Building an IPsec VPN with a Hillstone SG6000 firewall
Network requirements
As shown in the diagram, two LANs are connected over an IPsec VPN (interface mode) so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can communicate. The peer is a Hillstone SG6000-CloudEdge firewall, and the tunnel is negotiated with IKEv1.
Hillstone firewall version:
```
SG-6000# show version
Hillstone Networks StoneOS software, Version 5.5
Copyright (c) 2009-2023 by Hillstone Networks
Product name: SG-6000-VM00 S/N: 0010082687152785 Assembly number: 0000
Boot file is SG6000-CloudEdge-5.5R10P1-v6
Storage UUID is 2a771694-c137-483a-a7e2-ff93722c32ee
Instance UUID is iid-datasource-none
Update magic: 002300130532f202d5
Built by buildmaster8 2023/03/14 07:04:14
```
Network topology
Configuration overview
- Configure the FortiGate
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Configure the Hillstone SG6000 firewall
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Note: to delete an IPsec VPN phase 1 or phase 2, first delete the routes and security policies that reference it.
Configuration steps
FortiGate
Basic Internet access configuration.
Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.
Select the Custom IPsec VPN template and click Next.
Configure the network, authentication, phase 1 and phase 2 settings as shown.
Note: when building IPsec with Hillstone/Juniper/Palo Alto firewalls, all-zero (0.0.0.0/0) traffic selectors are recommended. Like FortiGate, these vendors create a virtual IPsec interface for each tunnel and steer VPN traffic into it by routing, so the data to be encrypted is delivered to the IPsec interface (specific traffic selectors also work).
```
config vpn ipsec phase1-interface
    edit "VPN-to-Remote"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 14 5 2
        set remote-gw 202.103.23.2
        set psksecret xxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-Remote"
        set phase1name "VPN-to-Remote"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 14 5 2
        set auto-negotiate enable
    next
end
```
Configure address objects for the VPN subnets and the firewall policies (both policies reference the two address objects defined here).
```
config firewall address
    edit "Local_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Remote_10.10.2.0/24"
        set subnet 10.10.2.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-Local-to-Remote"
        set srcintf "port3"
        set dstintf "VPN-to-Remote"
        set action accept
        set srcaddr "Local_10.10.1.0/24"
        set dstaddr "Remote_10.10.2.0/24"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-Remote-to-Local"
        set srcintf "VPN-to-Remote"
        set dstintf "port3"
        set action accept
        set srcaddr "Remote_10.10.2.0/24"
        set dstaddr "Local_10.10.1.0/24"
        set schedule "always"
        set service "ALL"
    next
end
```
Configure static routes for the VPN subnets.
The purpose of the blackhole route in the VPN routing configuration:
You may run into VPN service problems such as these: SIP phones over the VPN drop intermittently and cannot register with the server; RADIUS authentication over the VPN often fails; APs registering with headquarters over the VPN drop intermittently; continuous PRTG monitoring pings to a headquarters server show intermittent outages. A VPN may reconnect for many reasons, for example an unstable Internet link or a PPPoE reconnect that changes the public IP address. The VPN tunnel then goes down briefly, and the route to the peer's VPN subnet disappears briefly as well. During that window the VPN traffic (SIP registration / RADIUS / CAPWAP / ICMP) matches the default route and is sent out the WAN (Internet), which creates wrong UDP NAT sessions. Even after the tunnel comes back up and the route is restored, the old SIP and other VPN flows keep matching those wrong sessions, so the service misbehaves. Solutions:
- Method 1: configure a blackhole route to the VPN subnet with administrative distance 254. While the VPN is up this blackhole route is inactive; when the VPN goes down it becomes active and drops the VPN traffic instead of forwarding it to the Internet and creating wrong sessions. That is the purpose of the backup blackhole route.
- Method 2: configure a policy with source interface LAN, destination interface WAN, source IP the local subnet, destination IP the remote subnet and action deny. This drops the (useless) private-subnet traffic heading for the Internet, so the FortiGate never creates such wrong sessions and the intermittent UDP failures are avoided.
- Method 3: enable "set snat-route-change enable" globally. Whenever a route changes, the affected sessions are flagged "dirty", the route cache is cleared and the next hop for the destination IP is looked up again, so traffic switches back into the VPN tunnel as soon as it recovers.
```
FortiGate # config system global
FortiGate (global) # set snat-route-change enable
FortiGate (global) # end
```
```
config router static
    edit 1
        set gateway 202.103.13.1
        set device "port2"
    next
    edit 2
        set dst 10.10.2.0 255.255.255.0
        set device "VPN-to-Remote"
    next
    edit 3
        set dst 10.10.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
```
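The route-selection behaviour behind methods 1 and 3, as an added Python model (not code from the page or from Fortinet): a small FIB holding this page's three static routes, longest-prefix match followed by administrative distance, plus a session table that keeps a flow's first egress unless snat-route-change is enabled. The route entries and the flow tuple are constructed for the example.

```python
import ipaddress

# Constructed FIB modelled on this page's three FortiGate static routes:
# (prefix, administrative distance, egress device, is_blackhole)
ROUTES = [
    ("0.0.0.0/0",    10,  "port2",         False),  # default route towards the Internet
    ("10.10.2.0/24", 10,  "VPN-to-Remote", False),  # withdrawn while the tunnel is down
    ("10.10.2.0/24", 254, None,            True),   # backup blackhole route (method 1)
]

def lookup(dst, tunnel_up, use_blackhole=True):
    """Longest-prefix match first, then the lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, distance, device, blackhole in ROUTES:
        if blackhole and not use_blackhole:
            continue                                # pretend method 1 was not configured
        if device == "VPN-to-Remote" and not tunnel_up:
            continue                                # tunnel route leaves the table with the interface
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidates.append((net.prefixlen, -distance, "blackhole" if blackhole else device))
    candidates.sort(reverse=True)                   # longer prefix wins, then lower distance
    return candidates[0][2]

def forward(flow, sessions, tunnel_up, use_blackhole=True, snat_route_change=False):
    """Egress for a UDP flow, honouring the session table the way the page describes:
    a session created while the tunnel was down keeps its WAN egress until a route
    change marks it dirty (method 3, 'set snat-route-change enable')."""
    if flow in sessions and not snat_route_change:
        return sessions[flow]
    egress = lookup(flow[1], tunnel_up, use_blackhole)
    if egress == "blackhole":
        return "drop"                               # dropped traffic never creates a session
    sessions[flow] = egress
    return egress

if __name__ == "__main__":
    sip = ("10.10.1.2", "10.10.2.2", "udp/5060")    # constructed SIP registration flow
    table = {}
    print(forward(sip, table, tunnel_up=False, use_blackhole=False))  # port2: wrong session created
    print(forward(sip, table, tunnel_up=True,  use_blackhole=False))  # port2: still stuck on it
    print(forward(sip, table, tunnel_up=True,  use_blackhole=False, snat_route_change=True))
    print(forward(sip, {}, tunnel_up=False))                          # drop: blackhole active
```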
Hillstone SG6000
Basic IP and routing configuration.
```
interface ethernet0/1
  zone "untrust"
  ip address 202.103.23.2 255.255.255.0
  manage ping
exit
interface ethernet0/2
  zone "trust"
  ip address 10.10.2.1 255.255.255.0
  manage ping
exit
ip vrouter "trust-vr"
  ip route 0.0.0.0/0 202.103.23.1
exit
```
Address objects, security policy and NAT configuration.
```
address "Local_10.10.2.0/24"
  ip 10.10.2.0/24
exit
address "Remote_10.10.1.0/24"
  ip 10.10.1.0/24
exit
rule id 1
  action permit
  src-zone "trust"
  dst-zone "untrust"
  src-addr "Local_10.10.2.0/24"
  dst-addr "Any"
  service "Any"
  name "to_Internet"
exit
ip vrouter "trust-vr"
  snatrule id 1 from-zone "trust" to-zone "untrust" from address-book "Local_10.10.2.0/24" to address-book "Any" service "Any" trans-to eif-ip mode dynamicport
exit
```
On the IPsec VPN page click New.
Click the Peer option, then click "+" on the right to create a new peer. Configure the VPN peer as shown; this is the phase 1 security proposal, which must match the FortiGate configuration. Enable DPD and click OK to apply the peer configuration.
```
isakmp peer "to_FortiGate"
  isakmp-proposal "psk-sha256-aes256-g2"
  pre-share "$01011NMr$XE3F0ui+whYFfilc+Fx6mDJ7I8Y="
  peer 202.103.13.2
  accept-all-peer-id
  dpd interval 10 retry 3 periodic
  interface ethernet0/1
exit
```
Once the VPN peer is created, continue with the IPsec VPN configuration: select the peer "to_FortiGate" created in the previous step and configure the phase 2 security proposal to match the FortiGate side; nothing needs to be set under the advanced options.
```
tunnel ipsec "to_FortiGate" auto
  sa-index 2
  ipsec-proposal "esp-sha256-aes128-g2"
  isakmp-peer "to_FortiGate"
exit
```
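A quick consistency check for the two sides' proposals, as an added Python example (not code from the page or from either vendor): it expands the FortiGate "set proposal" / "set dhgrp" lines above into (cipher, hash, DH group) suites and parses the StoneOS predefined proposal names used on this page. The name layout <psk|rsa|esp|ah>-<hash>-<cipher>-g<group> is an assumption derived from the two names the page shows; the FortiGate settings are copied from its CLI output above.

```python
import re

# FortiGate phase 1 / phase 2 settings as configured on this page
FGT_PHASE1 = {"proposal": "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
              "dhgrp": "14 5 2"}
FGT_PHASE2 = {"proposal": "aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 "
                          "aes128gcm aes256gcm chacha20poly1305",
              "dhgrp": "14 5 2"}
# StoneOS predefined proposal names chosen on the Hillstone side
HS_PHASE1 = "psk-sha256-aes256-g2"
HS_PHASE2 = "esp-sha256-aes128-g2"

def fgt_suites(cfg):
    """Expand a FortiGate proposal list and DH group list into every
    (cipher, hash, group) combination the FortiGate will offer."""
    suites = set()
    for item in cfg["proposal"].split():
        if "-" in item:
            cipher, hash_ = item.split("-", 1)
        else:
            cipher, hash_ = item, "aead"          # GCM/ChaCha20-Poly1305 carry their own integrity
        for group in cfg["dhgrp"].split():
            suites.add((cipher, hash_, int(group)))
    return suites

def hillstone_suite(name):
    """Parse a StoneOS proposal name into (cipher, hash, group).
    Assumed layout: <psk|rsa|esp|ah>-<hash>-<cipher>-g<group>."""
    m = re.fullmatch(r"(psk|rsa|esp|ah)-([a-z0-9]+)-([a-z0-9]+)-g(\d+)", name)
    if not m:
        raise ValueError(f"unrecognised StoneOS proposal name: {name}")
    _, hash_, cipher, group = m.groups()
    return (cipher, hash_, int(group))

def negotiable(fgt_cfg, hs_name):
    """True when the single Hillstone suite is among the FortiGate offers."""
    return hillstone_suite(hs_name) in fgt_suites(fgt_cfg)

if __name__ == "__main__":
    print("phase 1 compatible:", negotiable(FGT_PHASE1, HS_PHASE1))   # True
    print("phase 2 compatible:", negotiable(FGT_PHASE2, HS_PHASE2))   # True
```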
Create a tunnel interface and bind the IPsec VPN to it.
```
interface tunnel1
  zone "untrust"
  tunnel ipsec "to_FortiGate"
exit
```
Configure security policies permitting the IPsec VPN subnets and move them above the Internet-access policy.
```
rule id 2
  action permit
  src-zone "untrust"
  dst-zone "trust"
  src-addr "Remote_10.10.1.0/24"
  dst-addr "Local_10.10.2.0/24"
  service "Any"
  name "VPN_from_FortiGate"
exit
rule id 3
  action permit
  src-zone "trust"
  dst-zone "untrust"
  src-addr "Local_10.10.2.0/24"
  dst-addr "Remote_10.10.1.0/24"
  service "Any"
  name "VPN_to_FortiGate"
exit
rule id 1
  action permit
  src-zone "trust"
  dst-zone "untrust"
  src-addr "Local_10.10.2.0/24"
  dst-addr "Any"
  service "Any"
  name "to_Internet"
exit
```
Add a static route to the FortiGate-side VPN subnet with the tunnel interface as the egress interface.
```
ip vrouter "trust-vr"
  ip route 10.10.1.0/24 "tunnel1"
exit
```
Verification
On the FortiGate, check that the IPsec tunnel is established; adding an IPsec monitor widget to the dashboard shows the tunnel as up.
```
FortiGate # diagnose vpn ike gateway list

vd: root/0
name: VPN-to-Remote
version: 1
interface: port2 4
addr: 202.103.13.2:500 -> 202.103.23.2:500
tun_id: 202.103.23.2/::202.103.23.2
remote_location: 0.0.0.0
network-id: 0
created: 1254s ago
IKE SA: created 1/1  established 1/1  time 120/120/120 ms
IPsec SA: created 1/7  established 1/2  time 0/65/130 ms

  id/spi: 6 682ffbe3bdcd7130/bca06b5547f0a164
  direction: initiator
  status: established 1254-1254s ago = 120ms
  proposal: aes256-sha256
  key: a45c9a51ac96f767-98ce117bc21328d4-431c2a6eeceb933e-af19239a1116dd28
  lifetime/rekey: 86400/84845
  DPD sent/recv: 00000000/000003bd

FortiGate # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-to-Remote ver=1 serial=2 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=6 olast=6 ad=/0
stat: rxp=10 txp=35 rxb=840 txb=2940
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-to-Remote proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=28252/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=28503/28800
  dec: spi=92c2ead0 esp=aes key=32 22c824606a1f39ec9f9ce853b7e78f0bceacf61695360474d5365d4df8448f0b
       ah=sha256 key=32 f501d221d046169419833ad4c6f6aa6d90155700048590023024a6e48dc12e3b
  enc: spi=2008ef27 esp=aes key=32 fbc3d717c22ec085dac575010867f28b798f13b0f95d92f37ebe1eb9baf9d997
       ah=sha256 key=32 4dc43f2f80f5b212cb399272a4fc2b765351b7c835bce4fe56370a06692b6b67
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=1 dec_npuid=0 enc_npuid=0 run_tally=0
```
Check the FortiGate routing table.
```
FortiGate # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
C       10.10.1.0/24 is directly connected, port3
S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
C       192.168.100.0/24 is directly connected, port1
C       202.103.13.0/24 is directly connected, port2
```
Traffic test from PC1 on the FortiGate side.
```
VPCS> show
NAME   IP/MASK              GATEWAY
VPCS1  10.10.1.2/24         10.10.1.1
       fe80::250:79ff:fe66:6805/64

VPCS> ping 10.10.2.2
84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=3.442 ms
84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=4.599 ms
84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=1.291 ms
84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=1.419 ms
84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=1.397 ms
```
Check the IPsec connection status on the Hillstone firewall.
```
SG-6000(config)# show isakmp sa
Total: 1
======================================================================================
Cookies                            Gateway        Port  Algorithms                Lifetime
--------------------------------------------------------------------------------------
682ffbe3bdcd7130:bca06b5547f0a164  202.103.13.2   500   pre-share sha256/aes-256  84848
======================================================================================
SG-6000(config)# show ipsec sa
Total: 1
S - Status, I - Inactive, A - Active;
======================================================================================
Id  VPN           Peer IP        Port  Algorithms            SPI       Life(s)  S
--------------------------------------------------------------------------------------
3   to_FortiGate  >202.103.13.2  500   esp:aes256/sha256/-   92c2ead0  28243    A
3   to_FortiGate  <202.103.13.2  500   esp:aes256/sha256/-   2008ef27  28243    A
======================================================================================
```
Check the Hillstone routing table; it contains the manually configured route to the FortiGate LAN.
```
SG-6000(config)# show ip route
Codes: K - kernel route, C - connected, S - static, N - Domain, Z - ISP,
       R - RIP, O - OSPF, B - BGP, D - DHCP, P - PPPoE, W - wireless,
       H - HOST, G - SCVPN, V - VPN, M - IMPORT, I - ISIS, Y - SYNC,
       L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable

Routing Table for Virtual Router <trust-vr>
==============================================================================
S>* 0.0.0.0/0 [1/0/1] via 202.103.23.1, ethernet0/1
S>* 10.10.1.0/24 [1/0/1] is directly connected, tunnel1
C>* 10.10.2.0/24 is directly connected, ethernet0/2
H>* 10.10.2.1/32 [0/0/1] is local address, ethernet0/2
C>* 202.103.23.0/24 is directly connected, ethernet0/1
H>* 202.103.23.2/32 [0/0/1] is local address, ethernet0/1
```
Traffic test from PC2 on the Hillstone side.
```
VPCS> show
NAME   IP/MASK              GATEWAY
VPCS1  10.10.2.2/24         10.10.2.1
       fe80::250:79ff:fe66:6806/64

VPCS> ping 10.10.1.2
84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=1.715 ms
84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=1.710 ms
84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=7.731 ms
84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.330 ms
84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=1.684 ms
```
Packet capture on the FortiGate.
```
FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
2023-04-10 16:27:56.023973 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:27:56.024029 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:27:56.026679 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:27:56.026698 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:27:57.029816 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:27:57.029855 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:27:57.030097 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:27:57.030109 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:27:58.031820 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:27:58.031856 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:27:58.032037 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:27:58.032049 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:27:59.033955 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:27:59.033988 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:27:59.034145 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:27:59.034151 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:28:00.036548 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:28:00.036586 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-10 16:28:00.036803 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-10 16:28:00.036816 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
```
Notes
Capturing VPN payload and ESP packets with the sniffer:
Capture the IPsec VPN IKE negotiation packets:
```
diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
```
Capture the IPsec VPN ESP-encrypted packets:
```
diagnose sniffer packet any "host 101.1.1.1 and esp" 4
```
Capture the plaintext VPN payload packets:
```
diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
```
Note: hardware appliances offload IPsec to an accelerator chip, so captures may be incomplete, mainly for ESP data and plaintext payload. It is therefore sometimes necessary to disable NP offload for the VPN tunnel:
```
FortiGate # config vpn ipsec phase1-interface
FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
FortiGate (BJ-OSPF-TO-SH) # end
```
IPsec VPN debugging on the Hillstone SG6000 firewall:
```
SG-6000[DBG]# debug vpn
SG-6000[DBG]# show logging debug
```