IPsec VPN

Assigning fixed IP addresses to dial-up VPN users

VPN · kmliu published an article • 0 comments • 74 views • 2019-08-14 00:13 • from related topics

This article describes how IPsec/SSL VPN users obtain the virtual IP inside the VPN tunnel from RADIUS (PPTP can in fact do this too, but it was not tested for this article).

Dial-up IPsec VPN processing mechanism update ("set net-device disable")

VPN · kmliu published an article • 0 comments • 160 views • 2019-05-24 15:18 • from related topics

Currently cutting over firewalls, replacing Juniper with Fortinet, and running into some problems; let's see how everyone solves them

FortiGate · kuky_liu1978 replied to the question • 3 followers • 3 replies • 814 views • 2018-12-10 17:16 • from related topics

IPsec VPN interconnection between Openswan and FortiGate

VPN · kmliu published an article • 2 comments • 740 views • 2018-07-03 16:40 • from related topics

Recently there have been quite a few cases of Openswan and FortiGate failing to establish an IPsec VPN, so based on repeated interconnection experience I have put together configuration examples for Openswan-to-FGT interconnection in various scenarios, for everyone's reference.

Youdao Note link:
IPsec VPN interconnection between Openswan and FortiGate

Configuration example: IPsec VPN between a FGT and CentOS 5.6 OPENSWAN:

FortiGate             public IP: 202.106.1.25       internal subnet: 10.193.1.0/24
CentOS 5.6 Openswan   public IP: 202.106.1.200      internal subnet: 172.16.193.0/24

Topology:
10.193.1.0/24-----FGT--------------------Internet-----------------Centos5.6------172.16.193.0/24
                                         202.106.1.25                202.106.1.200

(The configurations and command output below show the same two public addresses as 202.100.1.25 and 202.100.1.200.)

CentOS 5.6 OPENSWAN IPsec VPN configuration:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:F0  
          inet addr:172.16.193.1  Bcast:172.16.193.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167501254 (159.7 MiB)  TX bytes:8224 (8.0 KiB)

eth2      Link encap:Ethernet  HWaddr 00:0C:29:A3:B3:FA  
          inet addr:202.100.1.200  Bcast:202.100.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea3:b3fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138556 (3.9 MiB)  TX bytes:237964 (232.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.100.1.0     0.0.0.0         255.255.255.0   U      0      0        0 eth2
172.16.193.0    0.0.0.0         255.255.255.0   U      0      0        0 eth0
0.0.0.0              202.100.1.192   0.0.0.0         UG    0      0       0 eth2

# vi  /etc/ipsec.secrets
202.100.1.200 202.100.1.25: PSK "1q2w3e4r"

# vi /etc/ipsec.conf
version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn openswan_to_fgt
    ##phase 1##
    authby=secret
    auto=start
    ike=aes-sha1;modp2048
    keyexchange=ike
    ikelifetime=86400
   
    ##phase 2##
    phase2=esp
    phase2alg=aes-sha1;modp2048
    compress=no
    pfs=yes
    type=tunnel
    keylife=43200

    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    leftnexthop=%defaultroute

    right=202.100.1.25
    rightsubnet=10.193.1.0/24

FGT IPsec VPN configuration:
config system interface
    edit "wan1"
        set ip 202.100.1.25 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "lan"
        set ip 10.193.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end

config vpn ipsec phase1-interface
    edit "to-openswan"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set phase1name "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "TO-OPENSWAN-IN"
        set srcintf "to-openswan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "TO-OPENSWAN-OUT"
        set srcintf "lan"
        set dstintf "to-openswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set device "to-openswan"
    next
    edit 0
        set dst 172.16.193.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
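The two configurations above do agree, but the question titles in this listing ("phase 1 comes up but phase 2 does not") are the usual symptom when they do not, and the cause is almost always a proposal, DH group, PFS or selector that one side offers and the other does not. The following Python script is an added example, not code from the original article or from either project: it parses the Openswan `conn` section and the FortiGate `phase1-interface` / `phase2-interface` blocks and reports every mismatch it can find statically, before the tunnel is brought up. It assumes that Openswan reads a bare `aes` as AES-128 (which the negotiated `proposal: aes128-sha1` in the output below confirms), that FortiOS enables PFS unless `set pfs disable` is present, and it only understands the configuration keys used on this page; its sample input is a constructed, cut-down copy of the article's own configs.

```python
import ipaddress
import re

# Openswan modp group names -> FortiGate "set dhgrp" numbers (RFC 3526 MODP groups)
MODP_TO_DHGRP = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15, "modp4096": 16}

# Constructed sample input: the article's configs cut down to the keys that affect negotiation
OPENSWAN_CONF = """\
conn openswan_to_fgt
    ike=aes-sha1;modp2048
    phase2alg=aes-sha1;modp2048
    pfs=yes
    left=202.100.1.200
    leftsubnet=172.16.193.0/24
    rightsubnet=10.193.1.0/24
"""
FGT_CONF = """\
config vpn ipsec phase1-interface
    edit "to-openswan"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5 14
        set remote-gw 202.100.1.200
    next
end
config vpn ipsec phase2-interface
    edit "to-openswan"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 5 14
        set src-subnet 10.193.1.0 255.255.255.0
        set dst-subnet 172.16.193.0 255.255.255.0
    next
end
"""

def parse_openswan_alg(spec):
    """'aes-sha1;modp2048' -> [('aes128','sha1',14)]; a bare 'aes' is AES-128 in Openswan."""
    out = []
    for item in filter(None, map(str.strip, spec.split(","))):
        algs, _, modp = item.partition(";")
        enc, _, hsh = algs.lower().partition("-")
        out.append(("aes128" if enc == "aes" else enc, hsh, MODP_TO_DHGRP.get(modp.strip())))
    return out

def parse_openswan_conn(text, name):
    """key=value pairs of one 'conn <name>' section; comments and other sections are skipped."""
    params, inside = {}, False
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if s.startswith(("conn ", "config ")):
            inside = s.startswith("conn ") and s.split(None, 1)[1] == name
        elif inside and "=" in s:
            k, _, v = s.partition("=")
            params[k.strip()] = v.strip()
    return params

def parse_fortios_edits(text, table):
    """{edit-name: {key: value}} for one 'config <table> ... end' block of a FortiOS config."""
    m = re.search(r"^config %s[ \t]*\n(.*?)^end[ \t]*$" % re.escape(table), text, re.M | re.S)
    edits, cur = {}, None
    for line in (m.group(1).splitlines() if m else []):
        s = line.strip()
        e = re.match(r'edit\s+"?([^"\s]+)"?$', s)
        if e:
            cur = edits.setdefault(e.group(1), {})
        elif s.startswith("set ") and cur is not None:
            k, _, v = s[4:].partition(" ")
            cur[k] = v.strip().replace('"', "")
    return edits

def has_common_proposal(entries, fgt):
    """True if an Openswan entry's cipher-hash pair is in 'set proposal' and its group (if any) in 'set dhgrp'."""
    props = set(fgt.get("proposal", "").split())
    grps = {int(g) for g in fgt.get("dhgrp", "").split()}
    return any("%s-%s" % (enc, hsh) in props and (grp is None or grp in grps)
               for enc, hsh, grp in entries)

def check_compat(openswan_conf, fgt_conf, conn="openswan_to_fgt", tunnel="to-openswan"):
    """Every reason the two ends cannot negotiate; an empty list means they agree."""
    sw = parse_openswan_conn(openswan_conf, conn)
    p1 = parse_fortios_edits(fgt_conf, "vpn ipsec phase1-interface")[tunnel]
    p2 = parse_fortios_edits(fgt_conf, "vpn ipsec phase2-interface")[tunnel]
    problems = []
    for phase, key, fgt in (("1", "ike", p1), ("2", "phase2alg", p2)):
        if not has_common_proposal(parse_openswan_alg(sw.get(key, "")), fgt):
            problems.append("phase %s: %s=%s has no match in proposal=%s dhgrp=%s"
                            % (phase, key, sw.get(key), fgt.get("proposal"), fgt.get("dhgrp")))
    # FortiOS enables PFS by default and Openswan defaults to pfs=yes; both ends must agree
    if (p2.get("pfs", "enable") == "enable") != (sw.get("pfs", "yes") == "yes"):
        problems.append("phase 2: PFS is enabled on one side only")
    # Selectors must mirror each other exactly or quick mode fails after phase 1 came up; FortiOS
    # writes them as 'address netmask', so normalise to CIDR before comparing
    for sw_key, fgt_key in (("leftsubnet", "dst-subnet"), ("rightsubnet", "src-subnet")):
        fgt_net = str(ipaddress.ip_network(p2[fgt_key].replace(" ", "/"), strict=False))
        if sw.get(sw_key) != fgt_net:
            problems.append("selector: %s=%s but %s=%s" % (sw_key, sw.get(sw_key), fgt_key, fgt_net))
    if sw.get("left") != p1.get("remote-gw"):
        problems.append("peer: left=%s but remote-gw=%s" % (sw.get("left"), p1.get("remote-gw")))
    return problems

if __name__ == "__main__":
    print(check_compat(OPENSWAN_CONF, FGT_CONF) or "both ends agree")
```

Run as-is it prints `both ends agree` for the article's configs; change `set dhgrp 5 14` to `set dhgrp 5` on the FortiGate side and both phases are reported, because `modp2048` is group 14. The check is purely static: it does not replace `ipsec auto --status` or `diagnose vpn ike gateway`, but it turns the most common interconnection failures into a readable list before either daemon logs a bare "no proposal chosen".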

Checking the result:
[root@liukangming ~]# service ipsec status
pluto (pid  42819) is running...
IPsec connections: loaded 1, active 1

# ipsec auto --status
....
"openswan_to_fgt":500 STATE_QUICK_R2 (IPsec SA established)
....

[root@liukangming ~]# ping -I 172.16.193.1 10.193.1.1
PING 10.193.1.1 (10.193.1.1) from 172.16.193.1 : 56(84) bytes of data.
64 bytes from 10.193.1.1: icmp_seq=1 ttl=255 time=0.734 ms
64 bytes from 10.193.1.1: icmp_seq=2 ttl=255 time=0.358 ms
64 bytes from 10.193.1.1: icmp_seq=3 ttl=255 time=0.407 ms
64 bytes from 10.193.1.1: icmp_seq=4 ttl=255 time=0.467 ms
64 bytes from 10.193.1.1: icmp_seq=5 ttl=255 time=0.350 ms
64 bytes from 10.193.1.1: icmp_seq=6 ttl=255 time=0.439 ms
64 bytes from 10.193.1.1: icmp_seq=7 ttl=255 time=0.386 ms

# diagnose vpn ike gateway
vd: root/0
name: to-openswan
version: 1
interface: wan1 7
addr: 202.100.1.25:500 -> 202.100.1.200:500
created: 885s ago
IKE SA: created 2/2  established 2/2  time 50/65/80 ms
IPsec SA: created 2/2  established 2/2  time 60/95/130 ms

  id/spi: 52644 25a22a087085467b/5b7afcd931bc3063
  direction: responder
  status: established 885-885s ago = 50ms
  proposal: aes128-sha1
  key: b2a171f28e08668e-9c51ab427bbfc433
  lifetime/rekey: 3600/2444
  DPD sent/recv: 00000000/00000000

  id/spi: 52643 398d69587e9169e7/bc24560972f70146
  direction: initiator
  status: established 885-885s ago = 80ms
  proposal: aes128-sha1
  key: c511b12f06b2db87-c4b5d526e7a6bde4
  lifetime/rekey: 86400/85214
  DPD sent/recv: 00000000/00000000

# diagnose vpn tunnel list
------------------------------------------------------
name=to-openswan ver=1 serial=6 202.100.1.25:0->202.100.1.200:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=202 ad=/0 itn-status=4a
stat: rxp=12 txp=12 rxb=1230 txb=1008
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=2 ref=3 serial=6 auto-negotiate
  src: 0:10.193.1.0/255.255.255.0:0
  dst: 0:172.16.193.0/255.255.255.0:0
  SA:  ref=5 options=18227 type=00 soft=0 mtu=1438 expire=41990/0B replaywin=1024
       seqno=d esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=68295a14 esp=aes key=16 6470bfc876b692fd41054aacc9b7adb4
       ah=sha1 key=20 256ea6bee70ababd21e6bccb76225b32443ff4f6
  enc: spi=2cfa0d20 esp=aes key=16 53a090f7f7d45bbdcbcc1a4a7572319d
       ah=sha1 key=20 a1f96f64144359d8987585c5646b81ab7f830613
  dec:pkts/bytes=0/0, enc:pkts/bytes=12/1824
  npu_flag=01 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=0 enc_npuid=1
  SA:  ref=4 options=18227 type=00 soft=0 mtu=1438 expire=27621/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=28531/28800
  dec: spi=68295a15 esp=aes key=16 2cd9917763f86dceb10dc90590b4e36f
       ah=sha1 key=20 26fa71b22ea83f3b7aea1f8dbc29d73c2bcb62ac
  enc: spi=01a7a4c4 esp=aes key=16 7093917e35eb1f6af5ecedd982b3dd60
       ah=sha1 key=20 eb24090cda50410c1be6c0a28f3ea1004dcc8af2
  dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms

IPsec_LAN_TO_LAN configuration example

VPN · kmliu published an article • 0 comments • 562 views • 2018-01-26 11:29 • from related topics

IPSEC VPN problem

VPN · kmliu replied to the question • 2 followers • 3 replies • 547 views • 2018-01-02 11:15 • from related topics

How to configure site-to-site IPsec on FortiGate version 5.4.6

VPN · kmliu replied to the question • 3 followers • 1 reply • 610 views • 2017-11-20 17:03 • from related topics

IPsec VPN connects fine in the morning but stops working by noon; advice needed

FortiGate · kmliu replied to the question • 3 followers • 3 replies • 2007 views • 2017-09-20 15:39 • from related topics

VPN phase 1 comes up but phase 2 does not

FortiGate · kmliu replied to the question • 2 followers • 1 reply • 948 views • 2017-09-20 15:39 • from related topics

IPSec negotiate_error

VPN · loumzd replied to the question • 3 followers • 2 replies • 4742 views • 2017-04-28 18:00 • from related topics

5.2.x and 5.4.x IPsec VPN: cannot point a route at the tunnel interface

VPN · 韩晔 replied to the question • 2 followers • 1 reply • 843 views • 2017-03-29 13:33 • from related topics

How to delete IPSec phase 1 on a Fortinet 80C

VPN · 蝈蝈 replied to the question • 3 followers • 2 replies • 1434 views • 2017-03-28 17:25 • from related topics

Firewall IPsec in a one-arm (bypass) deployment

VPN · 何育新 replied to the question • 3 followers • 1 reply • 782 views • 2017-03-02 22:34 • from related topics

  dec:pkts/bytes=1/84, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=202.100.1.200 npu_lgwy=202.100.1.25 npu_selid=a dec_npuid=1 enc_npuid=0

FG100E4Q16003872 # execute ping-options source 10.193.1.1
FG100E4Q16003872 # execute ping 172.16.193.1
PING 172.16.193.1 (172.16.193.1): 56 data bytes
64 bytes from 172.16.193.1: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 172.16.193.1: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 172.16.193.1: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 172.16.193.1: icmp_seq=4 ttl=64 time=0.6 ms
--- 172.16.193.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms

IPsec_LAN_TO_LAN configuration example

VPN kmliu published an article • 0 comments • 562 views • 2018-01-26 11:29 • from related topics

FGT session crash test

VPN kmliu published an article • 1 comment • 517 views • 2017-07-03 17:42 • from related topics

Youdao Note link:
FGT session crash test

1. The test procedure for a session crash in a VIP scenario, with an analysis of why the session crash occurs.
2. The cause of the frequent VPN connection failures seen with IPsec VPN (NAT-T) in a VIP scenario, and the fix.

Building a Full-Mesh Hub-and-Spoke with ADVPN (Auto Discovery VPN)

VPN kmliu published an article • 1 comment • 945 views • 2016-05-20 09:23 • from related topics

使用ADVPN(Auto_Discovery_VPN)_建立Full-Mesh方式的Hub_and_Spoke_v1.2_.pdf

 
(v1.2 updates the RIP2-based ADVPN implementation and other content, and revises part of the introduction)
ADVPN (Auto Discovery VPN) is an IPsec VPN based on an IETF RFC draft (https://tools.ietf.org/html/dr ... pn-03). Simply put, ADVPN allows the Spokes in a traditional Hub-and-Spoke VPN network to establish dynamic, on-demand VPN tunnels between each other, achieving a Full-Mesh across the whole network.
    In the traditional Hub-and-Spoke model, a Spoke can only establish a permanent tunnel with the Hub, and traffic between Spokes must be forwarded through the Hub. This reduces the load on the Spokes but raises the performance requirements of the Hub, while also making it easier for headquarters to monitor inter-branch traffic. In the Full-Mesh model built with ADVPN, Spokes can establish dynamic direct tunnels with each other, and inter-branch traffic is forwarded directly. By comparison, the Hub's load is reduced and the latency of inter-branch traffic is lower, which benefits real-time traffic such as VoIP; in practice, choose the model according to your own needs.
     We are all familiar with Cisco's DMVPN, which achieves full connectivity (Full-Mesh) between headquarters and branches through multipoint GRE-over-IPsec plus the NHRP registration protocol. Fortinet's ADVPN is implemented in a completely different way: ADVPN works with only IKE (carrying ADVPN messages) and IPsec (an IKE message triggers the ADVPN kernel notification); it needs neither GRE-over-IPsec nor an NHRP registration service, and so achieves Full-Mesh between headquarters and branches in a much simpler way. Currently only FortiOS 5.4 supports ADVPN, and ADVPN must be used together with a dynamic routing protocol (BGP/RIP). In general we recommend BGP, because BGP route reflection fits ADVPN perfectly: both are designed around simplifying Full-Mesh. The Hub acts as the BGP route reflector (RR); every Spoke only needs to establish a BGP neighbor relationship with the Hub (just as every Spoke only needs to establish an IPsec VPN with the Hub). The Hub acts like a mirror, reflecting the BGP routes learned from one Spoke to all the other Spokes, so the Hub drives the dynamic routing updates for the whole network through BGP RR. When a new Spoke is added, it only needs to establish an IPsec VPN tunnel and a BGP neighbor relationship with the Hub; the new Spoke's routes are then passed to the other Spokes, and the other Spokes can dynamically establish IPsec VPN tunnels with the new Spoke, achieving direct forwarding of data and routes between Spokes.
    In practice, to simplify the BGP configuration, the BGP dynamic neighbor feature can be used: a specific subnet is configured in the Hub's BGP configuration, and the Hub accepts connection requests from all neighbors within that subnet and establishes peering with them, so no separate peer command is needed for each remote end. In large-scale deployments this feature both simplifies configuration and greatly reduces maintenance and upgrade costs. To keep unauthorized neighbors from joining, it is recommended that the peer group used for dynamic neighbors be configured with MD5 authentication.
 
See the attachment for details!

User-authentication-based IPsec VPN in FortiOS 5.2

VPN kmliu published an article • 0 comments • 612 views • 2016-01-15 14:11 • from related topics

FortiOS 5.2 enhances the VPN function: policy-based access control can be applied according to the identity of the IPsec user. This example is configured with LDAP users.

GRE over IPSEC VPN between a Fortigate and a CISCO router

VPN 李朝辉 published an article • 0 comments • 836 views • 2015-10-29 17:50 • from related topics

Enterprise users deploy CISCO mid-to-high-end routers as border access aggregation routers. These routers support IPSEC VPN, but on a router IPSEC VPN is a service-layer feature; there is no IPSEC VPN interface mode as on firewall devices. When branch offices need to establish a VPN tunnel with headquarters, CISCO recommends GRE OVER IPSEC VPN to build the branch-to-headquarters VPN network.

Deployment case for config-mode IPSEC VPN

VPN foxjia published an article • 0 comments • 773 views • 2015-09-28 09:48 • from related topics

IPSec Failover under FortiGate HA

VPN 玉文锋 published an article • 0 comments • 715 views • 2015-05-16 17:43 • from related topics

This article briefly describes how IPsec operates during an HA failover.