Establishing an IPsec VPN with a Check Point Firewall

Network Requirements

As shown in the diagram, an interface-mode IPsec VPN connects two LANs so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can communicate. The IPsec VPN (IKEv1) is established between a FortiGate and a Check Point firewall.

Check Point firewall version:

gw-000100> ver 
Product version Check Point Gaia R81.10 
OS build 335
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

Network Topology

Figure: network topology diagram.

Configuration Notes

  • Configure the FortiGate
    • Basic Internet access configuration
    • Configure the IPsec VPN
  • Configure the Check Point firewall
    • Basic Internet access configuration
    • Configure the IPsec VPN
  • Note: to delete an IPsec VPN phase 1 or phase 2, first delete the static routes and firewall policies that reference it.

Configuration Steps

FortiGate

  1. Basic Internet access configuration.

  2. Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.

  3. Select the Custom template for the IPsec VPN and click Next.

  4. Configure the Network, Authentication, Phase 1 and Phase 2 settings as shown.

    Note: because the Check Point IPsec configuration requires specific interesting-traffic selectors, the FortiGate must use matching specific selectors when peering with a Check Point firewall.

    config vpn ipsec phase1-interface
        edit "VPN-to-Remote"
            set interface "port2"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set dhgrp 14 5 2
            set remote-gw 202.103.23.2
            set psksecret xxxxxxxx
        next
    end
    
    config vpn ipsec phase2-interface
        edit "VPN-to-Remote"
            set phase1name "VPN-to-Remote"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set dhgrp 14 5 2
            set auto-negotiate enable
            set src-subnet 10.10.1.0 255.255.255.0
            set dst-subnet 10.10.2.0 255.255.255.0
        next
    end
    
  5. Configure address objects for the VPN subnets and the firewall policies.

    config firewall address
        edit "Local_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
        edit "Remote_10.10.2.0/24"
            set subnet 10.10.2.0 255.255.255.0
        next
    end
    
    config firewall policy
        edit 2
            set name "VPN-Local-to-Remote"
            set srcintf "port3"
            set dstintf "VPN-to-Remote"
            set action accept
            set srcaddr "Local_10.10.1.0/24"
            set dstaddr "Remote_10.10.2.0/24"
            set schedule "always"
            set service "ALL"
        next
        edit 3
            set name "VPN-Remote-to-Local"
            set srcintf "VPN-to-Remote"
            set dstintf "port3"
            set action accept
            set srcaddr "Remote_10.10.2.0/24"
            set dstaddr "Local_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
        next
    end
    
  6. Configure static routes for the VPN subnets.

    Why the VPN routing configuration includes a blackhole route:

    You may run into VPN service problems such as these: SIP phones over the VPN drop intermittently and cannot register with the server; RADIUS authentication over the VPN frequently fails; APs registering to headquarters over the VPN lose their connection from time to time; continuous PRTG monitoring pings to a headquarters server show intermittent outages. A VPN may reconnect for various reasons (unstable Internet, a PPPoE reconnection that changes the public IP address, and so on). The VPN tunnel is briefly DOWN, and the route to the remote VPN subnet disappears for the same interval. During that interval the VPN traffic (SIP registration requests, RADIUS, CAPWAP, ICMP) matches the default route and is sent out the WAN (Internet), creating incorrect UDP NAT sessions. Even after the tunnel comes back UP and the route to the VPN subnet is restored, the existing SIP and similar flows keep matching those incorrect sessions, so the services misbehave.

    Solutions:

    • Method 1: configure a blackhole route to the VPN subnet with administrative distance 254. While the VPN is up this blackhole route is inactive; when the VPN goes down, the blackhole route becomes active and discards the VPN traffic during the outage, so it is not forwarded to the Internet and no incorrect sessions are created. This is the purpose of the backup blackhole route.
    • Method 2: configure a deny policy with source interface LAN, destination interface WAN, source address the local internal subnet and destination address the remote internal subnet. It drops this (useless) private traffic headed for the Internet, so the FortiGate never creates the incorrect sessions and the intermittent UDP service interruptions are avoided.
    • Method 3: enable “set snat-route-change enable” under the global settings. When a route changes, the affected sessions are flagged “dirty”, the route cache is cleared and the next hop for the destination IP is looked up again, so when the VPN tunnel recovers the traffic switches back into the tunnel.
      FortiGate # config system global
      FortiGate (global) # set snat-route-change enable                             
      FortiGate (global) # end
      
    Any one of the three methods is sufficient; the blackhole route is recommended.

    config router static
        edit 1
            set gateway 202.103.12.1
            set device "port2"
        next
        edit 2
            set dst 10.10.2.0 255.255.255.0
            set device "VPN-to-Remote"
        next
        edit 3
            set dst 10.10.2.0 255.255.255.0
            set distance 254
            set blackhole enable
        next
    end
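To make the administrative-distance argument above concrete, here is an added Python illustration (not FortiGate code and not from the original article) that models the three static routes with a longest-prefix-match lookup. It assumes that a static route bound to the tunnel interface is withdrawn while the tunnel is down, and compares the forwarding decision for 10.10.2.2 with and without the distance-254 blackhole route.

```python
import ipaddress

# Constructed routing table modelled on the "config router static" entries above
# (added illustration, not FortiGate code). Each entry is
# (prefix, outgoing device, administrative distance, is_blackhole).
STATIC_ROUTES = [
    ("0.0.0.0/0",    "port2",         10,  False),  # default route out the WAN
    ("10.10.2.0/24", "VPN-to-Remote", 10,  False),  # route via the tunnel interface
    ("10.10.2.0/24", None,            254, True),   # backup blackhole, distance 254
]

TUNNEL_IF = "VPN-to-Remote"


def usable_routes(routes, tunnel_up):
    """A static route over a tunnel interface is only installed while that
    interface is up, so it vanishes during a tunnel flap (assumed model).
    Blackhole and WAN routes are always present."""
    return [r for r in routes if tunnel_up or r[1] != TUNNEL_IF]


def lookup(routes, dst, tunnel_up):
    """Forwarding decision for one destination: longest prefix match first;
    among routes with the same prefix length the lowest administrative
    distance wins. Returns "tunnel", "blackhole", "unreachable" or the
    name of the WAN device the packet would leave on."""
    dst_ip = ipaddress.ip_address(dst)
    best_key, best_route = None, None
    for prefix, device, distance, blackhole in usable_routes(routes, tunnel_up):
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        key = (net.prefixlen, -distance)  # longer prefix, then lower distance
        if best_key is None or key > best_key:
            best_key, best_route = key, (device, blackhole)
    if best_route is None:
        return "unreachable"
    device, blackhole = best_route
    if blackhole:
        return "blackhole"
    return "tunnel" if device == TUNNEL_IF else device


def without_blackhole(routes):
    """The same table with the backup blackhole removed, for comparison."""
    return [r for r in routes if not r[3]]


if __name__ == "__main__":
    for up in (True, False):
        print(f"tunnel up={up}: with blackhole -> {lookup(STATIC_ROUTES, '10.10.2.2', up)}, "
              f"without -> {lookup(without_blackhole(STATIC_ROUTES), '10.10.2.2', up)}")
```

With the tunnel up the /24 tunnel route (distance 10) beats the /24 blackhole (distance 254). With the tunnel down the blackhole is the only remaining /24 and beats the /0 default regardless of distance, so the traffic is dropped; without the blackhole the same lookup falls through to port2, which is the WAN leak the text describes.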
    

Check Point Firewall

  1. Log in to the Check Point firewall's web management interface and configure the basic IP addresses and routing.

    set interface eth1 comments "WAN" 
    set interface eth1 link-speed 1000M/full 
    set interface eth1 state on 
    set interface eth1 auto-negotiation on 
    set interface eth1 mtu 1500 
    set interface eth1 ipv4-address 202.103.23.2 mask-length 24 
    set interface eth2 comments "LAN" 
    set interface eth2 link-speed 1000M/full 
    set interface eth2 state on 
    set interface eth2 auto-negotiation on 
    set interface eth2 mtu 1500 
    set interface eth2 ipv4-address 10.10.2.1 mask-length 24 
    
    set static-route default nexthop gateway address 202.103.23.1 on
    
  2. In the Check Point CLI, run “save config” to save the configuration.

  3. Connect to the Check Point firewall with SmartConsole and configure the address objects (enable NAT on the local subnet's address object and select Hide NAT; the corresponding SNAT rule is created automatically once the object is created), then create the security policy for Internet access.

  4. Create an “Interoperable Device” object (the remote IPsec gateway).

  5. In the “General Properties” of the Interoperable Device dialog, enter the FortiGate's VPN gateway address under “Machine”.

  6. Under “Topology”, set “VPN Domain” to “User defined”, select the address object for the peer's (FortiGate side) VPN interesting traffic, and click OK to finish creating the object.

  7. Open the “GATEWAYS & SERVERS” tab, double-click the managed firewall, and enable IPsec VPN under “General Properties”.

  8. Under “Network Domain → VPN Domain”, set “User defined” to the address object of the locally protected VPN subnet.

  9. Under “IPSec VPN → Link Selection”, set “Always use this IP address” to “Selected address from topology table”, select the interface IP of eth1 (the local VPN gateway), and click OK to apply.

  10. Create a “VPN Community” object.

  11. In the dialog that opens, configure the gateways: add the “Interoperable Device” created in the previous steps under “Center Gateways”, and add the local gateway under “Satellite Gateways”.

  12. Under “Encrypted Traffic”, leave “Accept all encrypted traffic on” unchecked.

  13. Under “Encryption”, configure the phase 1 and phase 2 proposals; they must match the FortiGate side.
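The proposal match required in FortiGate step 4 and Check Point step 13 can be checked before the tunnel is negotiated. The following added Python model (not from the original article, and not FortiGate or Check Point code) expands the FortiGate phase 1 proposal and DH-group lists from step 4 into the transforms the initiator offers and lets a single responder suite pick from them. The Check Point suite it uses (AES-256, SHA-256, DH group 14) is an assumption that is consistent with the `proposal: aes256-sha256` reported in the verification output; the IKEv1 exchange is simplified to one configured responder suite.

```python
from itertools import product

# Phase 1 settings taken from the FortiGate "config vpn ipsec phase1-interface" above.
FGT_PROPOSALS = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1".split()
FGT_DHGRPS = [14, 5, 2]

# Assumed Check Point community phase 1 suite (the page only shows it in a
# screenshot). AES-256 / SHA-256 / group 14 agrees with the "proposal: aes256-sha256"
# shown by "diagnose vpn ike gateway list" in the verification section.
CP_PHASE1 = {"enc": "aes256", "hash": "sha256", "dh": 14}


def initiator_transforms(proposals, dhgrps):
    """Expand FortiGate's proposal and DH-group lists into the ordered list of
    (enc, hash, dh) transforms the initiator offers in its SA payload."""
    offered = []
    for prop, dh in product(proposals, dhgrps):
        enc, hsh = prop.split("-")
        offered.append((enc, hsh, dh))
    return offered


def responder_choice(offered, responder):
    """Simplified responder: accept the first offered transform that equals its
    single configured suite; None means 'no proposal chosen'."""
    want = (responder["enc"], responder["hash"], responder["dh"])
    return next((t for t in offered if t == want), None)


def mismatch_report(offered, responder):
    """When nothing is chosen, name the attribute(s) the initiator never offered,
    which is what a 'no proposal chosen' IKE failure usually comes down to."""
    missing = []
    if responder["enc"] not in {t[0] for t in offered}:
        missing.append("encryption " + responder["enc"])
    if responder["hash"] not in {t[1] for t in offered}:
        missing.append("integrity " + responder["hash"])
    if responder["dh"] not in {t[2] for t in offered}:
        missing.append("DH group %d" % responder["dh"])
    if not missing and responder_choice(offered, responder) is None:
        missing.append("enc/hash/dh combination not offered together")
    return missing


if __name__ == "__main__":
    offered = initiator_transforms(FGT_PROPOSALS, FGT_DHGRPS)
    print("chosen:", responder_choice(offered, CP_PHASE1))
    print("if Check Point used group 19:",
          mismatch_report(offered, {"enc": "aes256", "hash": "sha256", "dh": 19}))
```

The point the model makes is that the FortiGate listing aes128-sha256 first does not decide the outcome; the responder's configured suite does, so the two sides must share at least one full encryption/integrity/DH-group combination.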

  14. Under “Shared Secret”, enable “Use only Shared Secret for all external members” and set the pre-shared key to the same value as on the FortiGate.

  15. Because Check Point binds IPsec to the physical link interface rather than a virtual tunnel interface, SNAT is applied before IPsec encapsulation in the outbound direction; VPN traffic that has been source-NATed no longer matches the interesting-traffic selectors, so IPsec traffic must be excluded from SNAT. On the “Advanced” tab, check “Disable NAT inside the VPN Community”; once enabled, traffic entering the VPN tunnel is not matched against the NAT rules. Click OK to apply.

  16. Before the Internet access rule, add security rules that allow traffic between the IPsec VPN subnets.

  17. Finally, click “Install Policy” to install all policies.

Verification

  1. Check that the IPsec tunnel is up on the FortiGate: add an IPsec monitor widget to the dashboard, which shows the tunnel established.

    FortiGate # diagnose vpn ike gateway list 
    vd: root/0
    name: VPN-to-Remote
    version: 1
    interface: port2 4
    addr: 202.103.13.2:500 -> 202.103.23.2:500
    tun_id: 202.103.23.2/::202.103.23.2
    remote_location: 0.0.0.0
    network-id: 0
    created: 127s ago
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
      id/spi: 508 d0481e88ec264101/908a37e3aa3e43be
      direction: initiator
      status: established 127-127s ago = 0ms
      proposal: aes256-sha256
      key: 39c34495a79b54ca-cdd33b755c2150e9-2b31e3f2ace9c0a2-5b9307e2ee57ee63
      lifetime/rekey: 1400/1242
      DPD sent/recv: 0000006e/00000000
    
    FortiGate # diagnose vpn tunnel list 
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=VPN-to-Remote ver=1 serial=1 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=on1
    bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 o0
    proxyid_num=1 child_num=0 refcnt=4 ilast=31 olast=31 ad=/0
    stat: rxp=10 txp=10 rxb=840 txb=840
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=110
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=VPN-to-Remote proto=0 sa=1 ref=10 serial=2 auto-negotiate
      src: 0:10.10.1.0-10.10.1.255:0
      dst: 0:10.10.2.0-10.10.2.255:0
      SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=3166/0B replaywin=2048
           seqno=b esn=0 replaywin_lastseq=0000000a qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=3297/3600
      dec: spi=daad030c esp=aes key=32 71ddf0ef357e7828acaffcbb4678daa04020591c56c2e6b3371643d4d5c0d1f5
           ah=sha256 key=32 cc7d15cad39ce576d9a1656e51c1b0e870aec41cf5d5e39c7ffcead1750363bd
      enc: spi=ccc51a59 esp=aes key=32 43d629dbc1e0bdb045772b7d5f42f6400a9ae5544be14b52312d7d7543bfb96b
           ah=sha256 key=32 5fdff7bce9562ae578488bbb78e9f050f91cfc137871c947056232114e017b93
      dec:pkts/bytes=20/1680, enc:pkts/bytes=20/2400
      npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=1 dec_npuid=0 enc_npuid=0
    run_tally=0
    
  2. View the FortiGate routing table.

    FortiGate # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
    C       10.10.1.0/24 is directly connected, port3
    S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
    C       192.168.100.0/24 is directly connected, port1
    C       202.103.13.0/24 is directly connected, port2
    
  3. Connectivity test from PC1 on the FortiGate side.

    VPCS> show
    
    NAME   IP/MASK              GATEWAY                             GATEWAY
    VPCS1  10.10.1.2/24         10.10.1.1
           fe80::250:79ff:fe66:6805/64
    
    VPCS> ping 10.10.2.2
    
    84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=5.727 ms
    84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=2.354 ms
    84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=4.145 ms
    84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=2.402 ms
    84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=3.445 ms
    
  4. Check the IPsec connection status on the Check Point firewall.

  5. View the Check Point routing table: the VPN traffic matches the default route and is sent to eth1, the local VPN gateway interface. (If your default route does not point to the local VPN gateway interface, add a more specific route for the VPN subnet that points to it.)

    gw-000100> show route
    Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
           O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
           A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
           NP - NAT Pool, U - Unreachable, i - Inactive
    
    S               0.0.0.0/0           via 202.103.23.1, eth1, cost 0, age 12890  
    C               10.10.2.0/24        is directly connected, eth2  
    C               127.0.0.0/8         is directly connected, lo  
    C               192.168.100.0/24    is directly connected, eth0  
    C               202.103.23.0/24     is directly connected, eth1
    
  6. Connectivity test from PC2 on the Check Point side.

    VPCS> show
    
    NAME   IP/MASK              GATEWAY                             GATEWAY
    VPCS1  10.10.2.2/24         10.10.2.1
           fe80::250:79ff:fe66:6806/64
    
    VPCS> ping 10.10.1.2
    
    84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=2.687 ms
    84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=2.235 ms
    84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=2.130 ms
    84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.225 ms
    84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=2.170 ms
    
  7. Packet capture on the FortiGate.

    FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
    2023-04-18 15:18:07.196766 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:07.196805 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:07.197221 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:07.197240 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:08.200924 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:08.200964 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:08.201134 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:08.201143 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:09.204488 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:09.204523 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:09.204736 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:09.204749 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:10.208678 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:10.208715 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:10.209058 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:10.209069 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:11.212295 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:11.212330 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-18 15:18:11.212521 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-18 15:18:11.212534 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
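The capture above shows the healthy path: every packet between the two LANs enters or leaves on VPN-to-Remote and port3 only. As an added example (not from the original article), the Python script below parses sniffer output in this format and flags any LAN-to-LAN packet seen on any other interface, which is the WAN leak that the blackhole route in step 6 is meant to prevent. The sample capture is constructed: the first four lines repeat the page's output, and the final two lines are an invented leak where an echo request leaves via port2.

```python
import ipaddress
import re

# Constructed sample of "diagnose sniffer packet ... 4" output (verbose level 4
# prints interface and direction). Lines 1-4 reproduce the page's capture; lines
# 5-6 are constructed to show a request leaving on port2 (the WAN) in the clear.
SAMPLE_CAPTURE = """\
2023-04-18 15:18:07.196766 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-18 15:18:07.196805 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-18 15:18:07.197221 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-18 15:18:07.197240 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-18 15:18:08.200924 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo request
2023-04-18 15:18:08.200964 port2 out 10.10.1.2 -> 10.10.2.2: icmp: echo request
"""

# One packet line: "<date> <time> <interface> in|out <src> -> <dst>: <proto>: <info>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): (?P<proto>\w+): (?P<info>.*)$"
)


def parse_capture(text):
    """Return one dict per packet line; header lines (filters=..., etc.) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_leaks(packets, local_net, remote_net, tunnel_intf, lan_intf):
    """Flag packets between the two VPN subnets that touch any interface other
    than the tunnel and the LAN port. Such a packet was forwarded by the default
    route instead of the tunnel route, i.e. it went to the WAN unencrypted."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    allowed = {tunnel_intf, lan_intf}
    leaks = []
    for pkt in packets:
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        vpn_flow = (src in local and dst in remote) or (src in remote and dst in local)
        if vpn_flow and pkt["intf"] not in allowed:
            leaks.append(pkt)
    return leaks


def summarize(packets):
    """Packet counts per (interface, direction). A healthy run shows only the
    tunnel and LAN interfaces, with matching in/out counts on each."""
    counts = {}
    for pkt in packets:
        key = (pkt["intf"], pkt["dir"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(summarize(pkts))
    for leak in find_leaks(pkts, "10.10.1.0/24", "10.10.2.0/24", "VPN-to-Remote", "port3"):
        print("LEAK:", leak["ts"], leak["intf"], leak["dir"], leak["src"], "->", leak["dst"])
```

Feed it the real output of the sniffer command from step 7 (saved to a file) to confirm that no LAN-to-LAN packet ever appears on the WAN interface; a non-empty leak list during a tunnel flap is the symptom the blackhole route removes.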
    

Notes

  1. Using the sniffer to capture VPN payload and ESP packets:

    • Capture the IPsec VPN IKE negotiation packets:

      diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
      
    • Capture the IPsec VPN ESP encrypted packets:

      diagnose sniffer packet any "host 101.1.1.1 and esp" 4
      
    • Capture the cleartext VPN payload packets:

      diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
      
    • Note: on hardware models with IPsec VPN chip acceleration, the capture may be incomplete (mainly the ESP and cleartext payload packets), so it is sometimes necessary to disable NP offload on the VPN tunnel:

      FortiGate # config vpn ipsec phase1-interface
      FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
      FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
      FortiGate (BJ-OSPF-TO-SH) # end
      
  2. For Check Point firewall IPsec VPN debugging, see: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/CLI/vpn-debug.htm

    vpn debug
          on [<Debug_Topic>=<Debug_Level>]
          off
          ikeon [-s <Size_in_MB>]
          ikeoff
          trunc [<Debug_Topic>=<Debug_Level>]
          truncon [<Debug_Topic>=<Debug_Level>]
          truncoff
          timeon [<Seconds>]
          timeoff
          ikefail [-s <Size_in_MB>]
          mon
          moff
          say ["String"]
          tunnel [<Level>]
    

Copyright © 2023 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
Page last revised: 2023-09-12 15:24:01