Connecting the iOS native client to IPsec (IKEv1)

This document was written against iOS 16.3.

Network requirements

Connect to a FortiGate IPsec VPN from the iOS native client (IKEv1) and access resources inside the VPN.

Network topology

(topology diagram)

Configuration steps

FortiGate configuration

  1. Configure the FortiGate interface IP addresses.

  2. Create the local VPN user and user group; see the chapter Users and Authentication → Local Users and User Groups (for remote authentication, see Users and Authentication → LDAP Authentication → LDAP Authentication Configuration and Troubleshooting, or Users and Authentication → RADIUS Authentication → RADIUS Authentication Configuration and Troubleshooting).

    config user local
        edit "vpn_user"
            set type password
            set passwd xxxxxxxx
        next
    end
    


    config user group
        edit "VPN"
            set member "vpn_user"
        next
    end
    
  3. Go to VPN → IPsec Tunnels on the FortiGate and click Create New to create an IPsec tunnel.

  4. Enter the VPN name, choose the Remote Access template, set Remote Device to Native, then select iOS Native and click Next.

  5. Set the incoming interface to the WAN port, enter the pre-shared key, select the VPN user group, and click Next.

  6. Configure the local interface (the egress interface of the network the VPN clients need to reach). For Local Address, create and select an address object for the internal subnet the VPN should reach. Assign the client address range (make sure it does not overlap any existing subnet). For DNS, use the system DNS or specify DNS servers. Split tunneling is enabled by default: only the subnets listed under Local Address are routed by the client into the VPN tunnel (with split tunneling disabled, the client sends all traffic it originates through the tunnel). Click Next.

    Note: if split tunneling is enabled, do not set Local Address to 0.0.0.0/0; otherwise the client will fail to connect.

  7. Verify the configuration and click Create to finish building the tunnel.

  8. After the wizard completes, the FortiGate automatically creates the IPsec phase 1 and phase 2, the internal address object, and the firewall policy from the clients to the internal network. The corresponding CLI is shown below:

    Phase 1 and phase 2 VPN configuration:
    config vpn ipsec phase1-interface
        edit "iOS_IKEv1"
            set type dynamic
            set interface "port2"
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes256-sha256 aes256-md5 aes256-sha1
            set comments "VPN: iOS_IKEv1 (Created by VPN wizard)"
            set dhgrp 14 5 2
            set wizard-type dialup-ios
            set xauthtype auto
            set authusrgrp "VPN"
            set ipv4-start-ip 10.10.100.1
            set ipv4-end-ip 10.10.100.100
            set dns-mode auto
            set ipv4-split-include "iOS_IKEv1_split"
            set psksecret xxxxxxxx
        next
    end
    
    config vpn ipsec phase2-interface
        edit "iOS_IKEv1"
            set phase1name "iOS_IKEv1"
            set proposal aes256-sha256 aes256-md5 aes256-sha1
            set pfs disable
            set keepalive enable
            set comments "VPN: iOS_IKEv1 (Created by VPN wizard)"
        next
    end
    
    Address object and address group:
    config firewall address
        edit "LAN_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
        edit "iOS_IKEv1_range"
            set type iprange
            set comment "VPN: iOS_IKEv1 (Created by VPN wizard)"
            set start-ip 10.10.100.1
            set end-ip 10.10.100.100
        next
    end
    
    config firewall addrgrp
        edit "iOS_IKEv1_split"
            set member "LAN_10.10.1.0/24"
            set comment "VPN: iOS_IKEv1 (Created by VPN wizard)"
        next
    end
    
    Firewall policy allowing clients to reach internal VPN resources:
    config firewall policy
        edit 1
            set name "vpn_iOS_IKEv1_remote_0"
            set srcintf "iOS_IKEv1"
            set dstintf "port3"
            set action accept
            set srcaddr "iOS_IKEv1_range"
            set dstaddr "LAN_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
            set nat enable
            set comments "VPN: iOS_IKEv1 (Created by VPN wizard)"
        next
    end
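
The two pitfalls called out in step 6 (the client pool overlapping an existing subnet, and a split-include group that contains 0.0.0.0/0) are easy to miss when the configuration is reviewed by eye. The following added example, which is not Fortinet's code or part of the original page, parses the wizard-generated CLI above and checks both conditions. It assumes only the `config / edit / set / next / end` subset of FortiOS CLI syntax used on this page and IPv4 addressing; the sample configuration and the deliberately broken variant are constructed for the example.

```python
"""Sanity-check a FortiGate dial-up IPsec configuration for two pitfalls:
  * the client address pool must not overlap any existing subnet object
  * with split tunnelling, the split-include group must not contain 0.0.0.0/0
Added example; handles only the FortiOS CLI subset used on this page (IPv4)."""
import ipaddress
import shlex
from typing import Dict, List

Config = Dict[str, Dict[str, Dict[str, List[str]]]]

# Constructed sample mirroring the wizard output (pool and LAN values from the page).
SAMPLE_CONFIG = """
config firewall address
    edit "LAN_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "iOS_IKEv1_range"
        set type iprange
        set start-ip 10.10.100.1
        set end-ip 10.10.100.100
    next
end
config firewall addrgrp
    edit "iOS_IKEv1_split"
        set member "LAN_10.10.1.0/24"
    next
end
config vpn ipsec phase1-interface
    edit "iOS_IKEv1"
        set type dynamic
        set mode-cfg enable
        set ipv4-start-ip 10.10.100.1
        set ipv4-end-ip 10.10.100.100
        set ipv4-split-include "iOS_IKEv1_split"
    next
end
"""

# Constructed broken variant: the LAN object becomes 0.0.0.0/0, which both
# overlaps the client pool and puts 0.0.0.0/0 into the split-include group.
BAD_CONFIG = SAMPLE_CONFIG.replace(
    "set subnet 10.10.1.0 255.255.255.0", "set subnet 0.0.0.0 0.0.0.0")


def parse_fortios(text: str) -> Config:
    """Parse FortiOS CLI blocks into {section: {entry: {key: [values]}}}."""
    config: Config = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            config.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = shlex.split(line[len("edit "):])[0]  # shlex strips the quotes
            config[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            config[section][entry][key] = shlex.split(rest)
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return config


def subnet_objects(config: Config) -> Dict[str, ipaddress.IPv4Network]:
    """Subnet-type address objects only; iprange objects such as the wizard's
    own client range are not 'existing subnets' and are skipped."""
    result = {}
    for name, attrs in config.get("firewall address", {}).items():
        if "subnet" in attrs and attrs.get("type", ["ipmask"])[0] == "ipmask":
            ip, mask = attrs["subnet"]
            result[name] = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return result


def client_pool(phase1: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """The mode-cfg address pool as the minimal set of CIDR blocks."""
    start = ipaddress.IPv4Address(phase1["ipv4-start-ip"][0])
    end = ipaddress.IPv4Address(phase1["ipv4-end-ip"][0])
    return list(ipaddress.summarize_address_range(start, end))


def check_phase1(config: Config, name: str) -> List[str]:
    """Return human-readable problems for the named dial-up phase1 (empty = OK)."""
    problems: List[str] = []
    p1 = config["vpn ipsec phase1-interface"][name]
    subnets = subnet_objects(config)
    pool = client_pool(p1)

    # Pitfall 1: the assigned client range must not collide with an existing subnet.
    for obj, net in subnets.items():
        if any(block.overlaps(net) for block in pool):
            problems.append(f"client pool overlaps address object {obj!r} ({net})")

    # Pitfall 2: with split tunnelling, the local address must not be 0.0.0.0/0.
    groups = config.get("firewall addrgrp", {})
    for inc in p1.get("ipv4-split-include", []):
        members = groups[inc]["member"] if inc in groups else [inc]
        for member in members:
            net = subnets.get(member)
            if net is not None and net.prefixlen == 0:
                problems.append(f"split-include {inc!r} contains 0.0.0.0/0 via "
                                f"{member!r}; the client will fail to connect")
    return problems


if __name__ == "__main__":
    for label, text in (("wizard config", SAMPLE_CONFIG), ("broken config", BAD_CONFIG)):
        print(label, check_phase1(parse_fortios(text), "iOS_IKEv1") or "OK")
```

Run it against the output of `show vpn ipsec phase1-interface`, `show firewall address` and `show firewall addrgrp` concatenated into one string; the wizard configuration passes, while the broken variant reports both the overlap and the 0.0.0.0/0 split-include entry.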
    

Client configuration

  1. Open Settings → VPN and tap "Add VPN Configuration..." at the bottom.

  2. Set Type to IPsec; enter the VPN description, server IP, username, password and pre-shared key, and leave the other fields empty (if you want to use a group name, configure it on the FortiGate side). Tap Done.

  3. Tap the VPN connection you created and make sure it is selected (a ✅ appears next to it).

Verification

  1. Tap the connect button on the client and check the connection status. Tap the info button to the right of the VPN connection to see the connection details; the assigned IP address is from the range configured on the FortiGate.

  2. Check the connection status on the FortiGate.

    FortiGate # diagnose vpn ike gateway list 
    
    vd: root/0
    name: iOS_IKEv1_0
    version: 1
    interface: port2 4
    addr: 202.103.12.2:4500 -> 202.103.23.2:60417
    tun_id: 10.10.100.1/::10.0.0.4
    remote_location: 0.0.0.0
    network-id: 0
    created: 1144s ago
    xauth-user: vpn_user
    2FA: no
    assigned IPv4 address: 10.10.100.1/255.255.255.255
    nat: peer
    IKE SA: created 1/1  established 1/1  time 60/60/60 ms
    IPsec SA: created 1/1  established 1/1  time 10/10/10 ms
      id/spi: 2 1ab45dd9b8ad53a1/229987eaaab4142e
      direction: responder
      status: established 1144-1144s ago = 60ms
      proposal: aes256-sha256
      key: 26d033d72c0d55fe-6652a7159cf151dd-1113c3dd29c29cf9-74dabccc059f96ac
      lifetime/rekey: 3600/2185
      DPD sent/recv: 00000000/00000000
    
    FortiGate # diagnose vpn tunnel list 
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=iOS_IKEv1 ver=1 serial=1 202.103.12.2:0->0.0.0.0:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=0 dpd-link=on weight=1
    bound_if=4 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0
    proxyid_num=0 child_num=1 refcnt=3 ilast=42957570 olast=42957570 ad=/0
    stat: rxp=115 txp=96 rxb=10525 txb=16656
    dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    run_tally=0
    ------------------------------------------------------
    name=iOS_IKEv1_0 ver=1 serial=4 202.103.12.2:4500->202.103.23.2:60417 tun_id=10.10.100.1 tun_id6=::10.0.0.4 dst_mtu=1500 dpd-link=on weight=1
    bound_if=4 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/9128 options[23a8]=npu rgwy-chg rport-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
    parent=iOS_IKEv1 index=0
    proxyid_num=1 child_num=0 refcnt=5 ilast=873 olast=873 ad=/0
    stat: rxp=51 txp=44 rxb=4704 txb=6692
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=silent draft=32 interval=10 remote_port=60417
    proxyid=iOS_IKEv1 proto=0 sa=1 ref=2 serial=1 add-route
      src: 0:10.10.1.0-10.10.1.255:0
      dst: 0:10.10.100.1-10.10.100.1:0
      SA:  ref=3 options=20083 type=00 soft=0 mtu=1422 expire=2440/0B replaywin=2048
           seqno=2d esn=0 replaywin_lastseq=00000033 qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=3588/3600
      dec: spi=f3a58344 esp=aes key=32 a8ff490c9fb2e89be964d1a6993b11eedf71191e520ca99ed294c8eb4ea26301
           ah=sha256 key=32 7be5011c5d5a80768497ea9a4421bf8016797480cf6e31bd887d7367db35f30b
      enc: spi=05a9cf2e esp=aes key=32 83392937fdf5872826b529822a07a81c22e076d7bd648c8887451a2ce51b8336
           ah=sha256 key=32 a1897271122f887c59149acb755abc2959d1916a2c3340a35ef40f7172809d9b
      dec:pkts/bytes=102/9408, enc:pkts/bytes=88/16868
      npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.12.2 npu_selid=2 dec_npuid=0 enc_npuid=0
    
  3. Check the kernel routing table on the FortiGate; a route to the client has been added automatically.

    FortiGate # get router info kernel 
    ...
    tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.10.100.1/32 pref=0.0.0.0 gwy=10.10.100.1 dev=25(iOS_IKEv1)
    ...
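
Steps 2 and 3 above establish what a healthy dial-up session looks like on the FortiGate side: IKE and IPsec SAs established, the XAuth user identified, an address from the configured pool assigned, and a /32 host route to that address on the phase1 interface. The following added example, which is not Fortinet's code or part of the original page, parses the `diagnose vpn ike gateway list` and `get router info kernel` output shown above and checks those conditions in one place, so the same verification can be repeated from a script instead of by eye. It assumes the line formats are exactly as on this page, that each gateway record starts at its `vd:` line, and that the key-material lines are omitted; the excerpts are constructed from the output above.

```python
"""Verify a FortiGate dial-up IPsec client session from diagnostic output.
Added example; parses only the line formats shown on this page."""
import ipaddress
import re
from typing import Dict, List

# Constructed excerpt of the gateway listing above (key lines left out).
IKE_GATEWAY_OUTPUT = """\
vd: root/0
name: iOS_IKEv1_0
version: 1
interface: port2 4
addr: 202.103.12.2:4500 -> 202.103.23.2:60417
created: 1144s ago
xauth-user: vpn_user
2FA: no
assigned IPv4 address: 10.10.100.1/255.255.255.255
nat: peer
IKE SA: created 1/1  established 1/1  time 60/60/60 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms
  id/spi: 2 1ab45dd9b8ad53a1/229987eaaab4142e
  direction: responder
  status: established 1144-1144s ago = 60ms
  proposal: aes256-sha256
  lifetime/rekey: 3600/2185
"""

# Constructed excerpt of the kernel route line above.
KERNEL_ROUTES = """\
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.10.100.1/32 pref=0.0.0.0 gwy=10.10.100.1 dev=25(iOS_IKEv1)
"""

ROUTE_RE = re.compile(
    r"->(?P<dst>[\d.]+)/(?P<plen>\d+) .*?gwy=(?P<gwy>[\d.]+) dev=\d+\((?P<dev>[^)]+)\)")
SA_RE = re.compile(r"established (\d+)/(\d+)")


def parse_ike_gateways(text: str) -> List[Dict[str, str]]:
    """Split the listing into one {field: value} dict per gateway record."""
    gateways: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # blank line or not a 'key: value' line
        if key == "vd":  # each record begins with its VDOM line
            current = {}
            gateways.append(current)
        current[key] = value.strip()
    return gateways


def sa_established(field: str) -> bool:
    """True when an 'IKE SA:' / 'IPsec SA:' field reports >0 established SAs."""
    m = SA_RE.search(field)
    return m is not None and int(m.group(1)) > 0


def parse_kernel_routes(text: str) -> List[Dict[str, str]]:
    """Extract destination, prefix length, gateway and device from route lines."""
    return [m.groupdict() for m in (ROUTE_RE.search(l) for l in text.splitlines()) if m]


def verify_client_session(gw: Dict[str, str], routes: List[Dict[str, str]],
                          pool_start: str = "10.10.100.1", pool_end: str = "10.10.100.100",
                          phase1: str = "iOS_IKEv1") -> Dict[str, object]:
    """Summarize whether one dial-up session is healthy; pool and phase1 name
    default to the values configured on this page."""
    assigned = gw.get("assigned IPv4 address", "").split("/")[0]
    in_pool = False
    if assigned:
        ip = ipaddress.IPv4Address(assigned)
        in_pool = ipaddress.IPv4Address(pool_start) <= ip <= ipaddress.IPv4Address(pool_end)
    return {
        "name": gw.get("name"),
        "user": gw.get("xauth-user"),
        "assigned_ip": assigned,
        "ike_established": sa_established(gw.get("IKE SA", "")),
        "ipsec_established": sa_established(gw.get("IPsec SA", "")),
        "in_pool": in_pool,
        # the FortiGate adds a /32 to the client on the phase1 interface (step 3)
        "host_route_present": any(
            r["dst"] == assigned and r["plen"] == "32" and r["dev"] == phase1
            for r in routes),
        "proposal": gw.get("proposal"),
    }


if __name__ == "__main__":
    routes = parse_kernel_routes(KERNEL_ROUTES)
    for gw in parse_ike_gateways(IKE_GATEWAY_OUTPUT):
        print(verify_client_session(gw, routes))
```

A session in which any of the boolean fields is False is worth a closer look: no host route with the SAs up usually means the route was not installed on the phase1 interface, and an address outside the pool points at a mismatch between the phase1 `ipv4-start-ip`/`ipv4-end-ip` settings and what the script was told to expect.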
    
  4. Access internal VPN resources from the client (ping and HTTP).

  5. Check the routing table on the client; the split-tunnel routes are visible.

Copyright © 2023 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised on: 2023-09-12 15:24:01