FortiGate

Built on Fortinet's proprietary FortiASIC acceleration chips

FortiAP

Enterprise-grade, controller-managed wireless access points

FortiWeb

Web application firewall

FortiMail

Advanced anti-spam and anti-virus filtering

How do you measure FortiGate packet-processing latency?

FortiGate · 蒋晓 replied • 3 following • 2 replies • 239 views • 2018-03-08 10:39

Connecting Alibaba Cloud Openswan to a FortiGate IPsec VPN

FortiGate · kmliu posted an article • 0 comments • 492 views • 2018-03-07 17:20

Installing and configuring Openswan on CentOS 6.5
(1) Install openswan with yum and run the verification check
# yum -y install openswan
# ipsec verify

(2) Edit sysctl.conf to enable IP forwarding and turn off reverse-path filtering
# vi /etc/sysctl.conf
Change
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
to
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

(3) Run the following command to append the ICMP redirect parameters to sysctl.conf
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
After it succeeds, run sysctl -p to apply the changed parameters.

(4) Disable SELinux: setenforce 0 (disables SELinux until the next reboot); then disable it permanently:
edit /etc/selinux/config with vi and change
SELINUX=enforcing
to
SELINUX=disabled
[Adjust this setting to your needs; disabling it completely is insecure]

(5) Stop iptables
# /etc/init.d/iptables stop
# chkconfig iptables off
[Adjust this setting to your needs; disabling it completely is insecure, in practice you only need to allow the relevant traffic]

(6) Run # chkconfig ipsec on so the ipsec service starts at boot

(7) Enable routing/forwarding on Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward

(8) Start ipsec with # service ipsec restart and rerun the check command ipsec verify

(9) Configure openswan
# vi /etc/ipsec.conf
# vi /etc/ipsec.secrets
# service ipsec restart

IPsec VPN interconnection between a FortiGate and Alibaba Cloud Openswan, configuration example:
Fortinet FortiGate        public IP: 111.207.223.66    internal subnet: 192.168.146.0/24
Alibaba Cloud Openswan    public IP: 39.107.48.171     internal subnet: 10.25.0.0/16

Topology:
192.168.146.0/24------------FGT----------Internet---------OPENSWAN-----------10.25.0.0/16

Alibaba Cloud Openswan IPsec VPN configuration:
# vi /etc/ipsec.secrets
39.107.48.171 111.207.223.66: PSK "root123"

# vi /etc/ipsec.conf
config setup
   plutodebug=all
   plutostderrlog=/var/log/pluto.log
   protostack=netkey
   nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16

conn vpn-tunnel
   auto=start
   type=tunnel
   authby=secret
   compress=no
   pfs=yes

   left=39.107.48.171
   #leftid=openswan
   leftsubnet=10.25.0.0/16
   leftnexthop=%defaultroute

   right=111.207.223.66
   #rightid=fgt
   rightsubnet=192.168.146.0/24
   rightnexthop=%defaultroute

FGT IPsec VPN configuration:
config system interface
    edit "wan1"
        set ip 111.207.223.66 255.255.255.224
    next
end
config vpn ipsec phase1-interface
    edit "to-aliyun"
        set interface "wan1"
        set peertype any
        set remote-gw 39.107.48.171
        set psksecret ENC osY8nq9ytG9TwSANhARRNzLQCSNQ2m7WSsZrJVCNFuwjtwiMvth6hayrHdFqU7CuWai+337BiJPgSJ+ycQqgoPfRYrqg/KG/9K/Kv4HyPDYtKq7WuOyODjz2hlCCIsF5yLkHZSKgsNsXuTi+MDgRoT3YA6TbAn+yjsU4W5BJXyWKKNz6f2KG/cmQSKjIlo6Ak/awCw==
    next
end
config vpn ipsec phase2-interface
    edit "to-aliyun"
        set phase1name "to-aliyun"
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 192.168.146.0 255.255.255.0
        set dst-subnet 10.25.0.0 255.255.0.0
    next
end
config firewall policy
    edit 0
        set name "vpnlocal-to-aliyun"
        set srcintf "port1"
        set dstintf "to-aliyun"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "aliyun-to-vpnlocal"
        set srcintf "to-aliyun"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 1
        set gateway 111.207.223.65
        set device "wan1"
    next
    edit 0
        set dst 10.25.0.0 255.255.0.0
        set device "to-aliyun"
    next
    edit 0
        set dst 10.25.0.0 255.255.0.0
        set distance 254
        set blackhole enable
    next
end
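The tunnel above only comes up if the two sides are exact mirror images: the FortiGate's remote-gw must be Openswan's left, the FortiGate src-subnet/dst-subnet must equal Openswan's rightsubnet/leftsubnet, and the index line in ipsec.secrets must name both gateway addresses. Getting one of these backwards is the usual reason a phase 2 negotiation fails with no-proposal-chosen or a selector mismatch. The following script is an added example, not code from the post or from Fortinet/Openswan: it parses the two configuration fragments (copied into constructed inline strings, trimmed to the settings it reads) and reports those mismatches, plus a warning when the PSK is shorter than MIN_PSK_LEN. MIN_PSK_LEN and the conn/tunnel names are assumptions for the example, and the FortiGate parser assumes flat (non-nested) config sections.

```python
import ipaddress
import re
import shlex

# Constructed sample inputs: the post's values, trimmed to what the check reads.
OPENSWAN_CONF = """\
conn vpn-tunnel
   auto=start
   authby=secret
  left=39.107.48.171
  #leftid=openswan
  leftsubnet=10.25.0.0/16
  right=111.207.223.66
  rightsubnet=192.168.146.0/24
"""
IPSEC_SECRETS = '39.107.48.171 111.207.223.66: PSK "root123"\n'
FGT_CONF = """\
config vpn ipsec phase1-interface
    edit "to-aliyun"
        set interface "wan1"
        set remote-gw 39.107.48.171
    next
end
config vpn ipsec phase2-interface
    edit "to-aliyun"
        set src-subnet 192.168.146.0 255.255.255.0
        set dst-subnet 10.25.0.0 255.255.0.0
    next
end
"""
MIN_PSK_LEN = 20  # assumption: PSKs shorter than this are flagged as weak


def parse_openswan_conn(text, name):
    """Return the key=value settings of `conn <name>`; comments and blank lines
    are skipped, and the block ends at the next `conn`/`config` header."""
    settings, in_block = {}, False
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if stripped.startswith(("conn ", "config ")):
            in_block = stripped.split(None, 1) == ["conn", name]
        elif in_block and "=" in stripped:
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_fgt_edit(text, section, name):
    """Return the `set` values (as token lists) of `edit "<name>"` inside
    `config <section>`; nested config blocks are not handled (assumption)."""
    settings, in_section, in_edit = {}, False, False
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if words[0] == "config":
            in_section = " ".join(words[1:]) == section
        elif words[0] == "edit" and in_section:
            in_edit = words[1] == name
        elif words[0] in ("next", "end"):
            in_edit, in_section = False, in_section and words[0] != "end"
        elif words[0] == "set" and in_edit:
            settings[words[1]] = words[2:]
    return settings


def fgt_subnet(words):
    """FortiGate writes subnets as 'network mask'; convert to an ip_network."""
    return ipaddress.ip_network("/".join(words), strict=False)


def parse_secrets(text):
    """Return (set of index ids, psk) for every PSK line in ipsec.secrets."""
    entries = []
    for line in text.splitlines():
        match = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"(.*)"\s*$', line)
        if match:
            entries.append((set(match.group(1).split()), match.group(2)))
    return entries


def check_tunnel(openswan_conf, secrets, fgt_conf, conn="vpn-tunnel", tunnel="to-aliyun"):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    sw = parse_openswan_conn(openswan_conf, conn)
    p1 = parse_fgt_edit(fgt_conf, "vpn ipsec phase1-interface", tunnel)
    p2 = parse_fgt_edit(fgt_conf, "vpn ipsec phase2-interface", tunnel)
    # The FGT's remote gateway must be Openswan's 'left' (Openswan's own public address).
    remote_gw = p1.get("remote-gw", [""])[0]
    if remote_gw != sw.get("left"):
        findings.append(f"FGT remote-gw {remote_gw} does not match Openswan left {sw.get('left')}")
    # Phase 2 selectors must mirror: FGT src == rightsubnet, FGT dst == leftsubnet.
    fgt_src, fgt_dst = fgt_subnet(p2["src-subnet"]), fgt_subnet(p2["dst-subnet"])
    if fgt_src != ipaddress.ip_network(sw["rightsubnet"]):
        findings.append(f"FGT src-subnet {fgt_src} must equal Openswan rightsubnet {sw['rightsubnet']}")
    if fgt_dst != ipaddress.ip_network(sw["leftsubnet"]):
        findings.append(f"FGT dst-subnet {fgt_dst} must equal Openswan leftsubnet {sw['leftsubnet']}")
    # The secrets index line must name both gateways, and the PSK should not be trivial.
    for ids, psk in parse_secrets(secrets):
        if {sw["left"], sw["right"]} <= ids:
            if len(psk) < MIN_PSK_LEN:
                findings.append(f"PSK is only {len(psk)} characters; use a long random secret")
            break
    else:
        findings.append("no PSK line in ipsec.secrets names both gateways")
    return findings
```

Feed check_tunnel() the real contents of /etc/ipsec.conf, /etc/ipsec.secrets and the FortiGate's `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface` output; an empty list means the peers and selectors line up. On the post's own values the only finding is the 7-character PSK, which is worth replacing with a long random secret before the tunnel goes into production.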

Virtual wire pair

Firewall · lpx replied • 2 following • 2 replies • 544 views • 2018-03-06 09:55

FortiGate HA ping-check failover problem

System Management · lpx asked • 1 following • 0 replies • 722 views • 2018-03-06 09:46

Which command shows the logs?

FortiGate · sky00 asked • 1 following • 0 replies • 216 views • 2018-02-28 14:39

How do I export the configuration from the console, and can an exported configuration be loaded back directly?

FortiGate · liangxuena replied • 2 following • 1 reply • 310 views • 2018-02-24 16:13

Can someone help download the 60D and 100D v5.2.2, build642 images? Thanks

FortiGate · sky00 asked • 1 following • 0 replies • 227 views • 2018-02-22 11:01

Where can I download the upgrade firmware for the FortiWiFi-51E?

FortiGate · 360rundll replied • 1 following • 1 reply • 362 views • 2018-02-12 12:17

Can a FortiSwitch port's PoE power budget be set to a specific value?

FortiGate · 360rundll asked • 1 following • 0 replies • 310 views • 2018-02-09 17:04

Our company is replacing a Juniper firewall with a Fortinet firewall; how do we migrate the configuration?

FortiGate · zhao_am replied • 2 following • 7 replies • 384 views • 2018-02-06 19:52