VPN

Windows XP系统SSL VPN连接FortiGate新版本的注意事项

kmliu 发表了文章 • 0 个评论 • 1929 次浏览 • 2018-07-09 15:59 • 来自相关话题

XP 连接FOS 5.4/5.6/6.0版本的SSL VPN必失败，必须在XP和FGT分别进行相应的参数修改。

理论上来说官方新版本已经不再支持XP系统连接SSL VPN，V5.6以后的官方版本已经彻底去掉了SSL v3协议，因此如果FGT使用默认SSL VPN的配置，XP系统是没办法连接到SSL VPN的，但是如果由于业务原因一定要使用XP系统连接SSL VPN，那么需要从两方面修改设置才可以让XP成功连接到SSL VPN：
XP方面的修改：
1.安装IE8-WindowsXP-x86-CHS.exe 浏览器
IE8下载地址

2.在浏览器“Internet选项”中开启TLS1.0协议

FGT SSL VPN方面配置修改：
1.ssl vpn 下面开启TLS1.0协议（5.4.X中还可以开启SSL V3），并降低加密强度
2.在SSL VPN setting里面的config authentication-rule 将加密算法的长度调整为any长度，默认为大于等于168位
config vpn ssl settings
    set sslv3 enable         //默认disable，FOS 5.6之后彻底删除掉了ssl v3
    set tlsv1-0 enable     //默认disable
    set algorithm medium 或 set algorithm low // 默认为 HIGH，XP系统的加密强度最弱无法满足要求    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set cipher any     //默认为HIGH
        next
    end
end

---------------------------------------------------------------
----------------------------------------------------------------
完整的配置举例说明：

1.定义user和user-group，ssl vpn用户资源的定义

2.新建内网网段IP地址对象，用于后续的SSL VPN隧道分割和策略调用

3.使用自带的full-access模板即可，开启隧道分割，选择内网网段IP地址对象，这就是内网资源的定义

4.配置SSL VPN的端口，关联ssl vpn user-group资源和full-access内网资源

5.配置SSL VPN的策略，注意源IP里面需要调用user-group，目的IP需要调用隧道分割网段，做一个用户组和资源组的相互关联

FortiGate的SSL VPN配置完毕，默认状态应该就是这样，这个时候会发现 WIN7 WIN10等下系统连接SSL VPN没有任何问题，但是XP系统则怎么样都无法连接上SSL VPN，具体有两种报错：

XP SSL VPN Client下载：
https://fortinet.egnyte.com/dl/sUFezSusMD

FortiClient以及小SSL VPN Client的更多下载可以参考：
http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=65&id=448

报错1： 40%的时候报错

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 19 minutes.

FG100E4Q16003872 # diagnose debug enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24423:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24423:root:f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:f]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24423:root:f]SSL_accept failed, 5:(null)
[24423:root:f]Destroy sconn 0x35d6db00, connSize=0. (root)
[24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126) // ssl 协议不匹配
[24424:root:f]SSL state:error:(null)(192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol //不支持的ssl 协议

不支持的ssl协议

FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable //默认TLS1.0 disable，XP的IE8只有TLS1.0,因此TLS1.0必须打开
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm high   // XP没有太强的加密算法 DES-CBC3-SHA ，需要修改为medium 或 low

修改SSLVPN的配置：
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm medium

报错2：48%的时候报错"没有权限-455"

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 12 minutes.

FG100E4Q16003872 # diagnose debug enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24422:root:1b]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1b]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24422:root:1b]SSL_accept failed, 5:(null)
[24422:root:1b]Destroy sconn 0x35ce4b00, connSize=0. (root)
[24423:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1b]req: /remote/info
[24424:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1b]req: /remote/login
[24424:root:1b]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1b]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_web_auth_info_parser_common:439 no session id in auth info
[24422:root:1c]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24422:root:1c]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm (). //报错authentication rules 1错误
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher. //cipher不匹配
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24423:root:1c]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1c]req: /FortiClientSslvpnClearCacheUrl/for/Wini
[24423:root:1c]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t

修改SSL VPN的配置：
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # config authentication-rule
FG100E4Q16003872 (authentication-rule) # edit 1
FG100E4Q16003872 (1) # show
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
    next
end
FG100E4Q16003872 (1) # show full-configuration
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
        set realm ''
        set client-cert disable
        set cipher high   //默认为HIGH 需要168位及以上的加密算法，但是XP的加密算法不符合要求
        set auth any
    next
end
FG100E4Q16003872 (1) # set cipher
any       Any cipher strength.
high      High cipher strength (>= 168 bits).
medium    Medium cipher strength (>= 128 bits).
FG100E4Q16003872 (1) # set cipher any   //修改为any，接收DES等低位数加密算法
FG100E4Q16003872 (1) # end
FG100E4Q16003872 (settings) # end

总结修改的配置：
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # show
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
然后XP拨号就可以了：

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 1 minutes.
FG100E4Q16003872 # diagnose debug enable
[24423:root:1d]req: /remote/login
[24423:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24423:root:1d]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1d]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1d]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24424:root:1d]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1542 checking rule 1 vd source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1614 rule 1 done, got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1702 got user (0), group (1:0).
[24424:root:1d]two factor check for user1: off
[24424:root:1d]sslvpn_authenticate_user:167 authenticate user: [user1]
[24424:root:1d]sslvpn_authenticate_user:174 create fam state
[24424:root:1d]fam_auth_send_req:577 with server blacklist:
[24424:root:1d]fam_auth_send_req_internal:449 fnbam_auth return: 0
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]fam_do_cb:479 fnbamd return auth success.
[24424:root:1d]SSL VPN login matched rule (1).
[24424:root:1d]rmt_web_session_create:709 create web session, idx[0]
[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32
[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200
[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat 192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
<---完---> 查看全部

XP 连接FOS 5.4/5.6/6.0版本的SSL VPN必失败，必须在XP和FGT分别进行相应的参数修改。

理论上来说官方新版本已经不再支持XP系统连接SSL VPN，V5.6以后的官方版本已经彻底去掉了SSL v3协议，因此如果FGT使用默认SSL VPN的配置，XP系统是没办法连接到SSL VPN的，但是如果由于业务原因一定要使用XP系统连接SSL VPN，那么需要从两方面修改设置才可以让XP成功连接到SSL VPN：
XP方面的修改：
1.安装IE8-WindowsXP-x86-CHS.exe 浏览器
IE8下载地址

2.在浏览器“Internet选项”中开启TLS1.0协议

FGT SSL VPN方面配置修改：
1.ssl vpn 下面开启TLS1.0协议（5.4.X中还可以开启SSL V3），并降低加密强度
2.在SSL VPN setting里面的config authentication-rule 将加密算法的长度调整为any长度，默认为大于等于168位
config vpn ssl settings
    set sslv3 enable         //默认disable，FOS 5.6之后彻底删除掉了ssl v3
    set tlsv1-0 enable     //默认disable
    set algorithm medium 或 set algorithm low // 默认为 HIGH，XP系统的加密强度最弱无法满足要求    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set cipher any     //默认为HIGH
        next
    end
end

---------------------------------------------------------------
----------------------------------------------------------------
完整的配置举例说明：

1.定义user和user-group，ssl vpn用户资源的定义

2.新建内网网段IP地址对象，用于后续的SSL VPN隧道分割和策略调用

3.使用自带的full-access模板即可，开启隧道分割，选择内网网段IP地址对象，这就是内网资源的定义

4.配置SSL VPN的端口，关联ssl vpn user-group资源和full-access内网资源

5.配置SSL VPN的策略，注意源IP里面需要调用user-group，目的IP需要调用隧道分割网段，做一个用户组和资源组的相互关联

FortiGate的SSL VPN配置完毕，默认状态应该就是这样，这个时候会发现 WIN7 WIN10等下系统连接SSL VPN没有任何问题，但是XP系统则怎么样都无法连接上SSL VPN，具体有两种报错：

XP SSL VPN Client下载：
https://fortinet.egnyte.com/dl/sUFezSusMD

FortiClient以及小SSL VPN Client的更多下载可以参考：
http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=65&id=448

报错1： 40%的时候报错

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 19 minutes.

FG100E4Q16003872 # diagnose debug enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24423:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24423:root:f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:f]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24423:root:f]SSL_accept failed, 5:(null)
[24423:root:f]Destroy sconn 0x35d6db00, connSize=0. (root)
[24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126) // ssl 协议不匹配
[24424:root:f]SSL state:error:(null)(192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol //不支持的ssl 协议

不支持的ssl协议

FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable //默认TLS1.0 disable，XP的IE8只有TLS1.0,因此TLS1.0必须打开
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm high   // XP没有太强的加密算法 DES-CBC3-SHA ，需要修改为medium 或 low

修改SSLVPN的配置：
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm medium

报错2：48%的时候报错"没有权限-455"

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 12 minutes.

FG100E4Q16003872 # diagnose debug enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24422:root:1b]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1b]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24422:root:1b]SSL_accept failed, 5:(null)
[24422:root:1b]Destroy sconn 0x35ce4b00, connSize=0. (root)
[24423:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1b]req: /remote/info
[24424:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1b]req: /remote/login
[24424:root:1b]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1b]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_web_auth_info_parser_common:439 no session id in auth info
[24422:root:1c]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24422:root:1c]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm (). //报错authentication rules 1错误
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher. //cipher不匹配
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24423:root:1c]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1c]req: /FortiClientSslvpnClearCacheUrl/for/Wini
[24423:root:1c]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t

修改SSL VPN的配置：
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # config authentication-rule
FG100E4Q16003872 (authentication-rule) # edit 1
FG100E4Q16003872 (1) # show
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
    next
end
FG100E4Q16003872 (1) # show full-configuration
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
        set realm ''
        set client-cert disable
        set cipher high   //默认为HIGH 需要168位及以上的加密算法，但是XP的加密算法不符合要求
        set auth any
    next
end
FG100E4Q16003872 (1) # set cipher
any       Any cipher strength.
high      High cipher strength (>= 168 bits).
medium    Medium cipher strength (>= 128 bits).
FG100E4Q16003872 (1) # set cipher any   //修改为any，接收DES等低位数加密算法
FG100E4Q16003872 (1) # end
FG100E4Q16003872 (settings) # end

总结修改的配置：
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # show
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
然后XP拨号就可以了：

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 1 minutes.
FG100E4Q16003872 # diagnose debug enable
[24423:root:1d]req: /remote/login
[24423:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24423:root:1d]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1d]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1d]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24424:root:1d]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1542 checking rule 1 vd source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1614 rule 1 done, got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1702 got user (0), group (1:0).
[24424:root:1d]two factor check for user1: off
[24424:root:1d]sslvpn_authenticate_user:167 authenticate user: [user1]
[24424:root:1d]sslvpn_authenticate_user:174 create fam state
[24424:root:1d]fam_auth_send_req:577 with server blacklist:
[24424:root:1d]fam_auth_send_req_internal:449 fnbam_auth return: 0
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]fam_do_cb:479 fnbamd return auth success.
[24424:root:1d]SSL VPN login matched rule (1).
[24424:root:1d]rmt_web_session_create:709 create web session, idx[0]
[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32
[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200
[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat 192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
<---完--->

Openswan和FortiGate的IPsec VPN对接

kmliu 发表了文章 • 2 个评论 • 632 次浏览 • 2018-07-03 16:40 • 来自相关话题

最近有较多的case是Openswan和FortiGate建立IPsec VPN失败，因此根据多次的对接经验，总结出了各种场景下的openswan和fgt对接的配置举例，以供大家参考。

有道笔记链接：
Openswan和FortiGate的IPsec VPN对接

配置举例：IPsec VPN FGT与CentOS 5.6 OPENSWAN对接：

飞塔      Fortigate公网:202.106.1.25          内网网段：10.193.1.0/24
Centos5.6 Openswan 公网: 202.106.1.200       内网网段：172.16.193.0/24

拓扑：
10.193.1.0/24-----FGT--------------------Internet-----------------Centos5.6------172.16.193.0/24
                                         202.106.1.25                202.106.1.200

Centos5.6 OPENSWAN IPsec VPN配置：
# ifconfig
eth0      Link encap:Ethernet HWaddr 00:0C:29:A3:B3:F0
          inet addr:172.16.193.1 Bcast:172.16.193.255 Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:2739794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167501254 (159.7 MiB) TX bytes:8224 (8.0 KiB)

eth2      Link encap:Ethernet HWaddr 00:0C:29:A3:B3:FA
          inet addr:202.100.1.200 Bcast:202.100.1.255 Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:59919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138556 (3.9 MiB) TX bytes:237964 (232.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.100.1.0     0.0.0.0         255.255.255.0   U      0      0        0 eth2
172.16.193.0    0.0.0.0         255.255.255.0   U      0      0        0 eth0
0.0.0.0              202.100.1.192   0.0.0.0         UG    0      0       0 eth2

# vi /etc/ipsec.secrets
202.100.1.200 202.100.1.25: PSK "1q2w3e4r"

# vi /etc/ipsec.conf
version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn openswan_to_fgt
    ##phase 1##
    authby=secret
    auto=start
    ike=aes-sha1;modp2048
    keyexchange=ike
    ikelifetime=86400

    ##phase 2##
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    keylife=43200

    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    leftnexthop=%defaultroute

    right=202.100.1.25
    rightsubnet=10.193.1.0/24

FGT IPsec VPN配置：
config system interface
    edit "wan1"
        set ip 202.100.1.25 255.255.255.0
        set allowaccess ping https ssh
next
    edit "lan"
        set ip 10.193.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end

config vpn ipsec phase1-interface
    edit "to-openswan"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set phase1name "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "TO-OPENSWAN-IN"
        set srcintf "to-openswan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "TO-OPENSWAN-OUT"
        set srcintf "lan"
        set dstintf "to-openswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set device "to-openswan"
    next
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

结果查看：
[root@liukangming ~]# service ipsec status
pluto (pid 42819) is running...
IPsec connections: loaded 1, active 1

# ipsec auto --status
....
"openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established)
....

[root@liukangming ~]# ping -I 172.16.193.1 10.193.1.1
PING 10.193.1.1 (10.193.1.1) from 172.16.193.1 : 56(84) bytes of data.
64 bytes from 10.193.1.1: icmp_seq=1 ttl=255 time=0.734 ms
64 bytes from 10.193.1.1: icmp_seq=2 ttl=255 time=0.358 ms
64 bytes from 10.193.1.1: icmp_seq=3 ttl=255 time=0.407 ms
64 bytes from 10.193.1.1: icmp_seq=4 ttl=255 time=0.467 ms
64 bytes from 10.193.1.1: icmp_seq=5 ttl=255 time=0.350 ms
64 bytes from 10.193.1.1: icmp_seq=6 ttl=255 time=0.439 ms
64 bytes from 10.193.1.1: icmp_seq=7 ttl=255 time=0.386 ms

# diagnose vpn ike gateway
vd: root/0
name: to-openswan
version: 1
interface: wan1 7
addr: 202.100.1.25:500 -> 202.100.1.200:500
created: 885s ago
IKE SA: created 2/2 established 2/2 time 50/65/80 ms
IPsec SA: created 2/2 established 2/2 time 60/95/130 ms

id/spi: 52644 25a22a087085467b/5b7afcd931bc3063
direction: responder
status: established 885-885s ago = 50ms
proposal: aes128-sha1
key: b2a171f28e08668e-9c51ab427bbfc433
lifetime/rekey: 3600/2444
DPD sent/recv: 00000000/00000000

id/spi: 52643 398d69587e9169e7/bc24560972f70146
direction: initiator
status: established 885-885s ago = 80ms
proposal: aes128-sha1
key: c511b12f06b2db87-c4b5d526e7a6bde4
lifetime/rekey: 86400/85214
DPD sent/recv: 00000000/00000000

# diagnose vpn tunnel list
------------------------------------------------------
name=to-openswan ver=1 serial=6 202.100.1.25:0->202.100.1.200:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=202 ad=/0 itn-status=4a
stat: rxp=12 txp=12 rxb=1230 txb=1008
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=2 ref=3 serial=6 auto-negotiate
src: 0:10.193.1.0/255.255.255.0:0
dst: 0:172.16.193.0/255.255.255.0:0
SA: ref=5 options=18227 type=00 soft=0 mtu=1438 expire=41990/0B replaywin=1024
       seqno=d esn=0 replaywin_lastseq=00000000 itn=0
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=68295a14 esp=aes key=16 6470bfc876b692fd41054aacc9b7adb4
       ah=sha1 key=20 256ea6bee70ababd21e6bccb76225b32443ff4f6
enc: spi=2cfa0d20 esp=aes key=16 53a090f7f7d45bbdcbcc1a4a7572319d
       ah=sha1 key=20 a1f96f64144359d8987585c5646b81ab7f830613
dec:pkts/bytes=0/0, enc:pkts/bytes=12/1824
npu_flag=01 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=0 enc_npuid=1
SA: ref=4 options=18227 type=00 soft=0 mtu=1438 expire=27621/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
life: type=01 bytes=0/0 timeout=28531/28800
dec: spi=68295a15 esp=aes key=16 2cd9917763f86dceb10dc90590b4e36f
       ah=sha1 key=20 26fa71b22ea83f3b7aea1f8dbc29d73c2bcb62ac
enc: spi=01a7a4c4 esp=aes key=16 7093917e35eb1f6af5ecedd982b3dd60
       ah=sha1 key=20 eb24090cda50410c1be6c0a28f3ea1004dcc8af2
dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms 查看全部

最近有较多的case是Openswan和FortiGate建立IPsec VPN失败，因此根据多次的对接经验，总结出了各种场景下的openswan和fgt对接的配置举例，以供大家参考。

有道笔记链接：
Openswan和FortiGate的IPsec VPN对接

配置举例：IPsec VPN FGT与CentOS 5.6 OPENSWAN对接：

飞塔      Fortigate公网:202.106.1.25          内网网段：10.193.1.0/24
Centos5.6 Openswan 公网: 202.106.1.200       内网网段：172.16.193.0/24

拓扑：
10.193.1.0/24-----FGT--------------------Internet-----------------Centos5.6------172.16.193.0/24
                                         202.106.1.25                202.106.1.200

Centos5.6 OPENSWAN IPsec VPN配置：
# ifconfig
eth0      Link encap:Ethernet HWaddr 00:0C:29:A3:B3:F0
          inet addr:172.16.193.1 Bcast:172.16.193.255 Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:2739794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167501254 (159.7 MiB) TX bytes:8224 (8.0 KiB)

eth2      Link encap:Ethernet HWaddr 00:0C:29:A3:B3:FA
          inet addr:202.100.1.200 Bcast:202.100.1.255 Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:59919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138556 (3.9 MiB) TX bytes:237964 (232.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.100.1.0     0.0.0.0         255.255.255.0   U      0      0        0 eth2
172.16.193.0    0.0.0.0         255.255.255.0   U      0      0        0 eth0
0.0.0.0              202.100.1.192   0.0.0.0         UG    0      0       0 eth2

# vi /etc/ipsec.secrets
202.100.1.200 202.100.1.25: PSK "1q2w3e4r"

# vi /etc/ipsec.conf
version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn openswan_to_fgt
    ##phase 1##
    authby=secret
    auto=start
    ike=aes-sha1;modp2048
    keyexchange=ike
    ikelifetime=86400

    ##phase 2##
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    keylife=43200

    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    leftnexthop=%defaultroute

    right=202.100.1.25
    rightsubnet=10.193.1.0/24

FGT IPsec VPN配置：
config system interface
    edit "wan1"
        set ip 202.100.1.25 255.255.255.0
        set allowaccess ping https ssh
next
    edit "lan"
        set ip 10.193.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end

config vpn ipsec phase1-interface
    edit "to-openswan"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set phase1name "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "TO-OPENSWAN-IN"
        set srcintf "to-openswan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "TO-OPENSWAN-OUT"
        set srcintf "lan"
        set dstintf "to-openswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set device "to-openswan"
    next
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

结果查看：
[root@liukangming ~]# service ipsec status
pluto (pid 42819) is running...
IPsec connections: loaded 1, active 1

# ipsec auto --status
....
"openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established)
....

[root@liukangming ~]# ping -I 172.16.193.1 10.193.1.1
PING 10.193.1.1 (10.193.1.1) from 172.16.193.1 : 56(84) bytes of data.
64 bytes from 10.193.1.1: icmp_seq=1 ttl=255 time=0.734 ms
64 bytes from 10.193.1.1: icmp_seq=2 ttl=255 time=0.358 ms
64 bytes from 10.193.1.1: icmp_seq=3 ttl=255 time=0.407 ms
64 bytes from 10.193.1.1: icmp_seq=4 ttl=255 time=0.467 ms
64 bytes from 10.193.1.1: icmp_seq=5 ttl=255 time=0.350 ms
64 bytes from 10.193.1.1: icmp_seq=6 ttl=255 time=0.439 ms
64 bytes from 10.193.1.1: icmp_seq=7 ttl=255 time=0.386 ms

# diagnose vpn ike gateway
vd: root/0
name: to-openswan
version: 1
interface: wan1 7
addr: 202.100.1.25:500 -> 202.100.1.200:500
created: 885s ago
IKE SA: created 2/2 established 2/2 time 50/65/80 ms
IPsec SA: created 2/2 established 2/2 time 60/95/130 ms

id/spi: 52644 25a22a087085467b/5b7afcd931bc3063
direction: responder
status: established 885-885s ago = 50ms
proposal: aes128-sha1
key: b2a171f28e08668e-9c51ab427bbfc433
lifetime/rekey: 3600/2444
DPD sent/recv: 00000000/00000000

id/spi: 52643 398d69587e9169e7/bc24560972f70146
direction: initiator
status: established 885-885s ago = 80ms
proposal: aes128-sha1
key: c511b12f06b2db87-c4b5d526e7a6bde4
lifetime/rekey: 86400/85214
DPD sent/recv: 00000000/00000000

# diagnose vpn tunnel list
------------------------------------------------------
name=to-openswan ver=1 serial=6 202.100.1.25:0->202.100.1.200:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=202 ad=/0 itn-status=4a
stat: rxp=12 txp=12 rxb=1230 txb=1008
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=2 ref=3 serial=6 auto-negotiate
src: 0:10.193.1.0/255.255.255.0:0
dst: 0:172.16.193.0/255.255.255.0:0
SA: ref=5 options=18227 type=00 soft=0 mtu=1438 expire=41990/0B replaywin=1024
       seqno=d esn=0 replaywin_lastseq=00000000 itn=0
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=68295a14 esp=aes key=16 6470bfc876b692fd41054aacc9b7adb4
       ah=sha1 key=20 256ea6bee70ababd21e6bccb76225b32443ff4f6
enc: spi=2cfa0d20 esp=aes key=16 53a090f7f7d45bbdcbcc1a4a7572319d
       ah=sha1 key=20 a1f96f64144359d8987585c5646b81ab7f830613
dec:pkts/bytes=0/0, enc:pkts/bytes=12/1824
npu_flag=01 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=0 enc_npuid=1
SA: ref=4 options=18227 type=00 soft=0 mtu=1438 expire=27621/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
life: type=01 bytes=0/0 timeout=28531/28800
dec: spi=68295a15 esp=aes key=16 2cd9917763f86dceb10dc90590b4e36f
       ah=sha1 key=20 26fa71b22ea83f3b7aea1f8dbc29d73c2bcb62ac
enc: spi=01a7a4c4 esp=aes key=16 7093917e35eb1f6af5ecedd982b3dd60
       ah=sha1 key=20 eb24090cda50410c1be6c0a28f3ea1004dcc8af2
dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms

通知设置新通知

拨号IPsec VPN处理机制更新 (“set net-device disable”)

ios版forticlient为何在appstore下架了

ipsec vpn

关于重叠子网的站点到站点IPsec VPN场景中的VIP应用问题

fortigate 和 ssg140 基于路由的模式建设点到点的ipsec vpn

forticlient 在1809上的问题

ipsec vpn的共享密钥忘记密码了，命令行的文件可以翻译出来吗？

Windows XP系统SSL VPN连接FortiGate新版本的注意事项

Openswan和FortiGate的IPsec VPN对接

ipsec 隧道起来但ping不通

热门话题

热门用户

通知设置 新通知

VPN

热门话题

热门用户

通知设置新通知