Establishing an IPsec VPN with an H3C SecPath Firewall
Network requirements
As shown in the figure, two LANs are connected through an interface-mode IPsec VPN so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can reach each other. The peer is an H3C SecPath firewall, and the tunnel is negotiated with IKEv1.
H3C SecPath firewall version:
<H3C>display version
H3C Comware Software, Version 7.1.064, ESS 1185P29
Copyright (c) 2004-2022 New H3C Technologies Co., Ltd. All rights reserved.
H3C SecPath vFW1000 uptime is 0 weeks, 0 days, 0 hours, 7 minutes
Last reboot reason : Power on
Boot image: flash:/vFW1000-CMW710-BOOT-E1185P29-X64.bin
Boot image version: 7.1.064, ESS 1185P29
Compiled Oct 31 2022 14:00:00
System image: flash:/vFW1000-CMW710-SYSTEM-E1185P29-X64.bin
System image version: 7.1.064, ESS 1185P29
Compiled Oct 31 2022 14:00:00
Network topology
(Figure.) From the configuration and outputs below: FortiGate port2 202.103.13.2/24 (WAN, gateway 202.103.13.1) and port3 10.10.1.1/24 (LAN, PC1 10.10.1.2); H3C GigabitEthernet2/0 202.103.23.2/24 (WAN, gateway 202.103.23.1) and GigabitEthernet3/0 10.10.2.1/24 (LAN, PC2 10.10.2.2).
Configuration points
- Configure the FortiGate
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Configure the H3C SecPath firewall
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Note: to delete the IPsec phase 1 or phase 2 later, first delete the static routes and firewall policies that reference the tunnel interface.
Configuration steps
FortiGate
Basic Internet access configuration.
To configure the IPsec VPN, go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.
Choose the Custom template and click Next.
Configure Network, Authentication, Phase 1 and Phase 2 as shown in the figure.
Note: unlike Cisco, Palo Alto, Juniper or Hillstone, which build the IPsec tunnel on a virtual (tunnel) interface and use 0.0.0.0/0 as the interesting traffic, an H3C firewall normally applies the IPsec policy to a physical interface and needs an explicit ACL describing the interesting traffic. The FortiGate phase 2 selectors must therefore be the matching specific subnets (10.10.1.0/24 to 10.10.2.0/24), not 0.0.0.0/0. The psksecret below is a placeholder; use a long random pre-shared key, identical on both sides. Both proposal lists still contain SHA-1 variants; because the H3C side only offers AES-256-CBC with SHA-256, that is what gets negotiated (see the verification output), but removing the SHA-1 entries also removes the weaker fallback.
config vpn ipsec phase1-interface
    edit "VPN-to-Remote"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.103.23.2
        set psksecret xxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-Remote"
        set phase1name "VPN-to-Remote"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 10.10.2.0 255.255.255.0
    next
end
Configure the address objects for the VPN subnets and the firewall policies. The policies reference the address objects by name, so the names must match exactly.
config firewall address
    edit "Local_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Remote_10.10.2.0/24"
        set subnet 10.10.2.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-Local-to-Remote"
        set srcintf "port3"
        set dstintf "VPN-to-Remote"
        set action accept
        set srcaddr "Local_10.10.1.0/24"
        set dstaddr "Remote_10.10.2.0/24"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-Remote-to-Local"
        set srcintf "VPN-to-Remote"
        set dstintf "port3"
        set action accept
        set srcaddr "Remote_10.10.2.0/24"
        set dstaddr "Local_10.10.1.0/24"
        set schedule "always"
        set service "ALL"
    next
end
Configure static routes for the VPN subnets.
Why the VPN route set includes a blackhole route:
You may have seen VPN service problems like these: SIP phones across the VPN drop intermittently and cannot register with the server; RADIUS authentication across the VPN frequently fails; APs registering to headquarters across the VPN lose their connection from time to time; continuous PRTG ping monitoring of a headquarters server shows intermittent outages. The VPN reconnects now and then for various reasons (an unstable Internet link, a PPPoE reconnect that changes the public IP, and so on). The tunnel goes down briefly, and the route to the peer's VPN subnet disappears with it. During that window the VPN traffic (SIP registration, RADIUS, CAPWAP, ICMP) matches the default route instead and leaves through the WAN (Internet), which creates a wrong UDP NAT session. Even after the tunnel comes back up and the route is restored, the old SIP (and similar) flows keep matching that wrong session, so the service stays broken. There are three ways to fix this:
- Method 1: configure a blackhole route to the VPN peer subnet with administrative distance 254. While the VPN is up this route is inactive; when the tunnel drops, the blackhole route floats up, takes effect and discards the VPN traffic for the duration of the outage instead of forwarding it to the Internet and creating a wrong session. That is what the backup blackhole route in the VPN route set is for.
- Method 2: configure a firewall policy with source interface LAN, destination interface WAN, source address the local internal subnet, destination address the peer's internal subnet, and action deny. It discards this (useless) private-address traffic heading for the Internet, so the FortiGate never creates the wrong session and the intermittent UDP failures go away.
- Method 3: enable set snat-route-change enable under config system global. Whenever a route changes, the affected sessions are flagged "dirty", the route cache is cleared and the next hop for the destination is looked up again, so traffic moves back into the tunnel as soon as it recovers.
FortiGate # config system global
FortiGate (global) # set snat-route-change enable
FortiGate (global) # end
config router static
    edit 1
        set gateway 202.103.13.1
        set device "port2"
    next
    edit 2
        set dst 10.10.2.0 255.255.255.0
        set device "VPN-to-Remote"
    next
    edit 3
        set dst 10.10.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
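To make the three options concrete, here is an added toy model (it is not FortiOS code and not part of the original page) of the behaviour described above. Routes are chosen by longest prefix and then lowest administrative distance, and a session, once created, stays pinned to the egress it was created with. The route entries mirror the config router static block; the session and "dirty" handling is a simplified model of what the text describes rather than FortiOS internals, and the method-2 deny policy is assumed to match exactly the two VPN subnets.

```python
"""Toy model of FortiGate route selection plus session pinning during a tunnel flap.
Added example, not FortiOS code. Routes mirror "config router static" on the page;
session/dirty-flag behaviour is a simplified model of the text, not FortiOS internals."""
import ipaddress

TUNNEL, WAN, BLACKHOLE = "VPN-to-Remote", "port2", "blackhole"
LOCAL_NET = ipaddress.ip_network("10.10.1.0/24")
REMOTE_NET = ipaddress.ip_network("10.10.2.0/24")


class FortiGateModel:
    def __init__(self, blackhole=False, deny_policy=False, snat_route_change=False):
        # (prefix, distance, device) as in "config router static"
        self.routes = [("0.0.0.0/0", 10, WAN), ("10.10.2.0/24", 10, TUNNEL)]
        if blackhole:                       # method 1: floating blackhole, distance 254
            self.routes.append(("10.10.2.0/24", 254, BLACKHOLE))
        self.deny_policy = deny_policy      # method 2: LAN->WAN deny for the VPN subnets (assumed scope)
        self.snat_route_change = snat_route_change  # method 3: set snat-route-change enable
        self.tunnel_up = True
        self.sessions = {}                  # (src, dst) -> egress device

    def lookup(self, dst):
        """Longest-prefix match; among equal prefixes the lowest distance wins.
        The route via the tunnel interface is only installed while the tunnel is up."""
        addr = ipaddress.ip_address(dst)
        cands = [(ipaddress.ip_network(p).prefixlen, dist, dev)
                 for p, dist, dev in self.routes
                 if addr in ipaddress.ip_network(p) and (dev != TUNNEL or self.tunnel_up)]
        if not cands:
            return None
        return max(cands, key=lambda c: (c[0], -c[1]))[2]

    def set_tunnel(self, up):
        self.tunnel_up = up
        # Sessions bound to a tunnel that just went down do not survive it.
        self.sessions = {k: v for k, v in self.sessions.items()
                         if not (v == TUNNEL and not up)}
        if up and self.snat_route_change:
            # Route change flags existing sessions dirty: they redo the route lookup.
            self.sessions.clear()

    def forward(self, src, dst):
        """Egress the packet actually takes: existing session first, then the FIB."""
        key = (src, dst)
        if key in self.sessions:
            return self.sessions[key]
        dev = self.lookup(dst)
        if dev == BLACKHOLE:
            return "dropped"                # nothing is forwarded, no session is created
        if (dev == WAN and self.deny_policy
                and ipaddress.ip_address(src) in LOCAL_NET
                and ipaddress.ip_address(dst) in REMOTE_NET):
            return "dropped"                # method 2 policy catches the leak
        self.sessions[key] = dev
        return dev


def flap_and_send(**opts):
    """One flow from PC1 to PC2 before, during and after a tunnel flap."""
    fg = FortiGateModel(**opts)
    before = fg.forward("10.10.1.2", "10.10.2.2")
    fg.set_tunnel(False)
    during = fg.forward("10.10.1.2", "10.10.2.2")
    fg.set_tunnel(True)
    after = fg.forward("10.10.1.2", "10.10.2.2")
    return before, during, after


if __name__ == "__main__":
    for name, opts in [("no fix", {}), ("blackhole", {"blackhole": True}),
                       ("deny policy", {"deny_policy": True}),
                       ("snat-route-change", {"snat_route_change": True})]:
        print(f"{name:18s} before/during/after = {flap_and_send(**opts)}")
```

Without any fix the flow ends up on port2 during the outage and stays there after the tunnel recovers, which is the stale-session symptom described above. Methods 1 and 2 prevent the wrong session from ever being created; method 3 lets it be created but flushes it when the route comes back.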
H3C SecPath
Basic IP and routing configuration.
interface GigabitEthernet2/0
 port link-mode route
 ip address 202.103.23.2 255.255.255.0
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet3/0
 port link-mode route
 ip address 10.10.2.1 255.255.255.0
 manage ping inbound
 manage ping outbound
#
security-zone name Trust
 import interface GigabitEthernet3/0
#
security-zone name Untrust
 import interface GigabitEthernet2/0
#
 ip route-static 0.0.0.0 0 GigabitEthernet2/0 202.103.23.1
Address objects, security policy and NAT configuration.
object-group ip address Local_10.10.2.0/24
 0 network subnet 10.10.2.0 255.255.255.0
#
object-group ip address Remote_10.10.1.0/24
 0 network subnet 10.10.1.0 255.255.255.0
#
security-policy ip
 rule 2 name to_Internet
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip Local_10.10.2.0/24
#
nat policy
 rule name to_Internet
  source-ip Local_10.10.2.0/24
  outbound-interface GigabitEthernet2/0
  action easy-ip
Configure IPsec: create a new IKE proposal with the security proposal shown in the figure and click OK to push the configuration.
Create a new IPsec policy with the parameters shown in the figure. The security proposal must match the FortiGate side. For the peer ID select "IPv4 address" and enter the FortiGate's public-interface IP; if the FortiGate's address is dynamic, use an FQDN-type ID instead and change the FortiGate's local ID to the matching FQDN. Enable "auto trigger" and "DPD", and tick "auto-generate security policy" (the generated policy permits IKE/IPsec negotiation to be both initiated and accepted). Note that the generated _IN rule (rule 4 below) restricts only the destination zone and the service, not the source zone or the peer address; once the tunnel is verified, limiting it to source-zone Untrust and the peer 202.103.13.2 is a reasonable tightening. The key cipher value in the keychain is the device's stored encrypted form of the pre-shared key, not the key itself.
acl advanced name IPsec_to_FortiGate_IPv4_1
 rule 0 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
#
ipsec transform-set to_FortiGate_IPv4_1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group14
#
ipsec policy to_FortiGate 1 isakmp
 transform-set to_FortiGate_IPv4_1
 security acl name IPsec_to_FortiGate_IPv4_1
 local-address 202.103.23.2
 remote-address 202.103.13.2
 ike-profile to_FortiGate_IPv4_1
 sa trigger-mode auto
 sa duration time-based 43200
 sa idle-time 60
#
ike profile to_FortiGate_IPv4_1
 keychain to_FortiGate_IPv4_1
 dpd interval 20 on-demand
 match remote identity address 202.103.13.2 255.255.255.255
 match local address GigabitEthernet2/0
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm sha256
#
ike keychain to_FortiGate_IPv4_1
 match local address GigabitEthernet2/0
 pre-shared-key address 202.103.13.2 255.255.255.255 key cipher $c$3$OAC3tjUo2G+AOc7w0iW8jeQvV2wpRj96iHSZ
#
interface GigabitEthernet2/0
 ipsec apply policy to_FortiGate
#
security-policy ip
 rule 4 name IPsec_to_FortiGate_1_20230407151324_IN
  action pass
  destination-zone Local
  service ike
  service nat-t-ipsec
  service ipsec-ah
  service ipsec-esp
 rule 3 name IPsec_to_FortiGate_1_20230407151324_OUT
  action pass
  source-zone Local
  service ike
  service nat-t-ipsec
  service ipsec-ah
  service ipsec-esp
Configure the security policies that permit traffic between the VPN subnets, and move them above the Internet-access policy.
security-policy ip
 rule 6 name VPN_from_FortiGate
  action pass
  source-zone Untrust
  destination-zone Trust
  source-ip Remote_10.10.1.0/24
  destination-ip Local_10.10.2.0/24
 rule 5 name VPN_to_FortiGate
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip Local_10.10.2.0/24
  destination-ip Remote_10.10.1.0/24
 rule 4 name IPsec_to_FortiGate_1_20230407151324_IN
  action pass
  destination-zone Local
  service ike
  service nat-t-ipsec
  service ipsec-ah
  service ipsec-esp
 rule 3 name IPsec_to_FortiGate_1_20230407151324_OUT
  action pass
  source-zone Local
  service ike
  service nat-t-ipsec
  service ipsec-ah
  service ipsec-esp
 rule 2 name to_Internet
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip Local_10.10.2.0/24
On an H3C firewall the forwarding path applies SNAT before IPsec. With the SNAT rule configured earlier, VPN traffic from 10.10.2.2 to 10.10.1.2 would be translated to the public IP 202.103.23.2 before it reaches IPsec processing; it would then no longer match the interesting-traffic ACL and would never be encrypted. So add a bypass SNAT rule for the VPN traffic (action no-nat) and place it at the top of the NAT policy so that it is matched first.
nat policy
 rule name VPN_to_FortiGate
  source-ip Local_10.10.2.0/24
  destination-ip Remote_10.10.1.0/24
  outbound-interface GigabitEthernet2/0
  action no-nat
 rule name to_Internet
  source-ip Local_10.10.2.0/24
  outbound-interface GigabitEthernet2/0
  action easy-ip
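The two interop points made so far, that the H3C ACL must mirror the FortiGate phase 2 selectors and that the no-nat rule must precede easy-ip because NAT runs before IPsec, can be checked offline before touching either box. The following is an added example (not FortiGate or H3C code, and not part of the original page): it normalizes both vendors' algorithm names and lists the phase 1 and phase 2 proposals the peers can actually agree on, converts the H3C wildcard-mask ACL into prefixes and compares it with the FortiGate selectors, and walks a packet through the H3C NAT policy in first-match order in both orderings. The proposal lists, ACL rule and NAT rules are taken from the configuration above; FGT_DHGRP is an assumption (dhgrp is not set explicitly on the page, so the FortiOS default is assumed).

```python
"""Offline interop check for the FortiGate <-> H3C IKEv1 tunnel on this page.
Added example, not vendor code. Inputs below are copied from the page's config;
FGT_DHGRP is an assumption (dhgrp is not set explicitly, FortiOS default assumed)."""
import ipaddress
import re

FGT_PHASE1 = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1".split()
FGT_PHASE2 = ("aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 "
              "aes128gcm aes256gcm chacha20poly1305").split()
FGT_DHGRP = {14, 5}                      # assumption: FortiOS default "dhgrp 14 5"
FGT_SELECTOR = ("10.10.1.0 255.255.255.0", "10.10.2.0 255.255.255.0")  # src-subnet, dst-subnet

H3C_IKE_PROPOSALS = [{"enc": "aes-cbc-256", "auth": "sha256", "dh": "group14"}]
H3C_TRANSFORM_SETS = [{"enc": "aes-cbc-256", "auth": "sha256", "dh": "dh-group14"}]
H3C_ACL = "rule 0 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255"
H3C_NAT_POLICY = [   # "nat policy" rules in the final order on the page (no-nat first)
    {"name": "VPN_to_FortiGate", "src": "10.10.2.0/24", "dst": "10.10.1.0/24", "action": "no-nat"},
    {"name": "to_Internet", "src": "10.10.2.0/24", "dst": None, "action": "easy-ip"},
]
H3C_WAN_IP = "202.103.23.2"   # easy-ip rewrites the source to the outbound interface address


def h3c_to_fgt_name(enc, auth):
    """'aes-cbc-256' + 'sha256' -> 'aes256-sha256' (FortiGate proposal spelling).
    H3C spells SHA-1 'sha' in ike proposals and 'sha1' in transform-sets."""
    m = re.fullmatch(r"aes-cbc-(128|192|256)", enc)
    if not m:
        raise ValueError(f"unsupported cipher {enc!r}")
    auth_map = {"md5": "md5", "sha": "sha1", "sha1": "sha1",
                "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
    return f"aes{m.group(1)}-{auth_map[auth]}"


def dh_number(value):
    """'group14' or 'dh-group14' -> 14."""
    return int(re.search(r"group(\d+)$", value).group(1))


def wildcard_to_network(addr, wildcard):
    """H3C ACLs use inverse (wildcard) masks: 0.0.0.255 means a /24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                 # the 1-bits must form one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def acl_selector(rule):
    m = re.search(r"permit ip source (\S+) (\S+) destination (\S+) (\S+)", rule)
    return wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])


def fgt_network(text):
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def negotiate():
    """Proposals both sides offer, kept in the FortiGate's preference order."""
    h3c_p1 = {h3c_to_fgt_name(p["enc"], p["auth"]) for p in H3C_IKE_PROPOSALS}
    h3c_p2 = {h3c_to_fgt_name(t["enc"], t["auth"]) for t in H3C_TRANSFORM_SETS}
    return {
        "phase1": [p for p in FGT_PHASE1 if p in h3c_p1],
        "phase1_dh": sorted(FGT_DHGRP & {dh_number(p["dh"]) for p in H3C_IKE_PROPOSALS}),
        "phase2": [p for p in FGT_PHASE2 if p in h3c_p2],
        "pfs": sorted(FGT_DHGRP & {dh_number(t["dh"]) for t in H3C_TRANSFORM_SETS}),
    }


def selectors_mirror():
    """The H3C ACL source must equal the FortiGate dst-subnet and vice versa."""
    fgt_src, fgt_dst = map(fgt_network, FGT_SELECTOR)
    h3c_src, h3c_dst = acl_selector(H3C_ACL)
    return h3c_src == fgt_dst and h3c_dst == fgt_src


def apply_nat(src, dst, policy=H3C_NAT_POLICY):
    """First-match NAT policy: return the packet's source address after NAT."""
    for rule in policy:
        in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
        in_dst = rule["dst"] is None or ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
        if in_src and in_dst:
            return src if rule["action"] == "no-nat" else H3C_WAN_IP
    return src


def encrypted_after_nat(src, dst, policy=H3C_NAT_POLICY):
    """NAT runs before IPsec on the H3C: does the post-NAT packet still hit the ACL?"""
    acl_src, acl_dst = acl_selector(H3C_ACL)
    new_src = apply_nat(src, dst, policy)
    return ipaddress.ip_address(new_src) in acl_src and ipaddress.ip_address(dst) in acl_dst


if __name__ == "__main__":
    print(negotiate(), "selectors mirror:", selectors_mirror())
    print("no-nat first  :", encrypted_after_nat("10.10.2.2", "10.10.1.2"))
    print("easy-ip first :", encrypted_after_nat("10.10.2.2", "10.10.1.2", H3C_NAT_POLICY[::-1]))
```

With the page's values the only common proposal in both phases is aes256-sha256 with DH group 14, which is exactly what the verification output below reports; reversing the NAT policy order makes the post-NAT source 202.103.23.2 fall outside the ACL, so the packet would leave in the clear.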
Add a static route to the FortiGate's internal VPN subnet. Because the default route already leaves through the physical interface the IPsec policy is applied to, this route is not strictly needed here; use it as a reference if there is no default route or the default route exits through a different interface.
ip route-static 10.10.1.0 24 GigabitEthernet2/0 202.103.23.1
Verification
On the FortiGate, confirm that the IPsec tunnel is up: add an IPsec widget to the dashboard, or use the CLI below. Note that diagnose vpn tunnel list prints the live ESP keys (the dec/enc key=32 values); treat this output as sensitive and redact those values before pasting it into a ticket or sharing it.
FortiGate # diagnose vpn ike gateway list
vd: root/0
name: VPN-to-Remote
version: 1
interface: port2 4
addr: 202.103.13.2:500 -> 202.103.23.2:500
tun_id: 202.103.23.2/::202.103.23.2
remote_location: 0.0.0.0
network-id: 0
created: 2435s ago
IKE SA: created 1/1  established 1/1  time 20/20/20 ms
IPsec SA: created 1/38  established 1/38  time 20/75/2030 ms

  id/spi: 365 3f178bf07066db5b/4bc6621ed12c3030
  direction: initiator
  status: established 2435-2435s ago = 20ms
  proposal: aes256-sha256
  key: 2f13f4b81d3eb4c1-575e1272457cc854-d37978c764f9a778-cd5724cdc244f07a
  lifetime/rekey: 86400/83664
  DPD sent/recv: 00000a61/000030dd

FortiGate # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-to-Remote ver=1 serial=1 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=13 olast=13 ad=/0
stat: rxp=10 txp=15 rxb=840 txb=1260
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=2658
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-to-Remote proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:10.10.1.0-10.10.1.255:0
  dst: 0:10.10.2.0-10.10.2.255:0
  SA: ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42881/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42901/43200
  dec: spi=34dc89a0 esp=aes key=32 9ebf3ec4affd4b4a57b18fe15c1c505184622c2cdcba87d788887f569cfaa23e
       ah=sha256 key=32 c3efca48ffbcd7fb0e8013fef745576010a71ec3c9a02a32f333c380de01e2a6
  enc: spi=bc07e7b7 esp=aes key=32 660dedaa1a6d145b94073c031a3e9f1587dcb44d3b50b9683382b27ecd5562ce
       ah=sha256 key=32 308adc9899b8775255c59053ed4a5edc3df8231135007d2a26614097619361de
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=0 dec_npuid=0 enc_npuid=0
  run_tally=0
View the FortiGate routing table. The 10.10.2.0/24 route via the tunnel interface is active, so the distance-254 blackhole route does not appear here; it would only become active if the tunnel route were withdrawn.
FortiGate # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
C       10.10.1.0/24 is directly connected, port3
S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
C       192.168.100.0/24 is directly connected, port1
C       202.103.13.0/24 is directly connected, port2
Traffic test from PC1 on the FortiGate side.
VPCS> show
NAME   IP/MASK        GATEWAY     GATEWAY
VPCS1  10.10.1.2/24   10.10.1.1   fe80::250:79ff:fe66:6804/64
VPCS> ping 10.10.2.2
84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=4.769 ms
84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=2.769 ms
84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=2.194 ms
84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=3.881 ms
84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=2.335 ms
Check the IPsec state on the H3C firewall.
<H3C>display ike sa verbose remote 202.103.13.2
   -----------------------------------------------
   Connection ID: 2
   Outside VPN:
   Inside VPN:
   Profile: to_FortiGate_IPv4_1
   Transmitting entity: Responder
   Initiator cookie: 3f178bf07066db5b
   Responder cookie: 4bc6621ed12c3030
   -----------------------------------------------
   Local IP/port: 202.103.23.2/500
   Local ID type: IPV4_ADDR
   Local ID: 202.103.23.2

   Remote IP/port: 202.103.13.2/500
   Remote ID type: IPV4_ADDR
   Remote ID: 202.103.13.2

   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: SHA256
   Encryption-algorithm: AES-CBC-256

   Life duration(sec): 86400
   Remaining key duration(sec): 83791
   Exchange-mode: Main
   Diffie-Hellman group: Group 14
   NAT traversal: Not detected

   Extend authentication: Disabled
   Assigned IP address:
   Vendor ID index:0xffffffff
   Vendor ID sequence number:0x0

<H3C>display ipsec sa remote 202.103.13.2
-------------------------------
Interface: GigabitEthernet2/0
-------------------------------

  -----------------------------
  IPsec policy: to_FortiGate
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: dh-group14
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Responder
    Path MTU: 1424
    Tunnel:
        local  address: 202.103.23.2
        remote address: 202.103.13.2
    Flow:
        sour addr: 10.10.2.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 10.10.1.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 1271313254 (0x4bc6b366)
      Connection ID: 347892350977
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA256
      SA idle time: 60
      SA duration (kilobytes/sec): 1843200/43200
      SA remaining duration (kilobytes/sec): 1843200/43177
      Max received sequence-number: 0
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 886868385 (0x34dc89a1)
      Connection ID: 347892350976
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA256
      SA idle time: 60
      SA duration (kilobytes/sec): 1843200/43200
      SA remaining duration (kilobytes/sec): 1843200/43177
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N
      Status: Active
View the H3C routing table; it contains the manually configured route to the FortiGate's internal subnet.
<H3C>display ip routing-table

Destinations : 18        Routes : 18

Destination/Mask    Proto   Pre  Cost   NextHop          Interface
0.0.0.0/0           Static  60   0      202.103.23.1     GE2/0
0.0.0.0/32          Direct  0    0      127.0.0.1        InLoop0
10.10.1.0/24        Static  60   0      202.103.23.1     GE2/0
10.10.2.0/24        Direct  0    0      10.10.2.1        GE3/0
10.10.2.1/32        Direct  0    0      127.0.0.1        InLoop0
10.10.2.255/32      Direct  0    0      10.10.2.1        GE3/0
127.0.0.0/8         Direct  0    0      127.0.0.1        InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1        InLoop0
127.255.255.255/32  Direct  0    0      127.0.0.1        InLoop0
192.168.100.0/24    Direct  0    0      192.168.100.6    GE1/0
192.168.100.6/32    Direct  0    0      127.0.0.1        InLoop0
192.168.100.255/32  Direct  0    0      192.168.100.6    GE1/0
202.103.23.0/24     Direct  0    0      202.103.23.2     GE2/0
202.103.23.2/32     Direct  0    0      127.0.0.1        InLoop0
202.103.23.255/32   Direct  0    0      202.103.23.2     GE2/0
224.0.0.0/4         Direct  0    0      0.0.0.0          NULL0
224.0.0.0/24        Direct  0    0      0.0.0.0          NULL0
255.255.255.255/32  Direct  0    0      127.0.0.1        InLoop0
Traffic test from PC2 on the H3C side.
VPCS> show
NAME   IP/MASK        GATEWAY     GATEWAY
VPCS1  10.10.2.2/24   10.10.2.1   fe80::250:79ff:fe66:6805/64
VPCS> ping 10.10.1.2
84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=3.529 ms
84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=2.741 ms
84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=2.472 ms
84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.250 ms
84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=2.193 ms
Packet capture on the FortiGate. Each request arrives on the tunnel interface and leaves on port3, and each reply takes the reverse path, confirming that the traffic is carried inside the tunnel rather than leaving through port2.
FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
2023-04-07 16:07:08.123477 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:08.123667 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:08.123902 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:08.123914 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:09.127191 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:09.127380 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:09.127691 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:09.127700 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:10.131278 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:10.131445 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:10.131618 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:10.131624 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:11.134468 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:11.134502 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:11.134737 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:11.134744 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:12.137190 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:12.137220 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:12.137409 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:12.137416 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
Notes
Capturing VPN payload and ESP packets with the sniffer (the addresses below are generic examples, not the ones used in this setup):
To capture the IKE negotiation of an IPsec VPN:
diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
To capture the ESP-encrypted packets of an IPsec VPN:
diagnose sniffer packet any "host 101.1.1.1 and esp" 4
To capture the cleartext payload traffic carried by an IPsec VPN:
diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
Note: hardware models offload IPsec to the NP (network processor), so the sniffer may miss packets, mainly the ESP packets and the cleartext payload. When you need a complete capture, temporarily disable NPU offload on the tunnel (the tunnel name below is a generic example):
FortiGate # config vpn ipsec phase1-interface
FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
FortiGate (BJ-OSPF-TO-SH) # end