I. Network Requirements

As shown in the figure, two LANs are joined by an interface-mode (route-based) IPsec VPN so that the 192.168.111.0/24 and 192.168.112.0/24 subnets can reach each other. The IPsec VPN (IKEv2) is established against a Cisco router.

II. Network Topology

[Topology diagram]

III. Configuration Points

1. Configure FortiGate1

    1) Basic Internet access configuration

    2) Configure the IPsec VPN

2. Configure Cisco_Router

    1) Basic Internet access configuration

    2) Configure the IPsec VPN

Note: before deleting an IPsec VPN phase 1 or phase 2, first delete the static routes and firewall policies that reference it.

IV. Configuration Steps

1. Configure FortiGate

1) Basic Internet access configuration

2) Configure the IPsec VPN

Go to: VPN -- IPsec Tunnels -- "Create New"

Select the Custom IPsec VPN template:

IPsec phase 1 configuration:

IPsec phase 2 configuration:

CLI:

config vpn ipsec phase1-interface
    edit "VPN-TO-Side1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal 3des-md5 aes128-sha1
        set dpd on-idle
        set remote-gw 101.100.1.1
        set psksecret Fortinet123#
    next
end
config vpn ipsec phase2-interface
    edit "VPN-TO-Side1"
        set phase1name "VPN-TO-Side1"
        set proposal 3des-md5 aes128-sha1
        set auto-negotiate enable
    next
end

Configure an IP address on the IPsec tunnel interface; it is used to bring the tunnel up against the Cisco side:

  config system interface
    edit "VPN-TO-Side1"
        set ip 1.1.1.1 255.255.255.255
        set remote-ip 1.1.1.2 255.255.255.0
        set allowaccess ping
    next
  end

3) Configure the VPN-related firewall policies

CLI:
Configure the firewall policies:
  config firewall address
    edit "Local_192.168.111.0/24"
        set allow-routing enable
        set subnet 192.168.111.0 255.255.255.0
    next
    edit "Remote_192.168.112.0/24"
        set allow-routing enable
        set subnet 192.168.112.0 255.255.255.0
    next
  end

  config firewall policy
    edit 1
        set name "TO-Internet"         // policy for LAN to Internet access
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
    edit 2
        set name "VPN-TO-Side1"
        set srcintf "port2"
        set dstintf "VPN-TO-Side1"
        set srcaddr "Local_192.168.111.0/24"
        set dstaddr "Remote_192.168.112.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "VPN-Side1-TO-Local"
        set srcintf "VPN-TO-Side1"
        set dstintf "port2"
        set srcaddr "Remote_192.168.112.0/24"
        set dstaddr "Local_192.168.111.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
  end

4) Configure static routes for the VPN subnets

CLI:

  config router static
    edit 1
        set gateway 202.106.1.254
        set device "port1"
    next
    edit 2
        set dst 192.168.112.0 255.255.255.0
        set device "VPN-TO-Side1"
    next
    edit 3
        set dst 192.168.112.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
  end
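The blackhole route (entry 3, distance 254) is the security-relevant part of this block: if the tunnel interface goes down, entry 2 is withdrawn, and without entry 3 packets for 192.168.112.0/24 would match the default route and leave port1 unencrypted. The Python check below is an added example, not part of the page or of FortiOS: it parses a constructed copy of the `config router static` block above and verifies that the remote subnet has both a tunnel route and a higher-distance blackhole fallback. The default static-route distance of 10 is the FortiOS default (it also appears as [10/0] in the routing table later on the page).

```python
"""Verify the tunnel-route + blackhole-fallback pattern in a FortiOS
`config router static` block. Added example; ROUTER_STATIC is a constructed
copy of the block on the page."""
import re

# Constructed copy of the page's static-route block.
ROUTER_STATIC = """
config router static
    edit 1
        set gateway 202.106.1.254
        set device "port1"
    next
    edit 2
        set dst 192.168.112.0 255.255.255.0
        set device "VPN-TO-Side1"
    next
    edit 3
        set dst 192.168.112.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
"""


def parse_static_routes(text):
    """Parse the block into a list of dicts, one per `edit` entry.
    Unset attributes take the FortiOS defaults: dst 0.0.0.0/0, distance 10."""
    routes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            cur = {"id": int(m.group(1)), "dst": "0.0.0.0 0.0.0.0",
                   "distance": 10, "blackhole": False, "device": None}
            continue
        if line == "next" and cur is not None:
            routes.append(cur)
            cur = None
            continue
        m = re.match(r"set (\S+) (.+)", line)
        if m and cur is not None:
            key, val = m.group(1), m.group(2).strip('"')
            if key == "dst":
                cur["dst"] = val
            elif key == "distance":
                cur["distance"] = int(val)
            elif key == "blackhole":
                cur["blackhole"] = (val == "enable")
            elif key == "device":
                cur["device"] = val
    return routes


def check_tunnel_fallback(routes, dst, tunnel_iface):
    """Return (ok, reason). ok is True when `dst` is routed over the tunnel
    interface and a blackhole route for the same prefix exists with a higher
    (worse) distance, so that a tunnel outage drops the traffic instead of
    letting it follow the default route in the clear."""
    tunnel = [r for r in routes
              if r["dst"] == dst and r["device"] == tunnel_iface and not r["blackhole"]]
    black = [r for r in routes if r["dst"] == dst and r["blackhole"]]
    if not tunnel:
        return False, "no route for %s via %s" % (dst, tunnel_iface)
    if not black:
        return False, ("no blackhole fallback for %s: with the tunnel down, "
                       "traffic would follow the default route unencrypted" % dst)
    best_black = min(b["distance"] for b in black)
    if best_black <= tunnel[0]["distance"]:
        return False, "blackhole distance must be higher than the tunnel route distance"
    return True, "tunnel route (distance %d) preferred, blackhole (distance %d) as fallback" % (
        tunnel[0]["distance"], best_black)


if __name__ == "__main__":
    print(check_tunnel_fallback(parse_static_routes(ROUTER_STATIC),
                                "192.168.112.0 255.255.255.0", "VPN-TO-Side1"))
```

Running the script against the page's block reports the pattern as correct; removing entry 3 from the input makes the check fail with the leak warning, which is the condition to look for when reviewing a route-based VPN configuration.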

---- FortiGate configuration complete ----

2. Configure Cisco Router

1) Basic Internet access configuration

interface Ethernet0/0
 ip address 101.100.1.1 255.255.255.0
 ip nat outside
!
interface Ethernet0/1
 ip address 192.168.112.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 101.100.1.254
!
access-list 101 permit ip any any
 
2) IPsec IKEv2 configuration
!
crypto ikev2 proposal MY-IKEV2-Proposal
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 5 14
!
crypto ikev2 policy MY_IKEV2_Policy
 proposal MY-IKEV2-Proposal
!
crypto ikev2 keyring MY_Keyring
 peer Center
  address 202.106.1.1
  pre-shared-key Fortinet123#
!
crypto ikev2 profile MY_IKEV2_Pro
 match identity remote address 202.106.1.1 255.255.255.255
 identity local address 101.100.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local MY_Keyring
!
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MY_Trans esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile MY_IPsec_Pro
 set transform-set MY_Trans
 set pfs group5
 set ikev2-profile MY_IKEV2_Pro
!
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 202.106.1.1
 tunnel protection ipsec profile MY_IPsec_Pro
!
ip route 192.168.111.0 255.255.255.0 Tunnel0 1.1.1.1
 
 Side-1#show version
 Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(1)T, DEVELOPMENT TEST SOFTWARE
 Technical Support: http://www.cisco.com/techsupport
 Copyright (c) 1986-2013 by Cisco Systems, Inc.
 Compiled Sat 23-Nov-13 03:28 by prod_rel_team

---- Cisco_Router configuration complete ----
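Before bringing the tunnel up it is worth confirming that the two proposal lists actually intersect, and what the intersection is: the FortiGate is the initiator in the output further down, so the SA ends up using its first proposal that the Cisco side accepts. The Python script below is an added example, not Fortinet or Cisco code. It parses constructed copies of the proposal lines from the two configurations above, lists the common IKE and ESP combinations in the FortiGate's preference order, and flags 3DES and MD5 as deprecated (that classification is my assumption, not something the page states). DH groups are not compared because the FortiGate phase 1 above leaves dhgrp at its default.

```python
"""Cross-check FortiGate and Cisco IKEv2/IPsec proposals. Added example;
the name tables cover the algorithms on this page plus AES-256/SHA-256,
anything else is passed through unchanged."""

# Constructed copies of the proposal lines from the two configurations above.
FORTI_PHASE1 = "3des-md5 aes128-sha1"
FORTI_PHASE2 = "3des-md5 aes128-sha1"
CISCO_IKEV2_ENC = "encryption 3des aes-cbc-128"
CISCO_IKEV2_INTEG = "integrity md5 sha1"
CISCO_TRANSFORM = "crypto ipsec transform-set MY_Trans esp-3des esp-md5-hmac"

# Assumed classification: algorithms to avoid for new tunnels.
WEAK = {"3des", "md5"}

# Cisco keyword -> FortiGate-style name.
CISCO_ENC = {"3des": "3des", "aes-cbc-128": "aes128", "aes-cbc-256": "aes256",
             "esp-3des": "3des", "esp-aes": "aes128"}
CISCO_AUTH = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
              "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}


def parse_forti_proposal(line):
    """'3des-md5 aes128-sha1' -> [('3des','md5'), ('aes128','sha1')], in preference order."""
    pairs = []
    for item in line.split():
        enc, auth = item.rsplit("-", 1)
        pairs.append((enc, auth))
    return pairs


def parse_cisco_ikev2(enc_line, integ_line):
    """A Cisco ikev2 proposal lists encryption and integrity separately and
    IKEv2 accepts any combination, so return the Cartesian product."""
    encs = [CISCO_ENC.get(t, t) for t in enc_line.split()[1:]]
    auths = [CISCO_AUTH.get(t, t) for t in integ_line.split()[1:]]
    return [(e, a) for e in encs for a in auths]


def parse_cisco_transform(line):
    """A transform set is one fixed combination, so exactly one pair is returned.
    Handles the 'esp-aes 256' form where the key size follows as a separate token."""
    tokens = line.split()
    if tokens[:3] == ["crypto", "ipsec", "transform-set"]:
        tokens = tokens[4:]          # skip the set name
    enc = auth = None
    for t in tokens:
        if t.isdigit() and enc and enc.startswith("aes"):
            enc = "aes" + t
        elif t in CISCO_ENC:
            enc = CISCO_ENC[t]
        elif t in CISCO_AUTH:
            auth = CISCO_AUTH[t]
    return [(enc, auth)]


def common_proposals(forti, cisco):
    """Pairs both sides accept, ordered by the FortiGate's list (initiator preference)."""
    return [p for p in forti if p in cisco]


def weak_algorithms(pairs):
    """Sorted names from `pairs` that fall in WEAK."""
    return sorted({a for p in pairs for a in p if a in WEAK})


def report():
    """Summary for the two configurations on the page."""
    ike = common_proposals(parse_forti_proposal(FORTI_PHASE1),
                           parse_cisco_ikev2(CISCO_IKEV2_ENC, CISCO_IKEV2_INTEG))
    esp = common_proposals(parse_forti_proposal(FORTI_PHASE2),
                           parse_cisco_transform(CISCO_TRANSFORM))
    return {"ike_common": ike, "esp_common": esp,
            "ike_selected": ike[0] if ike else None,
            "esp_selected": esp[0] if esp else None,
            "weak": weak_algorithms(ike[:1] + esp[:1])}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

For the page's configurations the script reports 3des-md5 as the selected IKE combination, which matches the `proposal: 3des-md5` line in the `get vpn ike gateway` output below, and shows that the ESP side has only that one combination in common because the Cisco transform set offers nothing else. Tightening both sides to an AES/SHA-2 pair therefore has to be done on the transform set and on the FortiGate proposals together, or the tunnel stops negotiating.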

V. Verifying the Configuration
VPN status:
Check the VPN monitor: go to "Monitor" -- "IPsec Monitor"

Routing status:

FortiGate-side traffic test:
Center # execute ping-options source 192.168.111.1

Center # execute ping 192.168.112.1
PING 192.168.112.1 (192.168.112.1): 56 data bytes
64 bytes from 192.168.112.1: icmp_seq=0 ttl=255 time=1.2 ms
64 bytes from 192.168.112.1: icmp_seq=1 ttl=255 time=1.3 ms
64 bytes from 192.168.112.1: icmp_seq=2 ttl=255 time=1.0 ms
64 bytes from 192.168.112.1: icmp_seq=3 ttl=255 time=1.1 ms
64 bytes from 192.168.112.1: icmp_seq=4 ttl=255 time=1.2 ms

--- 192.168.112.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.1/1.3 ms

Center # 


Center # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       1.1.1.0/24 is directly connected, VPN-TO-Side1
C       1.1.1.1/32 is directly connected, VPN-TO-Side1
C       192.168.111.0/24 is directly connected, port2
S       192.168.112.0/24 [10/0] via 1.1.1.2, VPN-TO-Side1
C       202.106.1.0/24 is directly connected, port1


Center # get vpn ike gateway

vd: root/0
name: VPN-TO-Side1
version: 2
interface: port1 3
addr: 202.106.1.1:500 -> 101.100.1.1:500
created: 403s ago
IKE SA  created: 1/1  established: 1/1  time: 0/0/0 ms
IPsec SA  created: 1/1  established: 1/1  time: 0/0/0 ms

  id/spi: 584 1806331987790d0c/6d9e158c59f3663f
  direction: initiator
  status: established 403-403s ago = 0ms
  proposal: 3des-md5
  SK_ei: 8457b6ee77125a3d-eb4816f54fa8c0bf-83f4acafce60ef5e
  SK_er: dda597bc3f0b3226-fe5cc3c95d3ce2f9-d71f7aaef33eba2a
  SK_ai: a729fc7ab23d7ad5-13bc01dee39f17a8
  SK_ar: dc56e34d84fdbb43-b4406c4d88209bde
  lifetime/rekey: 86400/85696
  DPD sent/recv: 00000011/00000011

Center # get vpn ipsec tunnel
details    List all IPsec tunnels in details.
name       List IPsec tunnel by name.
summary    List all IPsec tunnels in summary.

Center # get vpn ipsec tunnel details

gateway
  name: 'VPN-TO-Side1'
  type: route-based
  local-gateway: 202.106.1.1:0 (static)
  remote-gateway: 101.100.1.1:0 (static)
  mode: ike-v2
  interface: 'port1' (3)
  rx  packets: 15  bytes: 2360  errors: 0
  tx  packets: 15  bytes: 1340  errors: 1
  dpd: on-idle/negotiated  idle: 20000ms  retry: 3  count: 0
  selectors
    name: 'VPN-TO-Side1'
    auto-negotiate: enable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 43200/42476  
      mtu: 1438
      tx-esp-seq: 10
      replay: enabled
      inbound
        spi: ff0ec5ef
        enc:  aes-cb  256505a43e7c7a0ef28d91533493bb56
        auth:   sha1  3f0e7127a80a3ac852f1b63f97bc7797b8eb8cb3
      outbound
        spi: 38f29e8c
        enc:  aes-cb  38d7197668b1b42ca54d176a9472cd12
        auth:   sha1  0c2faeb1a78bcab7be73b525b744b8c89f0d5b21

Cisco_Router-side traffic test:
Side-1#ping  192.168.111.1 source  192.168.112.1 repeat  100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.111.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.112.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/5 ms
Side-1#

Side-1#show crypto ikev2 sa
IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         101.100.1.1/500       202.106.1.1/500       none/none            READY 
      Encr: 3DES, Hash: MD596, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/316 sec

IPv6 Crypto IKEv2  SA

Side-1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 101.100.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 202.106.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 101.100.1.1, remote crypto endpt.: 202.106.1.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xFF0EC5EF(4279158255)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x38F29E8C(955424396)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 19, flow_id: SW:19, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4356403/3263)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFF0EC5EF(4279158255)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 20, flow_id: SW:20, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4356403/3263)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Side-1#   

Packet capture:
Center # dia sni pa any "host 192.168.112.100 or host 101.100.1.1" 4 0 a
interfaces=[any]
filters=[host 192.168.112.100 or host 101.100.1.1]
2019-03-28 09:45:29.896405 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0xff0ec5ef,seq=0x10)
2019-03-28 09:45:29.896432 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:29.897169 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:29.897515 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:29.897561 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:29.897589 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x38f29e8c,seq=0x11)

2019-03-28 09:45:30.900331 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0xff0ec5ef,seq=0x11)
2019-03-28 09:45:30.900363 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:30.900418 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:30.900813 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:30.900829 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:30.900856 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x38f29e8c,seq=0x12)

2019-03-28 09:45:31.903290 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0xff0ec5ef,seq=0x12)
2019-03-28 09:45:31.903321 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:31.903374 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:31.903699 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:31.903714 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:31.903741 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x38f29e8c,seq=0x13)

2019-03-28 09:45:32.905468 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0xff0ec5ef,seq=0x13)
2019-03-28 09:45:32.905498 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:32.905547 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:32.905884 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:32.905899 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:32.905929 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x38f29e8c,seq=0x14)

2019-03-28 09:45:33.907738 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0xff0ec5ef,seq=0x14)
2019-03-28 09:45:33.907766 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:33.907814 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:33.908160 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:33.908176 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:33.908243 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x38f29e8c,seq=0x15)
^C
30 packets received by filter
0 packets dropped by kernel

Center # 
 
Note: using the sniffer to capture VPN traffic and ESP packets
Capture the IKE negotiation packets of the IPsec VPN:
diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4

Capture the ESP-encrypted packets of the IPsec VPN:
diagnose sniffer packet any "host 101.1.1.1 and esp" 4

Capture the plaintext traffic carried inside the IPsec VPN:
diagnose sniffer packet any "host 192.168.112.100 and icmp" 4

Caution: because IPsec VPN hardware (NP) acceleration is in use, the capture may be incomplete, mainly for the ESP packets and the plaintext traffic; in that case disable NP offload on the VPN tunnel:
FortiGate1_BeiJing # config vpn ipsec phase1-interface        
FortiGate1_BeiJing (phase1-interface) # edit BJ-OSPF-TO-SH        
FortiGate1_BeiJing (BJ-OSPF-TO-SH) # set npu-offload disable                                                                        
FortiGate1_BeiJing (BJ-OSPF-TO-SH) # end           
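The capture above is most useful when read as a pairing: each ESP packet arriving on port1 should be followed by the decrypted packet on VPN-TO-Side1, and each plaintext packet leaving on VPN-TO-Side1 by an ESP packet leaving port1. The Python script below is an added example, not FortiOS code: it parses `diagnose sniffer packet ... 4` output lines (a constructed copy of part of the capture above), counts ESP versus plaintext packets per direction so that the incomplete-capture effect described in the caution is visible as a non-zero gap, and reports missing ESP sequence numbers per SPI.

```python
"""Parse FortiGate sniffer output and check ESP/plaintext pairing.
Added example; SAMPLE is a constructed copy of part of the capture above,
interface names follow the page."""
import re
from collections import Counter

SAMPLE = """\
2019-03-28 09:45:29.896405 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0xff0ec5ef,seq=0x10)
2019-03-28 09:45:29.896432 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:29.897169 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:29.897515 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:29.897561 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:29.897589 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x38f29e8c,seq=0x11)
2019-03-28 09:45:30.900331 port1 in 101.100.1.1 -> 202.106.1.1: ESP(spi=0xff0ec5ef,seq=0x11)
2019-03-28 09:45:30.900363 VPN-TO-Side1 in 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:30.900418 port2 out 192.168.112.100 -> 192.168.111.100: icmp: echo request
2019-03-28 09:45:30.900813 port2 in 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:30.900829 VPN-TO-Side1 out 192.168.111.100 -> 192.168.112.100: icmp: echo reply
2019-03-28 09:45:30.900856 port1 out 202.106.1.1 -> 101.100.1.1: ESP(spi=0x38f29e8c,seq=0x12)
"""

# Verbosity-4 line: timestamp, interface, direction, src -> dst: payload description
LINE = re.compile(r"^(\S+ \S+) (\S+) (in|out) (\S+) -> (\S+): (.*)$")
ESP = re.compile(r"ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")


def parse_sniffer(text):
    """One dict per packet line; banner and counter lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, iface, direction, src, dst, rest = m.groups()
        pkt = {"ts": ts, "iface": iface, "dir": direction, "src": src, "dst": dst}
        e = ESP.search(rest)
        if e:
            pkt["proto"] = "esp"
            pkt["spi"] = e.group(1)
            pkt["seq"] = int(e.group(2), 16)
        else:
            pkt["proto"] = rest.split(":")[0]     # 'icmp', 'udp', ...
        packets.append(pkt)
    return packets


def flow_counts(packets):
    """Counter keyed by (interface, direction, protocol)."""
    return Counter((p["iface"], p["dir"], p["proto"]) for p in packets)


def check_tunnel_path(packets, wan="port1", tunnel="VPN-TO-Side1"):
    """Compare ESP on the WAN port with decrypted packets on the tunnel interface
    per direction. A non-zero gap means the sniffer did not see the plaintext
    side of the flow, which is the NP-offload effect the caution above describes."""
    c = flow_counts(packets)
    esp_in, esp_out = c[(wan, "in", "esp")], c[(wan, "out", "esp")]
    plain_in = sum(n for (i, d, pr), n in c.items() if i == tunnel and d == "in" and pr != "esp")
    plain_out = sum(n for (i, d, pr), n in c.items() if i == tunnel and d == "out" and pr != "esp")
    return {"esp_in": esp_in, "plain_in": plain_in, "gap_in": esp_in - plain_in,
            "esp_out": esp_out, "plain_out": plain_out, "gap_out": esp_out - plain_out}


def esp_sequence_gaps(packets):
    """Per SPI: (first_seq, last_seq, count of sequence numbers missing between them).
    Missing numbers in a capture point at lost or dropped ESP packets; duplicates
    would be rejected by the receiver's anti-replay window (replay: enabled above)."""
    by_spi = {}
    for p in packets:
        if p["proto"] == "esp":
            by_spi.setdefault(p["spi"], []).append(p["seq"])
    result = {}
    for spi, seqs in by_spi.items():
        seqs = sorted(set(seqs))
        result[spi] = (seqs[0], seqs[-1], seqs[-1] - seqs[0] + 1 - len(seqs))
    return result


if __name__ == "__main__":
    pk = parse_sniffer(SAMPLE)
    print(check_tunnel_path(pk))
    print(esp_sequence_gaps(pk))
```

Feeding it a capture taken with offload enabled typically shows esp_in > 0 with plain_in == 0 (only the ESP leg is visible), which is exactly the situation in which the `set npu-offload disable` step above is needed before the plaintext leg can be inspected.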

Appendix: Cisco router IPsec VPN configured with a traditional crypto map (the configuration above uses a VTI-based IPsec VPN):

On the FortiGate only phase 2 of the IPsec VPN needs to change (add explicit interesting-traffic selectors); all other configuration stays the same:
config vpn ipsec phase2-interface
    edit "VPN-TO-Side1"
        set phase1name "VPN-TO-Side1"
        set proposal 3des-md5 aes128-sha1
        set auto-negotiate enable
        set src-subnet 192.168.111.0 255.255.255.0
        set dst-subnet 192.168.112.0 255.255.255.0
    next
end

Cisco_Router configuration:
hostname Side_Router
!
interface Ethernet0/0
ip address 101.100.1.1 255.255.255.0
ip nat outside
crypto map MY_MAP
!
interface Ethernet0/1
ip address 192.168.112.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 101.100.1.254

access-list 101 deny   ip 192.168.112.0 0.0.0.255 192.168.111.0 0.0.0.255 // exclude VPN traffic from NAT
access-list 101 permit ip any any

ip nat inside source list 101 interface Ethernet0/0 overload

crypto ikev2 proposal MY-IKEV2-Proposal
encryption 3des aes-cbc-128
integrity md5 sha1
group 5 14
!
crypto ikev2 policy MY_IKEV2_Policy
proposal MY-IKEV2-Proposal
!
crypto ikev2 keyring MY_Keyring
peer Center
  address 202.106.1.1
  pre-shared-key Fortinet123#
!
crypto ikev2 profile MY_IKEV2_Pro
match identity remote address 202.106.1.1 255.255.255.255
identity local address 101.100.1.1
authentication remote pre-share
authentication local pre-share
keyring local MY_Keyring
!
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MY_Trans esp-3des esp-md5-hmac
mode tunnel
!
access-list 102 permit ip 192.168.112.0 0.0.0.255 192.168.111.0 0.0.0.255
!
crypto map MY_MAP 10 ipsec-isakmp
set peer 202.106.1.1
set transform-set MY_Trans
set pfs group5
set ikev2-profile MY_IKEV2_Pro
match address 102