iOS Native Client Connecting to IPsec (IKEv2 Pre-Shared Key Authentication)

This article is based on iOS 16.3.

Networking Requirements

Connect to the FortiGate IPsec VPN from the iOS native client (IKEv2 pre-shared key authentication) and access resources inside the VPN.

Network Topology

(Topology diagram)

Configuration Steps

FortiGate Configuration

  1. Configure the IP addresses of the FortiGate interfaces.


  2. On the FortiGate, go to VPN → IPsec Tunnels and click Create New to create an IPsec tunnel.


  3. Enter the VPN name, choose the Custom template, and click Next.


  4. Change the settings as shown in the figures below, leave everything else at its default, and click OK to apply the configuration.


    Note: if split tunneling is enabled, do not set the local address to 0.0.0.0/0, or the client will fail to connect.

  5. The corresponding CLI configuration is as follows:

    Phase 1 configuration:
    config vpn ipsec phase1-interface
        edit "IKEv2_PSK"
            set type dynamic
            set interface "port2"
            set ike-version 2
            set peertype any
            set net-device disable
            set mode-cfg enable
            set ipv4-dns-server1 10.10.1.2
            set proposal aes128-sha256 aes256-sha256
            set dpd on-idle
            set ipv4-start-ip 10.10.100.1
            set ipv4-end-ip 10.10.100.100
            set ipv4-split-include "LAN_10.10.1.0/24"
            set psksecret xxxxxxxx
            set dpd-retryinterval 60
        next
    end
    
    Phase 2 configuration:
    config vpn ipsec phase2-interface
        edit "IKEv2_PSK"
            set phase1name "IKEv2_PSK"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
            set pfs disable
            set keepalive enable
        next
    end
    
    Address object:
    config firewall address
        edit "LAN_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
    end
    
  6. Configure a firewall policy that allows clients to reach the internal VPN resources.


    Client address object:
    config firewall address
        edit "VPN_10.10.100.0/24"
            set subnet 10.10.100.0 255.255.255.0
        next
    end
    
    Firewall policy:
    config firewall policy
        edit 1
            set name "IKEv2_PSK"
            set srcintf "IKEv2_PSK"
            set dstintf "port3"
            set action accept
            set srcaddr "VPN_10.10.100.0/24"
            set dstaddr "LAN_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
        next
    end
    
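    The configuration above can be checked before it is pushed. The following is an added example (not FortiGate code or part of the original article) that parses FortiOS CLI text of the kind shown in steps 4 and 5 and flags the pitfalls those steps warn about: a split-include object that resolves to 0.0.0.0/0, a client pool overlapping the protected LAN, and a placeholder pre-shared key. The sample configuration is constructed from this page.

```python
import ipaddress
# Constructed sample: the phase1-interface and address-object blocks from this page,
# with the PSK placeholder kept exactly as the page shows it.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "IKEv2_PSK"
        set mode-cfg enable
        set ipv4-start-ip 10.10.100.1
        set ipv4-end-ip 10.10.100.100
        set ipv4-split-include "LAN_10.10.1.0/24"
        set psksecret xxxxxxxx
    next
end
config firewall address
    edit "LAN_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
end
"""
def parse_config(text):
    """Map (table, entry name) -> {key: value} for each 'edit' block of FortiOS CLI text."""
    entries, table, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
        elif line.startswith("edit "):
            name = line[5:].strip('"')
            entries[(table, name)] = {}
        elif line.startswith("set ") and name is not None:
            key, _, value = line[4:].partition(" ")
            entries[(table, name)][key] = value.strip('"')
        elif line in ("next", "end"):
            name, table = None, (table if line == "next" else None)
    return entries

def lint_dialup_tunnel(entries, tunnel="IKEv2_PSK"):
    """Return the problems found in a mode-cfg dial-up phase1 definition."""
    p1 = entries[("vpn ipsec phase1-interface", tunnel)]
    start, end = (ipaddress.IPv4Address(p1[k]) for k in ("ipv4-start-ip", "ipv4-end-ip"))
    findings = []
    for obj in (o.strip('"') for o in p1.get("ipv4-split-include", "").split()):
        lan = ipaddress.IPv4Network("/".join(entries[("firewall address", obj)]["subnet"].split()))
        if lan.prefixlen == 0:  # the page's warning: 0.0.0.0/0 here makes the iOS client fail
            findings.append(f"{obj}: split-include is 0.0.0.0/0")
        if start in lan or end in lan:  # the client pool must not overlap the LAN it routes to
            findings.append(f"{obj}: client pool {start}-{end} overlaps {lan}")
    psk = p1.get("psksecret", "")
    if set(psk) <= {"x"} or len(psk) < 16:  # 'xxxxxxxx' is the page's placeholder
        findings.append("psksecret: placeholder or shorter than 16 characters")
    return findings
```

    Run against the sample, the only finding is the placeholder PSK; replacing the LAN object's subnet with 0.0.0.0 0.0.0.0 reproduces the split-include problem from step 4.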

Client Configuration

  1. Open Settings → VPN and tap "Add VPN Configuration…" at the bottom.


  2. Set Type to IKEv2, enter the VPN description and the server IP, enter any value for Remote ID, set User Authentication to None, turn off Use Certificate, enter the pre-shared key, and tap Done.


  3. Tap the VPN connection you created and make sure it is selected (a ✅ appears in front of it).


Verification

  1. On the client, tap the connect button and check the connection status. Tap the info button to the right of the VPN connection to see the connection details; the assigned IP is in the range configured on the FortiGate.


  2. Check the connection status on the FortiGate.


    FortiGate # diagnose vpn ike gateway list
    
    vd: root/0
    name: IKEv2_PSK_0
    version: 2
    interface: port2 4
    addr: 202.103.12.2:4500 -> 202.103.23.2:64916
    tun_id: 10.10.100.1/::10.0.0.9
    remote_location: 0.0.0.0
    network-id: 0
    created: 421s ago
    assigned IPv4 address: 10.10.100.1/255.255.255.255
    nat: peer
    PPK: no
    IKE SA: created 1/1  established 1/1  time 450/450/450 ms
    IPsec SA: created 1/1  established 1/1  time 140/140/140 ms
      id/spi: 10 5198d872487677ea/31cdf17287e5560c
      direction: responder
      status: established 421-420s ago = 450ms
      proposal: aes256-sha256
      child: no
      SK_ei: dc94f8538f947677-a09ddef1a1bec336-c65701c8f563da84-1812eb919f080c9c
      SK_er: f845db38cae914bf-f45903f0d16af51b-756ce4808bcfedde-f28ff9ec28b3dfe0
      SK_ai: d733f1548b7a4e66-0b7bc5e25539c612-7d9b58309bf6b7ac-539bbdbf51610ccd
      SK_ar: b4b85aecdc194e94-3b04954ddb321f23-fec94182c35dc0d9-ee6c3f8edaab46f4
      PPK: no
      message-id sent/recv: 0/3
      lifetime/rekey: 86400/85709
      DPD sent/recv: 00000000/00000000
    
    FortiGate # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=IKEv2_PSK_0 ver=2 serial=f 202.103.12.2:4500->202.103.23.2:64916 tun_id=10.10.100.1 tun_id6=::10.0.0.9 dst_mtu=1500 dpd-link=on weight=1
    bound_if=4 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/9128 options[23a8]=npu rgwy-chg rport-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
    parent=IKEv2_PSK index=0
    proxyid_num=1 child_num=0 refcnt=5 ilast=0 olast=0 ad=/0
    stat: rxp=347 txp=338 rxb=23044 txb=31852
    dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=1
    natt: mode=silent draft=0 interval=10 remote_port=64916
    proxyid=IKEv2_PSK proto=0 sa=1 ref=24 serial=1 add-route
      src: 0:0.0.0.0-255.255.255.255:0
      dst: 0:10.10.100.1-10.10.100.1:0
      SA:  ref=3 options=20483 type=00 soft=0 mtu=1422 expire=42739/0B replaywin=2048
           seqno=153 esn=0 replaywin_lastseq=0000015b qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=43185/43200
      dec: spi=4d836866 esp=aes key=16 8ae2318c0e96f4a41b454135917178a9
           ah=sha1 key=20 87cc5f5d5de49187019ea267a812df1873b9cf6f
      enc: spi=0c26fd39 esp=aes key=16 08bfbe6a97eb166634337de47be3925f
           ah=sha1 key=20 d670dba9af5500ae408f62052c5c192c1b45feff
      dec:pkts/bytes=694/46088, enc:pkts/bytes=676/88844
      npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.12.2 npu_selid=7 dec_npuid=0 enc_npuid=0
    ------------------------------------------------------
    name=IKEv2_PSK ver=2 serial=e 202.103.12.2:0->0.0.0.0:0 tun_id=10.0.0.7 tun_id6=::10.0.0.7 dst_mtu=0 dpd-link=on weight=1
    bound_if=4 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0
    proxyid_num=0 child_num=1 refcnt=3 ilast=43032051 olast=43032051 ad=/0
    stat: rxp=347 txp=338 rxb=23044 txb=31852
    dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    run_tally=0
    
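    The same check can be automated for monitoring. The following is an added example (not FortiGate code or part of the original article) that parses `diagnose vpn ike gateway list` output of the shape shown above and reports when a dial-up gateway is not IKEv2, not established, negotiated a proposal outside the configured phase 1 set, or received an address outside the configured pool. The sample output is constructed from this page with the SK_* key material lines left out.

```python
import ipaddress
import re
# Constructed sample, trimmed from the 'diagnose vpn ike gateway list' output on this page;
# the SK_* key material lines are deliberately left out.
SAMPLE_GATEWAY = """
vd: root/0
name: IKEv2_PSK_0
version: 2
interface: port2 4
addr: 202.103.12.2:4500 -> 202.103.23.2:64916
assigned IPv4 address: 10.10.100.1/255.255.255.255
IKE SA: created 1/1  established 1/1  time 450/450/450 ms
IPsec SA: created 1/1  established 1/1  time 140/140/140 ms
  id/spi: 10 5198d872487677ea/31cdf17287e5560c
  direction: responder
  status: established 421-420s ago = 450ms
  proposal: aes256-sha256
  lifetime/rekey: 86400/85709
"""

def parse_gateways(text):
    """One dict per gateway block; indented 'key: value' lines are flattened into it."""
    gateways, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue
        if key == "vd":  # every gateway block begins with its VDOM line
            current = {}
            gateways.append(current)
        if current is not None:
            current[key] = value
    return gateways

def check_gateway(gw, allowed_proposals, pool_start, pool_end):
    """Findings for one dial-up gateway; an empty list means the tunnel looks healthy."""
    findings = []
    if gw.get("version") != "2":
        findings.append("not IKEv2")
    if not gw.get("status", "").startswith("established"):
        findings.append(f"IKE SA status is {gw.get('status', 'unknown')!r}")
    if gw.get("proposal") not in allowed_proposals:
        findings.append(f"negotiated {gw.get('proposal')} not in configured proposals")
    ip = ipaddress.IPv4Address(gw.get("assigned IPv4 address", "0.0.0.0").split("/")[0])
    if not ipaddress.IPv4Address(pool_start) <= ip <= ipaddress.IPv4Address(pool_end):
        findings.append(f"assigned {ip} is outside pool {pool_start}-{pool_end}")
    m = re.search(r"established (\d+)/(\d+)", gw.get("IPsec SA", ""))  # 'established 1/1'
    if not m or m.group(1) != m.group(2):
        findings.append("not every IPsec SA is established")
    return findings
```

    With the phase 1 proposals and pool from step 5 (aes128-sha256/aes256-sha256, 10.10.100.1 to 10.10.100.100) the sample gateway produces no findings.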
  3. Check the kernel routing table on the FortiGate: a route to the client has been added automatically.

    FortiGate # get router info kernel 
    ...
    tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.10.100.1/32 pref=0.0.0.0 gwy=10.10.100.1 dev=25(IKEv2_PSK)
    ...
    
  4. Access internal VPN resources from the client (ping and HTTP).


    In actual testing, iOS/macOS using IKEv2 cannot use the split tunneling feature: once the VPN is established, all traffic is sent into the VPN tunnel.

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2023-09-12 15:24:01