Establishing an IPsec VPN with Alibaba Cloud

Network requirements

As shown in the figure, two LANs are connected through an IPsec VPN (interface mode) so that the 10.10.1.0/24 and 172.17.112.0/20 subnets can communicate. The IPsec VPN (IKEv1) is established with Alibaba Cloud.

Network topology

[Figure: network topology]

Configuration overview

  • Configure FortiGate
    • Basic internet access configuration
    • Configure the IPsec VPN
  • Configure the Alibaba Cloud VPN
    • Configure the VPN gateway
    • Configure the IPsec VPN connection
  • Note: to delete the IPsec VPN phase 1 or phase 2, first delete the static route and the firewall policies that reference the tunnel.

Notes

  1. In Alibaba Cloud's IPsec implementation, phase 1 and phase 2 are not linked: when Alibaba Cloud's phase 1 expires, it neither re-initiates phase 1 negotiation nor deletes the corresponding phase 2; phase 1 is renegotiated only after both phase 1 and phase 2 have expired. FortiGate, by contrast, deletes the phase 2 SAs as soon as the phase 1 SA expires (normal behaviour for a security device). The screenshot below is an Alibaba Cloud engineer's explanation of the Alibaba Cloud IPsec negotiation mechanism.

    [Screenshot: Alibaba Cloud engineer's explanation of the IPsec negotiation mechanism]

  2. As a result, when FortiGate is the IPsec responder and Alibaba Cloud the initiator, the following can happen once phase 1 expires: FortiGate deletes its phase 1 and the associated phase 2 connections, while Alibaba Cloud deletes only its phase 1 and keeps phase 2 until the phase 2 countdown ends, and only then re-initiates phase 1.

  3. If FortiGate re-initiates phase 1 at this point, Alibaba Cloud does not respond. The IPsec connection shows as down on FortiGate while Alibaba Cloud still shows it as up, and traffic does not pass. Renegotiation happens only after the stale phase 2 on Alibaba Cloud expires; if both ends are configured with a long phase 2 lifetime, the outage is correspondingly long.

  4. To avoid this, FortiGate must always be the IPsec VPN initiator and Alibaba Cloud the responder, so that FortiGate proactively re-establishes phase 1 and phase 2 before phase 1 expires (30 s or 300 s beforehand).

  5. Because the negotiation mechanism on the Alibaba Cloud side cannot be changed, the workaround is a Local-in Policy on FortiGate that drops IKE negotiation packets from the peer when no IKE session exists. (In addition, FortiGate removes the IKE session once the IPsec connection is established, so IKE packets the peer sends afterwards are dropped as well, which prevents FortiGate from becoming the responder.) See the configuration steps for details.

Configuration steps

Configure FortiGate

  1. Basic internet access configuration.

  2. Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.

  3. Select the Custom IPsec VPN template and click Next.

  4. Configure Network, Authentication and Phase 1.

    config vpn ipsec phase1-interface
        edit "to_AliCloud"
            set interface "wan"
            set peertype any
            set net-device disable
            set proposal aes128-sha1
            set dpd on-idle
            set dhgrp 2
            set remote-gw 123.56.116.233
            set psksecret xxxxxx
        next
    end
    
  5. Configure Phase 2.

    config vpn ipsec phase2-interface
        edit "to_AliCloud"
            set phase1name "to_AliCloud"
            set proposal aes128-sha1
            set dhgrp 2
            set auto-negotiate enable
            set src-subnet 192.168.123.0 255.255.255.0
            set dst-subnet 172.17.112.0 255.255.240.0
        next
    end
    
  6. Configure the address objects for the VPN subnets and the Alibaba Cloud VPN gateway, and the firewall policies.

    config firewall address
        edit "Local_192.168.123.0/24"
            set subnet 192.168.123.0 255.255.255.0
        next
        edit "Remote_172.17.112.0/20"
            set subnet 172.17.112.0 255.255.240.0
        next
        edit "AliCloud_VPN_Gateway"
            set subnet 123.56.116.233 255.255.255.255
        next
    end
    
    config firewall policy
        edit 4
            set srcintf "lan"
            set dstintf "to_AliCloud"
            set action accept
            set srcaddr "Local_192.168.123.0/24"
            set dstaddr "Remote_172.17.112.0/20"
            set schedule "always"
            set service "ALL"
        next
        edit 5
            set srcintf "to_AliCloud"
            set dstintf "lan"
            set action accept
            set srcaddr "Remote_172.17.112.0/20"
            set dstaddr "Local_192.168.123.0/24"
            set schedule "always"
            set service "ALL"
        next
    end
    
  7. Configure the static route for the VPN subnet.

    config router static
        edit 3
            set dst 172.17.112.0 255.255.240.0
            set device "to_AliCloud"
        next
        edit 4
            set dst 172.17.112.0 255.255.240.0
            set distance 254
            set blackhole enable
        next
    end
    
  8. Configure a Local-in Policy on FortiGate to drop IKE negotiation packets from the Alibaba Cloud side when no IKE session exists.

    Note that this step is essential: without it, the IPsec connection to Alibaba Cloud will very likely fail to re-establish after it drops.

    config firewall local-in-policy
        edit 1
            set intf "wan"
            set srcaddr "AliCloud_VPN_Gateway"
            set dstaddr "all"
            set service "IKE"
            set schedule "always"
            set action deny
        next
    end
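
To see why this deny policy does not interfere with the negotiations FortiGate starts itself, here is an added Python model (not FortiOS code and not part of the original page) of the three states the notes describe; it assumes, as the notes state, that local-in policies are consulted only for new sessions and that FortiGate drops its IKE session once the tunnel is up. The addresses are the ones used in this configuration.

```python
from dataclasses import dataclass, field

# Constructed values taken from the configuration above.
FGT_WAN = "123.112.245.93"
ALICLOUD_GW = "123.56.116.233"
IKE_PORTS = {500, 4500}

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class FortiGateModel:
    """Toy model (an assumption about FortiOS, not its code): local-in policies are
    consulted only for the first packet of a new session, while a packet matching a
    session FortiGate itself opened is accepted as a reply."""
    deny_ike_from: set = field(default_factory=set)  # srcaddr of the deny policy
    sessions: set = field(default_factory=set)       # (src, dst, sport, dport)

    def initiate_ike(self, peer: str) -> None:
        # FortiGate sends the first IKE packet as initiator, creating a session.
        self.sessions.add((FGT_WAN, peer, 500, 500))

    def tunnel_established(self) -> None:
        # Per the notes above, FortiGate removes the IKE session once IPsec is up.
        self.sessions.clear()

    def local_in(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions:
            return "accept: reply to our own IKE negotiation"
        if pkt.dport in IKE_PORTS and pkt.src in self.deny_ike_from:
            return "deny: local-in-policy 1"
        return "accept: default local-in"

def scenario() -> dict:
    """Verdict for an IKE packet from the Alibaba Cloud gateway in each of the
    three states the notes describe."""
    fgt = FortiGateModel(deny_ike_from={ALICLOUD_GW})
    from_alicloud = Packet(ALICLOUD_GW, FGT_WAN, 500, 500)
    verdicts = {"no_session": fgt.local_in(from_alicloud)}
    fgt.initiate_ike(ALICLOUD_GW)
    verdicts["we_initiated"] = fgt.local_in(from_alicloud)
    fgt.tunnel_established()
    verdicts["after_tunnel_up"] = fgt.local_in(from_alicloud)
    return verdicts
```

Only the packet that answers FortiGate's own negotiation gets through; an unsolicited IKE packet from the Alibaba Cloud gateway is dropped both before any session exists and after the tunnel is up.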
    

Configure the Alibaba Cloud IPsec VPN

  1. Go to Network Interconnection → VPN → VPN Gateways and create a VPN gateway; make sure to select the vSwitch that can reach the ECS instances.

  2. Go to the Customer Gateways page and create a customer gateway with FortiGate's public IP address.

  3. Go to the IPsec Connections page and create an IPsec connection.

  4. Set Associated Resource to VPN Gateway and select the VPN gateway and customer gateway created above; set Routing Mode to interesting traffic (protected data flows), fill in the local and remote interesting-traffic subnets, and keep the phase 1/phase 2 algorithms and rekey lifetimes consistent with FortiGate.

  5. Click OK. A prompt asks whether to publish routes to the VPN gateway; choose OK and routes matching the interesting traffic are added to the VPN gateway automatically.

  6. Go to VPN Gateways and edit the VPN gateway created in step 1. The policy-based route table at the bottom lists the policy route for the VPN interesting traffic; click Publish so that its status changes to Published.

  7. Configure the security group of the ECS instance to allow outbound and inbound traffic (adjust to actual requirements).

Verification

  1. Check on FortiGate that the IPsec tunnel is up: add an IPsec monitor widget to the dashboard; it shows the tunnel as established.

  2. Check the FortiGate routing table.

    FortiGate # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 123.112.245.1, wan, [1/0]
    C       192.168.123.0/24 is directly connected, lan
    S       172.17.112.0/20 [10/0] via to_AliCloud tunnel 123.56.116.233, [1/0]
    C       123.112.245.0/24 is directly connected, wan
    
  3. Test traffic from a PC on the FortiGate side.

  4. Check the tunnel status on FortiGate: FortiGate is the initiator, which is the correct state. If it were the responder, the problem described in the Notes section would occur (the Local-in Policy exists precisely to stop FortiGate from becoming the responder).

    FortiGate # diagnose vpn ike gateway list name to_AliCloud
    
    vd: root/0
    name: to_AliCloud
    version: 1
    interface: wan 5
    addr: 123.112.245.93:500 -> 123.56.116.233:500
    tun_id: 123.56.116.233/::123.56.116.233
    remote_location: 0.0.0.0
    network-id: 0
    created: 9s ago
    nat: me peer
    IKE SA: created 1/1  established 1/1  time 40/40/40 ms
    IPsec SA: created 1/1  established 1/1  time 70/70/70 ms
    
      id/spi: 1544 dd588fcaa7cdae73/f47afb7c48f8e129
      direction: initiator
      status: established 9-9s ago = 40ms
      proposal: aes128-sha1
      key: b12f333e43d7d263-03a98c2d39015ba5
      lifetime/rekey: 86400/86090
      DPD sent/recv: 00000000/00000000
    
    FortiGate # diagnose vpn tunnel list name to_AliCloud
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=to_AliCloud ver=1 serial=18 123.112.245.93:500->123.56.116.233:500 tun_id=123.56.116.233 tun_id6=::123.56.116.233 dst_mtu=1500 dpd-link=on weight=1
    bound_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
    
    proxyid_num=1 child_num=0 refcnt=6 ilast=7 olast=1 ad=/0
    stat: rxp=116 txp=129 rxb=16390 txb=9310
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=5
    natt: mode=keepalive draft=32 interval=10 remote_port=500
    proxyid=to_AliCloud proto=0 sa=1 ref=3 serial=1 auto-negotiate
      src: 0:192.168.123.0-192.168.123.255:0
      dst: 0:172.17.112.0-172.17.127.255:0
      SA:  ref=6 options=18227 type=00 soft=0 mtu=1422 expire=42774/0B replaywin=2048
           seqno=80 esn=0 replaywin_lastseq=00000073 qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42902/43200
      dec: spi=688c1754 esp=aes key=16 2d9485697de2a31671bffbd55a97d91d
           ah=sha1 key=20 ccd0cdfea070180dabba59888f50d6470aaef88d
      enc: spi=4cba32a0 esp=aes key=16 495332b764e20e44523f5de593c14806
           ah=sha1 key=20 a3880ddf07c940ccc18ec827d0f1329094389c16
      dec:pkts/bytes=117/16450, enc:pkts/bytes=131/9566
      npu_flag=03 npu_rgwy=123.56.116.233 npu_lgwy=192.168.123.175 npu_selid=19 dec_npuid=1 enc_npuid=1
    run_tally=0
    
  5. Check the IPsec tunnel status on the Alibaba Cloud side: phase 2 is established.

  6. Test traffic from the ECS instance on the Alibaba Cloud side.

  7. Capture packets on FortiGate.

    FortiGate # dia sni pa any "host 172.17.113.228 or host 123.56.116.223" 4
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 172.17.113.228 or host 123.56.116.223]
    2.729115 to_AliCloud out 192.168.123.95 -> 172.17.113.228: icmp: echo request
    2.729136 wan out 123.112.245.93 -> 123.56.116.223: ESP(spi=0x4cba32a0,seq=0x7a)
    2.730083 wan in 123.56.116.223 -> 123.112.245.93: ESP(spi=0x688c1754,seq=0x74)
    2.730098 to_AliCloud in 172.17.113.228 -> 192.168.123.95: icmp: echo reply
    3.729410 to_AliCloud out 192.168.123.95 -> 172.17.113.228: icmp: echo request
    3.729430 wan out 123.112.245.93 -> 123.56.116.223: ESP(spi=0x4cba32a0,seq=0x7b)
    3.730364 wan in 123.56.116.223 -> 123.112.245.93: ESP(spi=0x688c1754,seq=0x75)
    3.730382 to_AliCloud in 172.17.113.228 -> 192.168.123.95: icmp: echo reply
    4.729580 to_AliCloud out 192.168.123.95 -> 172.17.113.228: icmp: echo request
    4.729600 wan out 123.112.245.93 -> 123.56.116.223: ESP(spi=0x4cba32a0,seq=0x7c)
    4.730377 wan in 123.56.116.223 -> 123.112.245.93: ESP(spi=0x688c1754,seq=0x76)
    4.730397 to_AliCloud in 172.17.113.228 -> 192.168.123.95: icmp: echo reply
    5.729921 to_AliCloud out 192.168.123.95 -> 172.17.113.228: icmp: echo request
    5.729941 wan out 123.112.245.93 -> 123.56.116.223: ESP(spi=0x4cba32a0,seq=0x7d)
    5.731016 wan in 123.56.116.223 -> 123.112.245.93: ESP(spi=0x688c1754,seq=0x77)
    5.731031 to_AliCloud in 172.17.113.228 -> 192.168.123.95: icmp: echo reply
    6.730170 to_AliCloud out 192.168.123.95 -> 172.17.113.228: icmp: echo request
    6.730191 wan out 123.112.245.93 -> 123.56.116.223: ESP(spi=0x4cba32a0,seq=0x7e)
    6.731200 wan in 123.56.116.223 -> 123.112.245.93: ESP(spi=0x688c1754,seq=0x78)
    6.731219 to_AliCloud in 172.17.113.228 -> 192.168.123.95: icmp: echo reply
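
The checks in steps 4 and 7 can be automated. The Python below is an added example (not FortiGate code and not from the original page) that parses trimmed samples of the output shown above: it confirms that FortiGate holds the initiator role and that the ESP SPIs seen by the sniffer match the enc/dec SAs installed for the tunnel. The function names are assumptions; the output is assumed to be pasted as plain text.

```python
import re

# Constructed sample: trimmed excerpts of the diagnostic output shown in steps 4 and 7.
IKE_GATEWAY = """\
name: to_AliCloud
addr: 123.112.245.93:500 -> 123.56.116.233:500
IKE SA: created 1/1  established 1/1  time 40/40/40 ms
  direction: initiator
  status: established 9-9s ago = 40ms
"""
TUNNEL_LIST = """\
  dec: spi=688c1754 esp=aes key=16 <redacted>
  enc: spi=4cba32a0 esp=aes key=16 <redacted>
"""
SNIFFER = """\
2.729115 to_AliCloud out 192.168.123.95 -> 172.17.113.228: icmp: echo request
2.729136 wan out 123.112.245.93 -> 123.56.116.223: ESP(spi=0x4cba32a0,seq=0x7a)
2.730083 wan in 123.56.116.223 -> 123.112.245.93: ESP(spi=0x688c1754,seq=0x74)
2.730098 to_AliCloud in 172.17.113.228 -> 192.168.123.95: icmp: echo reply
"""

def ike_role(gateway_output: str) -> str:
    """Role of the IKE SA from 'diagnose vpn ike gateway list' output; a missing
    'direction:' line means no IKE SA exists, i.e. the tunnel is down."""
    m = re.search(r"^\s*direction:\s*(initiator|responder)", gateway_output, re.M)
    if m is None:
        raise ValueError("no IKE SA in output: tunnel is down")
    return m.group(1)

def tunnel_spis(tunnel_output: str) -> dict:
    """Installed ESP SPIs from 'diagnose vpn tunnel list': enc = outbound, dec = inbound."""
    pairs = re.findall(r"^\s*(enc|dec):\s*spi=([0-9a-f]+)", tunnel_output, re.M)
    return {direction: int(spi, 16) for direction, spi in pairs}

def esp_mismatches(sniffer_output: str, spis: dict) -> list:
    """ESP packets in a sniffer trace whose SPI is not the SA installed for that
    direction (outbound must carry the enc SPI, inbound the dec SPI)."""
    expected = {"out": spis.get("enc"), "in": spis.get("dec")}
    bad = []
    for m in re.finditer(r"^\S+ \S+ (in|out) .*ESP\(spi=0x([0-9a-f]+),", sniffer_output, re.M):
        direction, spi = m.group(1), int(m.group(2), 16)
        if expected[direction] != spi:
            bad.append((direction, spi))
    return bad

def tunnel_healthy(gateway_output: str, tunnel_output: str, sniffer_output: str) -> bool:
    """True only when FortiGate is the initiator and on-wire ESP uses the installed SAs."""
    return ike_role(gateway_output) == "initiator" and not esp_mismatches(
        sniffer_output, tunnel_spis(tunnel_output))
```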
    

Other notes

  1. When establishing the IPsec VPN with Alibaba Cloud, if FortiGate sits behind NAT (its interface has a private address), set a Local ID in FortiGate's phase 1 with ID type address and the public address FortiGate is NATed to.

    config vpn ipsec phase1-interface
        edit "to_AliCloud"
            set localid-type address
            set localid 123.112.245.93    // enter the public address FortiGate is NATed to
        next
    end
    
  2. To use IKEv2, simply change the IKE version in the phase 1 configuration on both ends to IKEv2; as before, the security algorithms must match on both sides.

  3. Using the sniffer to capture VPN traffic and ESP packets:

    • Capture the IKE negotiation packets of the IPsec VPN:

      diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
      
    • Capture the ESP-encrypted packets of the IPsec VPN:

      diagnose sniffer packet any "host 101.1.1.1 and esp" 4
      
    • Capture the cleartext traffic carried inside the IPsec VPN:

      diagnose sniffer packet any "host 172.17.113.228 and icmp" 4
      
    • Note: hardware models accelerate IPsec VPN with NP chips, so captures may be incomplete (mainly the ESP packets and the cleartext traffic are not fully captured). It is therefore sometimes necessary to disable NP offload for the VPN tunnel (use this with caution when VPN traffic volume is high):

      FortiGate # config vpn ipsec phase1-interface   
      FortiGate (phase1-interface) # edit to_AliCloud        
      FortiGate (to_AliCloud) # set npu-offload disable
      FortiGate (to_AliCloud) # end
      

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2023-11-29 15:00:01