说明：如果要删除IPSEC VPN第一阶段、第二阶段时，需要先删除被调用的路由与防火墙安全策略。

四、配置步骤

1、配置FortiGate

1) 基本上网配置

2) 配置IPsec VPN

进入：虚拟专网--IPSEC隧道--"新建"

选择IPsec VPN自定义模板进行配置：

IPsec 第一阶段配置：

IPsec 第二阶段配置：

GUI配置所对应的命令行：

config vpn ipsec phase1-interface

edit "to-hillstone"

set interface "port2"

set peertype any

set net-device disable

set proposal aes128-sha256 aes256-sha256

set dpd on-idle

set remote-gw 101.100.1.16

set psksecret Fortinet123#

end

config vpn ipsec phase2-interface

edit "to-hillstone"

set phase1name "to-hillstone"

set proposal aes128-sha256 aes256-sha256

set auto-negotiate enable

end

3) 配置VPN相关的策略

命令行：

配置防火墙策略：
config firewall address

edit "vpn_local_192.168.17.0"

set allow-routing enable

set subnet 192.168.17.0 255.255.255.0

edit "vpn_remote_192.168.16.0"

set allow-routing enable

set subnet 192.168.16.0 255.255.255.0

end

config firewall policy
									
    edit 1
									
        set name "TO-Internet-Policy"  // 内网用户上互联网的策略
									
        set srcintf "port1"
									
        set dstintf "port2"
									
        set srcaddr "all"
									
        set dstaddr "all"
									
        set action accept
									
        set schedule "always"
									
        set service "ALL"
									
        set logtraffic all
									
        set logtraffic-start enable
									
        set nat enable
									
    next
									
    edit 2
									
        set name "to-hillstone-out"   // 去往hillstone的VPN OUT方向策略
									
        set srcintf "port1"
									
        set dstintf "to-hillstone"
									
        set srcaddr "vpn_local_192.168.17.0"
									
        set dstaddr "vpn_remote_192.168.16.0"
									
        set action accept
									
        set schedule "always"
									
        set service "ALL"
									
        set logtraffic all
									
        set logtraffic-start enable
									
    next
									
    edit 3
									
        set name "to-hillstone-in"     // hillstone的VPN过来的 IN方向策略
									
        set srcintf "to-hillstone"
									
        set dstintf "port1"
									
        set srcaddr "vpn_remote_192.168.16.0"
									
        set dstaddr "vpn_local_192.168.17.0"
									
        set action accept
									
        set schedule "always"
									
        set service "ALL"
									
        set logtraffic all
										
        set logtraffic-start enable 
										
    next
									
end

4）配置VPN业务网段的静态路由

命令行：

config router static

edit 1

set gateway 202.100.1.192

set device "port2"

edit 2

set device "to-hillstone"

set dstaddr "vpn_remote_192.168.16.0"

edit 3

set distance 254

set blackhole enable

set dstaddr "vpn_remote_192.168.16.0"

end

说明：相关VPN的路由配置中“黑洞路由的意义”：

你可能会遇到以下的VPN业务问题：通过VPN的SIP电话，时不时中断，无法向服务器成功注册？通过VPN的Radius认证无法经常会无法认证成功？通过VPN的AP注册到总部时不时会中断？持续的PRGT监控ping总部的服务器，时不时会显示中断？

VPN有时候会因为各种原因重新连接，比如互联网不稳定，PPPOE重新连接更换公网IP地址等，VPN tunnel此时会出现短暂的DOWN，而去往对方的VPN业务网段的路由也会短暂消失，此时VPN的业务流量（SIP注册请求/Radius/Capwap/ICMP）会因为查询到了默认路由而走向了 WAN1（Internet），从而产生了错误的UDP-NAT-Seesion，此时即便VPN tunnel再次UP，VPN业务网段的路由再次恢复，SIP等VPN旧的业务流量依旧会走到错误的Session上去，从而引起该业务异常。

排查思路：通过diagnose sniffer pa “port 5060”4 以及查看session （diagnose sys session list）去判断问题。

解决此类问题的办法有三种：

办法一：配置去往VPN业务网段的“黑洞路由”，管理距离为254，VPN正常的情况下此黑洞路由不生效，而当VPN中断的时候，黑洞路由浮起来并且生效，将VPN中断时候的VPN流量丢弃，避免将流量转发到互联网而产生错误的session。// 配置VPN的备份黑洞路由的意义在此

办法二：配置源接口：LAN，目的接口：WAN1，源IP：本地内网网段，目的IP：对端内网网段，动作：丢包的策略。将此去往Internet的私网（无用的）流量丢弃掉，避免FGT产生这种错误的session，从而避免了UDP业务时不时中断的问题。

办法三：在全局下开启“set snat-route-change enable”，一旦路由发生变化，将相关的会话flag置位为“Dirty”，清除路由缓存并重新查找目的IP的下一跳地址，这样VPN隧道恢复的时候，流量也会相应的切换到VPN隧道里面来。

FGT # config system global
FGT (global) # set snat-route-change enable

FGT (global) # end

三种方式任意选择一种即可。推荐使用黑洞路由方式。

----FortiGate的配置全部完成----

2、配置Hillstone防火墙

1) 基本上网配置

2) IPsec VPN的配置

第一阶段算法自定义：to-fgt-p1 ：Pre-share + SHA256 + AES256 + Group5 （适配FortiGate的第一阶段默认算法）

第二阶段算法自定义：to-fgt-p2 ：SHA-256/AES-256 + PFS-Group5 （适配FortiGate的第二阶段默认算法）

VPN对端列表定义：

  配置IKE VPN列表：
							

  可选择的高级配置，VPN-monitor：
							

  创建VPN-Zone和tunnel接口并与IPsec VPN关联起来：
							

  新建VPN-Zone的安全域：
							

  新建tunnel接口并与IPsec VPN绑定：
							

  配置VPN的策略：
							

  添加到VPN业务网段的路由：
							

  ----Hillstone防火墙的配置全部完成----
							

五、检查配置结果

VPN状态查看：

FGT的VPN状态查看：

查看VPN监视器，观察状态：进入"监视器"--"IPsec监测"

路由状态查看：

命令行查看FGT状态：

FGVM04TM19005798 # get vpn ike gateway to-hillstone

vd: root/0

version: 1

interface: port2 6

addr: 202.100.1.17:500 -> 101.100.1.16:500

created: 186s ago

IKE SA created: 1/1 established: 1/1 time: 250/250/250 ms

IPsec SA created: 3/3 established: 3/3 time: 80/86/90 ms

id/spi: 97 816d55c84bdb63c3/e6ae9ca3fa0f02bc

direction: initiator

status: established 186-186s ago = 250ms

proposal: aes-256-sha256

key: 43c2304830d2a3f5-8c122d5fd0671cd6-1d0e27393b35037f-23f01b7fcbdfb967

lifetime/rekey: 86400/85913

DPD sent/recv: 00000000/00000bb8

FGVM04TM19005798 # get vpn ipsec tunnel name to-hillstone

gateway

type: route-based

local-gateway: 202.100.1.17:0 (static)

remote-gateway: 101.100.1.16:0 (static)

mode: ike-v1

interface: 'port2' (6)

rx packets: 0 bytes: 0 errors: 0

tx packets: 0 bytes: 0 errors: 0

dpd: on-idle/negotiated idle: 20000ms retry: 3 count: 0

selectors

auto-negotiate: enable

mode: tunnel

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

lifetime/rekey: 43200/42924

mtu: 1438

tx-esp-seq: 1

replay: enabled

qat: 0

inbound

spi: 55a2b8d2

enc: aes-cb 11db87a7cb99bc2c8fef43c77723a25e

auth: sha256 cc18eab9079b52ace4b36fba9b9c225ba774fcc842bc58fcc3bb4822bba413d0

outbound

spi: 536f872d

enc: aes-cb 114d1ba0e41462762b660fac8e4b6ae7

auth: sha256 368c4ad9b32061ced147ced1029c179c6c1606ccf0e23ec9317edb5b7775b348

FGVM04TM19005798 # diagnose vpn ike gateway list

vd: root/0

version: 1

interface: port2 6

addr: 202.100.1.17:500 -> 101.100.1.16:500

created: 44s ago

IKE SA: created 1/1 established 1/1 time 240/240/240 ms

IPsec SA: created 1/2 established 1/2 time 90/215/340 ms

id/spi: 98 e39dfda96194980d/06736678701b5561

direction: initiator

status: established 44-44s ago = 240ms

proposal: aes256-sha256

key: 817e801b6555bc67-5adaee84ea1229d6-b741e3f308e916f2-ee6359d07b0c1034

lifetime/rekey: 86400/86055

DPD sent/recv: 00000000/00000f75

FGVM04TM19005798 # diagnose vpn tunnel list

list all ipsec tunnel in vd 0

------------------------------------------------------

name=to-hillstone ver=1 serial=2 202.100.1.17:0->101.100.1.16:0 dst_mtu=1500

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0

stat: rxp=4 txp=4 rxb=496 txb=192

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=to-hillstone proto=0 sa=1 ref=12 serial=1 auto-negotiate

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42879/0B replaywin=2048

seqno=5 esn=0 replaywin_lastseq=00000005 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42928/43200

dec: spi=55a2b8d2 esp=aes key=16 11db87a7cb99bc2c8fef43c77723a25e

ah=sha256 key=32 cc18eab9079b52ace4b36fba9b9c225ba774fcc842bc58fcc3bb4822bba413d0

enc: spi=536f872d esp=aes key=16 114d1ba0e41462762b660fac8e4b6ae7

ah=sha256 key=32 368c4ad9b32061ced147ced1029c179c6c1606ccf0e23ec9317edb5b7775b348

dec:pkts/bytes=4/192, enc:pkts/bytes=4/496

run_tally=1

FGVM04TM19005798 # get router info routing-table all

Routing table for VRF=0

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default

S* 0.0.0.0/0 [10/0] via 202.100.1.192, port2

S 192.168.16.0/24 [10/0] is directly connected, to-hillstone

C 192.168.17.0/24 is directly connected, port1

C 192.168.91.0/24 is directly connected, port4

C 202.100.1.0/24 is directly connected, port2

FGT IKE debug 命令：

首先，sniffer抓包确认UDP 500/4500 双方通信是否正常

diagnose sniffer packet any "host 101.100.1.16 and ( port 500 or port 4500)" 4 //IP换成对方公网IP

UDP 500 或 UDP 4500 这两个端口是IPsec VPN协商协议IKE会使用的端口，一定要互通要通畅，否则VPN无法正常建立，确认互通正常在进行下一步定位

然后，通过日志，debug app ike 确认问题是出在第一阶段还是第二阶段

diagnose vpn ike log-filter dst-addr4 101.100.1.16 //IP换成对方公网IP

diagnose debug application ike -1

diagnose debug enable

debug具体可参考IPsec VPN排错部分内容。

FortiGate侧业务测试：

FGVM04TM19005798 # execute ping-options source 192.168.17.1  // 在FGT测试IPsec-VPN的业务流量是否可通，需要携带源IP，由于VPN tunnel没有配置IP，必须携带源IP进行业务测试。
				

FGVM04TM19005798 # execute ping 192.168.16.1
				

PING 192.168.16.1 (192.168.16.1): 56 data bytes
				

64 bytes from 192.168.16.1: icmp_seq=0 ttl=128 time=77.5 ms
				

64 bytes from 192.168.16.1: icmp_seq=1 ttl=128 time=77.2 ms
				

64 bytes from 192.168.16.1: icmp_seq=2 ttl=128 time=77.2 ms
				

64 bytes from 192.168.16.1: icmp_seq=3 ttl=128 time=77.4 ms
				

64 bytes from 192.168.16.1: icmp_seq=4 ttl=128 time=77.1 ms
				

--- 192.168.16.1 ping statistics ---
				

5 packets transmitted, 5 packets received, 0% packet loss
				

round-trip min/avg/max = 77.1/77.2/77.5 ms
				

FGVM04TM19005798 # execute ping 192.168.16.100
				

PING 192.168.16.100 (192.168.16.100): 56 data bytes
				

64 bytes from 192.168.16.100: icmp_seq=0 ttl=127 time=77.7 ms
				

64 bytes from 192.168.16.100: icmp_seq=1 ttl=127 time=77.5 ms
				

64 bytes from 192.168.16.100: icmp_seq=2 ttl=127 time=77.3 ms
				

64 bytes from 192.168.16.100: icmp_seq=3 ttl=127 time=77.6 ms
				

64 bytes from 192.168.16.100: icmp_seq=4 ttl=127 time=77.3 ms
				

--- 192.168.16.100 ping statistics ---
				

5 packets transmitted, 5 packets received, 0% packet loss
				

round-trip min/avg/max = 77.3/77.4/77.7 ms
				

FGVM04TM19005798 # 
				

Hillstone防火墙VPN业务状态：

Hillstone防火墙VPN状态命令行状态查询：

SG-6000[DBG]# show isakmp sa

Total: 1

================================================================================

Cookies Gateway Port Algorithms Lifetime

--------------------------------------------------------------------------------

e39dfda961~ 202.100.1.17 500 pre-share sha256/aes-256 31764

================================================================================

SG-6000[DBG]# show ipsec sa

Total: 1

S - Status, I - Inactive, A - Active;

================================================================================

Id VPN Peer IP Port Algorithms SPI Life(s) S

--------------------------------------------------------------------------------

3 to-fgt >202.100.1.17 500 esp:aes/sha256/- 55a2b8d3 25297 A

3 to-fgt <202.100.1.17 500 esp:aes/sha256/- 556f872d 25297 A

================================================================================

Hillstone防火墙IPsec VPN Debug：

SG-6000[DBG]# debug vpn

SG-6000[DBG]# show logging debug

Hillstone防火墙侧业务测试（由于tunnel上没有配置IP地址，因此同样需要携带源IP进行ping的业务测试）：

SG-6000[DBG]# ping 192.168.17.1 source ethernet0/0

Sending ICMP packets to 192.168.17.1

From ethernet0/0

Seq ttl time(ms)

1 255 77.3

2 255 76.9

3 255 77.2

4 255 76.9

5 255 77.0

statistics:

5 packets sent, 5 received, 0% packet loss, time 4002ms

rtt min/avg/max/mdev = 76.929/77.109/77.345/0.155 ms

SG-6000[DBG]# ping 192.168.17.100 source ethernet0/0

Sending ICMP packets to 192.168.17.100

From ethernet0/0

Seq ttl time(ms)

1 127 77.3

2 127 77.6

3 127 77.3

4 127 77.1

5 127 77.5

statistics:

5 packets sent, 5 received, 0% packet loss, time 4004ms

rtt min/avg/max/mdev = 77.146/77.421/77.691/0.403 ms

SG-6000[DBG]#

FGT侧的192.168.17.100去访问Hillstone侧的192.168.16.100过程：

抓包：

FGVM04TM19005798 # dia sni pa any "host 192.168.16.100 or host 101.100.1.16" 4 0 l

interfaces=[any]

filters=[host 192.168.16.100 or host 101.100.1.16]

2020-05-08 09:50:08.922754 port1 in 192.168.17.100 -> 192.168.16.100: icmp: echo request

2020-05-08 09:50:08.922778 to-hillstone out 192.168.17.100 -> 192.168.16.100: icmp: echo request

2020-05-08 09:50:08.922807 port2 out 202.100.1.17 -> 101.100.1.16: ESP(spi=0x556f872d,seq=0x763)

2020-05-08 09:50:08.999935 port2 in 101.100.1.16 -> 202.100.1.17: ESP(spi=0x55a2b8d3,seq=0x763)

2020-05-08 09:50:08.999954 to-hillstone in 192.168.16.100 -> 192.168.17.100: icmp: echo reply

2020-05-08 09:50:08.999968 port1 out 192.168.16.100 -> 192.168.17.100: icmp: echo reply

一次ping的sniffer完整过程。

说明：关于sniffer抓VPN业务和ESP的包
抓取IPsec VPN的IKE协商包：
diagnose sniffer packet any "host 101.100.1.16 and (port 500 or port 4500)" 4

抓取IPsec VPN的ESP加密数据包：
diagnose sniffer packet any "host 101.100.1.16 and esp" 4

抓取IPsec VPN的明文业务数据包：
diagnose sniffer packet any "host 192.168.16.100 and icmp" 4

注意：由于存在IPsec VPN芯片加速，因此可能数据包会抓不完全，主要指“ESP数据和明文业务数据”抓不全，因此有时候需要将VPN隧道的NP加速关闭：
FortiGate1_BeiJing # config vpn ipsec phase1-interface
FortiGate1_BeiJing (phase1-interface) # edit VPN
FortiGate1_BeiJing (BJ-OSPF-TO-SH) # set npu-offload disable

FortiGate1_BeiJing (BJ-OSPF-TO-SH) # end

这个部分具体可以查看IPsec VPN排错的内容。

												
FGT/Hillstone设备上会话状态查询：

补充拓扑测试：

不用静态路由打通路由，而使用OSPF协议发布双方的路由，拓扑图如下:

删除FGT的静态路由（黑洞路由保留）：
									

删除Hillstone的静态路由（黑洞路由保留）：
									

此时是没有路由到VPN的对端的，相应的流量会被黑洞路由丢弃，业务是不通的。
									

然后我们将路由切换到OSPF动态路由协议相互学习到对端的路由：
									

1.配置ipsec vpn tunnel接口的IP地址
									

配置fortigate的vpn tunnel ip:
									

FortiGate的策略也需要添加tunnel IP的相互访问：
									

配置hillstone的vpn tunnel ip:
									

隧道绑定先删除原先的配置，然后再添加有网关的绑定：
									

由于Hillstone的策略配置的是all到all，因此策略可以不用调整。
									

那么这样tunnel之间的IP 10.10.10.1和10.10.10.2之间就可以互通了。
									

FGVM04TM19005798 # execute ping-options reset
										
FGVM04TM19005798 #

FGVM04TM19005798 # execute ping 10.10.10.2
										
PING 10.10.10.2 (10.10.10.2): 56 data bytes
										
64 bytes from 10.10.10.2: icmp_seq=0 ttl=128 time=77.0 ms
										
64 bytes from 10.10.10.2: icmp_seq=1 ttl=128 time=81.6 ms
										
64 bytes from 10.10.10.2: icmp_seq=2 ttl=128 time=77.1 ms
										
64 bytes from 10.10.10.2: icmp_seq=3 ttl=128 time=81.3 ms
										
64 bytes from 10.10.10.2: icmp_seq=4 ttl=128 time=76.9 ms
										
--- 10.10.10.2 ping statistics ---
										
5 packets transmitted, 5 packets received, 0% packet loss
										
round-trip min/avg/max = 76.9/78.7/81.6 ms
										
FGVM04TM19005798 # 
										
SG-6000[DBG]# ping 10.10.10.1
											
Sending ICMP packets to 10.10.10.1
											
   Seq    ttl    time(ms)
											
   1      255    76.8 
											
   2      255    76.8 
											
   3      255    77.1 
											
   4      255    77.2 
											
   5      255    77.2 
											
statistics: 
											
5 packets sent, 5 received, 0% packet loss, time 4004ms
											
rtt min/avg/max/mdev = 76.857/77.080/77.284/0.308 ms
											
SG-6000[DBG]# 
											
1.利用ipsec vpn tunnel接口的IP建立OSPF邻居
												
FGT配置OSPF：
												
低端型号FGT需要开启GUI的“高级路由”隐藏特性
												
命令行调整OSPF tunnel接口的MTU参数，避免不同场景tunnel接口MTU不一致，导致OSPF无法建立成功。（会卡在ExStart和EsChange状态）
												
FGVM04TM19005798 # get router info ospf neighbor
													
OSPF process 0, VRF 0:
													
Neighbor ID     Pri   State           Dead Time   Address         Interface
													
10.10.10.2        1   ExStart/ -      00:00:37    10.10.10.2      to-hillstone
													
调整tunnel接口的MTU属性：
													
FGVM04TM19005798 # config router ospf
														
FGVM04TM19005798 (ospf) # show 
														
config router ospf
														
    set router-id 10.10.10.1
														
    config area
														
        edit 0.0.0.0
														
        next
														
    end
														
    config ospf-interface
														
        edit "tunnel-to-hillstone"
														
            set interface "to-hillstone"
														
            set network-type point-to-point // FGT默认的tunnel的ospf接口类型默认是P2P，而Hillstone的tunnel接口的OSPF接口类型默认为广播类型，需要改成一致，否则邻居可以起来，但是路由学习不成功，我们保持默认的P2P类型，修改Hillstone侧为P2P即可。
														
        next
														
    end
														
    config network
														
        edit 1
														
            set prefix 10.10.10.0 255.255.255.252
														
        next
														
        edit 2
														
            set prefix 192.168.17.0 255.255.255.0
														
        next
														
    end
														
    config redistribute "connected"
														
    end
														
    config redistribute "static"
														
    end
														
    config redistribute "rip"
														
    end
														
    config redistribute "bgp"
														
    end
														
    config redistribute "isis"
														
    end
														
end
														
FGVM04TM19005798 (ospf) # config ospf-interface
														
FGVM04TM19005798 (ospf-interface) # edit "tunnel-to-hillstone"
														
FGVM04TM19005798 (tunnel-to-hillstone) # set mtu
														
mtu           MTU for database description packets.
														
mtu-ignore    Enable/disable ignore MTU.
														
FGVM04TM19005798 (tunnel-to-hillstone) # set mtu-ignore enable  // 选择ospf协商期间忽略mtu大小的匹配检查
														
FGVM04TM19005798 (tunnel-to-hillstone) # set  mtu 1280  // 可选择，双方配置为一致即可
														
FGVM04TM19005798 (tunnel-to-hillstone) # end
														
FGVM04TM19005798 (ospf) # end
														
Hilstone配置OSPF：
												
修改tunnel1的OSPF接口类型为P2P类型：
												
修改tunnel1的MTU为1280（可选择，如果要修改，修改成一致即可）：
													
SG-6000[DBG]# configure 
														
SG-6000[DBG](config)# interface tunnel1
														
SG-6000[DBG](config-if-tun1)#  ip mtu ?        
														
  <1280-1600>       The mtu value,default value is 1500
														
SG-6000[DBG](config-if-tun1)#  ip mtu 1280    // 修改hillstone vpn tunnel的MTU为1280
														
SG-6000[DBG](config-if-tun1)# end
														
SG-6000[DBG]# show configuration vrouter         
														
ip vrouter "twin-mode-vr"
														
exit
														
ip vrouter "trust-vr"
														
  snatrule id 1 ingress-interface "ethernet0/0" from address-book "Any" to address-book "Any" service "Any" eif ethernet0/1 trans-to eif-ip mode dynamicport log 
														
  ip route 0.0.0.0/0 101.100.1.192
														
  ip route 192.168.17.0/24 null0 254
														
  router ospf 1
														
    router-id 10.10.10.2
														
    network 10.10.10.0/30 area 0.0.0.0
														
    network 192.168.16.0/24 area 0.0.0.0
														
  exit
														
exit
														
SG-6000[DBG]# show configuration interface tunnel1
														
interface tunnel1 local
														
  zone  "VPN-Zone"
														
  ip address 10.10.10.2 255.255.255.252
														
  bandwidth downstream 1000000000
														
  bandwidth upstream 1000000000
														
  ip mtu 1280
														
  description "vpn-tunnel-to-fgt"
														
  manage ping
														
  tunnel ipsec "to-fgt" gw 10.10.10.1
														
  ip ospf network point-to-point
														
exit
														
OSPF配置完毕！
												
3.查看OSPF邻居以及路由的学习状态
													
FGT侧：
													
FGVM04TM19005798 # get router info ospf neighbor 
														
OSPF process 0, VRF 0:
														
Neighbor ID     Pri   State           Dead Time   Address         Interface
														
10.10.10.2        0   Full/ -         00:00:32    10.10.10.2      to-hillstone
														
FGVM04TM19005798 # get router info ospf route 
															
OSPF process 0:
															
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
															
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
															
       E1 - OSPF external type 1, E2 - OSPF external type 2
															
C  10.10.10.0/30 [100] is directly connected, to-hillstone, Area 0.0.0.0
															
O  192.168.16.0/24 [101] via 10.10.10.2, to-hillstone, Area 0.0.0.0
															
C  192.168.17.0/24 [1] is directly connected, port1, Area 0.0.0.0
															
FGVM04TM19005798 # get router info routing-table all 
															
Routing table for VRF=0
															
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
															
       O - OSPF, IA - OSPF inter area
															
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
															
       E1 - OSPF external type 1, E2 - OSPF external type 2
															
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
															
       * - candidate default
															
S*      0.0.0.0/0 [10/0] via 202.100.1.192, port2
															
C       10.10.10.0/30 is directly connected, to-hillstone
															
C       10.10.10.1/32 is directly connected, to-hillstone
															
O       192.168.16.0/24 [110/101] via 10.10.10.2, to-hillstone, 00:08:07
															
C       192.168.17.0/24 is directly connected, port1
															
C       192.168.91.0/24 is directly connected, port4
															
C       202.100.1.0/24 is directly connected, port2
															
FGVM04TM19005798 # get router info ospf database router lsa 
													
            OSPF Router with ID (10.10.10.1) (Process ID 0, VRF 0)
													
                Router Link States (Area 0.0.0.0)
													
  LS age: 542
													
  Options: 0x2 (*|-|-|-|-|-|E|-)
													
  Flags: 0x0
													
  LS Type: router-LSA
													
  Link State ID: 10.10.10.1 
													
  Advertising Router: 10.10.10.1
													
  LS Seq Number: 80000014
													
  Checksum: 0x4401
													
  Length: 60
													
   Number of Links: 3
													
    Link connected to: another Router (point-to-point)
													
     (Link ID) Neighboring Router ID: 10.10.10.2
													
     (Link Data) Router Interface address: 10.10.10.1
													
      Number of TOS metrics: 0
													
       TOS 0 Metric: 100
													
    Link connected to: Stub Network
													
     (Link ID) Network/subnet number: 10.10.10.0
													
     (Link Data) Network Mask: 255.255.255.252
													
      Number of TOS metrics: 0
													
       TOS 0 Metric: 100
													
    Link connected to: Stub Network
													
     (Link ID) Network/subnet number: 192.168.17.0
													
     (Link Data) Network Mask: 255.255.255.0
													
      Number of TOS metrics: 0
													
       TOS 0 Metric: 1
													
  LS age: 542
													
  Options: 0x2 (*|-|-|-|-|-|E|-)
													
  Flags: 0x0
													
  LS Type: router-LSA
													
  Link State ID: 10.10.10.2 
													
  Advertising Router: 10.10.10.2
													
  LS Seq Number: 8000001c
													
  Checksum: 0x25dd
													
  Length: 60
													
   Number of Links: 3
													
    Link connected to: Stub Network
													
     (Link ID) Network/subnet number: 192.168.16.0
													
     (Link Data) Network Mask: 255.255.255.0
													
      Number of TOS metrics: 0
													
       TOS 0 Metric: 1
													
    Link connected to: another Router (point-to-point)
													
     (Link ID) Neighboring Router ID: 10.10.10.1
													
     (Link Data) Router Interface address: 10.10.10.2
													
      Number of TOS metrics: 0
													
       TOS 0 Metric: 1
													
    Link connected to: Stub Network
													
     (Link ID) Network/subnet number: 10.10.10.0
													
     (Link Data) Network Mask: 255.255.255.252
													
      Number of TOS metrics: 0
													
       TOS 0 Metric: 1
													
FGVM04TM19005798 #  
													
Hillstone侧：
												
SG-6000[DBG]# show ip ospf neighbor 
													
OSPF Router with ID 10.10.10.2, OSPF Process ID 1
													
Neighbor ID     Pri State           Dead Time Address         Interface
													
10.10.10.1        0 Full/ -         00:00:32  10.10.10.1      tunnel1 
													
SG-6000[DBG]# show ip ospf route    
													
OSPF Router with ID 10.10.10.2, OSPF Process ID 1
													
Codes: N - network route, D - discard route, R - router route, IA - inter router
													
       E1 - external type-1 route, E2 - external type-2 route
													
================= OSPF network routing table =================
													
N    10.10.10.0/30         [1] area: 0.0.0.0
													
                           directly attached to tunnel1
													
N    192.168.16.0/24       [1] area: 0.0.0.0
													
                           directly attached to ethernet0/0
													
N    192.168.17.0/24       [2] area: 0.0.0.0
													
                           via 10.10.10.1, tunnel1
													
SG-6000[DBG]# show ip route 
													
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
													
       B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
													
       I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable
													
Routing Table for Virtual Router <trust-vr>
													
==============================================================================
													
S>* 0.0.0.0/0 [1/0/1] via 101.100.1.192, ethernet0/1
													
C>* 10.10.10.0/30 is directly connected, tunnel1
													
H>* 10.10.10.2/32 [0/0/1] is local address, tunnel1
													
C>* 101.100.1.0/24 is directly connected, ethernet0/1
													
H>* 101.100.1.16/32 [0/0/1] is local address, ethernet0/1
													
C>* 192.168.16.0/24 is directly connected, ethernet0/0
													
H>* 192.168.16.1/32 [0/0/1] is local address, ethernet0/0
													
O>* 192.168.17.0/24 [110/2/1] via 10.10.10.1, tunnel1, 00:11:01
													
S   192.168.17.0/24 [254/0/1] is directly connected, null0
													
C>* 192.168.91.0/24 is directly connected, ethernet0/3
													
H>* 192.168.91.16/32 [0/0/1] is local address, ethernet0/3
													
==============================================================================
													
SG-6000[DBG]# 
													
SG-6000[DBG]# show ip ospf database router 
														
       OSPF Router with ID (10.10.10.2) (Process ID 1)
														
                Router Link States (Area 0.0.0.0)
														
  LS age: 740
														
  Options: 2
														
  Flags: 0x0
														
  LS Type: router-LSA
														
  Link State ID: 10.10.10.1 
														
  Advertising Router: 10.10.10.1
														
  LS Seq Number: 80000014
														
  Checksum: 0x4401
														
  Length: 60
														
   Number of Links: 3
														
    Link connected to: another Router (point-to-point)
														
     (Link ID) Neighboring Router ID: 10.10.10.2
														
     (Link Data) Router Interface address: 10.10.10.1
														
      Number of TOS metrics: 0
														
       TOS 0 Metric: 100
														
    Link connected to: Stub Network
														
     (Link ID) Net: 10.10.10.0
														
     (Link Data) Network Mask: 255.255.255.252
														
      Number of TOS metrics: 0
														
       TOS 0 Metric: 100
														
    Link connected to: Stub Network
														
     (Link ID) Net: 192.168.17.0
														
     (Link Data) Network Mask: 255.255.255.0
														
      Number of TOS metrics: 0
														
       TOS 0 Metric: 1
														
  LS age: 739
														
  Options: 2
														
  Flags: 0x0
														
  LS Type: router-LSA
														
  Link State ID: 10.10.10.2 
														
  Advertising Router: 10.10.10.2
														
  LS Seq Number: 8000001c
														
  Checksum: 0x25dd
														
  Length: 60
														
   Number of Links: 3
														
    Link connected to: Stub Network
														
     (Link ID) Net: 192.168.16.0
														
     (Link Data) Network Mask: 255.255.255.0
														
      Number of TOS metrics: 0
														
       TOS 0 Metric: 1
														
    Link connected to: another Router (point-to-point)
														
     (Link ID) Neighboring Router ID: 10.10.10.1
														
     (Link Data) Router Interface address: 10.10.10.2
														
      Number of TOS metrics: 0
														
       TOS 0 Metric: 1
														
    Link connected to: Stub Network
														
     (Link ID) Net: 10.10.10.0
														
     (Link Data) Network Mask: 255.255.255.252
														
      Number of TOS metrics: 0
														
       TOS 0 Metric: 1
														
SG-6000[DBG]# 
														
OSFP邻居和路由都学习正常。
													
4.业务测试
													
和之前的业务测试就没有什么区别了，不再详细描述
													
从FGT侧去访问Hiilstone侧业务：
													
从Hiilstone侧去访问FGT侧业务：