN route to configure.
  Once the configuration above is complete, the IPsec VPN can be seen negotiating successfully:

  But at this point you will find that traffic does not pass:

  What is the cause, and what additional configuration makes the VPN traffic flow?
  The cause is that the H3C firewall performs SNAT first and IPsec afterwards. With the SNAT rule configured earlier, the VPN traffic from 192.168.21.100 to 192.168.17.100 is translated to 101.100.1.21 -> 192.168.17.100 before it enters IPsec processing; at that point it no longer matches the interesting traffic, so it never reaches the tunnel. The fix is simple: add a NAT rule that bypasses SNAT for the VPN traffic and place it at the top so that it matches first. The configuration is as follows:

 The final result is as follows:

#
nat policy
rule name bypass_vpn_flow
  source-ip vpn_local_192.168.21.0/24
  destination-ip vpn_remote_192.168.17.0/24
  outbound-interface GigabitEthernet1/0/1
  action no-nat
rule name to_Internet_Snat
  source-ip vpn_local_192.168.21.0/24
  outbound-interface GigabitEthernet1/0/1
  action easy-ip port-preserved
#
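The following is an added illustration for this article, not H3C code: a small model of the processing order explained above (NAT policy evaluated first, first matching rule wins, then the IPsec policy's ACL), showing why the to_Internet_Snat rule alone breaks the tunnel and why the bypass_vpn_flow rule must sit above it. Addresses, object-group names, rule names and the ACL are taken from the configuration above; the dictionary representation of NAT rules and the ACL wildcard matcher are constructed simplifications.

```python
"""H3C order of operations: SNAT before IPsec. Added illustration for this
article, not H3C code; rule and object names copy the article's configuration."""
import ipaddress

# object-group ip address entries from the article
OBJECT_GROUPS = {
    "vpn_local_192.168.21.0/24": ipaddress.ip_network("192.168.21.0/24"),
    "vpn_remote_192.168.17.0/24": ipaddress.ip_network("192.168.17.0/24"),
}
OUTSIDE_IP = "101.100.1.21"  # GigabitEthernet1/0/1 address that 'easy-ip' translates to

# acl advanced name IPsec_to-fgt_IPv4_1, rule 1 (interesting traffic)
IPSEC_ACL = [{"src": "192.168.21.0", "src_wc": "0.0.0.255",
              "dst": "192.168.17.0", "dst_wc": "0.0.0.255"}]


def in_group(group_name, ip):
    """A rule without a source-ip/destination-ip condition matches any address."""
    return group_name is None or ipaddress.ip_address(ip) in OBJECT_GROUPS[group_name]


def acl_rule_matches(rule, src, dst):
    """H3C ACL wildcard semantics: a wildcard bit of 1 means 'don't care',
    so only the bits where the wildcard is 0 are compared."""
    def match(addr, base, wildcard):
        a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
        return (a & ~w) == (b & ~w)
    return match(src, rule["src"], rule["src_wc"]) and match(dst, rule["dst"], rule["dst_wc"])


def apply_nat(nat_rules, src, dst):
    """First matching NAT rule wins; returns the (possibly translated) source address."""
    for rule in nat_rules:
        if in_group(rule.get("source-ip"), src) and in_group(rule.get("destination-ip"), dst):
            return OUTSIDE_IP if rule["action"] == "easy-ip" else src
    return src


def forward(nat_rules, src, dst):
    """SNAT first, then check the translated packet against the IPsec ACL."""
    translated_src = apply_nat(nat_rules, src, dst)
    if any(acl_rule_matches(r, translated_src, dst) for r in IPSEC_ACL):
        return "ipsec-tunnel"
    return f"cleartext via GE1/0/1 as {translated_src}"


# 'nat policy' before the fix: only to_Internet_Snat
NAT_BEFORE = [
    {"name": "to_Internet_Snat", "source-ip": "vpn_local_192.168.21.0/24", "action": "easy-ip"},
]
# 'nat policy' after the fix: bypass_vpn_flow placed first
NAT_AFTER = [
    {"name": "bypass_vpn_flow", "source-ip": "vpn_local_192.168.21.0/24",
     "destination-ip": "vpn_remote_192.168.17.0/24", "action": "no-nat"},
] + NAT_BEFORE

if __name__ == "__main__":
    for label, rules in (("before", NAT_BEFORE), ("after", NAT_AFTER)):
        print(label, "VPN flow:     ", forward(rules, "192.168.21.100", "192.168.17.100"))
        print(label, "Internet flow:", forward(rules, "192.168.21.100", "8.8.8.8"))
```

Placing bypass_vpn_flow below to_Internet_Snat gives the same broken result as having no bypass rule at all, because the SNAT rule already matched; order in the NAT policy is what matters here, not just the presence of the rule.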
----H3C firewall configuration complete----

V. Verifying the configuration
    Check the VPN status:
    Check the VPN status on the FGT:
    Open the VPN monitor and observe the status: go to "Monitor" -- "IPsec Monitor"

   Check the route status:

Check the FGT status from the CLI:
FGVM04TM19005798 # get vpn ike gateway to-branch

vd: root/0
name: to-branch
version: 1
interface: port2 6
addr: 202.100.1.17:500 -> 101.100.1.21:500
created: 8s ago
IKE SA  created: 1/1  established: 1/1  time: 480/480/480 ms
IPsec SA  created: 1/1  established: 2/2  time: 470/235/470 ms

  id/spi: 0 cee4fa69bb0a4237/67b034f31e39caca
  direction: initiator
  status: established 8-8s ago = 480ms
  proposal: aes-256-sha256
  key: 0d35ca535764e88f-d67ac633609bd40b-366ef35a3a3640a4-b11e99a7458b2ae1
  lifetime/rekey: 86400/86091
  DPD sent/recv: 00000000/00004a13


FGVM04TM19005798 # get vpn ipsec tunnel name to-branch

gateway
  name: 'to-branch'
  type: route-based
  local-gateway: 202.100.1.17:0 (static)
  remote-gateway: 101.100.1.21:0 (static)
  mode: ike-v1
  interface: 'port2' (6)
  rx  packets: 1387  bytes: 171988  errors: 0
  tx  packets: 1617  bytes: 97020  errors: 1
  dpd: on-idle/negotiated  idle: 20000ms  retry: 3  count: 0
  selectors
    name: 'to-branch'
    auto-negotiate: enable
    mode: tunnel
    src: 0:192.168.17.0/255.255.255.0:0
    dst: 0:192.168.21.0/255.255.255.0:0
    SA
      lifetime/rekey: 43200/42848  
      mtu: 1438
      tx-esp-seq: 34
      replay: enabled
      qat: 0
      inbound
        spi: 32cd6111
        enc:  aes-cb  65a729dfb01427904fa122aa2e37a1ef8a39027f61e0d43e85f7631633d7b99c
        auth: sha256  d5a278c047e952dd93ada61bb50093fc92a47d41e78b0653a4cd21f6ef896235
      outbound
        spi: 08f17977
        enc:  aes-cb  f1d533b68eac37c4d42094e4efbaa91865fd1e4cef6b548d91df8bff9d6ae616
        auth: sha256  67e1ad4e582279241bd23a042431923fca8713756e461604a0b43e09a56d517d

FGVM04TM19005798 # diagnose vpn ike gateway  list

vd: root/0
name: to-branch
version: 1
interface: port2 6
addr: 202.100.1.17:500 -> 101.100.1.21:500
created: 72s ago
IKE SA: created 1/1  established 1/1  time 480/480/480 ms
IPsec SA: created 1/1  established 2/2  time 470/235/470 ms

  id/spi: 0 cee4fa69bb0a4237/67b034f31e39caca
  direction: initiator
  status: established 72-72s ago = 480ms
  proposal: aes256-sha256
  key: 0d35ca535764e88f-d67ac633609bd40b-366ef35a3a3640a4-b11e99a7458b2ae1
  lifetime/rekey: 86400/86027
  DPD sent/recv: 00000000/00004a28



FGVM04TM19005798 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to-branch ver=1 serial=5 202.100.1.17:0->101.100.1.21:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=1426 txp=1656 rxb=176824 txb=99360
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-branch proto=0 sa=1 ref=3 serial=1 auto-negotiate
  src: 0:192.168.17.0/255.255.255.0:0
  dst: 0:192.168.21.0/255.255.255.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42809/0B replaywin=2048
       seqno=5b esn=0 replaywin_lastseq=0000005a itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=32cd6111 esp=aes key=32 65a729dfb01427904fa122aa2e37a1ef8a39027f61e0d43e85f7631633d7b99c
       ah=sha256 key=32 d5a278c047e952dd93ada61bb50093fc92a47d41e78b0653a4cd21f6ef896235
  enc: spi=08f17977 esp=aes key=32 f1d533b68eac37c4d42094e4efbaa91865fd1e4cef6b548d91df8bff9d6ae616
       ah=sha256 key=32 67e1ad4e582279241bd23a042431923fca8713756e461604a0b43e09a56d517d
  dec:pkts/bytes=90/5400, enc:pkts/bytes=90/11160
run_tally=1

FGVM04TM19005798 # get router info routing-table  all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 202.100.1.192, port2
C       192.168.17.0/24 is directly connected, port1
S       192.168.21.0/24 [10/0] is directly connected, to-branch
C       192.168.91.0/24 is directly connected, port4
C       202.100.1.0/24 is directly connected, port2

FGT IKE debug commands:
First, use the sniffer to confirm that UDP 500/4500 traffic between the two sides is flowing normally
diagnose sniffer packet any "host 101.100.1.21 and  ( port 500 or port 4500)" 4  //replace the IP with the peer's public IP
UDP 500 and UDP 4500 are the ports used by IKE, the IPsec VPN negotiation protocol; they must be reachable in both directions, otherwise the VPN cannot be established. Confirm reachability before moving on to the next step.

Then, use the IKE application debug log to determine whether the problem is in phase 1 or phase 2
diagnose vpn ike log-filter dst-addr4 101.100.1.21  //replace the IP with the peer's public IP
diagnose debug  application ike -1
diagnose debug  enable
For debug details refer to the IPsec VPN troubleshooting section.

FortiGate-side traffic test:
FGVM04TM19005798 # execute ping-options source 192.168.17.1  // to test IPsec VPN traffic from the FGT a source IP must be set: the VPN tunnel interface has no IP address, so the test must carry a source IP.

FGVM04TM19005798 # execute ping 192.168.21.1
PING 192.168.21.1 (192.168.21.1): 56 data bytes
64 bytes from 192.168.21.1: icmp_seq=0 ttl=255 time=78.4 ms
64 bytes from 192.168.21.1: icmp_seq=1 ttl=255 time=77.9 ms
64 bytes from 192.168.21.1: icmp_seq=2 ttl=255 time=78.2 ms
64 bytes from 192.168.21.1: icmp_seq=3 ttl=255 time=78.0 ms
64 bytes from 192.168.21.1: icmp_seq=4 ttl=255 time=78.3 ms

--- 192.168.21.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 77.9/78.1/78.4 ms

FGVM04TM19005798 # execute ping 192.168.21.100
PING 192.168.21.100 (192.168.21.100): 56 data bytes
64 bytes from 192.168.21.100: icmp_seq=0 ttl=127 time=79.6 ms
64 bytes from 192.168.21.100: icmp_seq=1 ttl=127 time=79.5 ms
64 bytes from 192.168.21.100: icmp_seq=2 ttl=127 time=87.2 ms
64 bytes from 192.168.21.100: icmp_seq=3 ttl=127 time=78.9 ms
64 bytes from 192.168.21.100: icmp_seq=4 ttl=127 time=79.1 ms

--- 192.168.21.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 78.9/80.8/87.2 ms
FGVM04TM19005798 # 

H3C firewall VPN traffic status:

H3C firewall VPN status CLI queries:

[H3C-FW]display ike sa  verbose
   -----------------------------------------------
   Connection ID: 339
   Outside VPN:
   Inside VPN:
   Profile: to-fgt_IPv4_1
   Transmitting entity: Responder
   Initiator cookie: cee4fa69bb0a4237
   Responder cookie: 67b034f31e39caca
   -----------------------------------------------
   Local IP: 101.100.1.21
   Local ID type: IPV4_ADDR
   Local ID: 101.100.1.21

   Remote IP: 202.100.1.17
   Remote ID type: IPV4_ADDR
   Remote ID: 202.100.1.17

   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: SHA256
   Encryption-algorithm: AES-CBC-256

   Life duration(sec): 86400
   Remaining key duration(sec): 85628
   Exchange-mode: Main
   Diffie-Hellman group: Group 5
   NAT traversal: Not detected

   Extend authentication: Disabled
   Assigned IP address:
   Vendor ID index:0xffffffff
   Vendor ID sequence number:0x0
[H3C-FW]  

[H3C-FW]display  ipsec sa 
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------

  -----------------------------
  IPsec policy: to-fgt
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: dh-group14
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Path MTU: 1424
    Tunnel:
        local  address: 101.100.1.21
        remote address: 202.100.1.17
    Flow:
        sour addr: 192.168.21.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.17.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 150042999 (0x08f17977)
      Connection ID: 30064771077
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA256
      SA duration (kilobytes/sec): 1843200/43200
      SA remaining duration (kilobytes/sec): 1843145/42380
      Max received sequence-number: 854
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 852320529 (0x32cd6111)
      Connection ID: 777389080580
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA256
      SA duration (kilobytes/sec): 1843200/43200
      SA remaining duration (kilobytes/sec): 1843147/42380
      Max sent sequence-number: 839
      UDP encapsulation used for NAT traversal: N
      Status: Active
[H3C-FW]
[H3C-FW]display ipsec  tunnel
Tunnel ID: 0
Status: Active
Perfect forward secrecy: dh-group14
Inside vpn-instance:
SA's SPI:
    outbound:  852320529   (0x32cd6111)   [ESP]  
    inbound:   150042999   (0x08f17977)   [ESP]  
Tunnel:
    local  address: 101.100.1.21
    remote address: 202.100.1.17
Flow:
        sour addr: 192.168.21.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.17.0/255.255.255.0  port: 0  protocol: ip
[H3C-FW] 

H3C IPsec VPN troubleshooting guide:
http://www.h3c.com/cn/d_201411/921533_30005_0.htm

H3C firewall-side traffic test (VPN traffic tests likewise need a source IP for the ping):
[H3C-FW]ping  -a 192.168.21.1 192.168.17.1
Ping 192.168.17.1 (192.168.17.1) from 192.168.21.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.17.1: icmp_seq=0 ttl=255 time=79.000 ms
56 bytes from 192.168.17.1: icmp_seq=1 ttl=255 time=78.000 ms
56 bytes from 192.168.17.1: icmp_seq=2 ttl=255 time=78.000 ms
56 bytes from 192.168.17.1: icmp_seq=3 ttl=255 time=79.000 ms
56 bytes from 192.168.17.1: icmp_seq=4 ttl=255 time=78.000 ms

--- Ping statistics for 192.168.17.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 78.000/78.400/79.000/0.490 ms

[H3C-FW]ping  -a 192.168.21.1 192.168.17.100
Ping 192.168.17.100 (192.168.17.100) from 192.168.21.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.17.100: icmp_seq=0 ttl=127 time=79.000 ms
56 bytes from 192.168.17.100: icmp_seq=1 ttl=127 time=81.000 ms
56 bytes from 192.168.17.100: icmp_seq=2 ttl=127 time=80.000 ms
56 bytes from 192.168.17.100: icmp_seq=3 ttl=127 time=78.000 ms
56 bytes from 192.168.17.100: icmp_seq=4 ttl=127 time=77.000 ms

--- Ping statistics for 192.168.17.100 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 77.000/79.000/81.000/1.414 ms
[H3C-FW]

Path taken by traffic from 192.168.17.100 on the FGT side to 192.168.21.100 on the H3C side:

Packet capture:
FGVM04TM19005798 # dia sni pa any "host 192.168.21.100 or host 101.100.1.21" 4 0 l
interfaces=[any]
2020-05-14 18:10:56.619473 port1 in 192.168.17.100 -> 192.168.21.100: icmp: echo request
2020-05-14 18:10:56.619563 to-branch out 192.168.17.100 -> 192.168.21.100: icmp: echo request
2020-05-14 18:10:56.619594 port2 out 202.100.1.17 -> 101.100.1.21: ESP(spi=0x08f17977,seq=0x4cc)

2020-05-14 18:10:56.698465 port2 in 101.100.1.21 -> 202.100.1.17: ESP(spi=0x32cd6111,seq=0x4bd)
2020-05-14 18:10:56.698491 to-branch in 192.168.21.100 -> 192.168.17.100: icmp: echo reply
2020-05-14 18:10:56.698515 port1 out 192.168.21.100 -> 192.168.17.100: icmp: echo reply

This is the complete sniffer trace of one ping.
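The following is an added illustration for this article, not FortiOS code: a parser for the "diagnose sniffer packet ... 4" lines shown above that checks the trace mechanically. A healthy ping must enter on the LAN port, leave via the tunnel interface, leave the WAN port as ESP with the outbound SPI, and come back along the reverse path with the inbound SPI; a plaintext packet leaving the WAN port is the leak described in the blackhole-route note. The six sample lines are the article's own capture and the SPIs are those from "get vpn ipsec tunnel name to-branch"; the second, "tunnel down" capture is constructed for the example.

```python
"""Checker for FortiGate sniffer traces of VPN traffic. Added illustration for
this article, not FortiOS code. Interface names and SPIs default to the
article's values; override them for another tunnel."""
import re

SNIFFER_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) (?P<src>[\d.]+) -> (?P<dst>[\d.]+): "
    r"(?:icmp: (?P<icmp>echo request|echo reply)"
    r"|ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\))$"
)

# The article's own capture of one ping (verbosity level 4 output).
SAMPLE_CAPTURE = """\
interfaces=[any]
2020-05-14 18:10:56.619473 port1 in 192.168.17.100 -> 192.168.21.100: icmp: echo request
2020-05-14 18:10:56.619563 to-branch out 192.168.17.100 -> 192.168.21.100: icmp: echo request
2020-05-14 18:10:56.619594 port2 out 202.100.1.17 -> 101.100.1.21: ESP(spi=0x08f17977,seq=0x4cc)

2020-05-14 18:10:56.698465 port2 in 101.100.1.21 -> 202.100.1.17: ESP(spi=0x32cd6111,seq=0x4bd)
2020-05-14 18:10:56.698491 to-branch in 192.168.21.100 -> 192.168.17.100: icmp: echo reply
2020-05-14 18:10:56.698515 port1 out 192.168.21.100 -> 192.168.17.100: icmp: echo reply
"""

# Constructed capture (not from the article): tunnel down, the request falls
# through to the default route and leaves port2 in plaintext, SNATed by policy 1.
LEAK_CAPTURE = """\
interfaces=[any]
2020-05-14 18:12:01.000001 port1 in 192.168.17.100 -> 192.168.21.100: icmp: echo request
2020-05-14 18:12:01.000050 port2 out 202.100.1.17 -> 192.168.21.100: icmp: echo request
"""


def parse_sniffer(text):
    """One dict per packet line; header lines such as 'interfaces=[any]' are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["proto"] = "ESP" if pkt["spi"] else "icmp"
            packets.append(pkt)
    return packets


def hop_signature(pkt):
    """(interface, direction, kind) where kind is the ICMP type or the ESP SPI."""
    kind = pkt["spi"] if pkt["proto"] == "ESP" else pkt["icmp"]
    return (pkt["intf"], pkt["dir"], kind)


def check_ping_path(packets, lan_if="port1", tunnel_if="to-branch", wan_if="port2",
                    spi_out="0x08f17977", spi_in="0x32cd6111"):
    """True when the capture is exactly one echo request/reply pair through the tunnel."""
    expected = [
        (lan_if, "in", "echo request"), (tunnel_if, "out", "echo request"), (wan_if, "out", spi_out),
        (wan_if, "in", spi_in), (tunnel_if, "in", "echo reply"), (lan_if, "out", "echo reply"),
    ]
    return [hop_signature(p) for p in packets] == expected


def find_plaintext_leaks(packets, wan_if="port2"):
    """Non-ESP packets leaving the WAN port: VPN traffic that took the default route."""
    return [p for p in packets if p["intf"] == wan_if and p["dir"] == "out" and p["proto"] != "ESP"]


if __name__ == "__main__":
    good = parse_sniffer(SAMPLE_CAPTURE)
    print("tunnel path ok:", check_ping_path(good), "leaks:", len(find_plaintext_leaks(good)))
    bad = parse_sniffer(LEAK_CAPTURE)
    print("tunnel path ok:", check_ping_path(bad), "leaks:", len(find_plaintext_leaks(bad)))
```

The SPI check ties the capture to the SA shown by "get vpn ipsec tunnel": outbound spi 08f17977 on the FortiGate is the inbound SPI 0x08f17977 in the H3C "display ipsec sa" output, and vice versa, so a mismatch would point at a stale or rekeyed SA rather than a routing problem.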

Note: capturing VPN traffic and ESP packets with the sniffer
Capture the IPsec VPN IKE negotiation packets:
diagnose sniffer packet any "host 101.100.1.21 and (port 500 or port 4500)" 4

Capture the encrypted IPsec VPN ESP packets:
diagnose sniffer packet any "host 101.100.1.21 and esp" 4

Capture the plaintext VPN traffic:
diagnose sniffer packet any "host 192.168.21.100 and icmp" 4

Caution: because IPsec VPN is offloaded to the NP hardware, the capture may be incomplete, mainly for the "ESP packets and plaintext traffic", so it is sometimes necessary to disable NP offload on the VPN tunnel:
FortiGate1_BeiJing # config vpn ipsec phase1-interface
FortiGate1_BeiJing (phase1-interface) # edit VPN
FortiGate1_BeiJing (BJ-OSPF-TO-SH) # set npu-offload disable
FortiGate1_BeiJing (BJ-OSPF-TO-SH) # end
See the IPsec VPN troubleshooting content for details.

Session status query on the FGT/H3C devices:



[H3C-FW]display session table  ipv4  protocol icmp
Slot 1:
Initiator:
  Source      IP/port: 192.168.21.100/768
  Destination IP/port: 192.168.17.100/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/0
  Source security zone: Trust

Initiator:
  Source      IP/port: 192.168.17.100/512
  Destination IP/port: 192.168.21.100/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: Untrust

Total sessions found: 2
[H3C-FW]