Establishing an IPsec VPN with a Huawei USG6000V Firewall

Network Requirements

As shown in the topology, two LANs are connected over an IPsec VPN (interface mode) so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can communicate. The peer is a Huawei USG6000V firewall, and the tunnel is negotiated with IKEv1.

Huawei USG6000V firewall version:

<USG6000V2>display version 
2023-04-06 17:43:15.520 +08:00
Huawei Versatile Routing Platform Software
VRP (R) Software, Version 5.170 (USG6000V2 V500R005C00SPC100)
Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.
USG6000V2 uptime is 0 week, 0 day, 2 hours, 40 minutes
IPS Signature Database Version   : 2018070605
IPS Engine Version               : V200R005C00SPC037
AV Signature Database Version    : 
SA Signature Database Version    : 2018062700
C&C Domain Name Database Version : 
FILE Reputation Database Version : 
Location Database Version        : 2014010414

Network Topology

[Figure: network topology]

Configuration Overview

  • Configure the FortiGate
    • Basic Internet access configuration
    • Configure the IPsec VPN
  • Configure the Huawei USG6000V firewall
    • Basic Internet access configuration
    • Configure the IPsec VPN
  • Note: to delete the IPsec VPN phase 1 or phase 2 configuration, first delete the routes and firewall security policies that reference it.

Configuration Steps

FortiGate

  1. Basic Internet access configuration.

    [screenshots: interface, route and policy configuration]

  2. Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.

    [screenshot]

  3. Select the Custom IPsec VPN template and click Next.

    [screenshot]

  4. Configure the network, authentication, phase 1 and phase 2 settings as shown.

    Note: unlike Cisco, Palo Alto, Juniper and Hillstone, which build IPsec on a virtual interface with an all-zero (0.0.0.0/0) traffic selector, Huawei firewalls usually build IPsec on a physical interface and require specific traffic selectors. The FortiGate side must therefore define the same specific selectors (the local and remote subnets); an all-zero selector will not match.

    [screenshot]

    config vpn ipsec phase1-interface
        edit "VPN-to-Remote"
            set interface "port2"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set remote-gw 202.103.23.2
            set psksecret xxxxxxxx
        next
    end
    
    config vpn ipsec phase2-interface
        edit "VPN-to-Remote"
            set phase1name "VPN-to-Remote"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set src-subnet 10.10.1.0 255.255.255.0
            set dst-subnet 10.10.2.0 255.255.255.0
        next
    end
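As an added check that is not part of the original page, the following Python snippet parses the FortiGate phase2 selectors and the USG ACL rule used later on this page (both embedded as constructed samples copied from the configuration) and verifies that they are exact mirrors, rejecting an all-zero selector; the wildcard-to-netmask conversion is the USG-specific part.

```python
# Added example (not from the page): verify that the FortiGate phase2
# selectors mirror the Huawei USG ACL 3000 rule, as the step 4 note requires.
import ipaddress
import re

# Constructed samples copied from the two configuration blocks on this page.
FGT_PHASE2 = """\
set src-subnet 10.10.1.0 255.255.255.0
set dst-subnet 10.10.2.0 255.255.255.0
"""
USG_ACL_RULE = ("rule 5 permit ip source 10.10.2.0 0.0.0.255 "
                "destination 10.10.1.0 0.0.0.255")

ANY = ipaddress.ip_network("0.0.0.0/0")


def fgt_selectors(phase2_text):
    """Return (src, dst) networks from 'set src-subnet/dst-subnet ADDR MASK' lines."""
    nets = {}
    for m in re.finditer(r"set (src|dst)-subnet (\S+) (\S+)", phase2_text):
        nets[m.group(1)] = ipaddress.ip_network(
            f"{m.group(2)}/{m.group(3)}", strict=False)
    return nets["src"], nets["dst"]


def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard (inverse) masks: 0.0.0.255 means /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(
        f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def usg_selectors(acl_rule):
    """Return (src, dst) networks from a 'permit ip source A W destination B W' rule."""
    m = re.search(r"source (\S+) (\S+) destination (\S+) (\S+)", acl_rule)
    return (wildcard_to_network(m.group(1), m.group(2)),
            wildcard_to_network(m.group(3), m.group(4)))


def check_selectors(phase2_text, acl_rule):
    """'ok' when FortiGate src/dst equal the USG dst/src; otherwise a reason."""
    f_src, f_dst = fgt_selectors(phase2_text)
    u_src, u_dst = usg_selectors(acl_rule)
    if ANY in (f_src, f_dst):
        return "fortigate selector is all-zero; the USG ACL needs specific subnets"
    if f_src == u_dst and f_dst == u_src:
        return "ok"
    return f"mismatch: FortiGate {f_src}->{f_dst} vs USG {u_src}->{u_dst}"


if __name__ == "__main__":
    print(check_selectors(FGT_PHASE2, USG_ACL_RULE))  # ok
```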
    
  5. Configure address objects for the VPN subnets and the firewall policies.

    [screenshots: address objects and firewall policies]

    config firewall address
        edit "Local_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
        edit "Remote_10.10.2.0/24"
            set subnet 10.10.2.0 255.255.255.0
        next
    end
    
    config firewall policy
        edit 2
            set name "VPN-Local-to-Remote"
            set srcintf "port3"
            set dstintf "VPN-to-Remote"
            set action accept
            set srcaddr "Local_10.10.1.0/24"
            set dstaddr "Remote_10.10.2.0/24"
            set schedule "always"
            set service "ALL"
        next
        edit 3
            set name "VPN-Remote-to-Local"
            set srcintf "VPN-to-Remote"
            set dstintf "port3"
            set action accept
            set srcaddr "Remote_10.10.2.0/24"
            set dstaddr "Local_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
        next
    end
    
  6. Configure static routes for the VPN subnets.

    Why the VPN route configuration includes a blackhole route:

    You may run into VPN service problems such as these: SIP phones over the VPN drop from time to time and cannot register with the server; RADIUS authentication over the VPN frequently fails; APs registering to headquarters over the VPN are disconnected intermittently; continuous PRTG monitoring pings to the headquarters server periodically show outages. The VPN sometimes reconnects for various reasons (an unstable Internet link, a PPPoE reconnect that changes the public IP, and so on). The tunnel goes down briefly, and the route to the peer's VPN subnet disappears with it. During that window the VPN service traffic (SIP registration requests, RADIUS, CAPWAP, ICMP) matches the default route and is sent out the WAN (Internet), which creates incorrect UDP NAT sessions. Even after the tunnel comes back up and the route to the VPN subnet is restored, the existing SIP and other VPN flows keep matching those incorrect sessions, so the service stays broken.

    Solutions:

    • Method 1: configure a blackhole route to the VPN subnet with administrative distance 254. While the VPN is up this blackhole route is inactive; when the VPN goes down, the blackhole route becomes active and drops the VPN traffic instead of forwarding it to the Internet, so no incorrect sessions are created. This is the purpose of the backup blackhole route for the VPN.
    • Method 2: configure a deny policy with source interface LAN, destination interface WAN, source address the local internal subnet and destination address the remote internal subnet. This drops the (useless) private-address traffic headed for the Internet, so the FortiGate never creates such incorrect sessions and the intermittent UDP service outages are avoided.
    • Method 3: enable "set snat-route-change enable" under config system global. Whenever a route changes, the affected sessions are flagged as "dirty", the route cache is cleared and the next hop for the destination IP is looked up again, so when the VPN tunnel recovers, traffic switches back into the tunnel accordingly.
      FortiGate # config system global
      FortiGate (global) # set snat-route-change enable                             
      FortiGate (global) # end
      
    Any one of the three methods is sufficient. The blackhole route method is recommended.

    [screenshot: static routes]

    config router static
        edit 1
            set gateway 202.103.13.1
            set device "port2"
        next
        edit 2
            set dst 10.10.2.0 255.255.255.0
            set device "VPN-to-Remote"
        next
        edit 3
            set dst 10.10.2.0 255.255.255.0
            set distance 254
            set blackhole enable
        next
    end
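To make the blackhole logic concrete, here is an added Python model of the FortiGate's route selection (this is not code from the page or from FortiOS): longest prefix wins first, then the lowest administrative distance, and a route bound to the tunnel interface is withdrawn while that tunnel is down. The entries mirror the static routes above; 10 is the FortiOS default distance for static routes.

```python
# Added example (not from the page or FortiOS): a model of the FortiGate's
# route selection that shows why the distance-254 blackhole route helps.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str            # destination prefix, e.g. "10.10.2.0/24"
    device: str         # egress interface, or "blackhole"
    distance: int = 10  # FortiOS default administrative distance for static routes


# Mirrors entries 1-3 of the 'config router static' block above.
ROUTES = [
    StaticRoute("0.0.0.0/0", "port2"),
    StaticRoute("10.10.2.0/24", "VPN-to-Remote"),
    StaticRoute("10.10.2.0/24", "blackhole", distance=254),
]

TUNNEL_IF = "VPN-to-Remote"


def best_route(dst_ip, routes, tunnel_up):
    """Longest prefix match first, then lowest distance. A route bound to the
    tunnel interface leaves the table while the tunnel is down, which is
    exactly the window the blackhole route is meant to cover."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for r in routes:
        if r.device == TUNNEL_IF and not tunnel_up:
            continue                      # interface route disappears with the tunnel
        if ip in ipaddress.ip_network(r.dst):
            candidates.append(r)
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.dst).prefixlen, -r.distance))


def egress(dst_ip, routes, tunnel_up):
    """Interface the packet leaves on; 'blackhole' means it is dropped."""
    return best_route(dst_ip, routes, tunnel_up).device


if __name__ == "__main__":
    print(egress("10.10.2.2", ROUTES, tunnel_up=True))       # VPN-to-Remote
    print(egress("10.10.2.2", ROUTES, tunnel_up=False))      # blackhole: dropped, no bad session
    print(egress("10.10.2.2", ROUTES[:2], tunnel_up=False))  # port2: leaks to the Internet
```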
    

Huawei USG6000V

  1. Basic IP and routing configuration.

    [screenshots: interface and static route configuration]

    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 202.103.23.2 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip address 10.10.2.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/0
     add interface GigabitEthernet1/0/1
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet1/0/0
    #
    ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 202.103.23.1
    
  2. Address objects, security policy and NAT configuration.

    [screenshots: address objects, security policy and NAT policy]

    ip address-set Local_10.10.2.0/24 type object
     address 0 10.10.2.0 mask 24
    #
    ip address-set Remote_10.10.1.0/24 type object
     address 0 10.10.1.0 mask 24
    #
    security-policy
     default action permit
     rule name to_Internet
      source-zone trust
      destination-zone untrust
      source-address address-set Local_10.10.2.0/24
      action permit
    #
    nat-policy
     rule name to_Internet
      source-zone trust
      destination-zone untrust
      source-address address-set Local_10.10.2.0/24
      action source-nat easy-ip
    
  3. Configure IPsec: create a new IPsec VPN policy.

    [screenshot]

  4. Configure the parameters as shown below. The security proposals must match the FortiGate side (for the protected data flow, do not select an address object; enter the subnets manually, otherwise phase 2 may fail to establish). Enable reverse route injection.

    [screenshot: IPsec policy parameters]

    acl number 3000
     rule 5 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
    #
    ike proposal 1
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ike64165343931
     pre-shared-key %^%#GFRw6k/f}&DP2(A}Sh*9",ym@xVr%!NO~3!N]5u!%^%#
     ike-proposal 1
     remote-id-type none
     dpd type periodic
     remote-address 202.103.13.2
    #
    ipsec policy ipsec6416534390 1 isakmp
     security acl 3000
     pfs dh-group14
     ike-peer ike64165343931
     proposal prop64165343931
     tunnel local applied-interface
     alias to_FortiGate                       
     sa trigger-mode auto
     sa duration traffic-based 10485760
     sa duration time-based 43200
     route inject dynamic
    
  5. Configure security policies that permit the VPN subnets, and move them above the Internet access policy.

    [screenshot: security policy order]

    security-policy
     default action permit
     rule name VPN_to_FortiGate
      source-zone trust
      destination-zone untrust
      source-address address-set Local_10.10.2.0/24
      destination-address address-set Remote_10.10.1.0/24
      action permit
     rule name VPN_from_FortiGate
      source-zone untrust
      destination-zone trust
      source-address address-set Remote_10.10.1.0/24
      destination-address address-set Local_10.10.2.0/24
      action permit
     rule name to_Internet
      source-zone trust
      destination-zone untrust
      source-address address-set Local_10.10.2.0/24
      action permit
    
  6. The Huawei firewall's forwarding order applies SNAT before IPsec. With the SNAT rule configured earlier, VPN traffic from 10.10.2.2 to 10.10.1.2 would be source-NATed to the public IP 202.103.23.2 before it reaches IPsec processing; it would then no longer match the interesting-traffic ACL and could not be encrypted. An additional SNAT bypass rule (no-nat) for the VPN traffic is therefore needed, placed at the top of the NAT policy so that it matches first.

    [screenshot: NAT policy order]

    nat-policy
     rule name VPN_to_FortiGate
      source-zone trust
      destination-zone untrust
      source-address address-set Local_10.10.2.0/24
      destination-address address-set Remote_10.10.1.0/24
      action no-nat
     rule name to_Internet                    
      source-zone trust
      destination-zone untrust
      source-address address-set Local_10.10.2.0/24
      action source-nat easy-ip
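The following added Python model (not the page's or Huawei's code) walks a packet through the order described above: nat-policy first match, then the IPsec ACL check on the post-NAT packet. Rule contents, the ACL and the WAN address mirror the configuration on this page; it also shows that a no-nat rule placed after to_Internet never matches.

```python
# Added example (not from the page or Huawei): a model of the USG order of
# operations described above, nat-policy (first match) before the IPsec ACL.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

WAN_IP = "202.103.23.2"   # GigabitEthernet1/0/0, the address easy-ip translates to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    name: str
    src_net: str
    dst_net: Optional[str]  # None means any destination
    action: str             # "no-nat" or "source-nat easy-ip"


def in_net(ip, net):
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def apply_nat(pkt, rules):
    """First matching nat-policy rule wins; returns the post-NAT packet and rule name."""
    for r in rules:
        if in_net(pkt.src, r.src_net) and in_net(pkt.dst, r.dst_net):
            if r.action == "source-nat easy-ip":
                return replace(pkt, src=WAN_IP), r.name
            return pkt, r.name
    return pkt, None


def matches_ipsec_acl(pkt):
    """acl number 3000 rule 5: permit ip 10.10.2.0/24 -> 10.10.1.0/24."""
    return in_net(pkt.src, "10.10.2.0/24") and in_net(pkt.dst, "10.10.1.0/24")


def forward(pkt, nat_rules):
    """Returns (path, source address on the wire, matched NAT rule)."""
    after_nat, rule = apply_nat(pkt, nat_rules)
    path = "ipsec" if matches_ipsec_acl(after_nat) else "internet-unencrypted"
    return path, after_nat.src, rule


# Step 2 nat-policy: only the Internet SNAT rule.
NAT_STEP2 = [NatRule("to_Internet", "10.10.2.0/24", None, "source-nat easy-ip")]
VPN_BYPASS = NatRule("VPN_to_FortiGate", "10.10.2.0/24", "10.10.1.0/24", "no-nat")
NAT_STEP6 = [VPN_BYPASS] + NAT_STEP2        # bypass placed first, as in step 6
NAT_WRONG_ORDER = NAT_STEP2 + [VPN_BYPASS]  # bypass after to_Internet never matches

if __name__ == "__main__":
    vpn_pkt = Packet("10.10.2.2", "10.10.1.2")
    print(forward(vpn_pkt, NAT_STEP2))  # ('internet-unencrypted', '202.103.23.2', 'to_Internet')
    print(forward(vpn_pkt, NAT_STEP6))  # ('ipsec', '10.10.2.2', 'VPN_to_FortiGate')
```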
    

Verification

  1. On the FortiGate, confirm that the IPsec tunnel is up: add an IPsec monitor widget to the dashboard, which shows the tunnel as established.

    [screenshot: IPsec monitor]

    FortiGate # diagnose vpn ike gateway list 
    
    vd: root/0
    name: VPN-to-Remote
    version: 1
    interface: port2 4
    addr: 202.103.13.2:500 -> 202.103.23.2:500
    tun_id: 202.103.23.2/::202.103.23.2
    remote_location: 0.0.0.0
    network-id: 0
    created: 490s ago
    IKE SA: created 1/1  established 1/1  time 210/210/210 ms
    IPsec SA: created 1/2  established 1/1  time 390/390/390 ms
      id/spi: 257 05b470e04dc4363a/7f25ce9c15e94de3
      direction: initiator
      status: established 490-490s ago = 210ms
      proposal: aes256-sha256
      key: 9b5842bda3877c51-ebbc39ba4a960fde-f76d2defdebe67bd-de35bd7bc5720ec2
      lifetime/rekey: 86400/85609
      DPD sent/recv: 0000004d/135cb4c9
    
    FortiGate # diagnose vpn tunnel list 
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=VPN-to-Remote ver=1 serial=1 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=1
    bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=10
    proxyid_num=1 child_num=0 refcnt=4 ilast=15 olast=15 ad=/0
    stat: rxp=12 txp=12 rxb=1008 txb=1008
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=77
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=VPN-to-Remote proto=0 sa=1 ref=4 serial=1 auto-negotiate
      src: 0:10.10.1.0-10.10.1.255:0
      dst: 0:10.10.2.0-10.10.2.255:0
      SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42436/0B replaywin=2048
           seqno=d esn=0 replaywin_lastseq=0000000d qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42929/43200
      dec: spi=34dc8977 esp=aes key=32 947441e7c4d219ad7c0cb909942e17d2c8e25b42346ea53f301ba37161d2fdef
           ah=sha256 key=32 df58345781028ba4ac18cc037ce667e974941e4ff544b7368f523307c83d4ea4
      enc: spi=0b11f21b esp=aes key=32 d5dcfee82b332abf9bb62c620c3e42ee42c0f6c990fa380204b02b83f0acdbff
           ah=sha256 key=32 16b2afbcec0b0feb10cf4dedba31d99e3c59ce020823a88b9b99122b02bedf65
      dec:pkts/bytes=24/2016, enc:pkts/bytes=24/2880
      npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=0 dec_npuid=0 enc_npuid=0
    run_tally=0
    
  2. View the FortiGate routing table.

    FortiGate # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
    C       10.10.1.0/24 is directly connected, port3
    S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
    C       192.168.100.0/24 is directly connected, port1
    C       202.103.13.0/24 is directly connected, port2
    
  3. Connectivity test from PC1 on the FortiGate side.

    VPCS> show
    NAME   IP/MASK              GATEWAY                             GATEWAY
    VPCS1  10.10.1.2/24         10.10.1.1
           fe80::250:79ff:fe66:6804/64
    
    VPCS> ping 10.10.2.2
    84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=5.413 ms
    84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=2.511 ms
    84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=2.242 ms
    84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=1.902 ms
    84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=2.080 ms
    
  4. Check the IPsec connection status on the Huawei firewall.

    [screenshot: IPsec status]

    <USG6000V2>display ike sa verbose remote 202.103.13.2
    2023-04-06 17:27:29.590 +08:00
    Ike sa verbose information :
    ---------------------------------------------------------------
    Ike Sa phase   : 1
    Establish Time : 2023-04-06 17:16:56 
    PortCfg Index  : 0x6
    IKE Peer Name  : ike64165343931           
    Connection Id  : 347
    Version        : v1
    Exchange Mode  : Main
    Flow VPN       :       
    Peer VPN       :       
    ---------------------------------------------------------------
    Intiator Cookie                        : 0x05b470e04dc4363a
    Responder Cookie                       : 0x7f25ce9c15e94de3
    Local Address                          : 202.103.23.2
    Remote Address                         : 202.103.13.2:500
    Encryption Algorithm                   : AES-256
    Authentication Algorithm               : SHA2-256
    Authentication Method                  : Pre-Shared key
    DPD Capability                         : Yes
    DPD Enable                             : Yes
    Remaining Duration                     : 85766
    Reference Counter                      : 1
    Flags                                  : RD|A
    Remote Id Type                         : IP
    Remote Id                              : 202.103.13.2
    DH Group                               : 14
    NAT Traversal Version                  : RFC3947
    ModeCfg IP                             : -
    ---------------------------------------------------------------
      Number of IKE SA : 1
    
    <USG6000V2> display ipsec sa remote 202.103.13.2
    2023-04-06 17:28:30.260 +08:00
    ipsec sa information:
    ===============================
    Interface: GigabitEthernet1/0/0
    ===============================
      -----------------------------
      IPSec policy name: "ipsec6416534390"
      Sequence number  : 1
      Acl group        : 3000
      Acl rule         : 5
      Mode             : ISAKMP
      -----------------------------
        Connection ID     : 350
        Encapsulation mode: Tunnel
        Holding time      : 0d 0h 11m 32s
        Tunnel local      : 202.103.23.2:500
        Tunnel remote     : 202.103.13.2:500
        Flow source       : 10.10.2.0/255.255.255.0 0/0-65535
        Flow destination  : 10.10.1.0/255.255.255.0 0/0-65535
        [Outbound ESP SAs] 
          SPI: 886868343 (0x34dc8977)
          Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
          SA remaining key duration (kilobytes/sec): 10485759/42508
          Max sent sequence-number: 18        
          UDP encapsulation used for NAT traversal: N
          SA encrypted packets (number/bytes): 17/1428
        [Inbound ESP SAs] 
          SPI: 185725467 (0xb11f21b)
          Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
          SA remaining key duration (kilobytes/sec): 10485759/42508
          Max received sequence-number: 1
          UDP encapsulation used for NAT traversal: N
          SA decrypted packets (number/bytes): 17/1428
          Anti-replay : Enable
          Anti-replay window size: 1024
    
  5. View the Huawei firewall's routing table; a route to the FortiGate's internal subnet has been added automatically.

    [USG6000V2]display ip routing-table 
    2023-04-06 17:32:20.280 +08:00
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 8        Routes : 8        
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
            0.0.0.0/0   Static  60   0           D   202.103.23.1    GigabitEthernet1/0/0
          10.10.1.0/24  Unr     70   0           D   202.103.13.2    GigabitEthernet1/0/0
          10.10.2.0/24  Direct  0    0           D   10.10.2.1       GigabitEthernet1/0/1
          10.10.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/1
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       202.103.23.0/24  Direct  0    0           D   202.103.23.2    GigabitEthernet1/0/0
       202.103.23.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
    
  6. Connectivity test from PC2 on the Huawei side.

    VPCS> show
    
    NAME   IP/MASK              GATEWAY                             GATEWAY
    VPCS1  10.10.2.2/24         10.10.2.1
           fe80::250:79ff:fe66:6805/64
    
    VPCS> ping 10.10.1.2
    
    84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=3.139 ms
    84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=2.126 ms
    84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=2.508 ms
    84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.257 ms
    84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=1.767 ms
    
  7. Packet capture on the FortiGate.

    FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
    2023-04-06 17:30:20.440445 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:20.441055 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:20.441296 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:20.441308 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:21.444661 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:21.444753 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:21.444962 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:21.444969 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:22.447197 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:22.447332 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:22.447520 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:22.447527 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:23.451289 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:23.451454 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:23.451667 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:23.451676 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:24.453906 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:24.453939 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-06 17:30:24.454165 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-06 17:30:24.454176 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    

Notes

Capturing VPN payload and ESP packets with the sniffer:

  • Capture the IPsec VPN IKE negotiation packets:

    diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
    
  • Capture the IPsec VPN ESP encrypted packets:

    diagnose sniffer packet any "host 101.1.1.1 and esp" 4
    
  • Capture the cleartext VPN payload packets:

    diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
    
  • Note: hardware appliances accelerate IPsec VPN in an NP chip, so captures may be incomplete, mainly for ESP and cleartext payload packets. It is therefore sometimes necessary to disable NP offload on the VPN tunnel:

    FortiGate # config vpn ipsec phase1-interface        
    FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH        
    FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
    FortiGate (BJ-OSPF-TO-SH) # end
    

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised: 2023-09-12 15:24:01
