Openswan和FortiGate的IPsec VPN对接

最近有较多的case是Openswan和FortiGate建立IPsec VPN失败,因此根据多次的对接经验,总结出了各种场景下Openswan和FortiGate(FGT)对接的配置举例,以供大家参考。
 
有道笔记链接:
Openswan和FortiGate的IPsec VPN对接

 
 

配置举例:IPsec VPN FGT与CentOS 5.6 Openswan对接:

飞塔        FortiGate公网:202.100.1.25          内网网段:10.193.1.0/24
CentOS 5.6  Openswan 公网:202.100.1.200         内网网段:172.16.193.0/24

拓扑:
10.193.1.0/24-----FGT--------------------Internet-----------------Centos5.6------172.16.193.0/24
                                         202.106.1.25                202.106.1.200

CentOS 5.6 Openswan IPsec VPN配置:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:F0  
          inet addr:172.16.193.1  Bcast:172.16.193.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167501254 (159.7 MiB)  TX bytes:8224 (8.0 KiB)

eth2      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:FA  
          inet addr:202.100.1.200  Bcast:202.100.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138556 (3.9 MiB)  TX bytes:237964 (232.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.100.1.0     0.0.0.0         255.255.255.0   U      0      0        0 eth2
172.16.193.0    0.0.0.0         255.255.255.0   U      0      0        0 eth0
0.0.0.0              202.100.1.192   0.0.0.0         UG    0      0       0 eth2

# vi  /etc/ipsec.secrets
202.100.1.200 202.100.1.25: PSK "1q2w3e4r"

# vi /etc/ipsec.conf
version 2.0
config setup
    # Debug level "all" is the most verbose setting; output goes to the
    # file named by plutostderrlog below. Handy while bringing the tunnel
    # up, but debug logs carry negotiation details, so lower it once the
    # tunnel is stable.
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    # Use the native Linux kernel IPsec stack (netkey/XFRM).
    protostack=netkey
    nat_traversal=yes
    # Private ranges accepted as a peer's subnet when NAT traversal is on;
    # the remote subnet 10.193.1.0/24 used below lies inside 10.0.0.0/8.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # Opportunistic encryption disabled.
    oe=off

# Site-to-site tunnel to the FortiGate: left = this host, right = the FGT.
conn openswan_to_fgt
    ##phase 1##
    # Pre-shared key, read from /etc/ipsec.secrets for this left/right pair.
    # The sample key shown on this page is a lab value; use a long random
    # secret in production.
    authby=secret
    # Bring the tunnel up when the ipsec service starts.
    auto=start
    # AES / SHA1 with DH group modp2048 (group 14), which is in the
    # FortiGate phase1 "set dhgrp 5 14" list.
    ike=aes-sha1;modp2048
    keyexchange=ike
    # IKE SA lifetime in seconds (86400 is also what the FGT gateway
    # output reports).
    ikelifetime=86400
   
    ##phase 2##
    phase2=esp
    # Phase 2 proposal; with pfs=yes the modp2048 group is used for PFS and
    # must also be present in the FortiGate phase2 dhgrp list.
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    # IPsec SA lifetime in seconds (matches the 43200 timeout on the FGT).
    keylife=43200

    # Local (Openswan) side: public address on eth2 and the LAN behind it.
    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    # Next hop taken from the default route (202.100.1.192 via eth2).
    leftnexthop=%defaultroute

    # Remote (FortiGate) side: wan1 address and the LAN behind it.
    right=202.100.1.25
    rightsubnet=10.193.1.0/24

FGT IPsec VPN配置(示例中 wan1 开启了 https/ssh 管理访问,仅用于测试环境,生产环境应按需收紧):
config system interface
    edit "wan1"
        set ip 202.100.1.25 255.255.255.0
        set allowaccess ping https ssh
next
    edit "lan"
        set ip 10.193.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end

config vpn ipsec phase1-interface
    edit "to-openswan"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set phase1name "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "TO-OPENSWAN-IN"
        set srcintf "to-openswan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "TO-OPENSWAN-OUT"
        set srcintf "lan"
        set dstintf "to-openswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set device "to-openswan"
    next
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

结果查看(注意:下面的 diagnose 输出包含 IKE/IPsec SA 密钥等敏感信息,对外分享前应先脱敏):
[root@liukangming ~]# service ipsec status
pluto (pid  42819) is running...
IPsec connections: loaded 1, active 1

# ipsec auto --status
....
"openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established)
....

[root@liukangming ~]# ping -I 172.16.193.1 10.193.1.1
PING 10.193.1.1 (10.193.1.1) from 172.16.193.1 : 56(84) bytes of data.
64 bytes from 10.193.1.1: icmp_seq=1 ttl=255 time=0.734 ms
64 bytes from 10.193.1.1: icmp_seq=2 ttl=255 time=0.358 ms
64 bytes from 10.193.1.1: icmp_seq=3 ttl=255 time=0.407 ms
64 bytes from 10.193.1.1: icmp_seq=4 ttl=255 time=0.467 ms
64 bytes from 10.193.1.1: icmp_seq=5 ttl=255 time=0.350 ms
64 bytes from 10.193.1.1: icmp_seq=6 ttl=255 time=0.439 ms
64 bytes from 10.193.1.1: icmp_seq=7 ttl=255 time=0.386 ms

 # diagnose vpn ike gateway
vd: root/0
name: to-openswan
version: 1
interface: wan1 7
addr: 202.100.1.25:500 -> 202.100.1.200:500
created: 885s ago
IKE SA: created 2/2  established 2/2  time 50/65/80 ms
IPsec SA: created 2/2  established 2/2  time 60/95/130 ms

  id/spi: 52644 25a22a087085467b/5b7afcd931bc3063
  direction: responder
  status: established 885-885s ago = 50ms
  proposal: aes128-sha1
  key: b2a171f28e08668e-9c51ab427bbfc433
  lifetime/rekey: 3600/2444
  DPD sent/recv: 00000000/00000000

  id/spi: 52643 398d69587e9169e7/bc24560972f70146
  direction: initiator
  status: established 885-885s ago = 80ms
  proposal: aes128-sha1
  key: c511b12f06b2db87-c4b5d526e7a6bde4
  lifetime/rekey: 86400/85214
  DPD sent/recv: 00000000/00000000

# diagnose vpn tunnel list
------------------------------------------------------
name=to-openswan ver=1 serial=6 202.100.1.25:0->202.100.1.200:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=202 ad=/0 itn-status=4a
stat: rxp=12 txp=12 rxb=1230 txb=1008
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=2 ref=3 serial=6 auto-negotiate
  src: 0:10.193.1.0/255.255.255.0:0
  dst: 0:172.16.193.0/255.255.255.0:0
  SA:  ref=5 options=18227 type=00 soft=0 mtu=1438 expire=41990/0B replaywin=1024
       seqno=d esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=68295a14 esp=aes key=16 6470bfc876b692fd41054aacc9b7adb4
       ah=sha1 key=20 256ea6bee70ababd21e6bccb76225b32443ff4f6
  enc: spi=2cfa0d20 esp=aes key=16 53a090f7f7d45bbdcbcc1a4a7572319d
       ah=sha1 key=20 a1f96f64144359d8987585c5646b81ab7f830613
  dec:pkts/bytes=0/0, enc:pkts/bytes=12/1824
  npu_flag=01 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=0 enc_npuid=1
  SA:  ref=4 options=18227 type=00 soft=0 mtu=1438 expire=27621/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=28531/28800
  dec: spi=68295a15 esp=aes key=16 2cd9917763f86dceb10dc90590b4e36f
       ah=sha1 key=20 26fa71b22ea83f3b7aea1f8dbc29d73c2bcb62ac
  enc: spi=01a7a4c4 esp=aes key=16 7093917e35eb1f6af5ecedd982b3dd60
       ah=sha1 key=20 eb24090cda50410c1be6c0a28f3ea1004dcc8af2
  dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms


感谢刘工的对接文档,昨天客户现场测试成功了!
