Connecting the macOS native client to IPsec (IKEv2 with pre-shared key authentication)
This article is based on macOS 13.2.
Network requirements
Connect to a FortiGate IPsec VPN from the macOS native client (IKEv2, pre-shared key authentication) and access resources inside the VPN.
Network topology
Configuration steps
FortiGate configuration
Configure the IP addresses of the FortiGate interfaces.
On the FortiGate, go to VPN → IPsec Tunnels and click Create New to create an IPsec tunnel.
Enter a name for the VPN, choose the Custom template, and click Next.
Change the settings as shown in the figure below, leave everything else at its defaults, and click OK to apply the configuration.
Note: if split tunneling is enabled, do not set the local address to 0.0.0.0/0, or the client connection will fail.
The corresponding CLI configuration is as follows:
Phase 1 configuration:

    config vpn ipsec phase1-interface
        edit "IKEv2_PSK"
            set type dynamic
            set interface "port2"
            set ike-version 2
            set peertype any
            set net-device disable
            set mode-cfg enable
            set ipv4-dns-server1 10.10.1.2
            set proposal aes128-sha256 aes256-sha256
            set dpd on-idle
            set ipv4-start-ip 10.10.100.1
            set ipv4-end-ip 10.10.100.100
            set ipv4-split-include "LAN_10.10.1.0/24"
            set psksecret xxxxxxxx
            set dpd-retryinterval 60
        next
    end

Phase 2 configuration:

    config vpn ipsec phase2-interface
        edit "IKEv2_PSK"
            set phase1name "IKEv2_PSK"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
            set pfs disable
            set keepalive enable
        next
    end
Address object:

    config firewall address
        edit "LAN_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
    end
Configure a firewall policy that allows the clients to reach the internal VPN resources.
Client address object:

    config firewall address
        edit "VPN_10.10.100.0/24"
            set subnet 10.10.100.0 255.255.255.0
        next
    end

Firewall policy:

    config firewall policy
        edit 1
            set name "IKEv2_PSK"
            set srcintf "IKEv2_PSK"
            set dstintf "port3"
            set action accept
            set srcaddr "VPN_10.10.100.0/24"
            set dstaddr "LAN_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
        next
    end
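Added example (not from the article or from Fortinet): a small Python checker that parses FortiGate CLI configuration blocks like the ones above and verifies the settings the macOS client depends on (ike-version 2 and mode-cfg enable), plus the caveat above that a split-include address object must not cover 0.0.0.0/0. The parser and the sample configuration are simplified and constructed for this example, and the PSK is a placeholder.

```python
import re

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "IKEv2_PSK"
        set ike-version 2
        set mode-cfg enable
        set ipv4-split-include "LAN_10.10.1.0/24"
        set psksecret PLACEHOLDER_PSK
    next
end
config firewall address
    edit "LAN_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
end
"""  # constructed, trimmed copy of the article's configuration

def parse_fortigate_config(text):
    """Simplified parser: config/edit/set lines -> {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":                       # new section, e.g. "vpn ipsec phase1-interface"
            section = tree.setdefault(" ".join(args), {})
        elif kw == "edit":                       # new entry inside the current section
            entry = section.setdefault(args[0], {})
        elif kw == "set":                        # attribute with one or more values
            entry[args[0]] = args[1:]
    return tree

def check_split_tunnel(tree):
    """Findings: IKEv2 + mode-cfg as the macOS client expects; no split-include object covering 0.0.0.0/0."""
    findings, addrs = [], tree.get("firewall address", {})
    for name, p1 in tree.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("ike-version", ["1"]) != ["2"]:
            findings.append(f"{name}: ike-version must be 2")
        if p1.get("mode-cfg", ["disable"]) != ["enable"]:
            findings.append(f"{name}: mode-cfg disabled, no address assigned")
        for obj in p1.get("ipv4-split-include", []):
            subnet = " ".join(addrs.get(obj, {}).get("subnet", []))
            if not subnet:
                findings.append(f"{name}: split-include object {obj!r} undefined")
            elif subnet in ("0.0.0.0 0.0.0.0", "0.0.0.0/0"):
                findings.append(f"{name}: split-include {obj!r} is 0.0.0.0/0")
    return findings
```

Run `check_split_tunnel(parse_fortigate_config(text))` on a `show vpn ipsec phase1-interface` plus `show firewall address` dump; an empty list means the checked settings match what the macOS client needs.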
Client configuration
Open System Settings → VPN, click "Add VPN Configuration" and choose IKEv2.
Enter the VPN name and the server IP; the Remote ID can be any value. Set User Authentication to "None" and Machine Authentication to "Shared Secret", enter the pre-shared key, and click Create to finish the client VPN configuration.
The VPN connection configuration is complete.
Verification
On the client, click Connect and check the connection status. Click the info button to the right of the VPN connection to see the connection details; the assigned IP address comes from the range configured on the FortiGate.
Check the connection status on the FortiGate.
FortiGate # diagnose vpn ike gateway list

vd: root/0
name: IKEv2_PSK_0
version: 2
interface: port2 4
addr: 202.103.12.2:4500 -> 202.103.23.2:64916
tun_id: 10.10.100.1/::10.0.0.12
remote_location: 0.0.0.0
network-id: 0
created: 27s ago
assigned IPv4 address: 10.10.100.1/255.255.255.255
nat: peer
PPK: no
IKE SA: created 1/1  established 1/1  time 370/370/370 ms
IPsec SA: created 1/1  established 1/1  time 110/110/110 ms

  id/spi: 16 675a02dbbef8cc4a/096820e48922db26
  direction: responder
  status: established 27-27s ago = 370ms
  proposal: aes256-sha256
  child: no
  SK_ei: d5113c70c4d78f54-f34f30091bf79475-aa35a97d71c0a5aa-2c9859861946d414
  SK_er: 9414d48bd22ecbc1-709aa14d0de11cd6-64b0829447435a9f-3b31a85afdeeff38
  SK_ai: 36305c3ad8a415b5-bee89c242a7faf32-04dee1ec7526fd4d-d952bf68c9014731
  SK_ar: 13adcd000ee30fde-d6c84d005c113924-1c3866f0d5b8a973-224225fb19d7e865
  PPK: no
  message-id sent/recv: 0/2
  lifetime/rekey: 86400/86102
  DPD sent/recv: 00000000/00000000

FortiGate # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IKEv2_PSK_0 ver=2 serial=13 202.103.12.2:4500->202.103.23.2:64916 tun_id=10.10.100.1 tun_id6=::10.0.0.12 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/9128 options[23a8]=npu rgwy-chg rport-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
parent=IKEv2_PSK index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=0 olast=0 ad=/0
stat: rxp=533 txp=28 rxb=48088 txb=2804
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=1
natt: mode=silent draft=0 interval=10 remote_port=64916
proxyid=IKEv2_PSK proto=0 sa=1 ref=15 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.10.100.1-10.10.100.1:0
  SA:  ref=3 options=20483 type=00 soft=0 mtu=1422 expire=43160/0B replaywin=2048
       seqno=1d esn=0 replaywin_lastseq=00000215 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43191/43200
  dec: spi=4d83686c esp=aes key=32 ccab803299265af9f609977a5bb055b3c66537ac6500719ba9c78d4fa04b6738
       ah=sha256 key=32 b808b44ed4d288c2a2d518f1ff6bf6380c20247cbb1ed2bd3c3ffb3779854d34
  enc: spi=093170d2 esp=aes key=32 63423c52af9b3e35dcccfd7e9d0d1ceaca390652a45506419d8a339e89a5b714
       ah=sha256 key=32 a66edb55e69ac116d48c073458319388b2b413966a273f38898e22580b93adfe
  dec:pkts/bytes=1066/96176, enc:pkts/bytes=56/7812
  npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.12.2 npu_selid=a dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=IKEv2_PSK ver=2 serial=e 202.103.12.2:0->0.0.0.0:0 tun_id=10.0.0.7 tun_id6=::10.0.0.7 dst_mtu=0 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=1 refcnt=3 ilast=43033783 olast=43033783 ad=/0
stat: rxp=3330 txp=1051 rxb=236299 txb=103007
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
Check the kernel routing table on the FortiGate: a route to the client has been added automatically.

FortiGate # get router info kernel
...
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.10.100.1/32 pref=0.0.0.0 gwy=10.10.100.1 dev=25(IKEv2_PSK)
...
Access internal VPN resources from the client (ping and HTTP).
In practice, iOS/macOS with IKEv2 cannot use split tunneling: once the VPN is up, all traffic is sent into the tunnel.