Connecting the macOS native client to IPsec (IKEv1)
This article is written based on macOS 13.2.
Network requirements
Use the macOS native client (IKEv1) to connect to the FortiGate IPsec VPN and access resources inside the VPN.
Network topology
Configuration steps
FortiGate configuration
Configure the FortiGate interface IP addresses.
Create a local VPN user and user group; see Users and Authentication → Local Users and User Groups. (If you need remote authentication, see Users and Authentication → LDAP Authentication → LDAP Authentication Configuration and Troubleshooting, or Users and Authentication → RADIUS Authentication → RADIUS Authentication Configuration and Troubleshooting.)
    config user local
        edit "vpn_user"
            set type password
            set passwd xxxxxxxx
        next
    end

    config user group
        edit "VPN"
            set member "vpn_user"
        next
    end
Go to VPN → IPsec Tunnels on the FortiGate and click Create New to create an IPsec tunnel.
Enter a VPN name, choose the Remote Access template, set the remote device type to Native and then iOS Native, and click Next.
Set the incoming interface to the wan port, enter the pre-shared key, select the VPN user group, and click Next.
Set the local interface (the outgoing interface of the network the VPN clients need to reach). For Local Address, create and select an address object for the internal subnet the clients should reach. Assign the client address range (make sure it does not overlap any existing subnet). For DNS, either use the system DNS or specify servers. Split tunneling is enabled by default: only the subnets listed under Local Address are routed by the client into the VPN tunnel (with split tunneling disabled, the client sends all traffic it originates into the tunnel). Click Next.
Note: with split tunneling enabled, do not set Local Address to 0.0.0.0/0; if you do, the client will fail to connect.
Review the settings and click Create to finish the tunnel.
Once the wizard finishes, FortiGate automatically creates the phase 1 and phase 2 configuration, the internal address objects, and the firewall policy from the clients to the internal network. The corresponding CLI is:
Phase 1 and phase 2 VPN configuration:

    config vpn ipsec phase1-interface
        edit "macOS_IKEv1"
            set type dynamic
            set interface "port2"
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes256-sha256 aes256-md5 aes256-sha1
            set comments "VPN: macOS_IKEv1 (Created by VPN wizard)"
            set dhgrp 14 5 2
            set wizard-type dialup-ios
            set xauthtype auto
            set authusrgrp "VPN"
            set ipv4-start-ip 10.10.100.1
            set ipv4-end-ip 10.10.100.100
            set dns-mode auto
            set ipv4-split-include "macOS_IKEv1_split"
            set psksecret xxxxxxxx
        next
    end

    config vpn ipsec phase2-interface
        edit "macOS_IKEv1"
            set phase1name "macOS_IKEv1"
            set proposal aes256-sha256 aes256-md5 aes256-sha1
            set pfs disable
            set keepalive enable
            set comments "VPN: macOS_IKEv1 (Created by VPN wizard)"
        next
    end

Note that the iOS template keeps a broad proposal list (aes256-md5 and aes256-sha1 alongside aes256-sha256, DH groups 5 and 2 alongside 14) and disables PFS for client compatibility. The session in the verification output further down negotiated aes256-sha256, so once you have confirmed which proposal and DH group your clients actually use, trim the phase 1 and phase 2 proposals to those and drop the MD5 and SHA-1 entries; test any change against a real client before rolling it out.
Addresses and address group:

    config firewall address
        edit "LAN_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
        edit "macOS_IKEv1_range"
            set type iprange
            set comment "VPN: macOS_IKEv1 (Created by VPN wizard)"
            set start-ip 10.10.100.1
            set end-ip 10.10.100.100
        next
    end

    config firewall addrgrp
        edit "macOS_IKEv1_split"
            set member "LAN_10.10.1.0/24"
            set comment "VPN: macOS_IKEv1 (Created by VPN wizard)"
        next
    end

Firewall policy allowing clients to reach the internal VPN resources:

    config firewall policy
        edit 1
            set name "vpn_macOS_IKEv1_remote_0"
            set srcintf "macOS_IKEv1"
            set dstintf "port3"
            set action accept
            set srcaddr "macOS_IKEv1_range"
            set dstaddr "LAN_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
            set nat enable
            set comments "VPN: macOS_IKEv1 (Created by VPN wizard)"
        next
    end

The wizard enables NAT on this policy, so internal hosts see client traffic arriving from the port3 address rather than from the client's 10.10.100.x address; keep that in mind when reading logs or writing ACLs on the internal hosts.
Client configuration
Open System Settings → VPN, click Add VPN Configuration, and choose Cisco IPsec.
Enter the display name, server address, account name and password; set Authentication to Shared Secret and enter the pre-shared key. Leave the other fields empty (if you want to use a group name, configure it on the FortiGate side first). Click Create to save the IPsec configuration.
The VPN connection configuration is complete.
Verification
On the client, click Connect and check the connection status. Click the info button to the right of the VPN connection to see the connection details; the assigned IP address comes from the range configured on the FortiGate.
Check the IPsec connection status on the FortiGate. In the output, xauth-user shows the authenticated user, "assigned IPv4 address" the address handed out from the pool, proposal the algorithms actually negotiated, and "nat: peer" together with the UDP 4500 port shows that NAT traversal is in use.
    FortiGate # diagnose vpn ike gateway list
    vd: root/0
    name: macOS_IKEv1_0
    version: 1
    interface: port2 4
    addr: 202.103.12.2:4500 -> 202.103.23.2:60417
    tun_id: 10.10.100.1/::10.0.0.4
    remote_location: 0.0.0.0
    network-id: 0
    created: 1144s ago
    xauth-user: vpn_user
    2FA: no
    assigned IPv4 address: 10.10.100.1/255.255.255.255
    nat: peer
    IKE SA: created 1/1  established 1/1  time 60/60/60 ms
    IPsec SA: created 1/1  established 1/1  time 10/10/10 ms

      id/spi: 2 1ab45dd9b8ad53a1/229987eaaab4142e
      direction: responder
      status: established 1144-1144s ago = 60ms
      proposal: aes256-sha256
      key: 26d033d72c0d55fe-6652a7159cf151dd-1113c3dd29c29cf9-74dabccc059f96ac
      lifetime/rekey: 3600/2185
      DPD sent/recv: 00000000/00000000

    FortiGate # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=macOS_IKEv1 ver=1 serial=1 202.103.12.2:0->0.0.0.0:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=0 dpd-link=on weight=1
    bound_if=4 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0

    proxyid_num=0 child_num=1 refcnt=3 ilast=42957570 olast=42957570 ad=/0
    stat: rxp=115 txp=96 rxb=10525 txb=16656
    dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    run_tally=0
    ------------------------------------------------------
    name=macOS_IKEv1_0 ver=1 serial=4 202.103.12.2:4500->202.103.23.2:60417 tun_id=10.10.100.1 tun_id6=::10.0.0.4 dst_mtu=1500 dpd-link=on weight=1
    bound_if=4 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/9128 options[23a8]=npu rgwy-chg rport-chg frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

    parent=macOS_IKEv1 index=0
    proxyid_num=1 child_num=0 refcnt=5 ilast=873 olast=873 ad=/0
    stat: rxp=51 txp=44 rxb=4704 txb=6692
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=silent draft=32 interval=10 remote_port=60417
    proxyid=macOS_IKEv1 proto=0 sa=1 ref=2 serial=1 add-route
      src: 0:10.10.1.0-10.10.1.255:0
      dst: 0:10.10.100.1-10.10.100.1:0
      SA:  ref=3 options=20083 type=00 soft=0 mtu=1422 expire=2440/0B replaywin=2048
           seqno=2d esn=0 replaywin_lastseq=00000033 qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=3588/3600
      dec: spi=f3a58344 esp=aes key=32 a8ff490c9fb2e89be964d1a6993b11eedf71191e520ca99ed294c8eb4ea26301
           ah=sha256 key=32 7be5011c5d5a80768497ea9a4421bf8016797480cf6e31bd887d7367db35f30b
      enc: spi=05a9cf2e esp=aes key=32 83392937fdf5872826b529822a07a81c22e076d7bd648c8887451a2ce51b8336
           ah=sha256 key=32 a1897271122f887c59149acb755abc2959d1916a2c3340a35ef40f7172809d9b
      dec:pkts/bytes=102/9408, enc:pkts/bytes=88/16868
      npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.12.2 npu_selid=2 dec_npuid=0 enc_npuid=0
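When several dial-up clients are connected, reading the raw gateway list by eye gets tedious. As an added example (not part of the original article or a FortiGate tool), the shell helper below reduces `diagnose vpn ike gateway list` output to one line per session (name, XAuth user, assigned address, negotiated proposal, IKE SA status, NAT-T state) and flags sessions that negotiated an MD5 or SHA-1 proposal, which is exactly what you want to know before trimming the wizard's default proposal list. The first sample entry is the article's own output; the second entry (user alice, proposal aes256-sha1) is constructed to show the flag.

```shell
#!/bin/sh
# Added example: summarise FortiGate `diagnose vpn ike gateway list` output.
# SAMPLE_GW: entry 1 is the article's own output; entry 2 is CONSTRUCTED
# (user "alice", proposal aes256-sha1, no NAT) to exercise the weak-proposal check.
SAMPLE_GW='vd: root/0
name: macOS_IKEv1_0
version: 1
interface: port2 4
addr: 202.103.12.2:4500 -> 202.103.23.2:60417
tun_id: 10.10.100.1/::10.0.0.4
remote_location: 0.0.0.0
network-id: 0
created: 1144s ago
xauth-user: vpn_user
2FA: no
assigned IPv4 address: 10.10.100.1/255.255.255.255
nat: peer
IKE SA: created 1/1  established 1/1  time 60/60/60 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 2 1ab45dd9b8ad53a1/229987eaaab4142e
  direction: responder
  status: established 1144-1144s ago = 60ms
  proposal: aes256-sha256
  key: 26d033d72c0d55fe-6652a7159cf151dd-1113c3dd29c29cf9-74dabccc059f96ac
  lifetime/rekey: 3600/2185
  DPD sent/recv: 00000000/00000000

vd: root/0
name: macOS_IKEv1_1
version: 1
interface: port2 4
addr: 202.103.12.2:500 -> 198.51.100.7:500
tun_id: 10.10.100.2/::10.0.0.5
remote_location: 0.0.0.0
network-id: 0
created: 90s ago
xauth-user: alice
2FA: no
assigned IPv4 address: 10.10.100.2/255.255.255.255
nat: none
IKE SA: created 1/1  established 1/1  time 40/40/40 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 3 9f1c0d2e3b4a5968/7788990011aabbcc
  direction: responder
  status: established 90-90s ago = 40ms
  proposal: aes256-sha1
  lifetime/rekey: 3600/3310
  DPD sent/recv: 00000000/00000000
'

# One line per gateway entry, read from stdin:
#   <name> <xauth-user> <assigned IPv4> <IKE proposal> <IKE SA status> <nat>
# A new "name:" line starts a new entry; the entry is printed when the next one
# begins or at end of input.
ike_summary() {
    awk '
        function emit() { if (name != "") print name, user, ip, prop, st, nat }
        /^name:/                  { emit(); name = $2; user = ip = prop = st = nat = "" }
        /^xauth-user:/            { user = $2 }
        /^assigned IPv4 address:/ { split($4, a, "/"); ip = a[1] }   # strip the /mask
        /^nat:/                   { nat = $2 }
        /^[ \t]*status:/          { st = $2 }
        /^[ \t]*proposal:/        { prop = $2 }
        END                       { emit() }
    '
}

# Names of sessions whose negotiated IKE proposal uses MD5 or SHA-1 integrity,
# i.e. sessions that still depend on the wizard's compatibility proposals.
weak_sessions() {
    ike_summary | awk '$4 ~ /-(md5|sha1)$/ { print $1 }'
}

printf '%s\n' "$SAMPLE_GW" | ike_summary
echo "sessions using MD5/SHA-1 proposals:"
printf '%s\n' "$SAMPLE_GW" | weak_sessions
```

Against a live unit you would feed it the real command instead of the sample, for example `ssh admin@<fortigate-ip> 'diagnose vpn ike gateway list' | weak_sessions` (the address is a placeholder); an empty result means every connected client negotiated a SHA-2 proposal and the MD5/SHA-1 entries can be removed from phase 1 and phase 2.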
Check the FortiGate kernel routing table: FortiGate has automatically added a host route to the connected client.
    FortiGate # get router info kernel
    ...
    tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.10.100.1/32 pref=0.0.0.0 gwy=10.10.100.1 dev=25(macOS_IKEv1)
    ...
From the client, access resources on the internal network (ping and HTTP).
Display the client's routing table (netstat -nr) to see the split-tunnel routes.
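The split-tunneling behaviour described in the configuration step (only the Local Address subnets go into the tunnel; with split tunneling off, everything does) can be verified on the Mac from that same `netstat -nr` output. The script below is an added example, not part of the original article: it finds the utun interface that carries the host route to the address FortiGate assigned, tells split from full tunnel mode, and lists the prefixes routed into the tunnel. Both routing tables embedded in it are constructed to mimic macOS 13 `netstat -nr` output with the article's addresses (LAN 10.10.1.0/24, which netstat prints as 10.10.1/24, and client pool 10.10.100.x); the interface name utun4 and the local LAN 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example: check split tunneling from the macOS client's routing table.
# SAMPLE_SPLIT is CONSTRUCTED in the shape of `netstat -nr` on macOS 13 with
# the Cisco IPsec tunnel up and split tunneling enabled (the article's default).
SAMPLE_SPLIT='Routing tables

Internet:
Destination        Gateway            Flags               Netif Expire
default            192.168.1.1        UGScg                 en0
10.10.1/24         10.10.100.1        UGSc                utun4
10.10.100.1        10.10.100.1        UH                  utun4
127                127.0.0.1          UCS                   lo0
127.0.0.1          127.0.0.1          UH                    lo0
192.168.1          link#12            UCS                   en0      !
192.168.1.1/32     link#12            UCS                   en0      !

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::%utun0                    UGcIg         utun0
::1                                     ::1                             UHL             lo0
'

# CONSTRUCTED full-tunnel variant: split tunneling disabled, so the default
# route points at the tunnel and only the VPN server is reached via en0.
SAMPLE_FULL='Routing tables

Internet:
Destination        Gateway            Flags               Netif Expire
default            10.10.100.1        UGScg               utun4
10.10.100.1        10.10.100.1        UH                  utun4
127                127.0.0.1          UCS                   lo0
192.168.1          link#12            UCS                   en0      !
202.103.12.2/32    192.168.1.1        UGSc                  en0

Internet6:
::1                                     ::1                             UHL             lo0
'

# IPv4 routes only (destination gateway flags netif), read from stdin;
# skips the banner, the column header and the whole Internet6 section.
ipv4_routes() {
    awk '
        /^Internet:/  { on = 1; next }
        /^Internet6:/ { on = 0 }
        on && NF >= 4 && $1 != "Destination" { print $1, $2, $3, $4 }
    '
}

# The tunnel interface: the utunN holding the point-to-point host route to the
# address FortiGate assigned (destination equals gateway).
tunnel_netif() {   # $1 = routing table text
    printf '%s\n' "$1" | ipv4_routes | awk '$1 == $2 && $4 ~ /^utun/ { print $4; exit }'
}

# Interface that a given destination (as netstat prints it) is routed through.
route_netif() {    # $1 = routing table text, $2 = destination
    printf '%s\n' "$1" | ipv4_routes | awk -v dst="$2" '$1 == dst { print $4; exit }'
}

# "full" when the default route (or the 0/1 + 128.0/1 pair some clients
# install) goes through the tunnel, otherwise "split".
tunnel_mode() {    # $1 = routing table text, $2 = tunnel netif
    printf '%s\n' "$1" | ipv4_routes | awk -v nif="$2" '
        $4 == nif && ($1 == "default" || $1 == "0/1" || $1 == "128.0/1") { full = 1 }
        END { print (full ? "full" : "split") }
    '
}

# Network prefixes routed into the tunnel, excluding the UH host route to the
# assigned address itself.
tunnel_prefixes() { # $1 = routing table text, $2 = tunnel netif
    printf '%s\n' "$1" | ipv4_routes | awk -v nif="$2" '$4 == nif && $3 !~ /H/ { print $1 }'
}

# Succeeds only for split-tunnel mode with the internal prefix routed via the tunnel.
check_split() {    # $1 = routing table text, $2 = internal prefix as netstat prints it
    nif=$(tunnel_netif "$1")
    [ -n "$nif" ] &&
    [ "$(route_netif "$1" "$2")" = "$nif" ] &&
    [ "$(tunnel_mode "$1" "$nif")" = split ]
}

for table in "$SAMPLE_SPLIT" "$SAMPLE_FULL"; do
    nif=$(tunnel_netif "$table")
    echo "tunnel=$nif mode=$(tunnel_mode "$table" "$nif") prefixes: $(tunnel_prefixes "$table" "$nif" | tr '\n' ' ')"
done
if check_split "$SAMPLE_SPLIT" 10.10.1/24; then echo "split-tunnel check: OK"; fi
```

On the connected Mac, run it against the live table with `ROUTES=$(netstat -nr); check_split "$ROUTES" 10.10.1/24`: success confirms that only 10.10.1.0/24 is sent into the tunnel and Internet traffic still leaves via the physical interface, while a "full" result means the tunnel was built without split tunneling.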