I. Network Requirements

As shown in the diagram, two LANs are connected through an IPsec VPN (interface mode) so that the 192.168.1.0/24 and 192.168.2.0/24 subnets can communicate. The IPsec VPN peer is a Hillstone firewall.

II. Network Topology

III. Configuration Overview

1. Configure FortiGate1

    1) Basic Internet access configuration

    2) Configure the IPsec VPN

2. Configure the Hillstone firewall

    1) Basic Internet access configuration

    2) Configure the IPsec VPN

Note: before deleting an IPsec VPN phase 1 or phase 2, first delete the routes and firewall policies that reference it.

IV. Configuration Steps

1. Configure the FortiGate

1) Basic Internet access configuration

2) Configure the IPsec VPN

Go to: VPN -- IPsec Tunnels -- "Create New"

Select the custom IPsec VPN template for the configuration:

IPsec phase 1 configuration:

IPsec phase 2 configuration:

CLI:

config vpn ipsec phase1-interface
    edit "to-side1"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 102.1.1.1
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2-interface
    edit "to-side1"
        set phase1name "to-side1"
        set proposal aes128-sha1 aes256-sha256
        set auto-negotiate enable
    next
end

Assign an IP address to the IPsec tunnel interface for the tunnel peering with the Hillstone (optional; it can be left unconfigured, but a tunnel IP is mandatory if OSPF is to run over the tunnel):

config system interface
    edit "to-side1"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set remote-ip 10.10.10.2 255.255.255.0
    next
end

3) Configure the VPN-related policies

Note: these policies do not permit traffic between the tunnel addresses themselves; if needed, add a policy allowing 10.10.10.X to reach the business subnets.

CLI:
Configure the firewall policies:
config firewall address
    edit "vpn_local_192.168.0.0/24"
        set allow-routing enable
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "vpn_remote_192.168.2.0/24"
        set allow-routing enable
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "TO-Internet"   // policy for LAN to Internet access
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
    edit 2
        set name "VPN-IN"
        set srcintf "to-side1"
        set dstintf "lan"
        set srcaddr "vpn_remote_192.168.2.0/24"
        set dstaddr "vpn_local_192.168.0.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "VPN-OUT"
        set srcintf "lan"
        set dstintf "to-side1"
        set srcaddr "vpn_local_192.168.0.0/24"
        set dstaddr "vpn_remote_192.168.2.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

4) Configure the static routes for the VPN business subnets

CLI:

config router static
    edit 1
        set gateway 100.1.1.254
        set device "wan1"
    next
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "to-side1"
    next
    edit 3
        set dst 192.168.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
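Why the third static route (distance 254, blackhole enable) is there: when the tunnel goes down, the 192.168.2.0/24 route via to-side1 is withdrawn, and without the blackhole the traffic would fall through to the default route on wan1, where policy 1 would NAT it out to the Internet. The following added example, which is not from the page or from Fortinet, simulates FortiOS route selection (longest prefix first, then lowest administrative distance, withdrawn routes ignored) over the three routes above; route names and the up-interface set are constructed.

```python
import ipaddress

# Constructed routing table mirroring the three FortiGate static routes on this page.
ROUTES = [
    {"dst": "0.0.0.0/0",      "device": "wan1",     "gateway": "100.1.1.254", "distance": 10},
    {"dst": "192.168.2.0/24", "device": "to-side1", "gateway": None,          "distance": 10},
    {"dst": "192.168.2.0/24", "device": None,       "gateway": None,          "distance": 254,
     "blackhole": True},
]

def lookup(dst_ip, routes, up_interfaces):
    """Select the route for dst_ip: longest prefix wins, then the lowest distance.
    A route whose egress interface is not up is withdrawn; a blackhole needs no interface."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r["dst"])
        if ip not in net:
            continue
        if not r.get("blackhole") and r["device"] not in up_interfaces:
            continue  # withdrawn, e.g. the IPsec interface is down
        candidates.append((net.prefixlen, -r["distance"], r))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]), reverse=True)
    return candidates[0][2]

def egress(dst_ip, routes, up_interfaces):
    """Where a packet to dst_ip goes: the egress device name, 'blackhole', or 'no route'."""
    r = lookup(dst_ip, routes, up_interfaces)
    if r is None:
        return "no route"
    return "blackhole" if r.get("blackhole") else r["device"]

if __name__ == "__main__":
    all_up = {"lan", "wan1", "to-side1"}
    tunnel_down = {"lan", "wan1"}
    print("tunnel up:        ", egress("192.168.2.99", ROUTES, all_up))
    print("tunnel down:      ", egress("192.168.2.99", ROUTES, tunnel_down))
    print("no blackhole route", egress("192.168.2.99", ROUTES[:2], tunnel_down))
```

With the blackhole route in place, traffic for 192.168.2.0/24 is dropped while the tunnel is down instead of leaving wan1 in the clear.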

---- FortiGate configuration complete ----

2. Configure the Hillstone firewall

1) Basic Internet access configuration

2) IPsec VPN configuration
Custom phase 1 proposal: TO-FGT-PH1: Pre-share + SHA + AES + Group5 (matches the FortiGate phase 1 default algorithms)

Custom phase 2 proposal: TO-FGT-PH2: MD5/SHA/SHA-256 + AES/AES-192/AES-256 + PFS Group5 (matches the FortiGate phase 2 default algorithms)
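How the two proposal lists above end up as the "pre-share sha/aes" and "esp:aes/sha" shown later in the Hillstone SA output: the following added example (not from the page or either vendor) expands the Hillstone cipher/hash sets into FortiOS-style names, works out which proposal the FortiGate, which brings the tunnel up (auto-negotiate enable), gets accepted first, and flags weak algorithms in the result. It assumes Hillstone names AES-128 "aes" and SHA-1 "sha"; the ENC/AUTH mapping tables and the WEAK list are constructed.

```python
from itertools import product

# Proposal lists taken from this page.
FGT_PHASE1 = ["aes128-sha256", "aes256-sha256", "aes128-sha1", "aes256-sha1"]
FGT_PHASE2 = ["aes128-sha1", "aes256-sha256"]
HS_TO_FGT_PH1 = {"enc": ["aes"], "auth": ["sha"]}
HS_TO_FGT_PH2 = {"enc": ["aes", "aes-192", "aes-256"], "auth": ["md5", "sha", "sha-256"]}

# Assumed Hillstone -> FortiOS name mapping ("aes" is AES-128, "sha" is SHA-1).
ENC = {"3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256"}
AUTH = {"md5": "md5", "sha": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
WEAK = ("md5", "sha1", "3des")  # algorithms a reviewer would want replaced

def hillstone_as_fortios(prop):
    """Expand a Hillstone cipher/hash set into the FortiOS '<cipher>-<hash>' proposal names."""
    return {f"{ENC[e]}-{AUTH[a]}" for e, a in product(prop["enc"], prop["auth"])}

def negotiate(initiator, responder):
    """First proposal on the initiator's list that the responder also accepts, or None."""
    return next((p for p in initiator if p in responder), None)

def weak_parts(proposal):
    return [w for w in WEAK if w in proposal.split("-")]

def check(initiator, responder_set):
    """Agreed proposal, every proposal both sides share, and weak parts of the agreed one."""
    agreed = negotiate(initiator, responder_set)
    return {"agreed": agreed, "common": sorted(set(initiator) & responder_set),
            "weak": weak_parts(agreed) if agreed else []}

if __name__ == "__main__":
    for name, ini, resp in (("phase1", FGT_PHASE1, HS_TO_FGT_PH1),
                            ("phase2", FGT_PHASE2, HS_TO_FGT_PH2)):
        print(name, check(ini, hillstone_as_fortios(resp)))
```

Both phases settle on aes128-sha1 because it is the first FortiGate entry the Hillstone set contains; for phase 2, listing aes256-sha256 first on the FortiGate would make the SHA-256 option win without touching the Hillstone side.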
Create the VPN-Zone and the tunnel interface and associate them with the IPsec VPN:

Create the VPN-Zone security zone:

Create the tunnel interface and bind it to the IPsec VPN:

Configure the VPN policies:

Likewise, these policies do not permit 10.10.10.X traffic; it can be allowed if required.

Add the route to the VPN business subnet:

(The priority should be 254; if it is set to 255, the Hillstone will not activate the route.)

---- Hillstone firewall configuration complete ----

V. Verifying the Configuration

Check the VPN status:
Open the VPN monitor and observe the status: go to "Monitor" -- "IPsec Monitor"

Check the routing status:

FortiGate-side traffic test:
FortiGate1_BeiJing # execute ping-options source 192.168.0.99

FortiGate1_BeiJing # execute ping 192.168.2.99
PING 192.168.2.99 (192.168.2.99): 56 data bytes
64 bytes from 192.168.2.99: icmp_seq=0 ttl=128 time=1.5 ms
64 bytes from 192.168.2.99: icmp_seq=1 ttl=128 time=1.0 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=128 time=1.0 ms
64 bytes from 192.168.2.99: icmp_seq=4 ttl=128 time=1.1 ms

--- 192.168.2.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.1/1.5 ms

FortiGate1_BeiJing # execute ping 192.168.2.100
PING 192.168.2.100 (192.168.2.100): 56 data bytes
64 bytes from 192.168.2.100: icmp_seq=0 ttl=127 time=1.4 ms
64 bytes from 192.168.2.100: icmp_seq=1 ttl=127 time=1.2 ms
64 bytes from 192.168.2.100: icmp_seq=2 ttl=127 time=1.5 ms
64 bytes from 192.168.2.100: icmp_seq=3 ttl=127 time=1.2 ms
64 bytes from 192.168.2.100: icmp_seq=4 ttl=127 time=1.3 ms

--- 192.168.2.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.2/1.3/1.5 ms

FortiGate1_BeiJing # 

FortiGate1_BeiJing # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 100.1.1.254, wan1
C       10.10.10.0/24 is directly connected, to-side1
C       10.10.10.1/32 is directly connected, to-side1
C       100.1.1.0/24 is directly connected, wan1
C       192.168.0.0/24 is directly connected, lan
                       is directly connected, lan
S       192.168.2.0/24 [10/0] via 10.10.10.2, to-side1

FortiGate1_BeiJing # 


Hillstone-side traffic test:

SG-6000# ping 192.168.0.99 source ethernet0/1
Sending ICMP packets to 192.168.0.99
From ethernet0/1
   Seq    ttl    time(ms)
   1      255    0.996
   2      255    0.870
   3      255    0.861
   4      255    0.903
   5      255    0.857

statistics:
5 packets sent, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.857/0.897/0.996/0.058 ms
SG-6000# ping 192.168.0.100 source ethernet0/1
Sending ICMP packets to 192.168.0.100
From ethernet0/1
   Seq    ttl    time(ms)
   1      255    1.03
   2      255    0.931
   3      255    0.866
   4      255    0.862
   5      255    0.873

statistics:
5 packets sent, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.862/0.912/1.032/0.075 ms
SG-6000#

 

SG-6000# show isakmp sa  
Total: 1
================================================================================
Cookies        Gateway             Port      Algorithms                 Lifetime
--------------------------------------------------------------------------------
9c6568d8fc~    100.1.1.1           500       pre-share  sha/aes         85220  
================================================================================

SG-6000#
SG-6000#
SG-6000# show ipsec sa      
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id    VPN          Peer IP           Port Algorithms          SPI      Life(s) S
--------------------------------------------------------------------------------
1     to-hub       >100.1.1.1         500 esp:aes/sha/-       172083fa   27617 A
1     to-hub       <100.1.1.1         500 esp:aes/sha/-       34eb4464   27617 A
================================================================================
SG-6000#

 

 
Packet capture:
FortiGate1_BeiJing # dia sni pa any "host 192.168.2.100 or host 102.1.1.1" 4 0 a
interfaces=[any]
filters=[host 192.168.2.100 or host 102.1.1.1]
2019-04-22 02:18:18.224786 wan1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0x172083fd,seq=0xb)
2019-04-22 02:18:18.224833 to-side1 in 192.168.2.100 -> 192.168.0.100: icmp: echo request
2019-04-22 02:18:18.224910 lan out 192.168.2.100 -> 192.168.0.100: icmp: echo request

2019-04-22 02:18:18.225221 lan in 192.168.0.100 -> 192.168.2.100: icmp: echo reply
2019-04-22 02:18:18.225257 to-side1 out 192.168.0.100 -> 192.168.2.100: icmp: echo reply
2019-04-22 02:18:18.225295 wan1 out 100.1.1.1 -> 102.1.1.1: ESP(spi=0x34eb446a,seq=0xb)
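A check a practitioner would run over the two outputs above: do the ESP SPIs seen by the sniffer belong to the SAs the peer reports as active, and do they flow in the expected direction? The following added example (not from the page or either vendor) parses the Hillstone "show ipsec sa" lines and the FortiGate sniffer lines and correlates them. It assumes that ">" in the Hillstone output marks the SA outbound to the peer (so the FortiGate sees those packets as "in"); the sample text is constructed from the page's outputs, plus a second, constructed capture in which the SPIs match.

```python
import re

# Constructed from the Hillstone "show ipsec sa" and FortiGate sniffer output on this page.
HILLSTONE_IPSEC_SA = """\
1     to-hub       >100.1.1.1         500 esp:aes/sha/-       172083fa   27617 A
1     to-hub       <100.1.1.1         500 esp:aes/sha/-       34eb4464   27617 A
"""
FGT_SNIFFER = """\
2019-04-22 02:18:18.224786 wan1 in 102.1.1.1 -> 100.1.1.1: ESP(spi=0x172083fd,seq=0xb)
2019-04-22 02:18:18.225295 wan1 out 100.1.1.1 -> 102.1.1.1: ESP(spi=0x34eb446a,seq=0xb)
"""
# Constructed positive case: the same capture taken while those two SAs were still current.
FGT_SNIFFER_MATCHING = FGT_SNIFFER.replace("0x172083fd", "0x172083fa").replace("0x34eb446a", "0x34eb4464")

SA_RE = re.compile(r"^\s*\d+\s+\S+\s+([<>])(\S+)\s+\d+\s+(\S+)\s+([0-9a-f]+)\s+\d+\s+([AI])\s*$")
ESP_RE = re.compile(r"(\S+) (in|out) \S+ -> \S+: ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")

def parse_hillstone_sa(text):
    """Map SPI -> (direction as seen from the Hillstone, active). Assumes '>' = outbound to peer."""
    sas = {}
    for m in filter(None, map(SA_RE.match, text.splitlines())):
        arrow, _peer, _alg, spi, status = m.groups()
        sas[int(spi, 16)] = ("out" if arrow == ">" else "in", status == "A")
    return sas

def parse_esp(text):
    """(interface, in/out on the FortiGate, spi, seq) for every ESP line in the sniffer output."""
    return [(m.group(1), m.group(2), int(m.group(3), 16), int(m.group(4), 16))
            for m in ESP_RE.finditer(text)]

def correlate(sas, packets):
    """Classify each ESP packet as 'ok', 'direction-mismatch', or 'unknown-spi'
    (the peer has rekeyed since the SA list was taken, or the packet belongs to another SA)."""
    out = []
    for iface, fgt_dir, spi, _seq in packets:
        sa = sas.get(spi)
        if sa is None or not sa[1]:
            out.append((iface, spi, "unknown-spi"))
            continue
        # A packet the FortiGate receives must carry the Hillstone's outbound SPI, and vice versa.
        expected = "out" if fgt_dir == "in" else "in"
        out.append((iface, spi, "ok" if sa[0] == expected else "direction-mismatch"))
    return out

if __name__ == "__main__":
    sas = parse_hillstone_sa(HILLSTONE_IPSEC_SA)
    print(correlate(sas, parse_esp(FGT_SNIFFER)))
    print(correlate(sas, parse_esp(FGT_SNIFFER_MATCHING)))
```

On the page's own outputs the check reports both SPIs as unknown, which is what a rekey between the "show ipsec sa" and the sniffer run would produce; the constructed matching capture shows the "ok" result.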

 
Note: capturing VPN business traffic and ESP packets with the sniffer
Capture the IPsec VPN IKE negotiation packets:
diagnose sniffer packet any "host 102.1.1.1 and (port 500 or port 4500)" 4

Capture the IPsec VPN ESP-encrypted packets:
diagnose sniffer packet any "host 102.1.1.1 and esp" 4

Capture the IPsec VPN cleartext business packets:
diagnose sniffer packet any "host 192.168.2.100 and icmp" 4

Note: because IPsec VPN traffic is hardware-accelerated, the capture may be incomplete (mainly the ESP packets and the cleartext business packets are missed), so it is sometimes necessary to disable NP offload on the VPN tunnel:
FortiGate1_BeiJing # config vpn ipsec phase1-interface        
FortiGate1_BeiJing (phase1-interface) # edit VPN                  
FortiGate1_BeiJing (BJ-OSPF-TO-SH) # set npu-offload disable                                                                        
FortiGate1_BeiJing (BJ-OSPF-TO-SH) # end