I. Network requirements

As shown in the topology, an IPsec VPN in interface (route-based) mode connects two LANs so that 192.168.17.0/24 (behind the FortiGate) and 192.168.116.0/24 (behind the Juniper firewall) can reach each other. The peer in this lab is a Juniper vSRX firewall.

II. Network topology

[topology diagram omitted]

III. Configuration outline

1. Configure the FortiGate firewall

    1) Basic Internet access

    2) IPsec VPN

2. Configure the Juniper firewall

    1) Basic Internet access

    2) IPsec VPN

Note: before deleting an IPsec VPN phase 1 or phase 2, first delete the static routes and firewall policies that reference the tunnel interface; FortiOS will not delete a phase 1 that is still referenced.

IV. Configuration steps

1. Configure the FortiGate

1) Basic Internet access

(GUI screenshots omitted; the corresponding Internet policy and default route appear in the CLI listings below.)

2) Configure the IPsec VPN

Go to VPN -> IPsec Tunnels -> "Create New".

Select the Custom IPsec VPN template and configure:

Phase 1 settings (GUI):

Phase 2 settings (GUI):

CLI equivalent of the GUI configuration. The pre-shared key must be identical to the one in the Juniper IKE policy (a short demo key is used here; use a long random one in production). No dhgrp is set, so the FortiGate phase-1 DH groups and phase-2 PFS groups stay at their defaults, which the Juniper proposals below are chosen to match:

config vpn ipsec phase1-interface
    edit "to-juniper"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 101.100.1.116
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2-interface
    edit "to-juniper"
        set phase1name "to-juniper"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set auto-negotiate enable
    next
end

3) Configure the VPN firewall policies

CLI equivalent:
Firewall policies. The VPN policies below use all/all with service ALL; in production, scope srcaddr/dstaddr to the two LAN subnets so that only the intended traffic crosses the tunnel:

config firewall policy
    edit 1
        set name "TO-Internet-Policy"  // internal users to the Internet
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
    edit 2
        set name "vpn-to-juniper-out"   // VPN outbound policy (LAN -> tunnel)
        set srcintf "port1"
        set dstintf "to-juniper"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
    edit 3
        set name "vpn-to-juniper-in"   // VPN inbound policy (tunnel -> LAN)
        set srcintf "to-juniper"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
end

4) Static routes for the VPN subnet

CLI equivalent (the peer subnet is 192.168.116.0/24, as the routing table shown later confirms):

config router static
    edit 1
        set gateway 202.100.1.192
        set device "port2"
    next
    edit 2
        set dst 192.168.116.0 255.255.255.0
        set device "to-juniper"
    next
    edit 3
        set dst 192.168.116.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

Note: why the black-hole route matters in the VPN routing configuration:

You may run into VPN service problems like these: SIP phones behind the VPN drop intermittently and cannot register with the server; RADIUS authentication over the VPN often fails; APs registered to headquarters over the VPN disconnect from time to time; continuous PRTG monitoring that pings the headquarters server shows intermittent outages.

A VPN re-establishes now and then for various reasons (an unstable Internet link, a PPPoE reconnect that changes the public IP, and so on). The tunnel goes DOWN briefly, and the route to the peer VPN subnet disappears with it. During that window the VPN traffic (SIP registration / RADIUS / CAPWAP / ICMP) matches the default route instead and is forwarded out the WAN interface (WAN1 in this description, port2 in the lab) towards the Internet, which creates a wrong UDP NAT session. Once the tunnel is UP again and the VPN route is back, the existing SIP and similar flows keep matching that stale session and still take the wrong path, so the service stays broken.

Troubleshooting approach: sniff the flow with diagnose sniffer packet any "port 5060" 4 to see which interface it actually leaves on, and inspect the session table with diagnose sys session list.
There are three ways to fix this:
Option 1: configure a black-hole route to the VPN subnet with administrative distance 254. While the VPN is up this route is inactive; when the VPN goes down it floats up and takes effect, dropping the VPN traffic instead of forwarding it to the Internet and creating wrong sessions. This is the purpose of the backup black-hole route in the VPN configuration.
Option 2: configure a deny policy with source interface LAN, destination interface WAN, source address the local LAN subnet and destination address the peer LAN subnet. This discards the (useless) private-address traffic headed for the Internet, so the FGT never creates the wrong session and the intermittent UDP failures go away.
Option 3: enable "set snat-route-change enable" globally. When a route changes, the affected sessions are flagged Dirty, the route cache is cleared and the next hop for the destination is looked up again, so when the tunnel comes back the traffic moves back into it.
FGT # config system global
FGT (global) # set snat-route-change enable
FGT (global) # end
Any one of the three is sufficient; the black-hole route is the recommended option.
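Added example (Python; not part of the original page and not FortiOS code): a small model of the route selection and session behaviour just described, using the three routes from "config router static" above. It shows what happens to one UDP flow across a tunnel flap without the black-hole route, with it, and with snat-route-change. The session rules (a forwarded packet pins a session to its egress; tunnel-down flushes tunnel sessions; a WAN session survives the tunnel returning unless snat-route-change forces a re-lookup) are the assumptions the explanation implies, not measured FortiOS behaviour.

```python
"""Added example: model of route selection plus simplified session pinning,
showing why a distance-254 black-hole route (option 1) and snat-route-change
(option 3) both stop VPN traffic from leaking to the Internet during a flap.

Simplifications (assumptions of this example, not measured FortiOS behaviour):
  * route selection = longest prefix match, then lowest administrative distance;
  * a forwarded packet creates a session pinned to its egress interface, a
    dropped packet creates none;
  * when the tunnel goes down, sessions on the tunnel are flushed, while a
    session on the WAN interface survives the tunnel coming back unless
    snat-route-change forces a fresh route lookup.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dst: str            # prefix, e.g. "192.168.116.0/24"
    device: str         # egress interface name, or "blackhole"
    distance: int = 10  # FortiOS default distance for a static route


DEFAULT_ROUTE = Route("0.0.0.0/0", "port2")                      # edit 1: Internet
VPN_ROUTE = Route("192.168.116.0/24", "to-juniper")               # edit 2: via the tunnel
BLACKHOLE = Route("192.168.116.0/24", "blackhole", distance=254)  # edit 3: floating backup


def lookup(routes, dst_ip):
    """Return the best Route for dst_ip, or None when nothing matches."""
    ip = ip_address(dst_ip)
    matches = [r for r in routes if ip in ip_network(r.dst)]
    if not matches:
        return None
    # Longest prefix wins; among equal prefixes, the lowest distance wins.
    return max(matches, key=lambda r: (ip_network(r.dst).prefixlen, -r.distance))


def egress_through_flap(routes, dst_ip, snat_route_change=False):
    """Egress chosen for one UDP flow (say, a SIP registration to dst_ip) across
    tunnel up -> tunnel down -> tunnel up. Returns three entries, each an
    interface name or "drop"."""
    session = None
    trace = []
    for tunnel_up in (True, False, True):
        # The tunnel route only exists in the routing table while the tunnel is up.
        active = [r for r in routes if tunnel_up or r.device != "to-juniper"]
        if session == "to-juniper" and not tunnel_up:
            session = None              # tunnel down: its sessions are flushed
        if session is not None and snat_route_change:
            session = None              # route changed: session marked dirty, re-lookup
        if session is None:
            best = lookup(active, dst_ip)
            egress = "drop" if best is None or best.device == "blackhole" else best.device
            if egress != "drop":
                session = egress        # a forwarded packet creates a pinned session
        else:
            egress = session            # an existing session wins over the routing table
        trace.append(egress)
    return trace


if __name__ == "__main__":
    sip_server = "192.168.116.100"
    print("no black-hole route:  ", egress_through_flap([DEFAULT_ROUTE, VPN_ROUTE], sip_server))
    print("with black-hole route:", egress_through_flap([DEFAULT_ROUTE, VPN_ROUTE, BLACKHOLE], sip_server))
    print("snat-route-change:    ", egress_through_flap([DEFAULT_ROUTE, VPN_ROUTE], sip_server, snat_route_change=True))
```

Without the black-hole route the trace ends on port2 even after the tunnel is back, which is the stale-session symptom; with it, the down phase is a drop (no session is created) and the flow returns to to-juniper as soon as the route reappears; snat-route-change reaches the same recovery by forcing the re-lookup instead.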

---- FortiGate configuration complete ----

2. Configure the Juniper firewall

1) Basic Internet access

Interfaces and default route:
 interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.116.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 101.100.1.116/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.91.116/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 101.100.1.192;
    }
}


admin> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:45:34
                    >  to 101.100.1.192 via ge-0/0/1.0
101.100.1.0/24     *[Direct/0] 00:47:17
                    >  via ge-0/0/1.0
101.100.1.116/32   *[Local/0] 00:47:17
                       Local via ge-0/0/1.0
192.168.91.0/24    *[Direct/0] 01:09:29
                    >  via fxp0.0
192.168.91.116/32  *[Local/0] 01:09:29
                       Local via fxp0.0
192.168.116.0/24   *[Direct/0] 00:47:17
                    >  via ge-0/0/0.0
192.168.116.1/32   *[Local/0] 00:47:17
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 21:48:32
                       MultiRecv

admin> 

Security policy (trust -> untrust; see the full configuration below):

NAT (screenshot omitted):

With the above, PCs on the internal network can reach the Internet.

2) IPsec VPN configuration
Custom phase-1 proposal to-fgt-p1: pre-shared key + SHA-256 + AES-256 + DH group 5 (matches the FortiGate phase-1 defaults).

Custom phase-2 proposal to-fgt-p2: SHA-256 / AES-256 + PFS group 5 (matches the FortiGate phase-2 defaults).

Configure the IKE (phase 1) policy and gateway (peer IP):

Configure the IKE gateway:

Configure the IPsec (phase 2) policy and VPN:

Before creating the IPsec VPN, create an st0 tunnel interface and a security zone to bind to it:

Then configure the phase-2 VPN:

Configure the VPN policies:

Add the route to the peer VPN subnet:

---- Juniper firewall configuration complete ----

The resulting Junos configuration (security, interfaces and routing-options hierarchies):

security {
    ike {
        proposal to-fgt-p1 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy to-fgt-ike-policy {
            mode main;
            description to-fgt;
            proposals to-fgt-p1;
            pre-shared-key ascii-text "$9$hBRylv2gJUi.oJ.5z6u0EcyrWxNdbY4a7Nbs"; ## SECRET-DATA
        }
        gateway to-fgt {
            ike-policy to-fgt-ike-policy;
            address 202.100.1.17;
            external-interface ge-0/0/1.0;
            version v1-only;
        }
    }
    ipsec {
        proposal to-fgt-p2 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 43200;
        }
        policy to-fgt-policy {
            description to-fgt-policy;
            perfect-forward-secrecy {
                keys group5;
            }
            proposals to-fgt-p2;
        }
        vpn to-fgt {
            bind-interface st0.1;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/0.0;
                destination-ip 192.168.17.1;
            }
            ike {
                gateway to-fgt;
                ipsec-policy to-fgt-policy;
            }
            establish-tunnels immediately;
        }
    }                                   
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy to-Internet-Policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone trust to-zone vpn_zone {
            policy vpn-to-fgt-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone vpn_zone to-zone trust {
            policy vpn-to-fgt-in {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {                 
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
            application-tracking;
            source-identity-log;
        }
        security-zone untrust {
            tcp-rst;
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
            application-tracking;
            source-identity-log;
        }
        security-zone vpn_zone {
            description vpn_zone;      
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.1;
            }
            application-tracking;
            source-identity-log;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.116.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 101.100.1.116/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.91.116/24;
            }
        }
    }
    st0 {
        unit 1 {
            description to-fgt;
            family inet;
            family inet6;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 101.100.1.192;
        route 192.168.17.0/24 next-hop st0.1;
    }
}
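Added example (Python; not from the page, FortiOS or Junos): how the proposals configured on the two sides are matched in the IKEv1 negotiation. In the status output later on this page the Juniper side is the initiator, so it offers its single to-fgt-p1 / to-fgt-p2 proposal and the FortiGate accepts it only if both the cipher/hash pair and the DH (or PFS) group are in its own lists; the same check run on the Junos side is what produces the "Peer proposed phase2 proposal conflicts with local configuration" tunnel event shown later. The FortiGate DH groups are not set explicitly above, so the example assumes the FortiOS 6.x default of 14 and 5 for both phases; the Junos-to-FortiGate name mapping is written for this example.

```python
"""Added example: IKEv1 proposal matching for the FortiGate/Junos configs above."""

# FortiGate phase 1: set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
FGT_P1_PROPOSALS = ["aes128-sha256", "aes256-sha256", "aes128-sha1", "aes256-sha1"]
FGT_P1_DHGRP = [14, 5]       # assumption: FortiOS 6.x default when "set dhgrp" is absent
# FortiGate phase 2: set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
FGT_P2_PROPOSALS = ["aes128-sha1", "aes256-sha1", "aes128-sha256", "aes256-sha256"]
FGT_P2_PFS_DHGRP = [14, 5]   # assumption: FortiOS 6.x default (pfs enable, dhgrp 14 5)

# Junos keywords -> FortiGate proposal spelling (mapping written for this example).
JUNOS_ENC = {"aes-256-cbc": "aes256", "aes-128-cbc": "aes128", "3des-cbc": "3des"}
JUNOS_AUTH = {"sha-256": "sha256", "sha1": "sha1", "md5": "md5",                         # IKE
              "hmac-sha-256-128": "sha256", "hmac-sha1-96": "sha1", "hmac-md5-96": "md5"}  # IPsec
JUNOS_DH = {"group2": 2, "group5": 5, "group14": 14, "group19": 19, "group20": 20}


def junos_offer(encryption, authentication, dh_group):
    """One Junos proposal plus its DH (phase 1) or PFS (phase 2) group, in FortiGate terms."""
    return f"{JUNOS_ENC[encryption]}-{JUNOS_AUTH[authentication]}", JUNOS_DH[dh_group]


def fgt_offers(proposals, dh_groups):
    """All (proposal, group) combinations the FortiGate sends when it initiates."""
    return [(p, g) for p in proposals for g in dh_groups]


def responder_select(local_proposals, local_dh_groups, peer_offers):
    """IKEv1 responder behaviour: accept the first peer offer whose cipher/hash pair
    and DH group are both configured locally. None means no overlap, i.e. the
    "proposal conflicts with local configuration" failure."""
    for proposal, dh in peer_offers:
        if proposal in local_proposals and dh in local_dh_groups:
            return proposal, dh
    return None


def phase1_result(dh_group="group5"):
    """Junos proposal to-fgt-p1 (aes-256-cbc / sha-256 / group5) against the FortiGate phase 1."""
    offers = [junos_offer("aes-256-cbc", "sha-256", dh_group)]
    return responder_select(FGT_P1_PROPOSALS, FGT_P1_DHGRP, offers)


def phase2_result(pfs_group="group5"):
    """Junos proposal to-fgt-p2 (esp / hmac-sha-256-128 / aes-256-cbc) with PFS keys <pfs_group>."""
    offers = [junos_offer("aes-256-cbc", "hmac-sha-256-128", pfs_group)]
    return responder_select(FGT_P2_PROPOSALS, FGT_P2_PFS_DHGRP, offers)


# The Junos policy to-fgt-policy lists exactly one proposal with PFS group5.
JUNOS_P2_LOCAL = [junos_offer("aes-256-cbc", "hmac-sha-256-128", "group5")]


def junos_accepts_phase2(fgt_offered):
    """The same check seen from the Junos responder when the FortiGate initiates phase 2."""
    local = [p for p, _ in JUNOS_P2_LOCAL]
    groups = [g for _, g in JUNOS_P2_LOCAL]
    return responder_select(local, groups, fgt_offered)


if __name__ == "__main__":
    print("phase 1:", phase1_result())                   # ('aes256-sha256', 5), as in "proposal: aes256-sha256"
    print("phase 2:", phase2_result())                   # ('aes256-sha256', 5)
    print("phase 2, PFS group2:", phase2_result("group2"))   # None: group 2 is not in the FGT list
    print("Junos accepts FGT phase 2:", junos_accepts_phase2(fgt_offers(FGT_P2_PROPOSALS, FGT_P2_PFS_DHGRP)))
    print("Junos vs FGT PFS 14 only:", junos_accepts_phase2(fgt_offers(FGT_P2_PROPOSALS, [14])))  # None: conflict
```

The negotiated result, aes256-sha256 with group 5, is the one reported by "get vpn ike gateway" and "show security ike security-associations detail" below; the None cases are what to look for first when one side logs a proposal conflict: usually the DH/PFS group, not the cipher, is the mismatch.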

V. Verifying the result
VPN status:
On the FGT, open Monitor -> IPsec Monitor and check that the tunnel is up.

Routing status: check that 192.168.116.0/24 points at the to-juniper interface.

FGT status from the CLI (the outputs below include the negotiated IKE and ESP keys; redact them before sharing the output):
FGVM04TM19005798 # get vpn ike gateway to-juniper

vd: root/0
name: to-juniper
version: 1
interface: port2 6
addr: 202.100.1.17:500 -> 101.100.1.116:500
created: 1229s ago
IKE SA  created: 1/2  established: 1/1  time: 180/180/180 ms
IPsec SA  created: 2/4  established: 1/2  time: 90/90/90 ms

  id/spi: 21493 8fc3685317282b7a/eb2a747d018aeae3
  direction: responder
  status: established 1207-1206s ago = 180ms
  proposal: aes-256-sha256
  key: ec9b699b968afbe2-8a3675aad399e196-8764a345384d65d5-aa81d4bd0c4f4ef1
  lifetime/rekey: 86400/84923
  DPD sent/recv: 00000000/00000000


FGVM04TM19005798 # get vpn ipsec tunnel name to-juniper

gateway
  name: 'to-juniper'
  type: route-based
  local-gateway: 202.100.1.17:0 (static)
  remote-gateway: 101.100.1.116:0 (static)
  mode: ike-v1
  interface: 'port2' (6)
  rx  packets: 603  bytes: 76660  errors: 0
  tx  packets: 603  bytes: 37596  errors: 1
  dpd: on-idle/negotiated  idle: 20000ms  retry: 3  count: 0
  selectors
    name: 'to-juniper'
    auto-negotiate: enable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 43200/42300  
      mtu: 1438
      tx-esp-seq: 200
      replay: enabled
      qat: 0
      inbound
        spi: f3e75fc3
        enc:  aes-cb  a1323a8617b6da9add57377410a4bb236dd111e7d0c413fc770aae34769378bf
        auth: sha256  767de80d06d512bbdfae2522cb47d319869f597e7dcf48fe56cf1e509100e9d8
      outbound
        spi: d16fa035
        enc:  aes-cb  c43c9ad6e8984de8d4a03f9f615f3ac43de3e1a1299a3df54ca11e52af816d9d
        auth: sha256  041a828b2c489e6a89eddd8669fb53819ec9d4546148092a3574905a08b784d2

FGVM04TM19005798 # diagnose vpn ike gateway  list

vd: root/0
name: to-juniper
version: 1
interface: port2 6
addr: 202.100.1.17:500 -> 101.100.1.116:500
created: 1293s ago
IKE SA: created 1/2  established 1/1  time 180/180/180 ms
IPsec SA: created 2/4  established 1/2  time 90/90/90 ms

  id/spi: 21493 8fc3685317282b7a/eb2a747d018aeae3
  direction: responder
  status: established 1271-1271s ago = 180ms
  proposal: aes256-sha256
  key: ec9b699b968afbe2-8a3675aad399e196-8764a345384d65d5-aa81d4bd0c4f4ef1
  lifetime/rekey: 86400/84858
  DPD sent/recv: 00000000/00000000


FGVM04TM19005798 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to-juniper ver=1 serial=4 202.100.1.17:0->101.100.1.116:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=753 txp=753 rxb=95260 txb=46596
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-juniper proto=0 sa=1 ref=3 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42150/0B replaywin=2048
       seqno=296 esn=0 replaywin_lastseq=00000295 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=f3e75fc3 esp=aes key=32 a1323a8617b6da9add57377410a4bb236dd111e7d0c413fc770aae34769378bf
       ah=sha256 key=32 767de80d06d512bbdfae2522cb47d319869f597e7dcf48fe56cf1e509100e9d8
  enc: spi=d16fa035 esp=aes key=32 c43c9ad6e8984de8d4a03f9f615f3ac43de3e1a1299a3df54ca11e52af816d9d
       ah=sha256 key=32 041a828b2c489e6a89eddd8669fb53819ec9d4546148092a3574905a08b784d2
  dec:pkts/bytes=661/39852, enc:pkts/bytes=661/82220
run_tally=1


FGVM04TM19005798 # get router info routing-table  all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 202.100.1.192, port2
C       192.168.17.0/24 is directly connected, port1
C       192.168.91.0/24 is directly connected, port4
S       192.168.116.0/24 [10/0] is directly connected, to-juniper
C       202.100.1.0/24 is directly connected, port2

FGT IKE debug commands:
First, sniff to confirm that UDP 500/4500 traffic is exchanged in both directions:
diagnose sniffer packet any "host 101.100.1.116 and (port 500 or port 4500)" 4   // replace the IP with the peer's public IP
IKE uses UDP 500 (and UDP 4500 when NAT-T is in use). Both must be reachable end to end or the VPN cannot be established; confirm this before going any further.

Then use the IKE debug to see whether the failure is in phase 1 or phase 2:
diagnose vpn ike log-filter dst-addr4 101.100.1.116   // replace the IP with the peer's public IP
diagnose debug application ike -1
diagnose debug enable
Turn the debug off afterwards with diagnose debug disable and diagnose debug reset.
See the IPsec VPN troubleshooting section for how to read the debug output.

Service test from the FortiGate:
FGVM04TM19005798 # execute ping-options source 192.168.17.1   // the tunnel interface has no IP address, so a test ping must be sourced from the LAN address to traverse the VPN

FGVM04TM19005798 # execute ping 192.168.116.1
PING 192.168.116.1 (192.168.116.1): 56 data bytes
64 bytes from 192.168.116.1: icmp_seq=0 ttl=64 time=77.1 ms
64 bytes from 192.168.116.1: icmp_seq=1 ttl=64 time=77.0 ms
64 bytes from 192.168.116.1: icmp_seq=2 ttl=64 time=76.9 ms
64 bytes from 192.168.116.1: icmp_seq=3 ttl=64 time=77.0 ms
64 bytes from 192.168.116.1: icmp_seq=4 ttl=64 time=77.0 ms

--- 192.168.116.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 76.9/77.0/77.1 ms

FGVM04TM19005798 # execute ping 192.168.116.100
PING 192.168.116.100 (192.168.116.100): 56 data bytes
64 bytes from 192.168.116.100: icmp_seq=0 ttl=127 time=77.0 ms
64 bytes from 192.168.116.100: icmp_seq=1 ttl=127 time=77.1 ms
64 bytes from 192.168.116.100: icmp_seq=2 ttl=127 time=77.0 ms
64 bytes from 192.168.116.100: icmp_seq=3 ttl=127 time=77.2 ms
64 bytes from 192.168.116.100: icmp_seq=4 ttl=127 time=77.0 ms

--- 192.168.116.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 77.0/77.0/77.2 ms
FGVM04TM19005798 # 

Juniper firewall VPN status (GUI screenshots omitted).

Juniper firewall VPN status from the CLI:

admin@VSRX> show security ike security-associations   
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address  
676433  UP     8fc3685317282b7a  eb2a747d018aeae3  Main           202.100.1.17 

admin@VSRX> show security ike security-associations 202.100.1.17 detail
IKE peer 202.100.1.17, Index 676433, Gateway Name: to-fgt
  Role: Initiator, State: UP
  Initiator cookie: 8fc3685317282b7a, Responder cookie: eb2a747d018aeae3
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 101.100.1.116:500, Remote: 202.100.1.17:500
  Lifetime: Expires in 84489 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Unknown Client
  Peer ike-id: 202.100.1.17
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 2128
   Output bytes  :                 1816
   Input  packets:                    8
   Output packets:                    8
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 101.100.1.116:500, Remote: 202.100.1.17:500
    Local identity: 101.100.1.116
    Remote identity: 202.100.1.17
    Flags: IKE SA is created

admin@VSRX> show security ipsec security-associations         
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway  
  <131073 ESP:aes-cbc-256/sha256 d16fa035 41742/ unlim U root 500 202.100.1.17   
  >131073 ESP:aes-cbc-256/sha256 f3e75fc3 41742/ unlim U root 500 202.100.1.17
 
admin@VSRX> show security ipsec security-associations vpn-name to-fgt detail
ID: 131073 Virtual-system: root, VPN Name: to-fgt
  Local Gateway: 101.100.1.116, Remote Gateway: 202.100.1.17
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Wed May 13 2020 04:13:29: IPSec SA negotiation successfully completed (1 times)
    Wed May 13 2020 04:13:24: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed (1 times)
    Wed May 13 2020 04:13:24: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
    Wed May 13 2020 04:03:01: IPSec SA negotiation successfully completed (1 times)
    Wed May 13 2020 04:03:01: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Wed May 13 2020 04:03:01: External interface's address received. Information updated (1 times)
    Wed May 13 2020 04:03:01: Bind-interface's zone received. Information updated (1 times)
    Wed May 13 2020 04:03:01: External interface's zone received. Information updated (1 times)
    Wed May 13 2020 04:03:01: IKE SA negotiation successfully completed (1 times)
  Direction: inbound, SPI: d16fa035, AUX-SPI: 0
                              , VPN Monitoring: UP
    Hard lifetime: Expires in 41989 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 41412 seconds
    Mode: Tunnel(10 10), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: f3e75fc3, AUX-SPI: 0
                              , VPN Monitoring: UP
    Hard lifetime: Expires in 41989 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 41412 seconds
    Mode: Tunnel(10 10), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

Juniper IPsec VPN troubleshooting guide:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&actp=METADATA

Juniper firewall IPsec VPN debug:

Enable logging of the IKE daemon (kmd) to a dedicated file:
# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit

Read the debug output:
> show log kmd-logs

or, on older releases:
> show log kmd | match 202.100.1.17
> show log kmd | find 202.100.1.17

Reference links:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10097&actp=METADATA

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30548&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10099&actp=METADATA

Service test from the Juniper side (the tunnel interface has no IP address, so the ping again has to be sourced from the LAN address):
admin@VSRX> ping source 192.168.116.1 192.168.17.1     
PING 192.168.17.1 (192.168.17.1): 56 data bytes
64 bytes from 192.168.17.1: icmp_seq=0 ttl=255 time=77.725 ms
64 bytes from 192.168.17.1: icmp_seq=1 ttl=255 time=77.736 ms
64 bytes from 192.168.17.1: icmp_seq=2 ttl=255 time=77.496 ms
64 bytes from 192.168.17.1: icmp_seq=3 ttl=255 time=77.516 ms
64 bytes from 192.168.17.1: icmp_seq=4 ttl=255 time=77.718 ms
^C
--- 192.168.17.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 77.496/77.638/77.736/0.108 ms

admin@VSRX> ping source 192.168.116.1 192.168.17.100   
PING 192.168.17.100 (192.168.17.100): 56 data bytes
64 bytes from 192.168.17.100: icmp_seq=0 ttl=127 time=77.912 ms
64 bytes from 192.168.17.100: icmp_seq=1 ttl=127 time=77.768 ms
64 bytes from 192.168.17.100: icmp_seq=2 ttl=127 time=77.772 ms
64 bytes from 192.168.17.100: icmp_seq=3 ttl=127 time=77.675 ms
64 bytes from 192.168.17.100: icmp_seq=4 ttl=127 time=77.799 ms
^C
--- 192.168.17.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 77.675/77.785/77.912/0.076 ms

admin@VSRX> 

Path of a ping from 192.168.17.100 (FGT side) to 192.168.116.100 (Juniper side):

Packet capture:
FGVM04TM19005798 # dia sni pa any "host 192.168.116.100 or host 101.100.1.116" 4 0 l
interfaces=[any]
filters=[host 192.168.116.100 or host 101.100.1.116]
2020-05-13 12:57:58.735334 port1 in 192.168.17.100 -> 192.168.116.100: icmp: echo request
2020-05-13 12:57:58.735446 to-juniper out 192.168.17.100 -> 192.168.116.100: icmp: echo request
2020-05-13 12:57:58.735485 port2 out 202.100.1.17 -> 101.100.1.116: ESP(spi=0x9f320129,seq=0x36)

2020-05-13 12:57:58.812497 port2 in 101.100.1.116 -> 202.100.1.17: ESP(spi=0xf3e75fc4,seq=0x35)
2020-05-13 12:57:58.812516 to-juniper in 192.168.116.100 -> 192.168.17.100: icmp: echo reply
2020-05-13 12:57:58.812539 port1 out 192.168.116.100 -> 192.168.17.100: icmp: echo reply

The complete sniffer trace of one ping: the plaintext echo request enters on port1, is routed into the to-juniper tunnel interface and leaves port2 as ESP; the reply arrives as ESP on port2, comes out of the tunnel interface and leaves port1 in clear text.
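Added example (Python; not from the page or from Fortinet): a parser for the sniffer output format shown above (verbose level 4: timestamp, interface, direction, src -> dst, protocol summary). It rebuilds the hop sequence of a flow so the route-based VPN path (LAN in, tunnel out, WAN out as ESP, and the reverse) can be checked mechanically, extracts the ESP SPIs for comparison with diagnose vpn tunnel list, and flags the failure mode from the black-hole discussion: a plaintext packet for the VPN subnet leaving on the WAN. The six ping lines are the capture above; the two UDP lines are constructed for this example.

```python
"""Added example: parse FortiGate 'diagnose sniffer packet ... 4' output and check the VPN path."""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One sniffer line at verbose level 4: "<date> <time> <iface> <in|out> <src> -> <dst>: <summary>"
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
                  r"(?P<src>\S+) -> (?P<dst>\S+): (?P<summary>.+)$")
SPI = re.compile(r"spi=0x([0-9a-fA-F]+)")

Pkt = namedtuple("Pkt", "ts iface dir src dst summary")

# Capture from the page: one ICMP echo through the tunnel.
PING_CAPTURE = """\
2020-05-13 12:57:58.735334 port1 in 192.168.17.100 -> 192.168.116.100: icmp: echo request
2020-05-13 12:57:58.735446 to-juniper out 192.168.17.100 -> 192.168.116.100: icmp: echo request
2020-05-13 12:57:58.735485 port2 out 202.100.1.17 -> 101.100.1.116: ESP(spi=0x9f320129,seq=0x36)
2020-05-13 12:57:58.812497 port2 in 101.100.1.116 -> 202.100.1.17: ESP(spi=0xf3e75fc4,seq=0x35)
2020-05-13 12:57:58.812516 to-juniper in 192.168.116.100 -> 192.168.17.100: icmp: echo reply
2020-05-13 12:57:58.812539 port1 out 192.168.116.100 -> 192.168.17.100: icmp: echo reply
"""

# Constructed for this example: a SIP registration while the tunnel is down and no
# black-hole route exists (source NATed to the WAN address, no ESP).
LEAK_CAPTURE = """\
2020-05-13 13:02:10.000001 port1 in 192.168.17.100.5060 -> 192.168.116.100.5060: udp 412
2020-05-13 13:02:10.000052 port2 out 202.100.1.17.5060 -> 192.168.116.100.5060: udp 412
"""


def parse(text):
    """Parse sniffer lines; header lines (interfaces=, filters=) and blanks are skipped."""
    return [Pkt(**m.groupdict()) for m in map(LINE.match, text.splitlines()) if m]


def host(addr):
    """Strip the trailing .port that the sniffer appends to TCP/UDP addresses."""
    return ".".join(addr.split(".")[:4])


def hops(pkts):
    """(interface, direction) sequence, e.g. port1/in -> to-juniper/out -> port2/out."""
    return [(p.iface, p.dir) for p in pkts]


def esp_spis(pkts):
    """SPIs seen on ESP packets: 'out' is the FGT's encrypting SPI, 'in' its decrypting SPI."""
    spis = {}
    for p in pkts:
        m = SPI.search(p.summary)
        if m and p.summary.startswith("ESP"):
            spis[p.dir] = m.group(1)
    return spis


def tunnel_path_ok(pkts, lan_if, tunnel_if, wan_if):
    """True when a request and its reply follow the expected route-based VPN path
    and everything on the WAN interface is ESP."""
    expected = [(lan_if, "in"), (tunnel_if, "out"), (wan_if, "out"),
                (wan_if, "in"), (tunnel_if, "in"), (lan_if, "out")]
    wan_is_esp = all(p.summary.startswith("ESP") for p in pkts if p.iface == wan_if)
    return hops(pkts) == expected and wan_is_esp


def leaked(pkts, wan_if, vpn_subnet):
    """Plaintext packets addressed to the VPN subnet that left on the WAN interface."""
    net = ip_network(vpn_subnet)
    return [p for p in pkts
            if p.iface == wan_if and p.dir == "out"
            and not p.summary.startswith("ESP")
            and ip_address(host(p.dst)) in net]


if __name__ == "__main__":
    ping = parse(PING_CAPTURE)
    print(hops(ping))
    print(esp_spis(ping))
    print("tunnel path ok:", tunnel_path_ok(ping, "port1", "to-juniper", "port2"))
    print("leaked:", [(p.iface, p.src, p.dst) for p in leaked(parse(LEAK_CAPTURE), "port2", "192.168.116.0/24")])
```

Run it against a real capture with "diagnose sniffer packet any 'host <peer LAN host>' 4"; a non-empty leaked() list means the flow is bypassing the tunnel, which is exactly the case the black-hole route is meant to prevent.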

Note on capturing VPN traffic with the sniffer:
IKE negotiation packets:
diagnose sniffer packet any "host 101.100.1.116 and (port 500 or port 4500)" 4

Encrypted ESP packets:
diagnose sniffer packet any "host 101.100.1.116 and esp" 4

Plaintext traffic inside the tunnel:
diagnose sniffer packet any "host 192.168.116.100 and icmp" 4

Caution: with hardware (NP) IPsec offload, the sniffer may miss packets, mainly the ESP packets and the plaintext traffic inside the tunnel. When that happens, temporarily disable NPU offload on the phase 1:
FGVM04TM19005798 # config vpn ipsec phase1-interface
FGVM04TM19005798 (phase1-interface) # edit to-juniper
FGVM04TM19005798 (to-juniper) # set npu-offload disable
FGVM04TM19005798 (to-juniper) # end
Re-enable it (set npu-offload enable) once troubleshooting is done, since offload is what gives the tunnel its throughput. See the IPsec VPN troubleshooting section for details.

Session status on the FGT and on the Juniper (screenshots omitted).
Additional topology test:
Instead of static routes, advertise both sides' routes over OSPF (topology diagram omitted).

Delete the static VPN route on the FGT (keep the black-hole route):

With no route to the VPN peer, the traffic now hits the black-hole route and is dropped, so the service stays down until OSPF brings the routes back.

Now switch to learning the peer routes over OSPF:
1. Assign IP addresses to the IPsec VPN tunnel interfaces
FortiGate tunnel IP (10.10.10.1, peer 10.10.10.2, on the 10.10.10.0/30 link):

The policies are all/all, so no policy change is needed.

Juniper tunnel IP (10.10.10.2/30 on st0.1):

Remember to commit; the new Juniper configuration does not take effect until then.
admin@VSRX# commit
commit complete
[edit]
admin@VSRX# 

The Juniper policies are also any/any, so they need no change either.

The tunnel addresses 10.10.10.1 and 10.10.10.2 can now reach each other:
FGVM04TM19005798 # execute ping-options reset
FGVM04TM19005798 #
FGVM04TM19005798 # execute ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=76.9 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=76.9 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=76.9 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=76.8 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=64 time=76.9 ms

--- 10.10.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 76.8/76.8/76.9 ms

FGVM04TM19005798 # 

admin@VSRX> ping source 10.10.10.2 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=255 time=77.630 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=77.465 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=77.501 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=255 time=77.736 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=255 time=77.473 ms
^C
--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 77.465/77.561/77.736/0.106 ms

admin@VSRX> 

2. Build the OSPF adjacency over the tunnel interface IPs
FGT OSPF configuration:
On low-end FGT models, enable the hidden "Advanced Routing" feature in the GUI first.

Adjust the OSPF MTU settings on the tunnel interface from the CLI; otherwise a tunnel MTU mismatch between the two sides leaves the adjacency stuck in ExStart/Exchange, as in this output:
FGVM04TM19005798 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   ExStart/ -      00:00:32    10.10.10.2      to-juniper

Adjust the tunnel interface MTU settings:
FGVM04TM19005798 # config router ospf
FGVM04TM19005798 (ospf) # show
config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "tunnel-to-juniper"
            set interface "to-juniper"
            set network-type point-to-point   // an FGT tunnel interface already defaults to point-to-point; this only makes it explicit
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.252
        next
        edit 2
            set prefix 192.168.17.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

FGVM04TM19005798 (ospf) # config ospf-interface
FGVM04TM19005798 (ospf-interface) # edit "tunnel-to-juniper"
FGVM04TM19005798 (tunnel-to-juniper) # set mtu
mtu           MTU for database description packets.
mtu-ignore    Enable/disable ignore MTU.
FGVM04TM19005798 (tunnel-to-juniper) # set mtu-ignore enable  // skip the MTU match check during the OSPF database exchange
FGVM04TM19005798 (tunnel-to-juniper) # set mtu 1280  // optional; if set, use the same value on both sides
FGVM04TM19005798 (tunnel-to-juniper) # end
FGVM04TM19005798 (ospf) # end

Juniper OSPF configuration:
admin@VSRX# set routing-options router-id 10.10.10.2
admin@VSRX# set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
admin@VSRX# set protocols ospf area 0.0.0.0 interface st0.1
admin@VSRX# set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p   (a Juniper st0 interface already defaults to p2p in OSPF, so this line is optional)

admin@VSRX# show protocols ospf   
preference 10;
external-preference 150;
area 0.0.0.0 {
    interface ge-0/0/0.0;
    interface st0.1 {
        interface-type p2p;
    }
}

[edit]
admin@VSRX# 



Set the TCP MSS for traffic entering IPsec tunnels to 1240 (with an MTU of 1280, 1240 leaves room for the 20-byte IPv4 and 20-byte TCP headers; optional, and if set, use the same value on both sides):
admin@VSRX# set security flow tcp-mss ipsec-vpn mss 1240

Commit the configuration:
admin@VSRX# commit
commit complete

[edit]
admin@VSRX# 

Juniper OSPF configuration complete.


3. Check the OSPF neighbours and the learned routes
FGT side:
FGVM04TM19005798 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2      128   Full/ -         00:00:33    10.10.10.2      to-juniper

FGVM04TM19005798 # get router info ospf route

OSPF process 0:
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

C  10.10.10.0/30 [100] is directly connected, to-juniper, Area 0.0.0.0
C  192.168.17.0/24 [1] is directly connected, port1, Area 0.0.0.0
O  192.168.116.0/24 [101] via 10.10.10.2, to-juniper, Area 0.0.0.0

FGVM04TM19005798 # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 202.100.1.192, port2
C       10.10.10.0/30 is directly connected, to-juniper
C       10.10.10.1/32 is directly connected, to-juniper
C       192.168.17.0/24 is directly connected, port1
C       192.168.91.0/24 is directly connected, port4
O       192.168.116.0/24 [110/101] via 10.10.10.2, to-juniper, 00:15:01
C       202.100.1.0/24 is directly connected, port2

FGVM04TM19005798 # get router info ospf database router lsa
            OSPF Router with ID (10.10.10.1) (Process ID 0, VRF 0)

                Router Link States (Area 0.0.0.0)

  LS age: 935
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x0
  LS Type: router-LSA
  Link State ID: 10.10.10.1
  Advertising Router: 10.10.10.1
  LS Seq Number: 80000073
  Checksum: 0x7f66
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 192.168.17.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metric: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.10.10.2
     (Link Data) Router Interface address: 10.10.10.1
      Number of TOS metrics: 0
       TOS 0 Metric: 100

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 10.10.10.0
     (Link Data) Network Mask: 255.255.255.252
      Number of TOS metrics: 0
       TOS 0 Metric: 100

  LS age: 936
  Options: 0x22 (*|-|DC|-|-|-|E|-)
  Flags: 0x0
  LS Type: router-LSA
  Link State ID: 10.10.10.2
  Advertising Router: 10.10.10.2
  LS Seq Number: 80000004
  Checksum: 0xfa9b
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 192.168.116.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metric: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.10.10.1
     (Link Data) Router Interface address: 10.10.10.2
      Number of TOS metrics: 0
       TOS 0 Metric: 1

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 10.10.10.0
     (Link Data) Network Mask: 255.255.255.252
      Number of TOS metrics: 0
       TOS 0 Metric: 1


Juniper side:

admin@VSRX> show ospf interface
Interface           State   Area            DR ID           BDR ID          Nbrs
ge-0/0/0.0          DR      0.0.0.0         10.10.10.2      0.0.0.0            0
st0.1               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1

admin@VSRX> show ospf neighbor   
Address          Interface              State     ID               Pri  Dead
10.10.10.1       st0.1                  Full      10.10.10.1         1    39

admin@VSRX> show ospf route
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop     
                   Type  Type       Type            Interface     Address/LSP
10.10.10.1         Intra Router     IP            1 st0.1
10.10.10.0/30      Intra Network    IP            1 st0.1
192.168.17.0/24    Intra Network    IP            2 st0.1
192.168.116.0/24   Intra Network    IP            1 ge-0/0/0.0

admin@VSRX> show ospf interface st0.1 detail
Interface           State   Area            DR ID           BDR ID          Nbrs
st0.1               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1
  Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 9192, Cost: 1
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1
st0.1               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            0
  Type: P2P, Address: 10.10.10.2, Mask: 255.255.255.252, MTU: 9192, Cost: 1
  Adj count: 0, Passive
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Passive, Cost: 1

admin@VSRX> show ospf database detail router   

    OSPF database, Area 0.0.0.0
Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   10.10.10.1       10.10.10.1       0x80000075   296  0x2  0x8162  60
  bits 0x0, link count 3
  id 10.10.10.2, data 10.10.10.1, Type PointToPoint (1)
    Topology count: 0, Default metric: 100
  id 10.10.10.0, data 255.255.255.252, Type Stub (3)
    Topology count: 0, Default metric: 100
  id 192.168.17.0, data 255.255.255.0, Type Stub (3)
    Topology count: 0, Default metric: 1
  Topology default (ID 0)
    Type: PointToPoint, Node ID: 10.10.10.2
      Metric: 100, Bidirectional
Router  *10.10.10.2       10.10.10.2       0x80000007   328  0x22 0xf49e  60
  bits 0x0, link count 3
  id 192.168.116.0, data 255.255.255.0, Type Stub (3)
    Topology count: 0, Default metric: 1
  id 10.10.10.1, data 10.10.10.2, Type PointToPoint (1)
    Topology count: 0, Default metric: 1
  id 10.10.10.0, data 255.255.255.252, Type Stub (3)
    Topology count: 0, Default metric: 1
  Topology default (ID 0)
    Type: PointToPoint, Node ID: 10.10.10.1
      Metric: 1, Bidirectional

admin@VSRX> show ospf overview
Instance: master
  Router ID: 10.10.10.2
  Route table index: 0
  LSA refresh time: 50 minutes
  Post Convergence Backup: Disabled
  DoNotAge uncapable
    Area scope LSAs received with no DC bit: 1
  Area: 0.0.0.0
    Stub type: Not Stub
    Authentication Type: None
    Area border routers: 0, AS boundary routers: 0
    Neighbors
      Up (in full state): 1
    DoNotAge uncapable
      Area scope LSAs received with no DC bit: 1
  Topology: default (ID 0)
    Prefix export count: 0
    Full SPF runs: 11
    SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
    Backup SPF: Not Needed

admin@VSRX> show route

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 19:26:24
                    >  to 101.100.1.192 via ge-0/0/1.0
10.10.10.0/30      *[Direct/0] 00:24:40
                    >  via st0.1
                    [OSPF/10] 00:23:20, metric 1
                    >  via st0.1
10.10.10.2/32      *[Local/0] 00:24:40
                       Local via st0.1
101.100.1.0/24     *[Direct/0] 19:26:53
                    >  via ge-0/0/1.0
101.100.1.116/32   *[Local/0] 19:26:53
                       Local via ge-0/0/1.0
192.168.17.0/24    *[OSPF/10] 00:06:35, metric 2
                    >  via st0.1
192.168.91.0/24    *[Direct/0] 19:31:49
                    >  via fxp0.0
192.168.91.116/32  *[Local/0] 19:31:49
                       Local via fxp0.0
192.168.116.0/24   *[Direct/0] 19:26:53
                    >  via ge-0/0/0.0
192.168.116.1/32   *[Local/0] 19:26:53
                       Local via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:29:26, metric 1
                       MultiRecv

inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

fe80::20c:2910:fcc2:3c7f/128
                   *[Local/0] 00:24:40
                       Local via st0.1
ff02::2/128        *[INET6/0] 19:35:53
                       MultiRecv

OSPF neighbors and routes are all learned correctly on both sides.
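A small script that checks this verification output automatically, added here as an example and not part of the original article or of either vendor's tooling. It parses the FortiGate routing table lines and the Juniper `show ospf route` / `show ospf database detail router` output shown above (embedded as constructed sample input), confirms that each side learned the other LAN via OSPF over the tunnel interface (`to-juniper` on the FortiGate, `st0.1` on the SRX), and reports point-to-point link costs that differ between the two router-LSAs. The prefixes, interface names and regular expressions are assumptions taken from the output above, not from any official parser.

```python
import re

# Constructed sample input, copied from the verification output above:
# FortiGate 'get router info routing-table all' (routing table lines only).
FGT_ROUTING_TABLE = """\
C       192.168.17.0/24 is directly connected, port1
C       192.168.91.0/24 is directly connected, port4
O       192.168.116.0/24 [110/101] via 10.10.10.2, to-juniper, 00:15:01
C       202.100.1.0/24 is directly connected, port2
"""

# Juniper 'show ospf route'.
SRX_OSPF_ROUTE = """\
Prefix             Path  Route      NH       Metric NextHop       Nexthop
                   Type  Type       Type            Interface     Address/LSP
10.10.10.1         Intra Router     IP            1 st0.1
10.10.10.0/30      Intra Network    IP            1 st0.1
192.168.17.0/24    Intra Network    IP            2 st0.1
192.168.116.0/24   Intra Network    IP            1 ge-0/0/0.0
"""

# Juniper 'show ospf database detail router' (abridged to the P2P links).
SRX_OSPF_DB = """\
Router   10.10.10.1       10.10.10.1       0x80000075   296  0x2  0x8162  60
  bits 0x0, link count 3
  id 10.10.10.2, data 10.10.10.1, Type PointToPoint (1)
    Topology count: 0, Default metric: 100
  id 10.10.10.0, data 255.255.255.252, Type Stub (3)
    Topology count: 0, Default metric: 100
Router  *10.10.10.2       10.10.10.2       0x80000007   328  0x22 0xf49e  60
  bits 0x0, link count 3
  id 10.10.10.1, data 10.10.10.2, Type PointToPoint (1)
    Topology count: 0, Default metric: 1
"""

FGT_OSPF = re.compile(r"^O\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+([^,\s]+),\s+([^,\s]+),")
FGT_CONN = re.compile(r"^C\s+(\S+)\s+is directly connected,\s+(\S+)")
SRX_ROUTE = re.compile(r"^(\S+)\s+(Intra|Inter|Ext\d?)\s+(Router|Network)\s+(\S+)\s+(\d+)\s+(\S+)")
LSA_HDR = re.compile(r"^Router\s+\*?(\S+)\s+(\S+)\s+0x[0-9a-fA-F]+")
P2P_LINK = re.compile(r"^\s+id (\S+), data (\S+), Type PointToPoint")
METRIC = re.compile(r"Default metric: (\d+)")


def parse_fgt_routing_table(text):
    """Return {prefix: {...}} for OSPF ('O') and connected ('C') FortiGate routes."""
    routes = {}
    for line in text.splitlines():
        m = FGT_OSPF.match(line)
        if m:
            prefix, ad, metric, nexthop, iface = m.groups()
            routes[prefix] = {"proto": "O", "ad": int(ad), "metric": int(metric),
                              "nexthop": nexthop, "iface": iface}
            continue
        m = FGT_CONN.match(line)
        if m:
            prefix, iface = m.groups()
            routes[prefix] = {"proto": "C", "iface": iface}
    return routes


def parse_srx_ospf_route(text):
    """Return {prefix: {'metric', 'iface'}} for Network routes in 'show ospf route'."""
    routes = {}
    for line in text.splitlines():
        m = SRX_ROUTE.match(line)
        if m and m.group(3) == "Network":
            prefix, _, _, _, metric, iface = m.groups()
            routes[prefix] = {"metric": int(metric), "iface": iface}
    return routes


def parse_p2p_link_costs(text):
    """Return {adv_router: {neighbor_router_id: cost}} from router-LSA P2P links."""
    costs, adv, pending = {}, None, None
    for line in text.splitlines():
        m = LSA_HDR.match(line)
        if m:
            adv = m.group(2)          # advertising router ID
            costs.setdefault(adv, {})
            pending = None
            continue
        m = P2P_LINK.match(line)
        if m:
            pending = m.group(1)      # neighbour router ID; cost is on the next line
            continue
        m = METRIC.search(line)
        if m and pending is not None:
            costs[adv][pending] = int(m.group(1))
            pending = None
    return costs


def check_tunnel_routes(fgt_routes, srx_routes, fgt_lan="192.168.17.0/24",
                        srx_lan="192.168.116.0/24", fgt_tunnel="to-juniper",
                        srx_tunnel="st0.1"):
    """Return findings; an empty list means both LANs are learned over the tunnel."""
    findings = []
    r = fgt_routes.get(srx_lan)
    if r is None or r["proto"] != "O":
        findings.append(f"FGT has no OSPF route to {srx_lan}")
    elif r["iface"] != fgt_tunnel:
        findings.append(f"FGT route to {srx_lan} exits {r['iface']}, not {fgt_tunnel}")
    r = srx_routes.get(fgt_lan)
    if r is None:
        findings.append(f"SRX has no OSPF route to {fgt_lan}")
    elif r["iface"] != srx_tunnel:
        findings.append(f"SRX route to {fgt_lan} exits {r['iface']}, not {srx_tunnel}")
    return findings


def asymmetric_p2p_costs(costs):
    """Return (a, b, cost_ab, cost_ba) for adjacencies advertised with unequal costs."""
    out = []
    for a, links in costs.items():
        for b, cost_ab in links.items():
            cost_ba = costs.get(b, {}).get(a)
            if cost_ba is not None and cost_ab != cost_ba and a < b:
                out.append((a, b, cost_ab, cost_ba))
    return out


if __name__ == "__main__":
    fgt = parse_fgt_routing_table(FGT_ROUTING_TABLE)
    srx = parse_srx_ospf_route(SRX_OSPF_ROUTE)
    print("findings:", check_tunnel_routes(fgt, srx) or "none")
    print("asymmetric P2P costs:", asymmetric_p2p_costs(parse_p2p_link_costs(SRX_OSPF_DB)))
```

On the output above the route check passes, and the cost check reports the one thing worth noticing in these LSAs: the FortiGate advertises the tunnel link with cost 100 while the SRX advertises it with cost 1, which is also why the FortiGate's route shows metric 101 and the SRX's shows metric 2. With a single tunnel this asymmetry is harmless, but if a second path is ever added, the two sides would prefer different paths, so it is worth keeping the interface costs aligned.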

4. Service test
This is no different from the earlier service tests, so it is not described again in detail.

Accessing services on the Juniper side from the FGT side:

Accessing services on the FGT side from the Juniper side: