Establishing an IPsec VPN with a Juniper SRX Firewall

Network Requirements

As shown in the figure, two LANs are connected through an IPsec VPN (interface mode) so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can communicate. The IPsec VPN (IKEv1) is established against a Juniper SRX firewall.

Juniper SRX firewall version:

root# show version
## Last changed: 2023-04-11 03:02:08 UTC
version 23.1R1.8;

Network Topology

[Figure: network topology diagram]

Configuration Points

  • Configure the FortiGate
    • Basic Internet access configuration
    • Configure the IPsec VPN
  • Configure the Juniper SRX firewall
    • Basic Internet access configuration
    • Configure the IPsec VPN
  • Note: to delete an IPsec VPN phase 1 or phase 2, first delete the static routes and firewall policies that reference it.

Configuration Steps

FortiGate

  1. Basic Internet access configuration.

  2. Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.

  3. Select the custom IPsec VPN template and click Next.

  4. Configure Network, Authentication, Phase 1 and Phase 2 as shown.

    Note: because the Juniper IPsec configuration wizard creates specific (per-subnet) traffic selectors, it is recommended to configure matching specific traffic selectors on the FortiGate when peering with a Juniper firewall.

    config vpn ipsec phase1-interface
        edit "VPN-to-Remote"
            set interface "port2"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set remote-gw 202.103.23.2
            set psksecret xxxxxxxx
        next
    end
    
    config vpn ipsec phase2-interface
        edit "VPN-to-Remote"
            set phase1name "VPN-to-Remote"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set src-subnet 10.10.1.0 255.255.255.0
            set dst-subnet 10.10.2.0 255.255.255.0
        next
    end
    
  5. Configure the address objects for the VPN subnets and the firewall policies.

    config firewall address
        edit "Local_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
        edit "Remote_10.10.2.0/24"
            set subnet 10.10.2.0 255.255.255.0
        next
    end
    
    config firewall policy
        edit 2
            set name "VPN-Local-to-Remote"
            set srcintf "port3"
            set dstintf "VPN-to-Remote"
            set action accept
            set srcaddr "Local_10.10.1.0/24"
            set dstaddr "Remote_10.10.2.0/24"
            set schedule "always"
            set service "ALL"
        next
        edit 3
            set name "VPN-Remote-to-Local"
            set srcintf "VPN-to-Remote"
            set dstintf "port3"
            set action accept
            set srcaddr "Remote_10.10.2.0/24"
            set dstaddr "Local_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
        next
    end
    
  6. Configure static routes for the VPN subnets.

    The purpose of the "blackhole route" in the VPN-related routing configuration:

    You may run into VPN service problems such as these: SIP phones over the VPN drop from time to time and cannot register with the server; RADIUS authentication over the VPN intermittently fails; APs registering to headquarters over the VPN are interrupted now and then; continuous PRTG monitoring pings to the headquarters server show intermittent outages. The VPN occasionally reconnects for various reasons, for example an unstable Internet link or a PPPoE reconnection that changes the public IP address. At that moment the VPN tunnel goes DOWN briefly and the route to the peer's VPN subnet also disappears briefly, so the VPN service traffic (SIP registration requests, RADIUS, CAPWAP, ICMP) matches the default route and is sent out the WAN (Internet), creating incorrect UDP NAT sessions. Even after the VPN tunnel comes back UP and the route to the VPN subnet is restored, the existing SIP and other VPN flows keep matching those incorrect sessions, which causes the service to malfunction.

    Solutions:

    • Method 1: configure a "blackhole route" to the VPN subnet with administrative distance 254. While the VPN is up this blackhole route is inactive; when the VPN goes down the blackhole route becomes active and the VPN traffic is discarded during the outage instead of being forwarded to the Internet and creating wrong sessions. This is the purpose of the backup blackhole route for the VPN.
    • Method 2: configure a policy with source interface LAN, destination interface WAN, source address the local LAN subnet, destination address the remote LAN subnet and action deny. This drops the (useless) private-subnet traffic headed for the Internet, so the FortiGate does not create such wrong sessions and the intermittent UDP service interruptions are avoided.
    • Method 3: enable "set snat-route-change enable" under the global settings. When a route changes, the related sessions are flagged "dirty", the route cache is cleared and the next hop for the destination IP is looked up again, so when the VPN tunnel recovers the traffic switches back into the tunnel.
      FortiGate # config system global
      FortiGate (global) # set snat-route-change enable
      FortiGate (global) # end

    Any one of the three methods is sufficient. The blackhole route is recommended.

    config router static
        edit 1
            set gateway 202.103.12.1
            set device "port2"
        next
        edit 2
            set dst 10.10.2.0 255.255.255.0
            set device "VPN-to-Remote"
        next
        edit 3
            set dst 10.10.2.0 255.255.255.0
            set distance 254
            set blackhole enable
        next
    end
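
To make the failure mode described in this step concrete, the following Python model (an added example, not FortiGate code) combines longest-prefix routing with administrative distance and a session table, then replays a tunnel flap with and without the distance-254 blackhole route and with snat-route-change. It is a deliberate simplification of FortiOS behaviour, not its implementation.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str          # destination, e.g. "10.10.2.0/24"
    device: str          # egress interface name, or "blackhole"
    distance: int = 10   # FortiOS default administrative distance for static routes
    active: bool = True  # a tunnel route is withdrawn while the tunnel is down


@dataclass
class FortiGateModel:
    """Simplified model (assumption) of the FortiOS routing and session tables."""
    routes: list
    snat_route_change: bool = False
    # constructed session table: (src, dst) -> egress device the flow is pinned to
    sessions: dict = field(default_factory=dict)

    def lookup(self, dst):
        """Longest-prefix match; among equal prefixes the lowest distance wins."""
        ip = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if r.active and ip in net:
                rank = (net.prefixlen, -r.distance)
                if best is None or rank > best[0]:
                    best = (rank, r)
        return best[1] if best else None

    def forward(self, src, dst):
        """Egress device for a packet. An existing session is reused without a
        new route lookup, which is what pins traffic to the wrong path."""
        key = (src, dst)
        if key in self.sessions:
            return self.sessions[key]
        route = self.lookup(dst)
        if route is None or route.device == "blackhole":
            return "dropped"            # discarded, and no session is created
        self.sessions[key] = route.device
        return route.device

    def set_tunnel(self, name, up):
        """Tunnel flap: withdraw or restore its route; sessions bound to a tunnel
        that went down are lost; with snat-route-change every session is flagged
        dirty on the route change and looked up again."""
        for r in self.routes:
            if r.device == name:
                r.active = up
        if not up:
            self.sessions = {k: v for k, v in self.sessions.items() if v != name}
        if self.snat_route_change:
            self.sessions.clear()


def simulate(blackhole, snat_route_change):
    """Tunnel up -> down -> up again; returns the egress used for
    10.10.1.2 -> 10.10.2.2 at each of the three stages."""
    routes = [Route("0.0.0.0/0", "port2"),             # default route to the Internet
              Route("10.10.2.0/24", "VPN-to-Remote")]  # route into the tunnel
    if blackhole:
        routes.append(Route("10.10.2.0/24", "blackhole", distance=254))
    fgt = FortiGateModel(routes, snat_route_change)
    src, dst = "10.10.1.2", "10.10.2.2"
    while_up = fgt.forward(src, dst)
    fgt.set_tunnel("VPN-to-Remote", up=False)
    while_down = fgt.forward(src, dst)
    fgt.set_tunnel("VPN-to-Remote", up=True)
    after_recovery = fgt.forward(src, dst)
    return (while_up, while_down, after_recovery)
```

Without either fix the flow stays pinned to port2 after the tunnel recovers; the blackhole route prevents the bad session from being created, and snat-route-change forces it to be re-evaluated.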
    

Juniper SRX

  1. Basic IP and route configuration.

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 202.103.23.2/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.10.2.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 202.103.23.1;
        }
    }
    
  2. Address objects, Internet access policy (present by default) and source NAT for Internet access.

    security {
        address-book {
            global {
                address Local 10.10.2.0/24;
                address Remote 10.10.1.0/24;
            }
        }
        nat {
            source {
                rule-set Zone_trust-Zone_untrust {
                    from zone trust;
                    to zone untrust;
                    rule to_Internet {      
                        match {
                            source-address-name Local;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address Local;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    
  3. On the IPsec VPN page click "Create VPN" and select "Site to Site".

  4. Enter the IPsec VPN name; set "Routing mode" to "Traffic Selector" (specific traffic selectors, with the route to the peer VPN subnet added automatically), "Authentication method" to "Pre-shared Key", and "Auto-create firewall policy" to "Yes" (the permit policies between the VPN subnets are added automatically). Then click "IKE and IPSec Settings" at the bottom left.

  5. Configure the IKE and IPsec negotiation parameters to match the FortiGate configuration, then click "Remote Gateway" to configure the remote gateway.

  6. Decide according to your environment whether to change "Gateway is behind NAT" and the ID settings. Under "External IP address" enter the FortiGate-side VPN gateway address, under "Protected networks" select the FortiGate-side VPN subnet, and click OK to apply. Then click "Local Gateway" to configure the local gateway.

  7. Click "Local Gateway": set "External interface" to the local public-facing interface, enter the pre-shared key, select the local VPN subnet under "Protected networks", then click "Add" to the right of "Tunnel interface".

  8. Create the tunnel interface, set its unit number and security zone, then apply the local gateway configuration.

  9. Click "Save" to save the IPsec VPN configuration.

    interfaces {
        st0 {
            unit 0 {
                family inet;
            }
        }
    }
    security {
        ike {
            proposal to_FortiGate {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 86385;
            }
            policy to_FortiGate {
                mode main;
                proposals to_FortiGate;     
                pre-shared-key ascii-text "$9$KnSMxNdbs2oJx7Dikqf51REcev"; ## SECRET-DATA
            }
            gateway to_FortiGate {
                ike-policy to_FortiGate;
                address 202.103.13.2;
                dead-peer-detection {
                    optimized;
                    interval 10;
                    threshold 5;
                }
                external-interface ge-0/0/0;
                local-address 202.103.23.2;
                version v1-only;
            }
        }
        ipsec {
            proposal to_FortiGate {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 43200;
            }                               
            policy to_FortiGate {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals to_FortiGate;
            }
            vpn to_FortiGate {
                bind-interface st0.0;
                df-bit clear;
                copy-outer-dscp;
                ike {
                    gateway to_FortiGate;
                    ipsec-policy to_FortiGate;
                }
                traffic-selector ts-1 {
                    local-ip 10.10.2.0/24;
                    remote-ip 10.10.1.0/24;
                }
                establish-tunnels immediately;
            }
        }
    }
    
  10. Review the automatically created security policies between the VPN subnets.

    security {
        policies {
            from-zone trust to-zone untrust {
                policy to_FortiGate-1 {
                    match {
                        source-address Local;
                        destination-address Remote;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone junos-host to-zone untrust {
                policy to_FortiGate-1 {
                    match {
                        source-address Local;
                        destination-address Remote;
                        application any;
                    }
                    then {
                        permit;             
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone untrust to-zone junos-host {
                policy to_FortiGate-2 {
                    match {
                        source-address Remote;
                        destination-address Local;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy to_FortiGate-2 {     
                    match {
                        source-address Remote;
                        destination-address Local;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
        }
    }
    
  11. Finally, click the Commit button at the top right of the page to commit all configuration.

Verification

  1. On the FortiGate, check that the IPsec tunnel is established: add an IPsec monitor widget to the dashboard and confirm the tunnel is up.

    FortiGate # diagnose vpn ike gateway list
    vd: root/0
    name: VPN-to-Remote
    version: 1
    interface: port2 4
    addr: 202.103.13.2:500 -> 202.103.23.2:500
    tun_id: 202.103.23.2/::202.103.23.2
    remote_location: 0.0.0.0
    network-id: 0
    created: 3s ago
    IKE SA: created 1/1  established 1/1  time 10/10/10 ms
    IPsec SA: created 1/1  established 1/1  time 10/10/10 ms
      id/spi: 84 81f7935c958dc231/0d50274a3603ed0c
      direction: initiator
      status: established 3-3s ago = 10ms
      proposal: aes256-sha256
      key: 7617c0e9088a38f0-ba9b72527df54344-75a4f0b475a5c89a-ea60570f9f6a7f36
      lifetime/rekey: 86400/86096
      DPD sent/recv: 00000000/00000000
    
    FortiGate # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=VPN-to-Remote ver=1 serial=1 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=on weig1
    bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overla0
    proxyid_num=1 child_num=0 refcnt=4 ilast=2 olast=2 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=65
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=VPN-to-Remote proto=0 sa=1 ref=2 serial=2 auto-negotiate
      src: 0:10.10.1.0-10.10.1.255:0
      dst: 0:10.10.2.0-10.10.2.255:0
      SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42888/0B replaywin=2048
           seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42902/43200
      dec: spi=0f3295e9 esp=aes key=32 1ef676bbce325c056b2bd2e7bdcc04b53d5493123ffff37734b92d7f0be650dc
           ah=sha256 key=32 1e0dd4317b3cf00168dad8528b820aadae59a09dac665d094324210b22abcadf
      enc: spi=06cf5a4d esp=aes key=32 06d4be5946563a9b7db6ad62c12625e61c18f83807abf62dbdf96d62f4dd2856
           ah=sha256 key=32 a11616829e581b70f3ec1e4fbecde7efb85a6da8cdb1718e34b40e12fbc5779f
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
      npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=1 dec_npuid=0 enc_npuid=0
    run_tally=0
    
  2. Check the FortiGate routing table.

    FortiGate # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
    C       10.10.1.0/24 is directly connected, port3
    S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
    C       192.168.100.0/24 is directly connected, port1
    C       202.103.13.0/24 is directly connected, port2
    
  3. Connectivity test from PC1 on the FortiGate side.

    VPCS> show
    
    NAME   IP/MASK              GATEWAY                             GATEWAY
    VPCS1  10.10.1.2/24         10.10.1.1
           fe80::250:79ff:fe66:6805/64
    
    VPCS> ping 10.10.2.2
    
    84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=4.768 ms
    84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=1.770 ms
    84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=1.698 ms
    84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=2.116 ms
    84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=1.780 ms
    
  4. Check the IPsec connection status on the Juniper firewall.

    root@Juniper-SRX> show security ike security-associations 
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    7667814 UP     81f7935c958dc231  0d50274a3603ed0c  Main           202.103.13.2  
    
    root@Juniper-SRX>  show security ike security-associations 202.103.13.2 detail
    IKE peer 202.103.13.2, Index 7667814, Gateway Name: to_FortiGate
      Role: Responder, State: UP
      Initiator cookie: 81f7935c958dc231, Responder cookie: 0d50274a3603ed0c
      Exchange type: Main, Authentication method: Pre-shared-keys
      Local: 202.103.23.2:500, Remote: 202.103.13.2:500
      Lifetime: Expires in 86162 seconds
      Reauth Lifetime: Disabled
      IKE Fragmentation: Disabled, Size: 0
      Remote Access Client Info: Unknown Client
      Peer ike-id: 202.103.13.2
      AAA assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : hmac-sha256-128 
       Encryption            : aes256-cbc
       Pseudo random function: hmac-sha256
       Diffie-Hellman group  : DH-group-14
      Traffic statistics:
       Input  bytes  :                 2996
       Output bytes  :                 2196
       Input  packets:                   15
       Output packets:                   14
       Input  fragmentated packets:       0
       Output fragmentated packets:       0
      IPSec security associations: 1 created, 0 deleted
      Phase 2 negotiations in progress: 1
        Negotiation type: Quick mode, Role: Responder, Message ID: 0
        Local: 202.103.23.2:500, Remote: 202.103.13.2:500
        Local identity: 202.103.23.2
        Remote identity: 202.103.13.2
        Flags: IKE SA is created
    
    root@Juniper-SRX> show security ipsec security-associations 
      Total active tunnels: 1     Total Ipsec sas: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
      <67108865 ESP:aes-cbc-256/sha256 6cf5a4d 42899/ unlim - root 500 202.103.13.2    
      >67108865 ESP:aes-cbc-256/sha256 f3295e9 42899/ unlim - root 500 202.103.13.2  
    
    root@Juniper-SRX> show security ipsec security-associations vpn-name to_FortiGate detail        
    ID: 67108865 Virtual-system: root, VPN Name: to_FortiGate
      Local Gateway: 202.103.23.2, Remote Gateway: 202.103.13.2
      Traffic Selector Name: ts-1
      Local Identity: ipv4(10.10.2.0-10.10.2.255)
      Remote Identity: ipv4(10.10.1.0-10.10.1.255)
      Version: IKEv1
      DF-bit: clear, Copy-Outer-DSCP Enabled, Bind-interface: st0.0
      Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
      Multi-sa, Configured SAs# 1, Negotiated SAs#: 1 
      Tunnel events: 
        Tue Apr 11 2023 15:42:30
        : IPSec SA negotiation successfully completed          (1 times)
        Tue Apr 11 2023 15:42:30
        : IKE SA negotiation successfully completed            (4 times)
        Tue Apr 11 2023 15:42:29
        : IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
        Tue Apr 11 2023 15:42:25
        : IPSec SA negotiation successfully completed          (1 times)
        Tue Apr 11 2023 15:42:25
        : IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
        Tue Apr 11 2023 15:20:00
        : IPSec SA negotiation successfully completed          (1 times)
        Tue Apr 11 2023 15:20:00
        : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
      Direction: inbound, SPI: 6cf5a4d, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 42865 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 42302 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
      Direction: outbound, SPI: f3295e9, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 42865 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 42302 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
    
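As an added example (not FortiGate or Junos code), the following Python correlates the FortiGate output from verification step 1 with the SRX output from step 4: the IKE cookies must be identical on both sides, and the SPI the FortiGate encrypts with must be the SPI the SRX lists as inbound (and the other way round). The inputs are excerpts of the output shown above, with key material omitted.

```python
import re

# Excerpts of the command output on this page (keys omitted).
FGT_IKE = """\
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms
  id/spi: 84 81f7935c958dc231/0d50274a3603ed0c
  direction: initiator
  proposal: aes256-sha256
"""
FGT_TUNNEL = """\
  dec: spi=0f3295e9 esp=aes key=32 <key omitted>
  enc: spi=06cf5a4d esp=aes key=32 <key omitted>
"""
SRX_IKE = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
7667814 UP     81f7935c958dc231  0d50274a3603ed0c  Main           202.103.13.2
"""
SRX_IPSEC = """\
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108865 ESP:aes-cbc-256/sha256 6cf5a4d 42899/ unlim - root 500 202.103.13.2
  >67108865 ESP:aes-cbc-256/sha256 f3295e9 42899/ unlim - root 500 202.103.13.2
"""


def parse_fgt(ike_text, tunnel_text):
    """Cookies, IKE SA state and ESP SPIs from the FortiGate diagnose output."""
    cookies = re.search(r"id/spi:\s+\d+\s+([0-9a-f]+)/([0-9a-f]+)", ike_text)
    est = re.search(r"IKE SA: created \d+/\d+\s+established (\d+)/\d+", ike_text)
    spis = dict(re.findall(r"(dec|enc): spi=([0-9a-f]+)", tunnel_text))
    return {
        "cookies": (int(cookies.group(1), 16), int(cookies.group(2), 16)),
        "ike_established": int(est.group(1)) > 0,
        "dec_spi": int(spis["dec"], 16),   # SPI on packets the FortiGate receives
        "enc_spi": int(spis["enc"], 16),   # SPI on packets the FortiGate sends
    }


def parse_srx(ike_text, ipsec_text):
    """State, cookies and per-direction SPIs from the SRX show output.
    '<' marks the inbound SA and '>' the outbound SA."""
    m = re.search(r"^\d+\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})", ike_text, re.M)
    spis = {}
    for direction, spi in re.findall(r"^\s*([<>])\d+\s+\S+\s+([0-9a-f]+)", ipsec_text, re.M):
        spis["inbound" if direction == "<" else "outbound"] = int(spi, 16)
    return {"state": m.group(1),
            "cookies": (int(m.group(2), 16), int(m.group(3), 16)),
            "inbound_spi": spis.get("inbound"), "outbound_spi": spis.get("outbound")}


def correlate(fgt, srx):
    """Return the list of failed checks; empty means both sides describe the
    same established IKE SA and the same pair of ESP SAs."""
    problems = []
    if not fgt["ike_established"] or srx["state"] != "UP":
        problems.append("IKE SA not established on both sides")
    if fgt["cookies"] != srx["cookies"]:
        problems.append("IKE cookies differ: not the same IKE SA")
    # What the FortiGate encrypts with is what the SRX must decrypt (inbound).
    if fgt["enc_spi"] != srx["inbound_spi"]:
        problems.append("FortiGate enc SPI != SRX inbound SPI")
    if fgt["dec_spi"] != srx["outbound_spi"]:
        problems.append("FortiGate dec SPI != SRX outbound SPI")
    return problems
```

The leading zero in the FortiGate SPIs (0f3295e9 versus f3295e9 on the SRX) is only a formatting difference, which is why the values are compared as integers.
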
  5. Check the Juniper firewall routing table: it contains the automatically injected route to the FortiGate-side LAN, with the tunnel interface as the outgoing interface.

    root@Juniper-SRX> show route    
    
    inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    0.0.0.0/0          *[Static/5] 00:58:27
                        >  to 202.103.23.1 via ge-0/0/0.0
                        [Access-internal/12] 00:59:24, metric 0
                        >  to 192.168.100.99 via fxp0.0
    10.10.1.0/24       *[Static/5] 00:19:34
                        >  via st0.0
    10.10.2.0/24       *[Direct/0] 00:58:27
                        >  via ge-0/0/1.0
    10.10.2.1/32       *[Local/0] 00:58:27
                           Local via ge-0/0/1.0
    192.168.100.0/24   *[Direct/0] 00:59:24
                        >  via fxp0.0
    192.168.100.4/32   *[Local/0] 00:59:24
                           Local via fxp0.0
    202.103.23.0/24    *[Direct/0] 00:58:27
                        >  via ge-0/0/0.0
    202.103.23.2/32    *[Local/0] 00:58:27
                           Local via ge-0/0/0.0
    
  6. Connectivity test from PC2 on the Juniper firewall side.

    VPCS> show          
    
    NAME   IP/MASK              GATEWAY                             GATEWAY
    VPCS1  10.10.2.2/24         10.10.2.1
           fe80::250:79ff:fe66:6806/64
    
    VPCS> ping 10.10.1.2
    
    84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=1.410 ms
    84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=1.547 ms
    84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=1.624 ms
    84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.176 ms
    84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=1.661 ms
    
  7. Packet capture on the FortiGate side.

    FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
    2023-04-11 15:49:30.598552 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:30.598585 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:30.598754 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:30.598761 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:31.601426 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:31.601457 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:31.601769 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:31.601774 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:32.604474 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:32.604508 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:32.604694 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:32.604701 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:33.607589 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:33.607647 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:33.608105 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:33.608124 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:34.609922 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:34.609955 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-11 15:49:34.610140 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-11 15:49:34.610153 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    

Notes

  1. Using the sniffer to capture VPN service traffic and ESP packets:

    • Capture the IPsec VPN IKE negotiation packets:

      diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
      
    • Capture the IPsec VPN ESP-encrypted packets:

      diagnose sniffer packet any "host 101.1.1.1 and esp" 4
      
    • Capture the plaintext VPN service packets:

      diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
      
    • Note: because hardware platforms offload IPsec VPN to an acceleration chip, the capture may be incomplete (mainly the ESP packets and the plaintext service packets are not fully captured). It is therefore sometimes necessary to disable NP offload on the VPN tunnel:

      FortiGate # config vpn ipsec phase1-interface
      FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
      FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
      FortiGate (BJ-OSPF-TO-SH) # end
      
  2. Juniper firewall related:

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2023-09-12 15:24:01