IPSec

IPSec

Openswan和FortiGate的IPsec VPN对接


最近有较多的case是Openswan和FortiGate建立IPsec VPN失败,因此根据多次的对接经验,总结出了各种场景下的openswan和fgt对接的配置举例,以供大家参考。
 
有道笔记链接:
Openswan和FortiGate的IPsec VPN对接




 
 

配置举例:IPsec VPN FGT与CentOS 5.6  OPENSWAN对接:

飞塔      Fortigate公网:202.106.1.25          内网网段:10.193.1.0/24
Centos5.6  Openswan 公网: 202.106.1.200       内网网段:172.16.193.0/24
(注:下文的 ifconfig、route 输出以及两端 VPN 配置中实际使用的公网地址为 202.100.1.25 和 202.100.1.200,与此处写法不一致;实际对接时以配置为准,两端的 left/right 与 remote-gw 必须一一对应,否则第一阶段无法建立。)

拓扑:
10.193.1.0/24-----FGT--------------------Internet-----------------Centos5.6------172.16.193.0/24
                                         202.106.1.25                202.106.1.200

Centos5.6 OPENSWAN IPsec VPN配置:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:F0  
          inet addr:172.16.193.1  Bcast:172.16.193.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167501254 (159.7 MiB)  TX bytes:8224 (8.0 KiB)

eth2      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:FA  
          inet addr:202.100.1.200  Bcast:202.100.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138556 (3.9 MiB)  TX bytes:237964 (232.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.100.1.0     0.0.0.0         255.255.255.0   U      0      0        0 eth2
172.16.193.0    0.0.0.0         255.255.255.0   U      0      0        0 eth0
0.0.0.0              202.100.1.192   0.0.0.0         UG    0      0       0 eth2

# vi  /etc/ipsec.secrets
# One PSK entry per peer pair: "<local-ip> <remote-ip>: PSK "<secret>"". The same string is
# configured on the FortiGate side with "set psksecret" in the phase1-interface block.
# NOTE(review): "1q2w3e4r" is a lab/sample value — use a long random PSK in production and
# keep this file readable by root only (mode 0600).
202.100.1.200 202.100.1.25: PSK "1q2w3e4r"

# vi /etc/ipsec.conf
version 2.0
config setup
    # Full pluto (IKE daemon) debug output, written to the log file below. This is very
    # verbose and useful while troubleshooting the interop; reduce it once the tunnel is stable.
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    # Use the native Linux kernel IPsec stack (netkey) rather than KLIPS.
    protostack=netkey
    # Allow NAT traversal (UDP 4500 encapsulation) to be negotiated. In this lab the FGT
    # "diagnose vpn tunnel list" output reports natt mode=none, so no NAT was in the path.
    nat_traversal=yes
    # Private ranges a NAT'd peer may present as its virtual address (used with nat_traversal).
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # Opportunistic encryption disabled: only the explicitly defined conn below is used.
    oe=off

conn openswan_to_fgt
    ##phase 1##
    # Pre-shared-key authentication; the key is read from /etc/ipsec.secrets.
    authby=secret
    # Load and initiate this conn when the ipsec service starts (the FGT phase2 has
    # auto-negotiate enabled, so either side can bring the tunnel up).
    auto=start
    # IKE proposal: AES / SHA1 / DH group 14 (modp2048). The FGT phase1 proposal list
    # includes aes128-sha1 and dhgrp 14; "diagnose vpn ike gateway" shows aes128-sha1 negotiated.
    # NOTE(review): the FGT also offers aes128-sha256/aes256-sha256 — if this openswan build
    # supports SHA-2 proposals, preferring them over sha1 would be the stronger choice.
    ike=aes-sha1;modp2048
    keyexchange=ike
    # IKE SA lifetime in seconds; matches the 86400 shown in the FGT ike gateway output.
    ikelifetime=86400
   
    ##phase 2##
    # ESP with the same AES/SHA1 suite and PFS on DH group 14, matching the FGT
    # phase2-interface proposal (aes128-sha1) and dhgrp 14.
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    # IPsec SA lifetime in seconds; the FGT tunnel list shows timeout=42900/43200 for the child SA.
    keylife=43200

    # Local side: the public address on eth2 and the LAN behind eth0. The next hop is taken
    # from the default route (202.100.1.192 in the "route -n" output above).
    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    leftnexthop=%defaultroute

    # Remote side: the FortiGate wan1 address and the LAN behind it.
    right=202.100.1.25
    rightsubnet=10.193.1.0/24

FGT IPsec VPN配置:(以下防火墙策略为演示目的将源/目的地址和服务均放开为 all,生产环境建议按实际业务收紧;示例中的 PSK 仅供演示,请使用足够长的随机预共享密钥)
config system interface
    edit "wan1"
        set ip 202.100.1.25 255.255.255.0
        set allowaccess ping https ssh
next
    edit "lan"
        set ip 10.193.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end

config vpn ipsec phase1-interface
    edit "to-openswan"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set phase1name "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "TO-OPENSWAN-IN"
        set srcintf "to-openswan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "TO-OPENSWAN-OUT"
        set srcintf "lan"
        set dstintf "to-openswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set device "to-openswan"
    next
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

结果查看:
[root@liukangming ~]# service ipsec status
pluto (pid  42819) is running...
IPsec connections: loaded 1, active 1

# ipsec auto --status
....
"openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established)
....

[root@liukangming ~]# ping -I 172.16.193.1 10.193.1.1
PING 10.193.1.1 (10.193.1.1) from 172.16.193.1 : 56(84) bytes of data.
64 bytes from 10.193.1.1: icmp_seq=1 ttl=255 time=0.734 ms
64 bytes from 10.193.1.1: icmp_seq=2 ttl=255 time=0.358 ms
64 bytes from 10.193.1.1: icmp_seq=3 ttl=255 time=0.407 ms
64 bytes from 10.193.1.1: icmp_seq=4 ttl=255 time=0.467 ms
64 bytes from 10.193.1.1: icmp_seq=5 ttl=255 time=0.350 ms
64 bytes from 10.193.1.1: icmp_seq=6 ttl=255 time=0.439 ms
64 bytes from 10.193.1.1: icmp_seq=7 ttl=255 time=0.386 ms

 # diagnose vpn ike gateway
vd: root/0
name: to-openswan
version: 1
interface: wan1 7
addr: 202.100.1.25:500 -> 202.100.1.200:500
created: 885s ago
IKE SA: created 2/2  established 2/2  time 50/65/80 ms
IPsec SA: created 2/2  established 2/2  time 60/95/130 ms

  id/spi: 52644 25a22a087085467b/5b7afcd931bc3063
  direction: responder
  status: established 885-885s ago = 50ms
  proposal: aes128-sha1
  key: b2a171f28e08668e-9c51ab427bbfc433
  lifetime/rekey: 3600/2444
  DPD sent/recv: 00000000/00000000

  id/spi: 52643 398d69587e9169e7/bc24560972f70146
  direction: initiator
  status: established 885-885s ago = 80ms
  proposal: aes128-sha1
  key: c511b12f06b2db87-c4b5d526e7a6bde4
  lifetime/rekey: 86400/85214
  DPD sent/recv: 00000000/00000000

# diagnose vpn tunnel list
------------------------------------------------------
name=to-openswan ver=1 serial=6 202.100.1.25:0->202.100.1.200:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=202 ad=/0 itn-status=4a
stat: rxp=12 txp=12 rxb=1230 txb=1008
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=2 ref=3 serial=6 auto-negotiate
  src: 0:10.193.1.0/255.255.255.0:0
  dst: 0:172.16.193.0/255.255.255.0:0
  SA:  ref=5 options=18227 type=00 soft=0 mtu=1438 expire=41990/0B replaywin=1024
       seqno=d esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=68295a14 esp=aes key=16 6470bfc876b692fd41054aacc9b7adb4
       ah=sha1 key=20 256ea6bee70ababd21e6bccb76225b32443ff4f6
  enc: spi=2cfa0d20 esp=aes key=16 53a090f7f7d45bbdcbcc1a4a7572319d
       ah=sha1 key=20 a1f96f64144359d8987585c5646b81ab7f830613
  dec:pkts/bytes=0/0, enc:pkts/bytes=12/1824
  npu_flag=01 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=0 enc_npuid=1
  SA:  ref=4 options=18227 type=00 soft=0 mtu=1438 expire=27621/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=28531/28800
  dec: spi=68295a15 esp=aes key=16 2cd9917763f86dceb10dc90590b4e36f
       ah=sha1 key=20 26fa71b22ea83f3b7aea1f8dbc29d73c2bcb62ac
  enc: spi=01a7a4c4 esp=aes key=16 7093917e35eb1f6af5ecedd982b3dd60
       ah=sha1 key=20 eb24090cda50410c1be6c0a28f3ea1004dcc8af2
  dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
最近有较多的case是Openswan和FortiGate建立IPsec VPN失败,因此根据多次的对接经验,总结出了各种场景下的openswan和fgt对接的配置举例,以供大家参考。
 
有道笔记链接:
Openswan和FortiGate的IPsec VPN对接

 
 

配置举例:IPsec VPN FGT与CentOS 5.6  OPENSWAN对接:

飞塔      Fortigate公网:202.106.1.25          内网网段:10.193.1.0/24
Centos5.6  Openswan 公网: 202.106.1.200       内网网段:172.16.193.0/24
(注:下文的 ifconfig、route 输出以及两端 VPN 配置中实际使用的公网地址为 202.100.1.25 和 202.100.1.200,与此处写法不一致;实际对接时以配置为准,两端的 left/right 与 remote-gw 必须一一对应,否则第一阶段无法建立。)

拓扑:
10.193.1.0/24-----FGT--------------------Internet-----------------Centos5.6------172.16.193.0/24
                                         202.106.1.25                202.106.1.200

Centos5.6 OPENSWAN IPsec VPN配置:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:F0  
          inet addr:172.16.193.1  Bcast:172.16.193.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167501254 (159.7 MiB)  TX bytes:8224 (8.0 KiB)

eth2      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:FA  
          inet addr:202.100.1.200  Bcast:202.100.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138556 (3.9 MiB)  TX bytes:237964 (232.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.100.1.0     0.0.0.0         255.255.255.0   U      0      0        0 eth2
172.16.193.0    0.0.0.0         255.255.255.0   U      0      0        0 eth0
0.0.0.0              202.100.1.192   0.0.0.0         UG    0      0       0 eth2

# vi  /etc/ipsec.secrets
202.100.1.200 202.100.1.25: PSK "1q2w3e4r"

# vi /etc/ipsec.conf
version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn openswan_to_fgt
    ##phase 1##
    authby=secret
    auto=start
    ike=aes-sha1;modp2048
    keyexchange=ike
    ikelifetime=86400
   
    ##phase 2##
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    keylife=43200

    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    leftnexthop=%defaultroute

    right=202.100.1.25
    rightsubnet=10.193.1.0/24

FGT IPsec VPN配置:(以下防火墙策略为演示目的将源/目的地址和服务均放开为 all,生产环境建议按实际业务收紧;示例中的 PSK 仅供演示,请使用足够长的随机预共享密钥)
config system interface
    edit "wan1"
        set ip 202.100.1.25 255.255.255.0
        set allowaccess ping https ssh
next
    edit "lan"
        set ip 10.193.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end

config vpn ipsec phase1-interface
    edit "to-openswan"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set phase1name "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "TO-OPENSWAN-IN"
        set srcintf "to-openswan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "TO-OPENSWAN-OUT"
        set srcintf "lan"
        set dstintf "to-openswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set device "to-openswan"
    next
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

结果查看:
[root@liukangming ~]# service ipsec status
pluto (pid  42819) is running...
IPsec connections: loaded 1, active 1

# ipsec auto --status
....
"openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established)
....

[root@liukangming ~]# ping -I 172.16.193.1 10.193.1.1
PING 10.193.1.1 (10.193.1.1) from 172.16.193.1 : 56(84) bytes of data.
64 bytes from 10.193.1.1: icmp_seq=1 ttl=255 time=0.734 ms
64 bytes from 10.193.1.1: icmp_seq=2 ttl=255 time=0.358 ms
64 bytes from 10.193.1.1: icmp_seq=3 ttl=255 time=0.407 ms
64 bytes from 10.193.1.1: icmp_seq=4 ttl=255 time=0.467 ms
64 bytes from 10.193.1.1: icmp_seq=5 ttl=255 time=0.350 ms
64 bytes from 10.193.1.1: icmp_seq=6 ttl=255 time=0.439 ms
64 bytes from 10.193.1.1: icmp_seq=7 ttl=255 time=0.386 ms

 # diagnose vpn ike gateway
vd: root/0
name: to-openswan
version: 1
interface: wan1 7
addr: 202.100.1.25:500 -> 202.100.1.200:500
created: 885s ago
IKE SA: created 2/2  established 2/2  time 50/65/80 ms
IPsec SA: created 2/2  established 2/2  time 60/95/130 ms

  id/spi: 52644 25a22a087085467b/5b7afcd931bc3063
  direction: responder
  status: established 885-885s ago = 50ms
  proposal: aes128-sha1
  key: b2a171f28e08668e-9c51ab427bbfc433
  lifetime/rekey: 3600/2444
  DPD sent/recv: 00000000/00000000

  id/spi: 52643 398d69587e9169e7/bc24560972f70146
  direction: initiator
  status: established 885-885s ago = 80ms
  proposal: aes128-sha1
  key: c511b12f06b2db87-c4b5d526e7a6bde4
  lifetime/rekey: 86400/85214
  DPD sent/recv: 00000000/00000000

# diagnose vpn tunnel list
------------------------------------------------------
name=to-openswan ver=1 serial=6 202.100.1.25:0->202.100.1.200:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=202 ad=/0 itn-status=4a
stat: rxp=12 txp=12 rxb=1230 txb=1008
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=2 ref=3 serial=6 auto-negotiate
  src: 0:10.193.1.0/255.255.255.0:0
  dst: 0:172.16.193.0/255.255.255.0:0
  SA:  ref=5 options=18227 type=00 soft=0 mtu=1438 expire=41990/0B replaywin=1024
       seqno=d esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=68295a14 esp=aes key=16 6470bfc876b692fd41054aacc9b7adb4
       ah=sha1 key=20 256ea6bee70ababd21e6bccb76225b32443ff4f6
  enc: spi=2cfa0d20 esp=aes key=16 53a090f7f7d45bbdcbcc1a4a7572319d
       ah=sha1 key=20 a1f96f64144359d8987585c5646b81ab7f830613
  dec:pkts/bytes=0/0, enc:pkts/bytes=12/1824
  npu_flag=01 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=0 enc_npuid=1
  SA:  ref=4 options=18227 type=00 soft=0 mtu=1438 expire=27621/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=28531/28800
  dec: spi=68295a15 esp=aes key=16 2cd9917763f86dceb10dc90590b4e36f
       ah=sha1 key=20 26fa71b22ea83f3b7aea1f8dbc29d73c2bcb62ac
  enc: spi=01a7a4c4 esp=aes key=16 7093917e35eb1f6af5ecedd982b3dd60
       ah=sha1 key=20 eb24090cda50410c1be6c0a28f3ea1004dcc8af2
  dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms

大家有么有飞塔跟juniper SSG配置点到点的ipsec vpn文档


设备IPsecVPN和sslVPN问题


IPsec VPN隧道建立正常但VPN业务却不稳定 甚至不通怎么办?


IPsec VPN隧道建立正常,但是业务却不通或十分不稳定?
以下讨论有一个前提:并不是因为配置原因导致的VPN业务不通或不稳定,防火墙配置是正常的,而只是ESP报文在互联网上传输异常,也就是说运营商转发ESP报文的时候存在异常,或者运营商干脆就直接丢弃了ESP报文,这样的话IPsec VPN隧道看上去是好的,但是实际上业务却无法通信的这种情况。
不适用于IPsec VPN的其他故障环境下。

如何判断是ESP报文被丢弃的问题呢?
其实只需要在设备上抓对应的ESP报文即可,如果只有OUT方向的ESP而没有任何的IN方向的ESP,基本上就可以判断是运营商将ESP丢包导致的业务不通。(建议同时在对端抓包,确认对端确实发出了ESP报文,以排除对端自身未发包或发往了错误地址的情况。)
 
当然对于十分频繁的ESP ERROR故障,此方法也是有效果的。

IPsec_VPN隧道建立正常但VPN业务却不稳定甚至不通怎么办?.pdf


 
 
 新版本上有了进一步的更新:
上述方法过于复杂,只能在FOS5.2和5.0中使用,而新版本5.4和5.6中增加了一条命令,可以完美地规避这种复杂方法,只需要在第一阶段中把nat-t功能强制开启即可,这样ESP的流量就会被UDP 4500封装(对端同样需要支持并协商NAT-T)。具体参考命令行:
config vpn ipsec phase1-interface
    edit "电信VPN"
        set interface "wan2"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set nattraversal forced      ----在第一阶段中添加这条命令即可
        set remote-gw 119.100.1.35
        set psksecret ENC F7No+LaW8RRpGE2ZFNZPmiK+t8D9SSjbfF/sX597liHRSrw2rNT3EHixmfKWobhRdkS8NfCZZdvFRrxN+7CxP3sAjlnuozLWIFxrPKgT3e8qmT951wWHQfiZF2/cTYuWXtGNx1koKg9fSxe8euUJn9T5UMG7rqjbxAm28Wm9jgF530YIg3sSBMhwpP69YEipjz6A8w==
    next
end
IPsec VPN隧道建立正常,但是业务却不通或十分不稳定?
以下讨论有一个前提:并不是因为配置原因导致的VPN业务不通或不稳定,防火墙配置是正常的,而只是ESP报文在互联网上传输异常,也就是说运营商转发ESP报文的时候存在异常,或者运营商干脆就直接丢弃了ESP报文,这样的话IPsec VPN隧道看上去是好的,但是实际上业务却无法通信的这种情况。
不适用于IPsec VPN的其他故障环境下。

如何判断是ESP报文被丢弃的问题呢?
其实只需要在设备上抓对应的ESP报文即可,如果只有OUT方向的ESP而没有任何的IN方向的ESP,基本上就可以判断是运营商将ESP丢包导致的业务不通。(建议同时在对端抓包,确认对端确实发出了ESP报文,以排除对端自身未发包或发往了错误地址的情况。)
 
当然对于十分频繁的ESP ERROR故障,此方法也是有效果的。

 
 
 新版本上有了进一步的更新
上述方法过于复杂,只能在FOS5.2和5.0中使用,而新版本5.4和5.6中增加了一条命令,可以完美地规避这种复杂方法,只需要在第一阶段中把nat-t功能强制开启即可,这样ESP的流量就会被UDP 4500封装(对端同样需要支持并协商NAT-T)。具体参考命令行:
config vpn ipsec phase1-interface
    edit "电信VPN"
        set interface "wan2"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set nattraversal forced      ----在第一阶段中添加这条命令即可
        set remote-gw 119.100.1.35
        set psksecret ENC F7No+LaW8RRpGE2ZFNZPmiK+t8D9SSjbfF/sX597liHRSrw2rNT3EHixmfKWobhRdkS8NfCZZdvFRrxN+7CxP3sAjlnuozLWIFxrPKgT3e8qmT951wWHQfiZF2/cTYuWXtGNx1koKg9fSxe8euUJn9T5UMG7rqjbxAm28Wm9jgF530YIg3sSBMhwpP69YEipjz6A8w==
    next
end

FortiGate60D与200B,IPSEC建立VPN后,IP电话无法注册,求助


FortiGate 200B 如何设置macOS能连接的基于IPSec的VPN?


ipsec vpn


FortiGate 300C Dual Wan 建立IPsec


FortiClient IPSec 如何导入remote_networks


Fortigate设备和checkpoint连接ipsec 只通一边,请各位帮忙解决一下。


大家有么有飞塔跟juniper SSG配置点到点的ipsec vpn文档


设备IPsecVPN和sslVPN问题


FortiGate60D与200B,IPSEC建立VPN后,IP电话无法注册,求助


FortiGate 200B 如何设置macOS能连接的基于IPSec的VPN?


ipsec vpn


FortiGate 300C Dual Wan 建立IPsec


FortiClient IPSec 如何导入remote_networks


Fortigate设备和checkpoint连接ipsec 只通一边,请各位帮忙解决一下。


三台设备之间的ipsec连接,两台设备通过其中一台进行透明传输的问题


FortiGate 600C 和天融信起IPSEC VPN


Openswan和FortiGate的IPsec VPN对接


最近有较多的case是Openswan和FortiGate建立IPsec VPN失败,因此根据多次的对接经验,总结出了各种场景下的openswan和fgt对接的配置举例,以供大家参考。
 
有道笔记链接:
Openswan和FortiGate的IPsec VPN对接




 
 

配置举例:IPsec VPN FGT与CentOS 5.6  OPENSWAN对接:

飞塔      Fortigate公网:202.106.1.25          内网网段:10.193.1.0/24
Centos5.6  Openswan 公网: 202.106.1.200       内网网段:172.16.193.0/24
(注:下文的 ifconfig、route 输出以及两端 VPN 配置中实际使用的公网地址为 202.100.1.25 和 202.100.1.200,与此处写法不一致;实际对接时以配置为准,两端的 left/right 与 remote-gw 必须一一对应,否则第一阶段无法建立。)

拓扑:
10.193.1.0/24-----FGT--------------------Internet-----------------Centos5.6------172.16.193.0/24
                                         202.106.1.25                202.106.1.200

Centos5.6 OPENSWAN IPsec VPN配置:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:F0  
          inet addr:172.16.193.1  Bcast:172.16.193.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167501254 (159.7 MiB)  TX bytes:8224 (8.0 KiB)

eth2      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:FA  
          inet addr:202.100.1.200  Bcast:202.100.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138556 (3.9 MiB)  TX bytes:237964 (232.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.100.1.0     0.0.0.0         255.255.255.0   U      0      0        0 eth2
172.16.193.0    0.0.0.0         255.255.255.0   U      0      0        0 eth0
0.0.0.0              202.100.1.192   0.0.0.0         UG    0      0       0 eth2

# vi  /etc/ipsec.secrets
202.100.1.200 202.100.1.25: PSK "1q2w3e4r"

# vi /etc/ipsec.conf
version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn openswan_to_fgt
    ##phase 1##
    authby=secret
    auto=start
    ike=aes-sha1;modp2048
    keyexchange=ike
    ikelifetime=86400
   
    ##phase 2##
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    keylife=43200

    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    leftnexthop=%defaultroute

    right=202.100.1.25
    rightsubnet=10.193.1.0/24

FGT IPsec VPN配置:(以下防火墙策略为演示目的将源/目的地址和服务均放开为 all,生产环境建议按实际业务收紧;示例中的 PSK 仅供演示,请使用足够长的随机预共享密钥)
config system interface
    edit "wan1"
        set ip 202.100.1.25 255.255.255.0
        set allowaccess ping https ssh
next
    edit "lan"
        set ip 10.193.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end

config vpn ipsec phase1-interface
    edit "to-openswan"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set phase1name "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "TO-OPENSWAN-IN"
        set srcintf "to-openswan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "TO-OPENSWAN-OUT"
        set srcintf "lan"
        set dstintf "to-openswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set device "to-openswan"
    next
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

结果查看:
[root@liukangming ~]# service ipsec status
pluto (pid  42819) is running...
IPsec connections: loaded 1, active 1

# ipsec auto --status
....
"openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established)
....

[root@liukangming ~]# ping -I 172.16.193.1 10.193.1.1
PING 10.193.1.1 (10.193.1.1) from 172.16.193.1 : 56(84) bytes of data.
64 bytes from 10.193.1.1: icmp_seq=1 ttl=255 time=0.734 ms
64 bytes from 10.193.1.1: icmp_seq=2 ttl=255 time=0.358 ms
64 bytes from 10.193.1.1: icmp_seq=3 ttl=255 time=0.407 ms
64 bytes from 10.193.1.1: icmp_seq=4 ttl=255 time=0.467 ms
64 bytes from 10.193.1.1: icmp_seq=5 ttl=255 time=0.350 ms
64 bytes from 10.193.1.1: icmp_seq=6 ttl=255 time=0.439 ms
64 bytes from 10.193.1.1: icmp_seq=7 ttl=255 time=0.386 ms

 # diagnose vpn ike gateway
vd: root/0
name: to-openswan
version: 1
interface: wan1 7
addr: 202.100.1.25:500 -> 202.100.1.200:500
created: 885s ago
IKE SA: created 2/2  established 2/2  time 50/65/80 ms
IPsec SA: created 2/2  established 2/2  time 60/95/130 ms

  id/spi: 52644 25a22a087085467b/5b7afcd931bc3063
  direction: responder
  status: established 885-885s ago = 50ms
  proposal: aes128-sha1
  key: b2a171f28e08668e-9c51ab427bbfc433
  lifetime/rekey: 3600/2444
  DPD sent/recv: 00000000/00000000

  id/spi: 52643 398d69587e9169e7/bc24560972f70146
  direction: initiator
  status: established 885-885s ago = 80ms
  proposal: aes128-sha1
  key: c511b12f06b2db87-c4b5d526e7a6bde4
  lifetime/rekey: 86400/85214
  DPD sent/recv: 00000000/00000000

# diagnose vpn tunnel list
------------------------------------------------------
name=to-openswan ver=1 serial=6 202.100.1.25:0->202.100.1.200:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=202 ad=/0 itn-status=4a
stat: rxp=12 txp=12 rxb=1230 txb=1008
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=2 ref=3 serial=6 auto-negotiate
  src: 0:10.193.1.0/255.255.255.0:0
  dst: 0:172.16.193.0/255.255.255.0:0
  SA:  ref=5 options=18227 type=00 soft=0 mtu=1438 expire=41990/0B replaywin=1024
       seqno=d esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=68295a14 esp=aes key=16 6470bfc876b692fd41054aacc9b7adb4
       ah=sha1 key=20 256ea6bee70ababd21e6bccb76225b32443ff4f6
  enc: spi=2cfa0d20 esp=aes key=16 53a090f7f7d45bbdcbcc1a4a7572319d
       ah=sha1 key=20 a1f96f64144359d8987585c5646b81ab7f830613
  dec:pkts/bytes=0/0, enc:pkts/bytes=12/1824
  npu_flag=01 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=0 enc_npuid=1
  SA:  ref=4 options=18227 type=00 soft=0 mtu=1438 expire=27621/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=28531/28800
  dec: spi=68295a15 esp=aes key=16 2cd9917763f86dceb10dc90590b4e36f
       ah=sha1 key=20 26fa71b22ea83f3b7aea1f8dbc29d73c2bcb62ac
  enc: spi=01a7a4c4 esp=aes key=16 7093917e35eb1f6af5ecedd982b3dd60
       ah=sha1 key=20 eb24090cda50410c1be6c0a28f3ea1004dcc8af2
  dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
最近有较多的case是Openswan和FortiGate建立IPsec VPN失败,因此根据多次的对接经验,总结出了各种场景下的openswan和fgt对接的配置举例,以供大家参考。
 
有道笔记链接:
Openswan和FortiGate的IPsec VPN对接

 
 

配置举例:IPsec VPN FGT与CentOS 5.6  OPENSWAN对接:

飞塔      Fortigate公网:202.106.1.25          内网网段:10.193.1.0/24
Centos5.6  Openswan 公网: 202.106.1.200       内网网段:172.16.193.0/24
(注:下文的 ifconfig、route 输出以及两端 VPN 配置中实际使用的公网地址为 202.100.1.25 和 202.100.1.200,与此处写法不一致;实际对接时以配置为准,两端的 left/right 与 remote-gw 必须一一对应,否则第一阶段无法建立。)

拓扑:
10.193.1.0/24-----FGT--------------------Internet-----------------Centos5.6------172.16.193.0/24
                                         202.106.1.25                202.106.1.200

Centos5.6 OPENSWAN IPsec VPN配置:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:F0  
          inet addr:172.16.193.1  Bcast:172.16.193.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167501254 (159.7 MiB)  TX bytes:8224 (8.0 KiB)

eth2      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:FA  
          inet addr:202.100.1.200  Bcast:202.100.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138556 (3.9 MiB)  TX bytes:237964 (232.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.100.1.0     0.0.0.0         255.255.255.0   U      0      0        0 eth2
172.16.193.0    0.0.0.0         255.255.255.0   U      0      0        0 eth0
0.0.0.0              202.100.1.192   0.0.0.0         UG    0      0       0 eth2

# vi  /etc/ipsec.secrets
202.100.1.200 202.100.1.25: PSK "1q2w3e4r"

# vi /etc/ipsec.conf
version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn openswan_to_fgt
    ##phase 1##
    authby=secret
    auto=start
    ike=aes-sha1;modp2048
    keyexchange=ike
    ikelifetime=86400
   
    ##phase 2##
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    keylife=43200

    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    leftnexthop=%defaultroute

    right=202.100.1.25
    rightsubnet=10.193.1.0/24

FGT IPsec VPN配置:(以下防火墙策略为演示目的将源/目的地址和服务均放开为 all,生产环境建议按实际业务收紧;示例中的 PSK 仅供演示,请使用足够长的随机预共享密钥)
config system interface
    edit "wan1"
        set ip 202.100.1.25 255.255.255.0
        set allowaccess ping https ssh
next
    edit "lan"
        set ip 10.193.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end

config vpn ipsec phase1-interface
    edit "to-openswan"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set phase1name "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "TO-OPENSWAN-IN"
        set srcintf "to-openswan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "TO-OPENSWAN-OUT"
        set srcintf "lan"
        set dstintf "to-openswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set device "to-openswan"
    next
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

结果查看:
[root@liukangming ~]# service ipsec status
pluto (pid  42819) is running...
IPsec connections: loaded 1, active 1

# ipsec auto --status
....
"openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established)
....

[root@liukangming ~]# ping -I 172.16.193.1 10.193.1.1
PING 10.193.1.1 (10.193.1.1) from 172.16.193.1 : 56(84) bytes of data.
64 bytes from 10.193.1.1: icmp_seq=1 ttl=255 time=0.734 ms
64 bytes from 10.193.1.1: icmp_seq=2 ttl=255 time=0.358 ms
64 bytes from 10.193.1.1: icmp_seq=3 ttl=255 time=0.407 ms
64 bytes from 10.193.1.1: icmp_seq=4 ttl=255 time=0.467 ms
64 bytes from 10.193.1.1: icmp_seq=5 ttl=255 time=0.350 ms
64 bytes from 10.193.1.1: icmp_seq=6 ttl=255 time=0.439 ms
64 bytes from 10.193.1.1: icmp_seq=7 ttl=255 time=0.386 ms

 # diagnose vpn ike gateway
vd: root/0
name: to-openswan
version: 1
interface: wan1 7
addr: 202.100.1.25:500 -> 202.100.1.200:500
created: 885s ago
IKE SA: created 2/2  established 2/2  time 50/65/80 ms
IPsec SA: created 2/2  established 2/2  time 60/95/130 ms

  id/spi: 52644 25a22a087085467b/5b7afcd931bc3063
  direction: responder
  status: established 885-885s ago = 50ms
  proposal: aes128-sha1
  key: b2a171f28e08668e-9c51ab427bbfc433
  lifetime/rekey: 3600/2444
  DPD sent/recv: 00000000/00000000

  id/spi: 52643 398d69587e9169e7/bc24560972f70146
  direction: initiator
  status: established 885-885s ago = 80ms
  proposal: aes128-sha1
  key: c511b12f06b2db87-c4b5d526e7a6bde4
  lifetime/rekey: 86400/85214
  DPD sent/recv: 00000000/00000000

# diagnose vpn tunnel list
------------------------------------------------------
name=to-openswan ver=1 serial=6 202.100.1.25:0->202.100.1.200:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=202 ad=/0 itn-status=4a
stat: rxp=12 txp=12 rxb=1230 txb=1008
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=2 ref=3 serial=6 auto-negotiate
  src: 0:10.193.1.0/255.255.255.0:0
  dst: 0:172.16.193.0/255.255.255.0:0
  SA:  ref=5 options=18227 type=00 soft=0 mtu=1438 expire=41990/0B replaywin=1024
       seqno=d esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=68295a14 esp=aes key=16 6470bfc876b692fd41054aacc9b7adb4
       ah=sha1 key=20 256ea6bee70ababd21e6bccb76225b32443ff4f6
  enc: spi=2cfa0d20 esp=aes key=16 53a090f7f7d45bbdcbcc1a4a7572319d
       ah=sha1 key=20 a1f96f64144359d8987585c5646b81ab7f830613
  dec:pkts/bytes=0/0, enc:pkts/bytes=12/1824
  npu_flag=01 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=0 enc_npuid=1
  SA:  ref=4 options=18227 type=00 soft=0 mtu=1438 expire=27621/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=28531/28800
  dec: spi=68295a15 esp=aes key=16 2cd9917763f86dceb10dc90590b4e36f
       ah=sha1 key=20 26fa71b22ea83f3b7aea1f8dbc29d73c2bcb62ac
  enc: spi=01a7a4c4 esp=aes key=16 7093917e35eb1f6af5ecedd982b3dd60
       ah=sha1 key=20 eb24090cda50410c1be6c0a28f3ea1004dcc8af2
  dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms

IPsec VPN隧道建立正常但VPN业务却不稳定 甚至不通怎么办?

VPNkmliu 发表了文章 • 7 个评论 • 599 次浏览 • 2017-09-08 23:23 • 来自相关话题

IPsec VPN隧道建立正常,但是业务却不通或十分不稳定?
以下讨论有一个前提:并不是因为配置原因导致的VPN业务不通或不稳定,防火墙配置是正常的,而只是ESP报文在互联网上传输异常,也就是说运营商转发ESP报文的时候存在异常,或者运营商干脆就直接丢弃了ESP报文,这样的话IPsec VPN隧道看上去是好的,但是实际上业务却无法通信的这种情况。
不适用于IPsec VPN的其他故障环境下。

如何判断是ESP报文被丢弃的问题呢?
其实只需要在设备上抓对应的ESP报文即可,如果只有OUT方向的ESP而没有任何的IN方向的ESP,基本上就可以判断是运营商将ESP丢包导致的业务不通。
 
当然,对于十分频繁的ESP ERROR故障,此方法也是有效的。

IPsec_VPN隧道建立正常但VPN业务却不稳定甚至不通怎么办?.pdf


 
 
 新版本上有了进一步的更新:
上述方法过于复杂,只能在FOS5.2和5.0中使用,而新版本5.4和5.6中增加了一条命令,可以完美地规避这种复杂方法,只需要在第一阶段中把nat-t功能强制开启即可,这样ESP的流量就会被UDP 4500封装。具体参考命令行:
config vpn ipsec phase1-interface
    edit "电信VPN"
        set interface "wan2"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set nattraversal forced      ----在第一阶段中添加这条命令即可
        set remote-gw 119.100.1.35
        set psksecret ENC F7No+LaW8RRpGE2ZFNZPmiK+t8D9SSjbfF/sX597liHRSrw2rNT3EHixmfKWobhRdkS8NfCZZdvFRrxN+7CxP3sAjlnuozLWIFxrPKgT3e8qmT951wWHQfiZF2/cTYuWXtGNx1koKg9fSxe8euUJn9T5UMG7rqjbxAm28Wm9jgF530YIg3sSBMhwpP69YEipjz6A8w==
    next
end
IPsec VPN隧道建立正常,但是业务却不通或十分不稳定?
以下讨论有一个前提:并不是因为配置原因导致的VPN业务不通或不稳定,防火墙配置是正常的,而只是ESP报文在互联网上传输异常,也就是说运营商转发ESP报文的时候存在异常,或者运营商干脆就直接丢弃了ESP报文,这样的话IPsec VPN隧道看上去是好的,但是实际上业务却无法通信的这种情况。
不适用于IPsec VPN的其他故障环境下。

如何判断是ESP报文被丢弃的问题呢?
其实只需要在设备上抓对应的ESP报文即可,如果只有OUT方向的ESP而没有任何的IN方向的ESP,基本上就可以判断是运营商将ESP丢包导致的业务不通。
 
当然,对于十分频繁的ESP ERROR故障,此方法也是有效的。

 
 
 新版本上有了进一步的更新
上述方法过于复杂,只能在FOS5.2和5.0中使用,而新版本5.4和5.6中增加了一条命令,可以完美地规避这种复杂方法,只需要在第一阶段中把nat-t功能强制开启即可,这样ESP的流量就会被UDP 4500封装。具体参考命令行:
config vpn ipsec phase1-interface
    edit "电信VPN"
        set interface "wan2"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set nattraversal forced      ----在第一阶段中添加这条命令即可
        set remote-gw 119.100.1.35
        set psksecret ENC F7No+LaW8RRpGE2ZFNZPmiK+t8D9SSjbfF/sX597liHRSrw2rNT3EHixmfKWobhRdkS8NfCZZdvFRrxN+7CxP3sAjlnuozLWIFxrPKgT3e8qmT951wWHQfiZF2/cTYuWXtGNx1koKg9fSxe8euUJn9T5UMG7rqjbxAm28Wm9jgF530YIg3sSBMhwpP69YEipjz6A8w==
    next
end

Windows 7与FortiGate建立IPSec连接

VPN韩晔 发表了文章 • 0 个评论 • 853 次浏览 • 2014-09-30 09:28 • 来自相关话题

Windows 7客户端自带L2TP/IPSec客户端拨号程序,可以与FortiGate建立VPN连接。此方式适用于不希望在客户端PC上安装第三方IPSec软件的用户。
Windows 7客户端自带L2TP/IPSec客户端拨号程序,可以与FortiGate建立VPN连接。此方式适用于不希望在客户端PC上安装第三方IPSec软件的用户。

FortiGate-v5.2-基于X.509数字证书认证的拨号IPSec VPN-v1

VPN岑义涛 发表了文章 • 0 个评论 • 771 次浏览 • 2014-09-17 16:33 • 来自相关话题

简介
本例实现基于X.509数字证书认证的拨号IPSec VPN。
需求
FortiGate检查IPSec VPN客户端的数字证书,只有指定CA颁发的证书才能连接。
配置步骤
一、 FortiAuthenticator为FortiGate颁发证书(使用SCEP)
略。详见《FortiGate支持SCEP和OCSP协议.docx》
注意:FortiAuthenticator和FortiGate的时间一定要一致,否则可能导致证书颁发失败,建议使用NTP。
简介
本例实现基于X.509数字证书认证的拨号IPSec VPN。
需求
FortiGate检查IPSec VPN客户端的数字证书,只有指定CA颁发的证书才能连接。
配置步骤
一、 FortiAuthenticator为FortiGate颁发证书(使用SCEP)
略。详见《FortiGate支持SCEP和OCSP协议.docx》
注意:FortiAuthenticator和FortiGate的时间一定要一致,否则可能导致证书颁发失败,建议使用NTP。

FortiGate-v5.2-基于X.509数字证书认证的拨号IPSec VPN-v1

VPN岑义涛 发表了文章 • 0 个评论 • 749 次浏览 • 2014-08-19 14:15 • 来自相关话题

简介
本例实现基于X.509数字证书认证的拨号IPSec VPN。
需求
FortiGate检查IPSec VPN客户端的数字证书,只有指定CA颁发的证书才能连接。
简介
本例实现基于X.509数字证书认证的拨号IPSec VPN。
需求
FortiGate检查IPSec VPN客户端的数字证书,只有指定CA颁发的证书才能连接。

Linux客户端与FortiGate建立IPSec连接

VPN韩晔 发表了文章 • 0 个评论 • 939 次浏览 • 2014-06-27 21:28 • 来自相关话题

Linux客户端需要与FortiGate建立IPSec VPN通道,需要在Linux上安装客户端软件实现。目前FortiClient Linux客户端暂时不支持IPsec VPN功能,因此要通过第三方软件实现。本文档介绍使用的第三方软件为开源软件Openswan。
Linux客户端需要与FortiGate建立IPSec VPN通道,需要在Linux上安装客户端软件实现。目前FortiClient Linux客户端暂时不支持IPsec VPN功能,因此要通过第三方软件实现。本文档介绍使用的第三方软件为开源软件Openswan。

FortiGate IPSec高级选项配置

VPN岑义涛 发表了文章 • 0 个评论 • 1056 次浏览 • 2014-05-26 17:04 • 来自相关话题

本文介绍FortiGate虚拟专用网IPSec的IKE阶段1和阶段2高级选项中的几个重要参数,以解释各个参数的作用和使用场景。
-密钥周期 (keylife)
-保持存活 (autokey keep alive)
-自动协商 (阶段 2)
- NAT穿越 (NAT Traversal)
-对等体状态探测 (DPD)
本文介绍FortiGate虚拟专用网IPSec的IKE阶段1和阶段2高级选项中的几个重要参数,以解释各个参数的作用和使用场景。
-密钥周期 (keylife)
-保持存活 (autokey keep alive)
-自动协商 (阶段 2)
- NAT穿越 (NAT Traversal)
-对等体状态探测 (DPD)