一、组网需求

如图所示,通过IPsec VPN(接口模式)将2个局域网连接起来,实现192.168.0.0/24与192.168.2.0/24两个网段的通信。与OPENSWAN进行IPsec VPN对接。

二、网络拓扑

      

三、配置要点

1、配置FortiGate1

    1)基本上网配置

    2)根据自定义模板配置IPsec VPN(默认即为IPSEC接口模式)

2、配置FortiGate2

    1)基本上网配置

    2)根据自定义模板配置IPsec VPN(默认即为IPSEC接口模式)

说明:如果要删除IPSEC VPN第一阶段、第二阶段时,需要先删除被调用的路由与防火墙安全策略。

四、配置步骤

    1、配置FortiGate1 (BJ)

    1) 基本上网配置

     配置详细过程请参照 "路由模式典型功能--单线上网--静态地址线路上网配置"一节:

     接口IP配置如下:

    

    路由配置如下

   

     2) 根据模板配置IPsec VPN

     进入:虚拟专网--IPSEC隧道--"新建"

    

     选择IPsec VPN自定义模板进行配置:

   

   IPsec 第一阶段配置:

   

   IPsec 第二阶段配置:

   

      3) 配置VPN相关的策略
      
    

    4)使用VPN的静态路由

     

     

     

     命令行:

config vpn ipsec phase1-interface
    edit "VPN-TO-OPENSWAN"
        set interface "wan1"
        set peertype any
        set proposal 3des-md5 aes128-sha1
        set dpd on-idle
        set npu-offload disable
        set remote-gw 200.1.1.22
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2-interface
    edit "VPN-TO-OPENSWAN"
        set phase1name "VPN-TO-OPENSWAN"
        set proposal aes128-sha1 3des-md5
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-TO-OPENSWAN"
        set srcintf "lan"
        set dstintf "VPN-TO-OPENSWAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "VPN-OPENSWAN-TO-LOCAL"
        set srcintf "VPN-TO-OPENSWAN"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end      

config router static
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "VPN-TO-OPENSWAN"
    next
    edit 3
        set dst 192.168.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

         ----FortiGate1(BJ)的配置全部完成----       

   2、配置OPENSWAN
    1) 在Centos上安装OPENSWAN
    1.1).使用yum -y install openswan安装openswan
# yum -y install openswan lsof

# ipsec verify    //此时运行会有报错,完成以下步骤后需重新检查

# vi   /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 0                  ---改成1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1   ---改成0

# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
改为
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

# sysctl -p

     1.2).运行如下命令配置内核参数(禁止接受和发送ICMP重定向)
# Append "<key> = 0" for every IPv4 accept_redirects/send_redirects sysctl so
# that, after "sysctl -p", the host neither accepts nor sends ICMP redirects.
# The pattern match is done inside awk instead of a separate egrep stage.
sysctl -a | awk -F= '/ipv4.*(accept|send)_redirects/ { print $1 "= 0" }' >> /etc/sysctl.conf
成功执行后运行sysctl -p使修改的参数生效。
或者使用以下命令直接修改/proc下的ICMP重定向参数(仅当前运行有效,重启后失效):
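# Disable acceptance and sending of ICMP redirects on every IPv4 interface
# by writing directly to /proc. This takes effect immediately but does not
# survive a reboot; the sysctl.conf entries above are the persistent form.
# "iface" replaces the loop variable that was garbled to "***" in the
# original listing; the path is quoted so an odd interface name cannot split.
for iface in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$iface/accept_redirects"
  echo 0 > "$iface/send_redirects"
done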

     1.3).关闭selinux:执行setenforce 0(临时关闭selinux,重启后失效),接下来永久关闭selinux:
修改vi /etc/selinux/config 把
SELINUX=enforcing
改为
SELINUX=disabled

     1.4).关闭iptables
# /etc/init.d/iptables stop
# chkconfig iptables off



若保留iptables,则需放行openswan服务端口(IKE及NAT-T)和相应的NAT规则:
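# Allow inbound IPsec control and data traffic for the openswan peer:
#   UDP/500  - IKE
#   UDP/4500 - IKE/ESP NAT-Traversal (UDP only; there is no TCP/4500 in NAT-T,
#              so the original tcp rule is dropped)
#   ESP      - IP protocol 50, needed when the peer is not behind NAT; without
#              it the tunnel negotiates but un-encapsulated ESP is dropped.
# Optionally pin each rule to the peer address shown on this page, e.g.
# "-s 200.1.1.22", so only that gateway can reach the IKE daemon.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT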

     1.5).运行#chkconfig ipsec on 开机自动启动ipsec服务
     1.6).启动ipsec # service ipsec restart 并重新运行检查命令ipsec verify(重新确认ipsec)

       2) 配置Centos的IP和路由
          [root@liukangming ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
NM_CONTROLLED=no
ONBOOT=yes
NAME="eth2"
BOOTPROTO=static
DEVICE="eth2"
IPADDR=200.1.1.22
NETMASK=255.255.255.0
GATEWAY=200.1.1.254
DEFROUTE=yes
IPV6INIT=no
HWADDR="00:0c:29:a3:b3:fa"
DNS1=114.114.114.114
DNS2=1.2.4.8
NM_CONTROLLED=no

[root@liukangming ~]#
[root@liukangming ~]#
[root@liukangming ~]#
[root@liukangming ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth3
NM_CONTROLLED=no
ONBOOT=yes
NAME="eth3"
BOOTPROTO=static
DEVICE="eth3"
IPADDR=192.168.2.99
NETMASK=255.255.255.0
DEFROUTE=yes
IPV6INIT=no
DNS1=114.114.114.114
DNS2=1.2.4.8
NM_CONTROLLED=no
[root@liukangming ~]# 

[root@liukangming ~]# ifconfig

eth2      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:FA 
          inet addr:200.1.1.22  Bcast:200.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:350 errors:0 dropped:0 overruns:0 frame:0
          TX packets:486 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44947 (43.8 KiB)  TX bytes:65067 (63.5 KiB)

eth3      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:0E 
          inet addr:192.168.2.99  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b30e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:169396 (165.4 KiB)  TX bytes:948 (948.0 b)

[root@liukangming ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
200.1.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         200.1.1.254     0.0.0.0         UG    0      0        0 eth2

       3) 配置OPENSWAN
     [root@liukangming ~]# cat /etc/ipsec.secrets
     200.1.1.22 100.1.1.2: PSK "Fortinet123#"
 
     [root@liukangming ~]# cat  /etc/ipsec.conf
version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn openswan_to_fgt
    ##phase 1##
    authby=secret
    auto=start
    ike=aes-sha1;modp2048
    keyexchange=ike
    ikelifetime=86400

    ##phase 2##
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    keylife=43200

    left=200.1.1.22
    leftsubnet=192.168.2.0/24
    leftnexthop=%defaultroute

    right=100.1.1.2
    rightsubnet=192.168.0.0/24

[root@liukangming ~]# service ipsec restart
Shutting down pluto IKE daemon
002 shutting down

Starting pluto IKE daemon for IPsec: .                     [  OK  ]
[root@liukangming ~]# 

[root@liukangming ~]# service ipsec status
pluto (pid  70789) is running...
IPsec connections: loaded 1, active 1
[root@liukangming ~]#

[root@liukangming ~]# ipsec auto --status 
000 using kernel interface: netkey
000 interface lo/lo ::1@500
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.16.193.1@4500
000 interface eth0/eth0 172.16.193.1@500
000 interface eth1/eth1 192.168.91.193@4500
000 interface eth1/eth1 192.168.91.193@500
000 interface eth2/eth2 200.1.1.22@4500
000 interface eth2/eth2 200.1.1.22@500
000 interface eth3/eth3 192.168.2.99@4500
000 interface eth3/eth3 192.168.2.99@500
000 
000 
000 fips mode=disabled;
000 SElinux=disabled
000 
000 config setup options:
000 
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000 
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 
000 ESP algorithms supported:
000 
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000 
000 IKE algorithms supported:
000 
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000 
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,6144} attrs={0,2,4096}
000 
000 Connection list:
000 
000 "openswan_to_fgt": 192.168.2.0/24===200.1.1.22<200.1.1.22>---200.1.1.254...100.1.1.2<100.1.1.2>===192.168.0.0/24; erouted; eroute owner: #3
000 "openswan_to_fgt":     oriented; my_ip=unset; their_ip=unset
000 "openswan_to_fgt":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "openswan_to_fgt":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "openswan_to_fgt":   labeled_ipsec:no;
000 "openswan_to_fgt":   policy_label:unset;
000 "openswan_to_fgt":   ike_life: 86400s; ipsec_life: 43200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "openswan_to_fgt":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "openswan_to_fgt":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "openswan_to_fgt":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "openswan_to_fgt":   conn_prio: 24,24; interface: eth2; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "openswan_to_fgt":   dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "openswan_to_fgt":   newest ISAKMP SA: #4; newest IPsec SA: #3;
000 "openswan_to_fgt":   IKE algorithms wanted: AES_CBC(7)_000-SHA1(2)_000-MODP2048(14)
000 "openswan_to_fgt":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP2048(14)
000 "openswan_to_fgt":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "openswan_to_fgt":   ESP algorithms wanted: AES(12)_000-SHA1(2)_000; pfsgroup=MODP2048(14)
000 "openswan_to_fgt":   ESP algorithms loaded: AES(12)_000-SHA1(2)_000
000 "openswan_to_fgt":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP2048
000 
000 Total IPsec connections: loaded 1, active 1
000 
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000 
000 #3: "openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 42887s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "openswan_to_fgt" esp.e60ed201@100.1.1.2 esp.f95d8223@200.1.1.22 tun.0@100.1.1.2 tun.0@200.1.1.22 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #2: "openswan_to_fgt":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 42405s; isakmp#1; idle; import:admin initiate
000 #2: "openswan_to_fgt" esp.e60ed202@100.1.1.2 esp.b8d1237@200.1.1.22 tun.0@100.1.1.2 tun.0@200.1.1.22 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #1: "openswan_to_fgt":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85364s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "openswan_to_fgt":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 86089s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:not set
000 
000 Bare Shunt list:
000 
[root@liukangming ~]# 

五、检查配置结果
    VPN状态查看:
    查看VPN监视器,观察状态: 进入"监视器"--"IPsec监测"
    
    
  
   业务测试:
   FortiGate1_BeiJing:
FortiGate1_BeiJing # execute ping-options  source  192.168.0.99

FortiGate1_BeiJing # execute ping 192.168.2.99
PING 192.168.2.99 (192.168.2.99): 56 data bytes
64 bytes from 192.168.2.99: icmp_seq=0 ttl=64 time=0.9 ms
64 bytes from 192.168.2.99: icmp_seq=1 ttl=64 time=0.8 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=64 time=0.7 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=64 time=0.7 ms
64 bytes from 192.168.2.99: icmp_seq=4 ttl=64 time=0.7 ms

--- 192.168.2.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.7/0.9 ms

   OPENSWAN:
[root@liukangming ~]# ping -I 192.168.2.99 192.168.0.99
PING 192.168.0.99 (192.168.0.99) from 192.168.2.99 : 56(84) bytes of data.
64 bytes from 192.168.0.99: icmp_seq=1 ttl=255 time=0.674 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=255 time=0.735 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=255 time=0.630 ms
64 bytes from 192.168.0.99: icmp_seq=4 ttl=255 time=0.748 ms
64 bytes from 192.168.0.99: icmp_seq=5 ttl=255 time=0.606 ms
64 bytes from 192.168.0.99: icmp_seq=6 ttl=255 time=0.669 ms
64 bytes from 192.168.0.99: icmp_seq=7 ttl=255 time=0.654 ms
64 bytes from 192.168.0.99: icmp_seq=8 ttl=255 time=0.644 ms
^C
--- 192.168.0.99 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7372ms
rtt min/avg/max/mdev = 0.606/0.670/0.748/0.046 ms
[root@liukangming ~]# 

FortiGate1_BeiJing # dia sni pa any "host 192.168.2.99 or esp" 4 0 a
interfaces=[any]
filters=[host 192.168.2.99 or esp]
2019-03-29 09:14:47.583650 wan1 in 200.1.1.22 -> 100.1.1.2: ESP(spi=0xe60ed202,seq=0x1c)
2019-03-29 09:14:47.583692 VPN-TO-OPENSWAN in 192.168.2.99 -> 192.168.0.99: icmp: echo request
2019-03-29 09:14:47.583817 VPN-TO-OPENSWAN out 192.168.0.99 -> 192.168.2.99: icmp: echo reply
2019-03-29 09:14:47.583852 wan1 out 100.1.1.2 -> 200.1.1.22: ESP(spi=0xf95d8223,seq=0x1d)

2019-03-29 09:14:48.584114 wan1 in 200.1.1.22 -> 100.1.1.2: ESP(spi=0xe60ed202,seq=0x1d)
2019-03-29 09:14:48.584148 VPN-TO-OPENSWAN in 192.168.2.99 -> 192.168.0.99: icmp: echo request
2019-03-29 09:14:48.584192 VPN-TO-OPENSWAN out 192.168.0.99 -> 192.168.2.99: icmp: echo reply
2019-03-29 09:14:48.584224 wan1 out 100.1.1.2 -> 200.1.1.22: ESP(spi=0xf95d8223,seq=0x1e)

2019-03-29 09:14:49.584168 wan1 in 200.1.1.22 -> 100.1.1.2: ESP(spi=0xe60ed202,seq=0x1e)
2019-03-29 09:14:49.584207 VPN-TO-OPENSWAN in 192.168.2.99 -> 192.168.0.99: icmp: echo request
2019-03-29 09:14:49.584263 VPN-TO-OPENSWAN out 192.168.0.99 -> 192.168.2.99: icmp: echo reply
2019-03-29 09:14:49.584295 wan1 out 100.1.1.2 -> 200.1.1.22: ESP(spi=0xf95d8223,seq=0x1f)

2019-03-29 09:14:50.584194 wan1 in 200.1.1.22 -> 100.1.1.2: ESP(spi=0xe60ed202,seq=0x1f)
2019-03-29 09:14:50.584226 VPN-TO-OPENSWAN in 192.168.2.99 -> 192.168.0.99: icmp: echo request
2019-03-29 09:14:50.584271 VPN-TO-OPENSWAN out 192.168.0.99 -> 192.168.2.99: icmp: echo reply
2019-03-29 09:14:50.584299 wan1 out 100.1.1.2 -> 200.1.1.22: ESP(spi=0xf95d8223,seq=0x20)

2019-03-29 09:14:51.584248 wan1 in 200.1.1.22 -> 100.1.1.2: ESP(spi=0xe60ed202,seq=0x20)
2019-03-29 09:14:51.584280 VPN-TO-OPENSWAN in 192.168.2.99 -> 192.168.0.99: icmp: echo request
2019-03-29 09:14:51.584322 VPN-TO-OPENSWAN out 192.168.0.99 -> 192.168.2.99: icmp: echo reply
2019-03-29 09:14:51.584352 wan1 out 100.1.1.2 -> 200.1.1.22: ESP(spi=0xf95d8223,seq=0x21)
^C
20 packets received by filter
0 packets dropped by kernel

FortiGate1_BeiJing # 

说明:关于sniffer抓VPN业务和ESP的包
抓取IPsec VPN的IKE协商包:
diagnose sniffer packet any "host 200.1.1.22 and (port 500 or port 4500)" 4

抓取IPsec VPN的ESP加密数据包:
diagnose sniffer packet any "host 200.1.1.22 and esp" 4

抓取IPsec VPN的明文业务数据包:
diagnose sniffer packet any "host 192.168.2.99 and icmp" 4

注意:由于存在IPsec VPN芯片加速,因此可能数据包会抓不完全,主要指“ESP数据和明文业务数据”抓不全,因此有时候需要将VPN隧道的NP加速关闭:
FortiGate1_BeiJing # config vpn ipsec phase1-interface        
FortiGate1_BeiJing (phase1-interface) # edit VPN-TO-OPENSWAN                
FortiGate1_BeiJing (VPN-TO-OPENSWAN) # set npu-offload disable
FortiGate1_BeiJing (VPN-TO-OPENSWAN) # end

关于:调试openswan
# service ipsec restart   //启动IPsec VPN


Shutting down pluto IKE daemon

002 shutting down

Starting pluto IKE daemon for IPsec: .                     [  OK  ]

# service ipsec status   //查看VPN状态

pluto (pid  42819) is running...

IPsec connections: loaded 1, active 1


# ipsec auto --status   //查看IPsecVPN的详细情况

# cat /var/log/pluto.log  //日志查看,用于排错


附:OPENSWAN 野蛮模式协商:

FortiGate 野蛮模式IPsec VPN的配置:
config vpn ipsec phase1-interface
    edit "VPN-TO-OPENSWAN"
        set interface "wan1"
        set mode aggressive
        set peertype one
        set proposal 3des-md5 aes128-sha1
        set localid "fgt"
        set dpd on-idle
        set npu-offload disable
        set remote-gw 200.1.1.22
        set peerid "openswan"
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2-interface
    edit "VPN-TO-OPENSWAN"
        set phase1name "VPN-TO-OPENSWAN"
        set proposal aes128-sha1 3des-md5
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-TO-OPENSWAN"
        set srcintf "lan"
        set dstintf "VPN-TO-OPENSWAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "VPN-OPENSWAN-TO-LOCAL"
        set srcintf "VPN-TO-OPENSWAN"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end
config router static
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "VPN-TO-OPENSWAN"
    next
    edit 3
        set dst 192.168.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

OPENSWAN 野蛮模式IPsec VPN配置:
[root@liukangming ~]# cat /etc/ipsec.secrets
@openswan @fgt: PSK "Fortinet123#"
[root@liukangming ~]#
[root@liukangming ~]#  cat /etc/ipsec.conf
version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn openswan_to_dia
    ##phase 1##
    authby=secret
    auto=start
    ike=aes-sha1;modp2048
    keyexchange=ike
    aggrmode=yes
    ikelifetime=86400

    ##phase 2##
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    keylife=43200

    left=200.1.1.22
    leftid=@openswan
    leftsubnet=192.168.2.0/24
    leftnexthop=%defaultroute

    right=100.1.1.2
    rightid=@fgt
    rightsubnet=192.168.0.0/24
[root@liukangming ~]#