HarmonyOS and Android Versions Below 12 (IKEv1)

This article was written against HarmonyOS 3.0; the configuration steps for Android versions below 12 are identical.

Network Requirements

Connect a HarmonyOS or Android (below 12) client to the FortiGate IPsec VPN using IKEv1 and access resources inside the VPN.

Authentication uses IKEv1 with a username/password (XAuth) plus a pre-shared key (L2TP is not involved).

Network Topology

[topology diagram]

  1. Configuration Steps

    FortiGate Configuration

    1. Configure the IP addresses of the FortiGate interfaces.

      [screenshot]

    2. On the FortiGate, go to VPN → IPsec Tunnels, click Create New, and create a new IPsec tunnel.

      [screenshot]

    3. Enter the VPN name, select the Custom template, and click Next.

      [screenshot]

    4. Change the settings as shown in the screenshots below, keep all other settings at their defaults, and click OK to apply the configuration.

      [screenshot]

      [screenshot]

    5. The corresponding CLI configuration is as follows:

      Phase 1 configuration:
      config vpn ipsec phase1-interface
          edit "HarmonyOS"
              set type dynamic
              set interface "port2"
              set peertype any
              set net-device disable
              set mode-cfg enable
              set ipv4-dns-server1 10.10.1.2
              set proposal aes256-sha256 aes128-sha1
              set dpd on-idle
              set dhgrp 14 5 2
              set xauthtype auto
              set authusrgrp "VPN"
              set ipv4-start-ip 10.10.100.1
              set ipv4-end-ip 10.10.100.100
              set psksecret xxxxxxxx
              set dpd-retryinterval 60
          next
      end
      
      Phase 2 configuration:
      config vpn ipsec phase2-interface
          edit "HarmonyOS"
              set phase1name "HarmonyOS"
              set proposal aes256-sha256 aes128-sha1
              set pfs disable
              set keepalive enable
          next
      end
      
      Address object:
      config firewall address
          edit "LAN_10.10.1.0/24"
              set subnet 10.10.1.0 255.255.255.0
          next
      end
      
    6. Configure a firewall policy that allows clients to reach the internal VPN resources.

      [screenshot]

      Client address object:
      config firewall address
          edit "VPN_10.10.100.0/24"
              set subnet 10.10.100.0 255.255.255.0
          next
      end
      
      Firewall policy:
      config firewall policy
          edit 1
              set name "HarmonyOS"
              set srcintf "HarmonyOS"
              set dstintf "port3"
              set action accept
              set srcaddr "VPN_10.10.100.0/24"
              set dstaddr "LAN_10.10.1.0/24"
              set schedule "always"
              set service "ALL"
          next
      end
      

    Client Configuration

    1. Open Settings → More connections → VPN and tap "Add VPN network" at the bottom.

      [screenshot]

    2. Set Type to IPSec Xauth PSK, enter the name, server address, and IPsec pre-shared key, then tap Save to save the connection (Huawei phones do not allow screenshots on the VPN connection configuration screen, so the image below is a photograph).

      [photograph]

    Verification

    1. Tap the VPN connection you created, enter the username and password, tick "Save account information" if required (Huawei phones do not allow screenshots on the VPN connection configuration screen, so the image below is a photograph), and tap Connect. Once connected, tap the connection to view its status and the details of the connection.

      [photograph]

      [screenshot]

    2. Check the connection status on the FortiGate side.

      [screenshot]

      FortiGate # diagnose vpn ike gateway list 
      
      vd: root/0
      name: HarmonyOS_0
      version: 1
      interface: port2 4
      addr: 202.103.12.2:4500 -> 202.103.23.2:64916
      tun_id: 10.10.100.1/::10.0.0.19
      remote_location: 0.0.0.0
      network-id: 0
      created: 26s ago
      xauth-user: vpn_user
      2FA: no
      assigned IPv4 address: 10.10.100.1/255.255.255.255
      nat: peer
      IKE SA: created 1/1  established 1/1  time 240/240/240 ms
      IPsec SA: created 1/1  established 1/1  time 440/440/440 ms
        id/spi: 73 39a070180abf8f20/7c90c7a59d942c95
        direction: responder
        status: established 26-26s ago = 240ms
        proposal: aes256-sha256
        key: 888ae90f86ef043e-a160f4d6b782c66d-c6d006f30ed9f5d7-923c853d34fa1e06
        lifetime/rekey: 28800/28503
        DPD sent/recv: 00000000/00000000
      
      FortiGate # diagnose vpn tunnel list 
      list all ipsec tunnel in vd 0
      ------------------------------------------------------
      name=HarmonyOS_0 ver=1 serial=17 202.103.12.2:4500->202.103.23.2:64916 tun_id=10.10.100.1 tun_id6=::10.0.0.19 dst_mtu=1500 dpd-link=on weight=1
      bound_if=4 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/9128 options[23a8]=npu rgwy-chg rport-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
      parent=HarmonyOS index=0
      proxyid_num=1 child_num=0 refcnt=5 ilast=7 olast=7 ad=/0
      stat: rxp=5 txp=3 rxb=331 txb=289
      dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=1
      natt: mode=silent draft=32 interval=10 remote_port=64916
      proxyid=HarmonyOS proto=0 sa=1 ref=5 serial=1 add-route
        src: 0:0.0.0.0-255.255.255.255:0
        dst: 0:10.10.100.1-10.10.100.1:0
        SA:  ref=3 options=20083 type=00 soft=0 mtu=1422 expire=28757/0B replaywin=2048
             seqno=4 esn=0 replaywin_lastseq=00000005 qat=0 rekey=0 hash_search_len=1
        life: type=01 bytes=0/0 timeout=28786/28800
        dec: spi=a06d669d esp=aes key=32 bb01635fcbcfec11f8970f8b58a23c6cadc3c12e6b506a799b8563c73501e5db
             ah=sha256 key=32 d8eb7b5dea988ea7b2d0509a6160b7f285827c4f56d6293aa77230759034518d
        enc: spi=02c359e0 esp=aes key=32 d8e3495f33ee0a4b7f851a4eaa1756f6ab16bddb6ba9d9c07b34fcc4c63d6e55
             ah=sha256 key=32 39e4c2b7c0b060c6d27a605c55821e27276b780699081975f1362a13580bd012
        dec:pkts/bytes=10/662, enc:pkts/bytes=6/813
        npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.12.2 npu_selid=11 dec_npuid=0 enc_npuid=0
      ------------------------------------------------------
      name=HarmonyOS ver=1 serial=13 202.103.12.2:0->0.0.0.0:0 tun_id=10.0.0.5 tun_id6=::10.0.0.5 dst_mtu=0 dpd-link=on weight=1
      bound_if=4 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0
      proxyid_num=0 child_num=1 refcnt=3 ilast=42980186 olast=42980186 ad=/0
      stat: rxp=7 txp=5 rxb=459 txb=473
      dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      run_tally=0
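As an added example (not part of the original article and not a Fortinet tool), the following Python script parses one entry of the `diagnose vpn ike gateway list` output shown above and checks that the tunnel is what this configuration should produce: IKEv1, an XAuth user, an established IKE SA, the preferred phase 1 proposal, and an address from the mode-cfg pool. The sample output is constructed from the page's output with the key material removed.

```python
import re

# Constructed sample modelled on the page's "diagnose vpn ike gateway list"
# output; the key material shown on the page is omitted here.
SAMPLE_GATEWAY = """\
name: HarmonyOS_0
version: 1
addr: 202.103.12.2:4500 -> 202.103.23.2:64916
xauth-user: vpn_user
assigned IPv4 address: 10.10.100.1/255.255.255.255
nat: peer
IKE SA: created 1/1  established 1/1  time 240/240/240 ms
IPsec SA: created 1/1  established 1/1  time 440/440/440 ms
  status: established 26-26s ago = 240ms
  proposal: aes256-sha256
"""

# Phase 1 proposal line from the article's config; FortiGate lists the
# preferred proposal first.
PHASE1_PROPOSAL = "aes256-sha256 aes128-sha1"


def parse_gateway(text):
    """Map each 'key: value' line of one gateway entry to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_gateway(fields, phase1_proposal=PHASE1_PROPOSAL):
    """Return findings; an empty list means the tunnel matches the config."""
    findings = []
    if fields.get("version") != "1":
        findings.append("not an IKEv1 gateway")
    if not fields.get("xauth-user"):
        findings.append("no XAuth user: peer authenticated with the PSK only")
    if "established 1/1" not in fields.get("IKE SA", ""):
        findings.append("IKE SA not established")
    proposals = phase1_proposal.split()
    negotiated = fields.get("proposal")
    if negotiated not in proposals:
        findings.append(f"negotiated proposal {negotiated!r} not in phase1 list")
    elif negotiated != proposals[0]:
        findings.append(f"client fell back to secondary proposal {negotiated}")
    if not fields.get("assigned IPv4 address", "").startswith("10.10.100."):
        findings.append("assigned address is outside the mode-cfg pool")
    return findings
```

Pipe the real output of `diagnose vpn ike gateway list` into `parse_gateway` one entry at a time; an empty findings list from `check_gateway` confirms the client negotiated the settings this article configures.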
      
    3. Check the kernel routing table on the FortiGate; a route to the client has been added automatically.

      FortiGate # get router info kernel 
      ...
      tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.10.100.1/32 pref=0.0.0.0 gwy=10.10.100.1 dev=23(HarmonyOS)
      ...
      
    4. Access internal VPN resources from the client (ping and HTTP).

      [screenshot]

      In testing, Android clients using IKEv1 cannot use split tunneling: once the VPN is established, all traffic is sent into the VPN tunnel.

Copyright © 2023 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2023-09-12 15:24:01
