Establishing an IPsec VPN with Openswan

Network requirements

Connect two LANs with an IPsec VPN (interface mode) so that the 192.168.0.0/24 and 192.168.1.0/24 subnets can reach each other.

Network topology

[figure: network topology]

Configuration steps

FortiGate IPsec configuration

  1. Basic configuration

    Configure the interface IP addresses and routes.

    [screenshots: interface IP and route configuration]

  2. Configure IPsec

    Go to VPN --> IPsec Tunnels, click Create New and choose IPsec Tunnel.

    [screenshot: creating the IPsec tunnel]

    Follow the VPN Creation Wizard to set up the VPN template: enter a name and, since there is no NAT in this topology, choose "No NAT between sites", then click Next.

    [screenshot: wizard, name and NAT selection]

    Enter the remote device's IP address (the outgoing interface is selected automatically from the routing table) and the pre-shared key.

    [screenshot: remote IP address and pre-shared key]

    Select the Local Interface, i.e. the internal interface whose network IPsec is to protect (port10 here). The local subnet is filled in automatically with the network of that interface's IP address (adjust it if a different network is to be protected). Enter the Remote Subnets, i.e. the remote network to be protected, then click Next.

    [screenshot: local interface, local and remote subnets]

    The VPN Creation Wizard shows a summary of what is about to be created; click Finish.

    [screenshot: wizard summary]

    The VPN has been created.

    [screenshot: tunnel created]

  3. Configure DPD and auto-negotiation

    Enable DPD in phase 1 so that the peer's status is checked every 10 s.

    config vpn ipsec phase1-interface
        edit "to-openswan"
            set dpd on-idle
            set dpd-retrycount 3
            set dpd-retryinterval 10
        next
    end
    

    Enable auto-negotiation so that the tunnel is brought up proactively instead of being negotiated only when VPN traffic triggers it; this reduces packet loss for the application traffic. It only needs to be enabled on the side that initiates the VPN.

    Phase 1 auto-negotiation is enabled by default.

    config vpn ipsec phase1-interface
        edit "to-openswan"
            set auto-negotiate enable 
        next
    end
    

    Phase 2 auto-negotiation is disabled by default and must be enabled.

    config vpn ipsec phase2-interface
        edit "to-openswan"
            set auto-negotiate enable
        next
    end
    

Viewing the configuration generated by the IPsec wizard

  1. Address objects

    [screenshot: address objects]

  2. IPsec configuration

    [screenshot: IPsec tunnel settings]

    config vpn ipsec phase1-interface
        edit "to-openswan"
            set interface "port9"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set comments "VPN: to-openswan (Created by VPN wizard)"
            set wizard-type static-fortigate
            set remote-gw 200.1.1.2
            set psksecret ENC p62NOSnHRHf0H/FDMjbdenLf9XFZ8AWBxxp4ztydCj8wqSRTiYDcbEBov4ZKf/5xUwzXl3tE3mUPLyRP9h6gq1YJGR2kocyO1hqc/Iy3hQa+LYORLlznaMEKcxm6bKsNPeJHCe+FiOBatOW6pw9y8Vxwbp1yGvTkkKmyzfW3FWWzwbFHsa1AxigVRlZCsEKIzbW3dw==
            set dpd-retryinterval 10
        next
    end
    config vpn ipsec phase2-interface
        edit "to-openswan"
            set phase1name "to-openswan"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set comments "VPN: to-openswan (Created by VPN wizard)"
            set src-addr-type name
            set dst-addr-type name
            set src-name "to-openswan_local"
            set dst-name "to-openswan_remote"
        next
    end
    
  3. Firewall policies

    [screenshot: firewall policies]

  4. Routes

    [screenshot: static routes]

Configuring Openswan

  1. Interface and route configuration

    # ifconfig 
    ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 200.1.1.2  netmask 255.255.255.0  broadcast 200.1.1.255
            inet6 fe80::2652:4dd7:5d0e:941d  prefixlen 64  scopeid 0x20<link>
            inet6 240e:604:109:39::216  prefixlen 64  scopeid 0x0<global>
            ether 00:0c:29:37:f0:ac  txqueuelen 1000  (Ethernet)
            RX packets 10  bytes 2266 (2.2 KiB)
            RX errors 0  dropped 500  overruns 0  frame 0
            TX packets 18  bytes 2284 (2.2 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    ens256: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 fe80::227:594:d82:e098  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:37:f0:b6  txqueuelen 1000  (Ethernet)
            RX packets 2519  bytes 389134 (380.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 150  bytes 10928 (10.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         200.1.1.1       0.0.0.0         UG    106    0        0 ens224
    192.168.1.0     0.0.0.0         255.255.255.0   U     105    0        0 ens256
    200.1.1.0       0.0.0.0         255.255.255.0   U     106    0        0 ens224
    
  2. Install Openswan

    CentOS version used in the test environment:

    # rpm --query centos-release
    centos-release-7-9.2009.1.el7.centos.x86_64
    
    # uname -a
    Linux centos7-3 3.10.0-1160.49.1.el7.x86_64 #1 SMP Tue Nov 30 15:51:32 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    

    Install Openswan:

    yum install -y openswan
    

    List the configuration files installed by the package (the openswan package installs libreswan, openswan's successor):

    # rpm -qc libreswan
    /etc/ipsec.conf
    /etc/ipsec.d/policies/block
    /etc/ipsec.d/policies/clear
    /etc/ipsec.d/policies/clear-or-private
    /etc/ipsec.d/policies/portexcludes.conf
    /etc/ipsec.d/policies/private
    /etc/ipsec.d/policies/private-or-clear
    /etc/ipsec.secrets
    /etc/pam.d/pluto
    
  3. Enable IPv4 forwarding and disable ICMP redirects

    # persistently enable IPv4 forwarding (the heredoc must contain the bare key=value line, not an echo command)
    cat >> /etc/sysctl.conf << EOF
    net.ipv4.ip_forward = 1
    EOF
    
    # preview the ICMP redirect keys that will be set to 0, then append them to /etc/sysctl.conf and apply
    sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}'
    sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
    sysctl -p /etc/sysctl.conf
    
  4. Disable SELinux

    Temporarily: setenforce 0
    
    Permanently:
    # vi /etc/selinux/config
    SELINUX=disabled
    
  5. Disable the firewall, or open the ports IPsec requires: UDP 500, UDP 4500 and ESP

    Here the firewall is disabled:

    systemctl stop firewalld
    systemctl disable firewalld
    
  6. Configure Openswan

    /etc/ipsec.conf contains the following include by default; it is recommended to add each IPsec connection as a separate file under /etc/ipsec.d/:
    include /etc/ipsec.d/*.conf
    
    /etc/ipsec.secrets contains the following include by default; it is recommended to add the IPsec pre-shared keys as a separate file under /etc/ipsec.d/:
    include /etc/ipsec.d/*.secrets
    

    Configure the IPsec pre-shared key:

    vim /etc/ipsec.d/ipsec.secrets
    100.1.1.2  : psk "ipsec-key"
    
    Format: the local IP used for the connection, a space, the remote gateway IP, a space, a colon, a space, the keyword PSK, a space and the pre-shared key. There is a space on each side of the colon, and the key is enclosed in double quotes.
    

    Configure the IPsec connection:

    vim /etc/ipsec.d/ipsec.conf
    # IPsec connection name
    conn ipsec1
    
    # phase 1
    # authenticate with a pre-shared secret
      authby=secret
    # start: initiate the IPsec connection as soon as the ipsec service starts; add: only load the connection and bring it up manually with "ipsec auto --up <connection name>"
      auto=start
    # phase 1 cipher suite
      ike=aes128-sha1;modp1536
    # IKE key exchange
      keyexchange=ike
    # phase 1 lifetime
      ikelifetime=86400s
    # no = main mode (default); yes = aggressive mode
      aggrmode=no
    
    # phase 2
    # phase 2 encapsulation protocol
      phase2=esp
    # phase 2 cipher suite
      phase2alg=aes128-sha1;modp1536
    # disable compression
      compress=no
    # enable PFS
      pfs=yes
    # phase 2 lifetime
      salifetime=3600s
    # tunnel mode
      type=tunnel
    # local IP
      left=200.1.1.2
    # local subnet
      leftsubnet=192.168.1.0/24
    # remote VPN gateway IP
      right=100.1.1.2
    # remote subnet
      rightsubnet=192.168.0.0/24
    # next hop towards the remote gateway taken from the default route
      rightnexthop=%defaultroute
    # enable DPD: send a DPD probe every 10 s; if no reply arrives within 30 s, clear the IPsec connection
      dpddelay=10
      dpdtimeout=30
      dpdaction=clear
    

    Start the IPsec service:

    systemctl start ipsec
    systemctl enable ipsec
    

    Validate the configuration with ipsec verify. If every item reports OK, the configuration is correct.

    # ipsec verify
    Verifying installed system and configuration files
    Version check and ipsec on-path                         [OK]
    Libreswan 3.25 (netkey) on 3.10.0-1160.49.1.el7.x86_64
    Checking for IPsec support in kernel                    [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects                    [OK]
             ICMP default/accept_redirects                  [OK]
             XFRM larval drop                               [OK]
    Pluto ipsec.conf syntax                                 [OK]
    Two or more interfaces found, checking IP forwarding    [OK]
    Checking rp_filter                                      [OK]
    Checking that pluto is running                          [OK]
     Pluto listening for IKE on udp 500                     [OK]
     Pluto listening for IKE/NAT-T on udp 4500              [OK]
     Pluto ipsec.secret syntax                              [OK]
    Checking 'ip' command                                   [OK]
    Checking 'iptables' command                             [OK]
    Checking 'prelink' command does not interfere with FIPS [OK]
    Checking for obsolete ipsec.conf options                [OK]
    

    If the following error is reported:

    Checking rp_filter                                      [ENABLED]
     /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
     /proc/sys/net/ipv4/conf/ens192/rp_filter               [ENABLED]
     /proc/sys/net/ipv4/conf/ens224/rp_filter               [ENABLED]
     /proc/sys/net/ipv4/conf/ens256/rp_filter               [ENABLED]
     /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
    

    resolve it with the following commands:

     # disable reverse-path (source address) checking; this takes effect immediately but does not
     # survive a reboot, so add matching net.ipv4.conf.<if>.rp_filter = 0 lines to /etc/sysctl.conf as well
     echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
     echo 0 > /proc/sys/net/ipv4/conf/ens192/rp_filter
     echo 0 > /proc/sys/net/ipv4/conf/ens224/rp_filter
     echo 0 > /proc/sys/net/ipv4/conf/ens256/rp_filter
     echo 0 > /proc/sys/net/ipv4/conf/ip_vti0/rp_filter
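As an added example (not part of the original page and not tooling from Fortinet or the libreswan project), the following Python script compares the FortiGate phase 1 proposal from the wizard output with the libreswan ike= line above and reports which transforms both sides accept, which is exactly the question behind a "no acceptable Oakley Transform" failure. The config excerpts are constructed from the settings on this page; the dhgrp line, and the DH groups assumed when it is absent, are assumptions, because the wizard output above does not show a dhgrp setting. The second FortiGate excerpt offers only AES-256/SHA-256 and reproduces the mismatch case.

```python
import re

# Constructed sample inputs. The proposal line is the one the FortiGate wizard
# generated above; the dhgrp line is an assumption (the wizard output on this
# page does not show it).
FORTIGATE_PHASE1 = """
config vpn ipsec phase1-interface
    edit "to-openswan"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14 5
    next
end
"""

# A FortiGate side that offers only AES-256/SHA-256: the situation behind the
# "no acceptable Oakley Transform" debug output shown later on this page.
FORTIGATE_PHASE1_MISMATCH = """
config vpn ipsec phase1-interface
    edit "to-openswan"
        set proposal aes256-sha256
        set dhgrp 14 5
    next
end
"""

# The ike= value from the libreswan conn on this page.
LIBRESWAN_IKE = "aes128-sha1;modp1536"

# FortiOS DH group numbers mapped to the MODP names libreswan uses.
DHGRP_TO_MODP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
                 15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192"}

# Components a defender would not want in a freshly negotiated tunnel.
WEAK = {"md5", "sha1", "des", "3des", "modp768", "modp1024"}


def normalize_hash(name):
    """Map libreswan spellings such as sha2_256 onto the FortiOS form sha256."""
    return name.lower().replace("sha2_", "sha")


def parse_fortigate_phase1(cfg):
    """Return the set of (encryption, hash, dh-group) transforms a FortiGate offers."""
    proposals = re.search(r"set proposal\s+(.+)", cfg).group(1).split()
    dh = re.search(r"set dhgrp\s+(.+)", cfg)
    # Assumption: groups 14 and 5 are used when no dhgrp line is configured.
    groups = [int(g) for g in dh.group(1).split()] if dh else [14, 5]
    offered = set()
    for item in proposals:
        enc, _, hsh = item.partition("-")
        for g in groups:
            offered.add((enc.lower(), normalize_hash(hsh), DHGRP_TO_MODP[g]))
    return offered


def parse_libreswan_ike(ike):
    """Return the set of transforms a libreswan ike= line accepts.

    The syntax is a comma-separated list of ENC-HASH;DH entries; several DH
    groups for one entry are joined with '+'.
    """
    accepted = set()
    for entry in ike.split(","):
        algs, _, dh = entry.partition(";")
        enc, _, hsh = algs.partition("-")
        # Assumption: treat a missing DH group as modp2048.
        for group in (dh.split("+") if dh else ["modp2048"]):
            accepted.add((enc.lower(), normalize_hash(hsh), group.lower()))
    return accepted


def compare(fortigate_cfg, libreswan_ike):
    """Transforms both peers accept, plus the weak components among them."""
    common = sorted(parse_fortigate_phase1(fortigate_cfg) & parse_libreswan_ike(libreswan_ike))
    weak = sorted({part for transform in common for part in transform if part in WEAK})
    return {"common": common, "weak": weak}


if __name__ == "__main__":
    for label, cfg in (("wizard proposal", FORTIGATE_PHASE1),
                       ("aes256-sha256 only", FORTIGATE_PHASE1_MISMATCH)):
        result = compare(cfg, LIBRESWAN_IKE)
        print(label, "->", result["common"] or "NO COMMON TRANSFORM", "weak:", result["weak"])
```

Run as-is, the wizard proposal meets libreswan on aes128/sha1/modp1536 while the AES-256/SHA-256-only variant has no common transform. The weak list is there so that a tunnel which negotiates successfully, but only on SHA-1, is still noticed during review.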
    

Checking IPsec status

  1. Check the IPsec status on the FortiGate

    [screenshot: IPsec Monitor]

    # diagnose vpn ike gateway  list
    
    vd: root/0
    name: to-openswan
    version: 1
    interface: port9 38
    addr: 100.1.1.2:500 -> 200.1.1.2:500
    tun_id: 200.1.1.2/::200.1.1.2
    remote_location: 0.0.0.0
    network-id: 0
    created: 19s ago
    IKE SA: created 1/1  established 1/1  time 10/10/10 ms
    IPsec SA: created 1/1  established 1/1  time 50/50/50 ms
      id/spi: 137 d69345dd761e35e1/0f7cdc8405b9cb8d
      direction: responder
      status: established 19-19s ago = 10ms
      proposal: aes128-sha1
      key: 82d396f4422ed9b5-2031250ed717f7f3
      lifetime/rekey: 86400/86110
      DPD sent/recv: 00000000/00003e85
    
    # diagnose vpn  tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=to-openswan ver=1 serial=2 100.1.1.2:0->200.1.1.2:0 tun_id=200.1.1.2 tun_id6=::200.1.1.2 dst_mtu=1500 dpd-link=on weight=1
    bound_if=38 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
    
    proxyid_num=1 child_num=0 refcnt=4 ilast=7 olast=7 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=158
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=to-openswan proto=0 sa=1 ref=2 serial=3
      src: 0:192.168.0.0-192.168.0.255:0
      dst: 0:192.168.1.0-192.168.1.255:0
      SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=3312/0B replaywin=2048
           seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=3330/3600
      dec: spi=dc629039 esp=aes key=16 257e01bac6998199e46bb81fcfea8ea7
           ah=sha1 key=20 ae77b59ee36fc4412db7c998b00513655ce05e44
      enc: spi=2d0f59d9 esp=aes key=16 3abe273778a50dd2e45708eaca1af809
           ah=sha1 key=20 5710a515c5a7d1a4bb857e1b62bce8a7ed8f0622
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
      npu_flag=00 npu_rgwy=200.1.1.2 npu_lgwy=100.1.1.2 npu_selid=3 dec_npuid=0 enc_npuid=0
    run_tally=0
    
  2. Check the IPsec status on Openswan

    # ipsec status
    000 using kernel interface: netkey
    000 interface lo/lo ::1@500
    000 interface ens192/ens192 2022::231@500
    000 interface ens224/ens224 240e:604:109:39::216@500
    000 interface lo/lo 127.0.0.1@4500
    000 interface lo/lo 127.0.0.1@500
    000 interface ens192/ens192 192.168.88.231@4500
    000 interface ens192/ens192 192.168.88.231@500
    000 interface ens224/ens224 200.1.1.2@4500
    000 interface ens224/ens224 200.1.1.2@500
    000 interface ens256/ens256 192.168.1.1@4500
    000 interface ens256/ens256 192.168.1.1@500
    000  
    000  
    000 fips mode=disabled;
    000 SElinux=disabled
    000 seccomp=disabled
    000  
    000 config setup options:
    000  
    000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
    000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
    000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
    000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
    000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
    000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
    000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
    000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
    000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
    000 ocsp-trust-name=<unset>
    000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
    000 secctx-attr-type=32001
    000 debug: control
    000  
    000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
    000 virtual-private (%priv):
    000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
    000  
    000 ESP algorithms supported:
    000  
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
    000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
    000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
    000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
    000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
    000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
    000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
    000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
    000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
    000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
    000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
    000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
    000  
    000 IKE algorithms supported:
    000  
    000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
    000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
    000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
    000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
    000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
    000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
    000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
    000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
    000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
    000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
    000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
    000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
    000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
    000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
    000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
    000 algorithm IKE DH Key Exchange: name=DH19, bits=512
    000 algorithm IKE DH Key Exchange: name=DH20, bits=768
    000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
    000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
    000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
    000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
    000  
    000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,3,64} trans={0,3,6936} attrs={0,3,4624} 
    000  
    000 Connection list:
    000  
    000 "ipsec1": 192.168.1.0/24===200.1.1.2<200.1.1.2>...100.1.1.2<100.1.1.2>===192.168.0.0/24; erouted; eroute owner: #3
    000 "ipsec1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
    000 "ipsec1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
    000 "ipsec1":   our auth:secret, their auth:secret
    000 "ipsec1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
    000 "ipsec1":   labeled_ipsec:no;
    000 "ipsec1":   policy_label:unset;
    000 "ipsec1":   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
    000 "ipsec1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
    000 "ipsec1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
    000 "ipsec1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
    000 "ipsec1":   conn_prio: 24,24; interface: ens224; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
    000 "ipsec1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
    000 "ipsec1":   our idtype: ID_IPV4_ADDR; our id=200.1.1.2; their idtype: ID_IPV4_ADDR; their id=100.1.1.2
    000 "ipsec1":   dpd: action:clear; delay:10; timeout:30; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
    000 "ipsec1":   newest ISAKMP SA: #2; newest IPsec SA: #3;
    000 "ipsec1":   IKE algorithms: AES_CBC_128-HMAC_SHA1-MODP1536
    000 "ipsec1":   IKE algorithm newest: AES_CBC_128-HMAC_SHA1-MODP1536
    000 "ipsec1":   ESP algorithms: AES_CBC_128-HMAC_SHA1_96-MODP1536
    000 "ipsec1":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
    000  
    000 Total IPsec connections: loaded 1, active 1
    000  
    000 State Information: DDoS cookies not required, Accepting new IKE connections
    000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
    000 IPsec SAs: total(1), authenticated(1), anonymous(0)
    000  
    000 #2: "ipsec1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85343s; newest ISAKMP; lastdpd=3s(seq in:16011 out:0); idle; import:admin initiate
    000 #3: "ipsec1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2784s; newest IPSEC; eroute owner; isakmp#2; idle; import:admin initiate
    000 #3: "ipsec1" esp.dc629039@100.1.1.2 esp.2d0f59d9@200.1.1.2 tun.0@100.1.1.2 tun.0@200.1.1.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B 
    000  
    000 Bare Shunt list:
    000
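
The two status outputs above give each gateway's own view of the same tunnel. As an added example (not from this page, Fortinet or the libreswan project), the following Python script parses trimmed, constructed excerpts of both outputs and cross-checks them: an SA exists on both sides, the traffic selectors are the intended /24 networks, the ESP SPIs agree and DPD is on. The regular expressions are written for the exact formats shown on this page (FortiOS "diagnose vpn tunnel list" and Libreswan 3.25 "ipsec status"); other versions may print differently.

```python
import re
import ipaddress

# Constructed excerpt of "diagnose vpn tunnel list" from the FortiGate above,
# trimmed to the lines this checker reads (key material omitted).
FORTIGATE_TUNNEL_LIST = """
name=to-openswan ver=1 serial=2 100.1.1.2:0->200.1.1.2:0 tun_id=200.1.1.2 tun_id6=::200.1.1.2 dst_mtu=1500 dpd-link=on weight=1
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=158
proxyid=to-openswan proto=0 sa=1 ref=2 serial=3
  src: 0:192.168.0.0-192.168.0.255:0
  dst: 0:192.168.1.0-192.168.1.255:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=3312/0B replaywin=2048
  dec: spi=dc629039 esp=aes key=16
  enc: spi=2d0f59d9 esp=aes key=16
"""

# Constructed excerpt of "ipsec status" from the Libreswan side above.
LIBRESWAN_STATUS = """
000 "ipsec1": 192.168.1.0/24===200.1.1.2<200.1.1.2>...100.1.1.2<100.1.1.2>===192.168.0.0/24; erouted; eroute owner: #3
000 "ipsec1":   newest ISAKMP SA: #2; newest IPsec SA: #3;
000 "ipsec1":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000 Total IPsec connections: loaded 1, active 1
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 #3: "ipsec1" esp.dc629039@100.1.1.2 esp.2d0f59d9@200.1.1.2 tun.0@100.1.1.2 tun.0@200.1.1.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
"""


def range_to_cidr(first, last):
    """FortiOS prints selectors as address ranges; fold them back into CIDR form."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return ",".join(str(n) for n in nets)


def parse_fortigate_tunnel(text):
    """Extract name, SA count, selectors, DPD mode and ESP SPIs from the FortiGate output."""
    info = {}
    m = re.search(r"name=(\S+) ver=(\d+)", text)
    info["name"], info["ike_version"] = m.group(1), int(m.group(2))
    info["sa_count"] = int(re.search(r"proxyid=\S+ proto=\d+ sa=(\d+)", text).group(1))
    src = re.search(r"src: \d+:([\d.]+)-([\d.]+):\d+", text)
    dst = re.search(r"dst: \d+:([\d.]+)-([\d.]+):\d+", text)
    info["src"] = range_to_cidr(src.group(1), src.group(2))
    info["dst"] = range_to_cidr(dst.group(1), dst.group(2))
    dpd = re.search(r"dpd: mode=(\S+) on=(\d)", text)
    info["dpd"] = dpd.group(1) if dpd and dpd.group(2) == "1" else "off"
    info["spis"] = sorted(re.findall(r"spi=([0-9a-f]+)", text))
    return info


def parse_libreswan_status(text):
    """Extract the connection line, active count, newest SA and ESP SPIs from pluto's status."""
    info = {}
    m = re.search(r'"(\S+)": (\S+?)===(\S+?)<[^>]*>\.\.\.(\S+?)<[^>]*>===([^;]+);', text)
    info["conn"], info["left_subnet"], info["left"], info["right"], info["right_subnet"] = m.groups()
    m = re.search(r"Total IPsec connections: loaded (\d+), active (\d+)", text)
    info["loaded"], info["active"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"newest IPsec SA: #(\d+)", text)
    info["newest_ipsec_sa"] = int(m.group(1)) if m else None
    info["spis"] = sorted(re.findall(r"esp\.([0-9a-f]+)@", text))
    return info


def check_tunnel(fg_text, ls_text, local_subnet, remote_subnet):
    """Cross-check both gateways' view of the tunnel; an empty list means healthy."""
    fg, ls = parse_fortigate_tunnel(fg_text), parse_libreswan_status(ls_text)
    problems = []
    if fg["sa_count"] < 1:
        problems.append("FortiGate has no IPsec SA for %s" % fg["name"])
    if ls["active"] < 1:
        problems.append("Libreswan reports no active connection")
    if (fg["src"], fg["dst"]) != (local_subnet, remote_subnet):
        problems.append("FortiGate selectors %s->%s differ from expected" % (fg["src"], fg["dst"]))
    # Libreswan's left side is the remote LAN as seen from the FortiGate.
    if (ls["left_subnet"], ls["right_subnet"]) != (remote_subnet, local_subnet):
        problems.append("Libreswan selectors %s<->%s differ from expected" % (ls["left_subnet"], ls["right_subnet"]))
    if fg["spis"] != ls["spis"]:
        problems.append("SPIs differ: FortiGate %s vs Libreswan %s" % (fg["spis"], ls["spis"]))
    if fg["dpd"] == "off":
        problems.append("DPD is disabled on the FortiGate")
    return problems


if __name__ == "__main__":
    issues = check_tunnel(FORTIGATE_TUNNEL_LIST, LIBRESWAN_STATUS, "192.168.0.0/24", "192.168.1.0/24")
    print("tunnel healthy" if not issues else "\n".join(issues))
```

In operation the two texts would come from the respective CLIs; feeding the wrong subnets (or an output from a tunnel whose SPIs no longer match after a one-sided rekey) makes the checker return the mismatch instead of an empty list.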
    

Traffic test

  1. Ping the PC on the Openswan side from the PC on the FortiGate side

    PC1# ifconfig ens224
    ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.0.10  netmask 255.255.255.0  broadcast 192.168.0.255
            ether 00:0c:29:0e:4e:c5  txqueuelen 1000  (Ethernet)
            RX packets 58117456  bytes 4943397966 (4.6 GiB)
            RX errors 0  dropped 183  overruns 0  frame 0
            TX packets 3346784  bytes 205418084392 (191.3 GiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    PC1# ping 192.168.1.10 -c 4
    PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
    64 bytes from 192.168.1.10: icmp_seq=1 ttl=62 time=1.13 ms
    64 bytes from 192.168.1.10: icmp_seq=2 ttl=62 time=0.852 ms
    64 bytes from 192.168.1.10: icmp_seq=3 ttl=62 time=0.750 ms
    64 bytes from 192.168.1.10: icmp_seq=4 ttl=62 time=0.775 ms
    
    --- 192.168.1.10 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3001ms
    rtt min/avg/max/mdev = 0.750/0.877/1.132/0.153 ms
    
  2. Ping the PC on the FortiGate side from the PC on the Openswan side

    PC2# ifconfig ens224
    ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 fe80::82c8:edfd:199d:70b0  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:e8:ad:a9  txqueuelen 1000  (Ethernet)
            RX packets 6476393  bytes 1884675006 (1.7 GiB)
            RX errors 0  dropped 3749817  overruns 0  frame 0
            TX packets 184443  bytes 12303642 (11.7 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    PC2# ping 192.168.0.10 -c 4
    PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=62 time=0.681 ms
    64 bytes from 192.168.0.10: icmp_seq=2 ttl=62 time=0.715 ms
    64 bytes from 192.168.0.10: icmp_seq=3 ttl=62 time=0.801 ms
    64 bytes from 192.168.0.10: icmp_seq=4 ttl=62 time=0.771 ms
    
    --- 192.168.0.10 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3000ms
    rtt min/avg/max/mdev = 0.681/0.742/0.801/0.046 ms
    

Openswan debug output

Enable Openswan debugging in /etc/ipsec.conf:

# /etc/ipsec.conf - Libreswan IPsec configuration file
# see 'man ipsec.conf' and 'man pluto' for more information
# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
        # Normally, pluto logs via syslog.
        logfile=/var/log/pluto.log
        #
        # Do not enable debug options to debug configuration issues!
        #
        # plutodebug="control parsing"
        # plutodebug="all crypt"
        plutodebug=control

  1. When the phase 1 cipher suites do not match, the openswan debug output shows:

    Feb  7 17:58:48.108027: | *received 332 bytes from 100.1.1.2:500 on ens224 (port=500)
    Feb  7 17:58:48.108082: | processing: start from 100.1.1.2:500 (in process_md() at demux.c:392)
    Feb  7 17:58:48.108103: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
    Feb  7 17:58:48.108119: | icookie table: hash icookie fc 65 ed f1  76 0e d2 08 to 15842219016969466431 slot 0x558680eded00
    Feb  7 17:58:48.108126: | v1 state object not found
    Feb  7 17:58:48.108148: | received Vendor ID payload [RFC 3947]
    Feb  7 17:58:48.108160: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    Feb  7 17:58:48.108171: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    Feb  7 17:58:48.108179: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    Feb  7 17:58:48.108186: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-01]
    Feb  7 17:58:48.108195: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Feb  7 17:58:48.108205: | received Vendor ID payload [Dead Peer Detection]
    Feb  7 17:58:48.108213: | received Vendor ID payload [FRAGMENTATION]
    Feb  7 17:58:48.108224: | received Vendor ID payload [FRAGMENTATION c0000000]
    Feb  7 17:58:48.108237: packet from 100.1.1.2:500: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
    Feb  7 17:58:48.108251: | creating state object #2 at 0x558682efea98
    Feb  7 17:58:48.108265: | processing: start state #2 connection "ipsec1" 100.1.1.2:500 (in main_inI1_outR1() at ikev1_main.c:757)
    Feb  7 17:58:48.108313: | inserting state object #2
    Feb  7 17:58:48.108338: "ipsec1" #2: responding to Main Mode
    Feb  7 17:58:48.108372: | started looking for secret for 200.1.1.2->100.1.1.2 of kind PKK_PSK
    Feb  7 17:58:48.108384: | actually looking for secret for 200.1.1.2->100.1.1.2 of kind PKK_PSK
    Feb  7 17:58:48.108397: | 1: compared key 100.1.1.2 to 200.1.1.2 / 100.1.1.2 -> 4
    Feb  7 17:58:48.108406: | 2: compared key 200.1.1.2 to 200.1.1.2 / 100.1.1.2 -> 12
    Feb  7 17:58:48.108413: | line 1: match=12
    Feb  7 17:58:48.108422: | best_match 0>12 best=0x558682efd7c8 (line=1)
    Feb  7 17:58:48.108430: | concluding with best_match=12 best=0x558682efd7c8 (lineno=1)
    Feb  7 17:58:48.108441: "ipsec1" #2: WARNING: connection ipsec1 PSK length of 8 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
    Feb  7 17:58:48.108461: "ipsec1" #2: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP2048] refused
    Feb  7 17:58:48.108471: | started looking for secret for 200.1.1.2->100.1.1.2 of kind PKK_PSK
    Feb  7 17:58:48.108478: | actually looking for secret for 200.1.1.2->100.1.1.2 of kind PKK_PSK
    Feb  7 17:58:48.108486: | 1: compared key 100.1.1.2 to 200.1.1.2 / 100.1.1.2 -> 4
    Feb  7 17:58:48.108495: | 2: compared key 200.1.1.2 to 200.1.1.2 / 100.1.1.2 -> 12
    Feb  7 17:58:48.108505: | line 1: match=12
    Feb  7 17:58:48.108512: | best_match 0>12 best=0x558682efd7c8 (line=1)
    Feb  7 17:58:48.108522: | concluding with best_match=12 best=0x558682efd7c8 (lineno=1)
    Feb  7 17:58:48.108533: "ipsec1" #2: WARNING: connection ipsec1 PSK length of 8 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
    Feb  7 17:58:48.108541: "ipsec1" #2: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1536] refused
    Feb  7 17:58:48.108548: "ipsec1" #2: no acceptable Oakley Transform
    Feb  7 17:58:48.108556: | complete v1 state transition with NO_PROPOSAL_CHOSEN
    
  2. When the pre-shared keys do not match, the openswan debug output shows:

    Feb  7 17:57:28.726151: | *received 108 bytes from 100.1.1.2:500 on ens224 (port=500)
    Feb  7 17:57:28.726176: | processing: start from 100.1.1.2:500 (in process_md() at demux.c:392)
    Feb  7 17:57:28.726186: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
    Feb  7 17:57:28.726197: | cookies table: hash icookie 2b 08 9f f0  ed 75 b2 1a rcookie 2e fa 5e f5  8a 50 a4 93 to 10219631855637370284 slot 0x558680ed9da0
    Feb  7 17:57:28.726217: | v1 peer and cookies match on #1, provided msgid 00000000 == 00000000
    Feb  7 17:57:28.726224: | v1 state object #1 found, in STATE_MAIN_R2
    Feb  7 17:57:28.726232: | processing: start state #1 connection "ipsec1" 100.1.1.2:500 (in process_v1_packet() at ikev1.c:1117)
    Feb  7 17:57:28.726270: "ipsec1" #1: byte 2 of ISAKMP Identification Payload should have been zero, but was not (ignored)
    Feb  7 17:57:28.726283: "ipsec1" #1: length of ISAKMP Identification Payload is larger than can fit
    Feb  7 17:57:28.726290: "ipsec1" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
    Feb  7 17:57:28.726313: | processing: stop from 100.1.1.2:500 (BACKGROUND) (in process_md() at demux.c:394)
    Feb  7 17:57:28.726322: | processing: stop state #1 connection "ipsec1" 100.1.1.2:500 (in process_md() at demux.c:396)
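
To make the two failure signatures above usable in monitoring, here is an added Python example (not from this page and not from the libreswan project) that classifies pluto debug lines into a phase 1 proposal mismatch, a pre-shared-key mismatch or a successfully established SA, and also collects the refused transforms and pluto's warning that the PSK is shorter than the PRF requires. The sample logs are constructed excerpts of the two debug outputs above; the "established" sample is a constructed line in the format pluto uses for a completed Quick Mode exchange.

```python
import re

# Timestamp prefix of /var/log/pluto.log lines, e.g. "Feb  7 17:58:48.108027: "
TIMESTAMP = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?: ")

# The first verdict pattern that matches any line decides the outcome.
VERDICTS = [
    (re.compile(r"IPsec SA established"), "established"),
    (re.compile(r"no acceptable Oakley Transform"), "phase1_proposal_mismatch"),
    (re.compile(r"probable authentication failure \(mismatch of preshared secrets\?\)"), "psk_mismatch"),
]
REFUSED = re.compile(r"Oakley Transform \[(.+?)\] refused")
PSK_SHORT = re.compile(r"PSK length of (\d+) bytes is too short")
PEER = re.compile(r"received \d+ bytes from ([\d.]+):\d+")
CONN = re.compile(r'"([^"]+)" #\d+:')

# Constructed excerpts of the two debug outputs shown above.
PROPOSAL_MISMATCH_LOG = """
Feb  7 17:58:48.108027: | *received 332 bytes from 100.1.1.2:500 on ens224 (port=500)
Feb  7 17:58:48.108338: "ipsec1" #2: responding to Main Mode
Feb  7 17:58:48.108441: "ipsec1" #2: WARNING: connection ipsec1 PSK length of 8 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Feb  7 17:58:48.108461: "ipsec1" #2: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP2048] refused
Feb  7 17:58:48.108533: "ipsec1" #2: WARNING: connection ipsec1 PSK length of 8 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Feb  7 17:58:48.108541: "ipsec1" #2: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1536] refused
Feb  7 17:58:48.108548: "ipsec1" #2: no acceptable Oakley Transform
"""
PSK_MISMATCH_LOG = """
Feb  7 17:57:28.726151: | *received 108 bytes from 100.1.1.2:500 on ens224 (port=500)
Feb  7 17:57:28.726224: | v1 state object #1 found, in STATE_MAIN_R2
Feb  7 17:57:28.726283: "ipsec1" #1: length of ISAKMP Identification Payload is larger than can fit
Feb  7 17:57:28.726290: "ipsec1" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
"""
# Constructed success line in the format pluto uses for a completed Quick Mode.
ESTABLISHED_LOG = """
Feb  7 18:02:11.000000: "ipsec1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2d0f59d9 <0xdc629039 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
"""


def triage(lines):
    """Classify one IKE exchange from pluto debug lines.

    Returns the verdict, the peer the packets came from, the connection name,
    the refused phase 1 transforms and any warnings pluto printed on the way.
    """
    result = {"verdict": "unknown", "peer": None, "conn": None, "refused": [], "warnings": []}
    for raw in lines:
        # Strip the timestamp and the "| " marker pluto puts in front of debug-only lines.
        line = TIMESTAMP.sub("", raw.strip()).lstrip("| ").strip()
        m = PEER.search(line)
        if m and result["peer"] is None:
            result["peer"] = m.group(1)
        m = CONN.search(line)
        if m and result["conn"] is None:
            result["conn"] = m.group(1)
        m = REFUSED.search(line)
        if m:
            result["refused"].append(m.group(1))
        m = PSK_SHORT.search(line)
        if m:
            warning = "PSK is only %s bytes" % m.group(1)
            if warning not in result["warnings"]:
                result["warnings"].append(warning)
        if result["verdict"] == "unknown":
            for pattern, verdict in VERDICTS:
                if pattern.search(line):
                    result["verdict"] = verdict
                    break
    return result


if __name__ == "__main__":
    for name, log in (("proposal mismatch", PROPOSAL_MISMATCH_LOG),
                      ("psk mismatch", PSK_MISMATCH_LOG),
                      ("established", ESTABLISHED_LOG)):
        print(name, "->", triage(log.splitlines()))
```

The refused-transform list is what tells you which side to change: in the sample it shows the FortiGate offering AES-256/SHA-256 with groups 2048 and 1536 while the libreswan conn only accepts aes128-sha1;modp1536. The PSK-length warning is worth alerting on in its own right, since pluto prints it even when the exchange otherwise succeeds.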
    

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised on: 2024-01-19 14:24:20
