macOS原生客户端接入IPSec(IKEv2预共享密钥认证)

本文基于macOS 13.2编写。

组网需求

通过macOS原生客户端(IKEv2预共享密钥认证)连接FortiGate的IPSec,并访问VPN内部资源。

网络拓扑

image-20230315092944393

配置步骤

FortiGate配置

  1. 配置FortiGate的接口IP。

    image-20230314161154582

  2. 进入FortiGate的VPN→IPSec隧道页面,点击新建按钮,新建IPSec隧道。

    image-20230314160655376

  3. 填写VPN名称,模版选择自定义,点击下一步。

    image-20230315135042812

  4. 按照下图修改配置,其他配置保持默认即可,点击确认下发配置。

    image-20230315141301766

    image-20230315141624520

    请注意如果开启了隧道分割,本地地址不要填写为0.0.0.0/0,否则会导致客户端连接失败。

  5. 对应的CLI如下:

    第一阶段配置:
    config vpn ipsec phase1-interface
        edit "IKEv2_PSK"
            set type dynamic
            set interface "port2"
            set ike-version 2
            set peertype any
            set net-device disable
            set mode-cfg enable
            set ipv4-dns-server1 10.10.1.2
            set proposal aes128-sha256 aes256-sha256
            set dpd on-idle
            set ipv4-start-ip 10.10.100.1
            set ipv4-end-ip 10.10.100.100
            set ipv4-split-include "LAN_10.10.1.0/24"
            set psksecret xxxxxxxx
            set dpd-retryinterval 60
        next
    end
    
    第二阶段配置:
    config vpn ipsec phase2-interface
        edit "IKEv2_PSK"
            set phase1name "IKEv2_PSK"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
            set pfs disable
            set keepalive enable
        next
    end
    
    地址对象:
    config firewall address
        edit "LAN_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
    end
    
  6. 配置防火墙策略,允许客户端访问内网VPN资源。

    image-20230315143656587

    客户端地址对象:
    config firewall address
        edit "VPN_10.10.100.0/24"
            set subnet 10.10.100.0 255.255.255.0
        next
    end
    
    防火墙策略:
    config firewall policy
        edit 1
            set name "IKEv2_PSK"
            set srcintf "IKEv2_PSK"
            set dstintf "port3"
            set action accept
            set srcaddr "VPN_10.10.100.0/24"
            set dstaddr "LAN_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
        next
    end
    

客户端配置

  1. 打开系统设置→VPN,点击“添加VPN配置”,选择IKEv2。

    image-20230315145522835

  2. 填写VPN名称、服务器IP,远程ID随意填写,用户认证选择“无”,机器认证选择“共享密钥”,填写预共享密钥,点击创建完成客户端VPN配置。

    image-20230315154445446

  3. VPN连接配置完成。

    image-20230315150147800

结果验证

  1. 在客户端点击连接按钮,查看连接状态,点击VPN连接右侧的信息按钮,可以看到连接的具体信息,获取的IP为FortiGate配置的网段。

    image-20230315151027686

    image-20230315151052501

  2. 在FortiGate侧查看连接状态。

    image-20230315144424436

    FortiGate # diagnose vpn ike gateway list 
    
    vd: root/0
    name: IKEv2_PSK_0
    version: 2
    interface: port2 4
    addr: 202.103.12.2:4500 -> 202.103.23.2:64916
    tun_id: 10.10.100.1/::10.0.0.12
    remote_location: 0.0.0.0
    network-id: 0
    created: 27s ago
    assigned IPv4 address: 10.10.100.1/255.255.255.255
    nat: peer
    PPK: no
    IKE SA: created 1/1  established 1/1  time 370/370/370 ms
    IPsec SA: created 1/1  established 1/1  time 110/110/110 ms
      id/spi: 16 675a02dbbef8cc4a/096820e48922db26
      direction: responder
      status: established 27-27s ago = 370ms
      proposal: aes256-sha256
      child: no
      SK_ei: d5113c70c4d78f54-f34f30091bf79475-aa35a97d71c0a5aa-2c9859861946d414
      SK_er: 9414d48bd22ecbc1-709aa14d0de11cd6-64b0829447435a9f-3b31a85afdeeff38
      SK_ai: 36305c3ad8a415b5-bee89c242a7faf32-04dee1ec7526fd4d-d952bf68c9014731
      SK_ar: 13adcd000ee30fde-d6c84d005c113924-1c3866f0d5b8a973-224225fb19d7e865
      PPK: no
      message-id sent/recv: 0/2
      lifetime/rekey: 86400/86102
      DPD sent/recv: 00000000/00000000
    
    FortiGate # diagnose vpn tunnel list 
    
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=IKEv2_PSK_0 ver=2 serial=13 202.103.12.2:4500->202.103.23.2:64916 tun_id=10.10.100.1 tun_id6=::10.0.0.12 dst_mtu=1500 dpd-link=on weight=1
    bound_if=4 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/9128 options[23a8]=npu rgwy-chg rport-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
    parent=IKEv2_PSK index=0
    proxyid_num=1 child_num=0 refcnt=5 ilast=0 olast=0 ad=/0
    stat: rxp=533 txp=28 rxb=48088 txb=2804
    dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=1
    natt: mode=silent draft=0 interval=10 remote_port=64916
    proxyid=IKEv2_PSK proto=0 sa=1 ref=15 serial=1 add-route
      src: 0:0.0.0.0-255.255.255.255:0
      dst: 0:10.10.100.1-10.10.100.1:0
      SA:  ref=3 options=20483 type=00 soft=0 mtu=1422 expire=43160/0B replaywin=2048
           seqno=1d esn=0 replaywin_lastseq=00000215 qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=43191/43200
      dec: spi=4d83686c esp=aes key=32 ccab803299265af9f609977a5bb055b3c66537ac6500719ba9c78d4fa04b6738
           ah=sha256 key=32 b808b44ed4d288c2a2d518f1ff6bf6380c20247cbb1ed2bd3c3ffb3779854d34
      enc: spi=093170d2 esp=aes key=32 63423c52af9b3e35dcccfd7e9d0d1ceaca390652a45506419d8a339e89a5b714
           ah=sha256 key=32 a66edb55e69ac116d48c073458319388b2b413966a273f38898e22580b93adfe
      dec:pkts/bytes=1066/96176, enc:pkts/bytes=56/7812
      npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.12.2 npu_selid=a dec_npuid=0 enc_npuid=0
    ------------------------------------------------------
    name=IKEv2_PSK ver=2 serial=e 202.103.12.2:0->0.0.0.0:0 tun_id=10.0.0.7 tun_id6=::10.0.0.7 dst_mtu=0 dpd-link=on weight=1
    bound_if=4 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0
    proxyid_num=0 child_num=1 refcnt=3 ilast=43033783 olast=43033783 ad=/0
    stat: rxp=3330 txp=1051 rxb=236299 txb=103007
    dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    run_tally=0
    
  3. 在FortiGate侧查看路由kernel表,可以看到FortiGate已经自动添加了到客户端的路由。

    FortiGate # get router info kernel 
    ...
    tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.10.100.1/32 pref=0.0.0.0 gwy=10.10.100.1 dev=25(IKEv2_PSK)
    ...
    
  4. 使用客户端访问VPN内网资源(Ping和HTTP访问)。

    image-20230314173119391

    实际测试iOS/macOS使用IKEv2,无法使用隧道分割功能,VPN建立后,所有流量被送入VPN隧道。

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
📲扫描下方二维码分享此页面👇
该页面修订于: 2023-09-12 15:24:01

results matching ""

    No results matching ""