Establishing an IPsec VPN with a Palo Alto Firewall

Network Requirements

As shown in the diagram, two LANs are connected through an IPsec VPN (interface mode) so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can communicate. The IPsec VPN (IKEv1) is established with a Palo Alto firewall.

Palo Alto firewall version information:

admin@PA-VM> show system info

hostname: PA-VM
ip-address: 192.168.100.3
public-ip-address: unknown
netmask: 255.255.255.0
default-gateway: 192.168.100.99
ip-assignment: dhcp
ipv6-address: unknown
ipv6-link-local-address: fe80::5200:ff:fe01:0/64
ipv6-default-gateway: 
mac-address: 50:00:00:01:00:00
time: Tue Apr 11 19:13:23 2023
uptime: 0 days, 0:10:21
family: vm
model: PA-VM
serial: unknown
vm-mac-base: BA:DB:EE:FB:AD:00
vm-mac-count: 255
vm-uuid: A42F5C9E-B1D9-4A19-B229-D959AF933A2B
vm-cpuid: KVM:63060000FDFB8B07
vm-license: none
vm-cap-tier: unknown
vm-cpu-count: 2
vm-memory: 4031324
vm-mode: KVM
cloud-mode: non-cloud
sw-version: 10.1.0
global-protect-client-package-version: 0.0.0
device-dictionary-version: 1-211
device-dictionary-release-date:

Network Topology

[Network topology diagram: 10.10.1.0/24 behind the FortiGate and 10.10.2.0/24 behind the Palo Alto firewall, connected by the IPsec tunnel]

Configuration Points

  • Configure the FortiGate
    • Basic Internet access configuration
    • Configure IPsec VPN
  • Configure the Palo Alto firewall
    • Basic Internet access configuration
    • Configure IPsec VPN
  • Note: to delete the IPsec VPN phase 1 or phase 2 configuration, first delete the routes and firewall policies that reference it.

Configuration Steps

FortiGate

  1. Basic Internet access configuration.

  2. Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.

  3. Select the Custom IPsec VPN template and click Next.

  4. Configure Network, Authentication, Phase 1 and Phase 2 as shown.

    Note: when interoperating with Hillstone or Palo Alto firewalls, all-zero traffic selectors are recommended. Like FortiGate, these vendors create a virtual IPsec interface when the tunnel is created and steer VPN traffic into it by routing, so the data to be encrypted is delivered to the IPsec interface (narrower traffic selectors also work).

    config vpn ipsec phase1-interface
        edit "VPN-to-Remote"
            set interface "port2"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set dhgrp 14 5 2
            set remote-gw 202.103.23.2
            set psksecret xxxxxxxx
        next
    end
    
    config vpn ipsec phase2-interface
        edit "VPN-to-Remote"
            set phase1name "VPN-to-Remote"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set dhgrp 14 5 2
            set auto-negotiate enable
        next
    end
    
  5. Configure the address objects for the VPN subnets and the firewall policies.

    config firewall address
        edit "Local_10.10.1.0/24"
            set subnet 10.10.1.0 255.255.255.0
        next
        edit "Remote_10.10.2.0/24"
            set subnet 10.10.2.0 255.255.255.0
        next
    end
    
    config firewall policy
        edit 2
            set name "VPN-Local-to-Remote"
            set srcintf "port3"
            set dstintf "VPN-to-Remote"
            set action accept
            set srcaddr "Local_10.10.1.0/24"
            set dstaddr "Remote_10.10.2.0/24"
            set schedule "always"
            set service "ALL"
        next
        edit 3
            set name "VPN-Remote-to-Local"
            set srcintf "VPN-to-Remote"
            set dstintf "port3"
            set action accept
            set srcaddr "Remote_10.10.2.0/24"
            set dstaddr "Local_10.10.1.0/24"
            set schedule "always"
            set service "ALL"
        next
    end
    
  6. Configure static routes for the VPN subnets.

    Why the "blackhole route" appears in the VPN route configuration:

    You may run into VPN service problems such as these: SIP phones over the VPN drop out from time to time and cannot register with the server; RADIUS authentication over the VPN frequently fails; APs registering to headquarters over the VPN disconnect intermittently; continuous PRTG monitoring pings to the headquarters server show intermittent outages. The VPN can reconnect for various reasons, for example an unstable Internet link or a PPPoE reconnection that changes the public IP address. The VPN tunnel then goes DOWN briefly, and the route to the remote VPN subnet disappears briefly as well. During that window the VPN traffic (SIP registration requests, RADIUS, CAPWAP, ICMP) matches the default route and is sent out the WAN (Internet), creating an incorrect UDP NAT session. Even after the tunnel comes back UP and the route to the VPN subnet is restored, the existing SIP and other VPN flows keep matching that wrong session, which leaves the service broken.

    Solutions:

    • Method 1: configure a "blackhole route" to the VPN subnet with administrative distance 254. While the VPN is up, the blackhole route is not in effect; when the VPN goes down, the blackhole route takes over and drops the VPN traffic during the outage, so it is not forwarded to the Internet and no incorrect session is created. This is the purpose of the backup blackhole route for the VPN.
    • Method 2: configure a policy with source interface LAN, destination interface WAN, source IP the local LAN subnet, destination IP the remote LAN subnet, and action deny. This drops the (useless) private-subnet traffic heading for the Internet, so the FortiGate never creates the incorrect session and the intermittent UDP service interruptions are avoided.
    • Method 3: enable "set snat-route-change enable" under config system global. When a route changes, the affected sessions are flagged "dirty", the route cache is cleared and the next hop for the destination IP is looked up again, so when the VPN tunnel recovers the traffic switches back into the tunnel.
      FortiGate # config system global
      FortiGate (global) # set snat-route-change enable
      FortiGate (global) # end

    Any one of the three methods is sufficient; the blackhole route is recommended.

    config router static
        edit 1
            set gateway 202.103.13.1
            set device "port2"
        next
        edit 2
            set dst 10.10.2.0 255.255.255.0
            set device "VPN-to-Remote"
        next
        edit 3
            set dst 10.10.2.0 255.255.255.0
            set distance 254
            set blackhole enable
        next
    end
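The interaction between the three static routes above (default route, tunnel route, and the distance-254 blackhole route) can be made concrete with a small model of FortiOS route selection. This is an added example, not FortiOS code: it installs, per prefix, the lowest-distance usable route, withdraws the tunnel-bound route while the tunnel is down, and then does a longest-prefix match. The route entries are copied from the configuration above; the interface names and the test addresses are the ones used on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPN_INTERFACE = "VPN-to-Remote"   # IPsec interface created by the phase1-interface above


@dataclass(frozen=True)
class Route:
    dst: str                       # destination prefix
    device: Optional[str]          # egress interface; None for a blackhole route
    distance: int = 10             # FortiOS default administrative distance for static routes
    blackhole: bool = False
    gateway: Optional[str] = None


# Model of the 'config router static' entries above (edit 1, 2 and 3)
ROUTES = [
    Route("0.0.0.0/0", "port2", gateway="202.103.13.1"),
    Route("10.10.2.0/24", VPN_INTERFACE),
    Route("10.10.2.0/24", None, distance=254, blackhole=True),
]


def installed_routes(routes, tunnel_up):
    """Routes present in the forwarding table: a route bound to the IPsec
    interface is withdrawn while the tunnel is down, and for each prefix only
    the lowest-distance usable route is installed (this is what
    'get router info routing-table all' displays)."""
    usable = [r for r in routes if r.blackhole or r.device != VPN_INTERFACE or tunnel_up]
    best = {}
    for r in usable:
        if r.dst not in best or r.distance < best[r.dst].distance:
            best[r.dst] = r
    return list(best.values())


def lookup(routes, dst_ip, tunnel_up):
    """Longest-prefix match over the installed routes; returns the egress
    interface, 'blackhole', or None when nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in installed_routes(routes, tunnel_up)
                  if ip in ipaddress.ip_network(r.dst)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: ipaddress.ip_network(r.dst).prefixlen)
    return "blackhole" if best.blackhole else best.device


if __name__ == "__main__":
    without_blackhole = [r for r in ROUTES if not r.blackhole]
    print("tunnel up:", lookup(ROUTES, "10.10.2.2", True))
    print("tunnel down, no blackhole route:", lookup(without_blackhole, "10.10.2.2", False))
    print("tunnel down, with blackhole route:", lookup(ROUTES, "10.10.2.2", False))
    print("Internet traffic while tunnel is down:", lookup(ROUTES, "203.0.113.10", False))
```

With the tunnel up, 10.10.2.2 resolves to VPN-to-Remote and the blackhole route never appears in the forwarding table, which matches the routing-table output in the verification section. With the tunnel down and no blackhole route, the same destination falls through to the default route on port2, which is exactly the leak that creates the bad NAT session; with the blackhole route installed, the lookup returns "blackhole" and the packets are dropped instead.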
    

Palo Alto

  1. Basic IP and routing configuration. Be sure to add the interfaces to a security zone and to the virtual router; otherwise the interfaces cannot communicate.

    network {
      interface {
        ethernet {
          ethernet1/1 {
            layer3 {
              ip {
                202.103.23.2/24;
              }
            }
          }
          ethernet1/2 {
            layer3 {
              ip {
                10.10.2.1/24;
              }
            }
          }
        }
      }
      virtual-router {
        default {
          routing-table {
            ip {
              static-route {
                Default_GW {
                  nexthop {
                    ip-address 202.103.23.1;
                  }
                  metric 10;
                  destination 0.0.0.0/0;
                  route-table {
                    unicast;
                  }
                }
              }
            }
          }
          interface [ ethernet1/1 ethernet1/2];
        }
      }
    }
    
  2. Address objects, security policy and NAT configuration.

    address {
      Local_10.10.2.0 {
        ip-netmask 10.10.2.0/24;
      }
      Remote_10.10.1.0 {
        ip-netmask 10.10.1.0/24;
      }
    }
    
    rulebase {
      security {
        rules {
          to_Internet {
            to Untrust;
            from Trust;
            source Local_10.10.2.0;
            destination any;
            source-user any;
            category any;
            application any;
            service application-default;
            source-hip any;
            destination-hip any;
            action allow;
          }
        }
      }
      nat {
        rules {
          to_Internet {
            source-translation {
              dynamic-ip-and-port {
                interface-address {
                  interface ethernet1/1;
                }
              }
            }
            to Untrust;
            from Trust;
            source Local_10.10.2.0;
            destination any;
            service any;
            to-interface ethernet1/1;
          }
        }
      }
    }
    
  3. Create the IPsec tunnel interface and add it to a security zone and to the virtual router.

    network {
      interface {
        tunnel {
          units {
            tunnel.1;
          }
        }
      }
      virtual-router {
        default {
          interface [ ethernet1/1 ethernet1/2 tunnel tunnel.1];
        }
      }
    }
    
    zone {
      Untrust {
        network {
          layer3 [ ethernet1/1 tunnel tunnel.1];
        }
      }
    }
    
  4. On the IPSec Tunnels page click Add, enter the tunnel name, and select the "tunnel.1" interface created in the previous step as the tunnel interface. Under "IKE Gateway" choose "New IKE Gateway".

  5. In the "IKE Gateway" dialog that opens, fill in the name, select version IKEv1, choose the local interface used to build the IPsec tunnel, and enter the peer VPN gateway address and the pre-shared key. Under "Advanced Options" set the exchange mode to main. The default phase 1 crypto profile can be changed, but it must match the FortiGate side; in this example the FortiGate algorithms were configured to match those contained in the Palo Alto "default" profile, so it is left unchanged (custom phase 1 profiles can be created under NETWORK → Network Profiles → IKE Crypto). Then apply the "IKE Gateway" configuration.

  6. After the "IKE Gateway" configuration is applied, return to the "IPSec Tunnel" window, confirm that "IKE Gateway" is set to the gateway just created, and select "default" as the IPSec Crypto Profile (phase 2 proposal). It must match the FortiGate side; in this example the FortiGate algorithms were configured to match those contained in the Palo Alto "default" profile, so it is left unchanged (custom phase 2 profiles can be created under NETWORK → Network Profiles → IPSec Crypto). The "Proxy IDs" tab needs no configuration (the default is 0.0.0.0/0 ↔ 0.0.0.0/0).

    network {
      ike {
        crypto-profiles {
          ike-crypto-profiles {
            default {
              encryption [ aes-128-cbc 3des];
              hash sha1;
              dh-group group2;
              lifetime {
                hours 8;
              }
            }
          }
          ipsec-crypto-profiles {
            default {
              esp {
                encryption [ aes-128-cbc 3des];
                authentication sha1;
              }
              dh-group group2;
              lifetime {
                hours 1;
              }
            }
          }
        }
        gateway {
          to_FortiGate {
            authentication {
              pre-shared-key {
                key -AQ==pkKner19T1G/kibOr4kfy7Wymbg=sg4ErcrrUBiaoIjlTToVEA==;
              }
            }
            protocol {
              ikev1 {
                dpd {
                  enable yes;
                }
                exchange-mode main;
              }
            }
            local-address {
              ip 202.103.23.2/24;
              interface ethernet1/1;
            }
            protocol-common {
              nat-traversal {
                enable no;
              }
              fragmentation {
                enable no;
              }
            }
            peer-address {
              ip 202.103.13.2;
            }
          }
        }
      }
      tunnel {
        ipsec {
          to_FortiGate {
            auto-key {
              ike-gateway {
                to_FortiGate;
              }
            }
            tunnel-monitor {
              enable no;
            }
            tunnel-interface tunnel.1;
          }
        }
      }
    }
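Steps 5 and 6 both hinge on the FortiGate proposals overlapping with the Palo Alto crypto profiles; a mismatch is the most common reason phase 1 or phase 2 fails to come up. The following script is an added example, not part of this page or of either vendor's tooling: it parses the FortiGate `set proposal` / `set dhgrp` lines and a PAN-OS crypto profile in the config format shown above, and lists the (encryption, hash) combinations and DH groups both sides share. The FortiGate-to-PAN-OS name mapping is an assumption that covers only the algorithms appearing on this page; the FortiGate and "default" profile inputs are copied from the configurations above, and the final "strict" profile is constructed to show a mismatch.

```python
import re

# Assumed mapping from FortiGate proposal tokens to PAN-OS algorithm names;
# limited to the algorithms that appear on this page.
FGT_ENC = {"aes128": "aes-128-cbc", "aes256": "aes-256-cbc", "3des": "3des",
           "aes128gcm": "aes-128-gcm", "aes256gcm": "aes-256-gcm"}
FGT_HASH = {"sha1": "sha1", "sha256": "sha256", "sha384": "sha384",
            "sha512": "sha512", "md5": "md5"}


def parse_fgt_proposals(cli_text):
    """(encryption, hash) pairs and DH groups from FortiGate 'set proposal' and
    'set dhgrp' lines; works for both phase1-interface and phase2-interface."""
    pairs, groups = set(), set()
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("set proposal "):
            for tok in line.split()[2:]:
                if tok in FGT_ENC:                  # AEAD token such as aes128gcm: no separate hash
                    pairs.add((FGT_ENC[tok], None))
                else:                               # e.g. aes128-sha256
                    enc, _, h = tok.partition("-")
                    pairs.add((FGT_ENC.get(enc), FGT_HASH.get(h)))
        elif line.startswith("set dhgrp "):
            groups.update(int(g) for g in line.split()[2:])
    return pairs, groups


def _panos_values(cfg_text, key):
    """Values of `key` in PAN-OS config-format text: 'key x;' or 'key [ x y ];'."""
    m = re.search(r"\b" + re.escape(key) + r" (\[[^\]]*\]|[^;\s]+);", cfg_text)
    return set(m.group(1).strip("[]").split()) if m else set()


def parse_panos_profile(cfg_text):
    """Encryption set, hash set and DH groups from an IKE or IPsec crypto profile."""
    enc = _panos_values(cfg_text, "encryption")
    # IKE profiles use 'hash'; IPsec (ESP) profiles use 'authentication'
    hashes = _panos_values(cfg_text, "hash") | _panos_values(cfg_text, "authentication")
    groups = {int(g[len("group"):]) for g in _panos_values(cfg_text, "dh-group")
              if g.startswith("group")}            # 'no-pfs' yields no group
    return enc, hashes, groups


def common_proposals(fgt_cli, panos_cfg):
    """Shared (enc, hash) pairs and shared DH groups. An AEAD pair (hash None)
    only matches a PAN-OS profile whose authentication is 'none'."""
    fgt_pairs, fgt_groups = parse_fgt_proposals(fgt_cli)
    pa_enc, pa_hash, pa_groups = parse_panos_profile(panos_cfg)
    matches = sorted((e, h) for e, h in fgt_pairs
                     if e in pa_enc and (h or "none") in pa_hash)
    return matches, sorted(fgt_groups & pa_groups)


def is_compatible(fgt_cli, panos_cfg):
    """True when at least one proposal and at least one DH group are shared."""
    pairs, groups = common_proposals(fgt_cli, panos_cfg)
    return bool(pairs) and bool(groups)


# Inputs copied from the FortiGate and Palo Alto configurations above
FGT_PHASE1 = """
config vpn ipsec phase1-interface
    edit "VPN-to-Remote"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14 5 2
    next
end
"""
FGT_PHASE2 = """
config vpn ipsec phase2-interface
    edit "VPN-to-Remote"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 14 5 2
    next
end
"""
PANOS_IKE_DEFAULT = """
default {
  encryption [ aes-128-cbc 3des];
  hash sha1;
  dh-group group2;
  lifetime { hours 8; }
}
"""
PANOS_IPSEC_DEFAULT = """
default {
  esp {
    encryption [ aes-128-cbc 3des];
    authentication sha1;
  }
  dh-group group2;
  lifetime { hours 1; }
}
"""
# Constructed profile that shares nothing with the FortiGate proposals
PANOS_IKE_MISMATCH = """
strict {
  encryption [ aes-256-cbc ];
  hash sha512;
  dh-group group19;
}
"""

if __name__ == "__main__":
    for label, fgt, pa in [("phase1 vs IKE default", FGT_PHASE1, PANOS_IKE_DEFAULT),
                           ("phase2 vs IPsec default", FGT_PHASE2, PANOS_IPSEC_DEFAULT),
                           ("phase1 vs strict", FGT_PHASE1, PANOS_IKE_MISMATCH)]:
        pairs, groups = common_proposals(fgt, pa)
        print(f"{label}: proposals {pairs}, DH groups {groups}, compatible={is_compatible(fgt, pa)}")
```

For both phases the only shared combination is aes-128-cbc with sha1 and DH group 2, which is precisely what the Palo Alto `show vpn ike-sa` output in the verification section reports (PSK/DH2/A128/SHA1 and ESP/DH2/SHA1). The rest of the FortiGate proposal list is harmless but unused; if the Palo Alto "default" profiles were replaced with the constructed "strict" profile, the script reports no overlap and the tunnel would not negotiate.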
    
  7. Configure the security policies that permit the IPsec VPN subnets, and move them above the Internet-access policy.

    rulebase {
      security {
        rules {
          VPN_to_FortiGate {
            to Untrust;
            from Trust;
            source Local_10.10.2.0;
            destination Remote_10.10.1.0;
            source-user any;
            category any;
            application any;
            service application-default;
            source-hip any;
            destination-hip any;
            action allow;
          }
          VPN_from_FortiGate {
            to Trust;
            from Untrust;
            source Remote_10.10.1.0;
            destination Local_10.10.2.0;
            source-user any;
            category any;
            application any;
            service application-default;
            source-hip any;
            destination-hip any;
            action allow;
          }
          to_Internet {
            to Untrust;
            from Trust;
            source Local_10.10.2.0;
            destination any;
            source-user any;
            category any;
            application any;
            service application-default;
            source-hip any;
            destination-hip any;
            action allow;
          }
        }
      }
    }
    
  8. Add a static route to the FortiGate LAN VPN subnet with tunnel.1 as the egress interface; the next hop is set to "None".

    network {
      virtual-router {
        default {
          routing-table {
            ip {
              static-route {
                to_FortiGate_VPN {
                  path-monitor {
                    enable no;
                    failure-condition any;
                    hold-time 2;
                  }
                  interface tunnel.1;
                  metric 10;
                  destination Remote_10.10.1.0;
                  route-table {
                    unicast;
                  }
                }
              }
            }
          }
          interface [ ethernet1/1 ethernet1/2 tunnel tunnel.1];
        }
      }
    }
    
  9. Finally, click the Commit button in the top right corner to commit the whole configuration.

Verification

  1. On the FortiGate, check that the IPsec tunnel is established: add an IPsec monitor widget to the Dashboard and it shows the tunnel as up.

    FortiGate # diagnose vpn ike gateway list 
    vd: root/0
    name: VPN-to-Remote
    version: 1
    interface: port2 4
    addr: 202.103.13.2:500 -> 202.103.23.2:500
    tun_id: 202.103.23.2/::202.103.23.2
    remote_location: 0.0.0.0
    network-id: 0
    created: 1403s ago
    IKE SA: created 1/1  established 1/1  time 120/120/120 ms
    IPsec SA: created 1/3  established 1/1  time 140/140/140 ms
      id/spi: 0 d73a6ee8d0baf991/db995f50650cc6b5
      direction: initiator
      status: established 1403-1403s ago = 120ms
      proposal: aes128-sha1
      key: fd7f588b849be1d4-d63993f074d6b8f8
      lifetime/rekey: 86400/84697
      DPD sent/recv: 0000003e/00000000
    
    FortiGate # diagnose vpn tunnel list 
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=VPN-to-Remote ver=1 serial=3 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=on weig1
    bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overla0
    proxyid_num=1 child_num=0 refcnt=4 ilast=2 olast=2 ad=/0
    stat: rxp=12 txp=17 rxb=1008 txb=1484
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=63
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=VPN-to-Remote proto=0 sa=1 ref=2 serial=2 auto-negotiate
      src: 0:0.0.0.0-255.255.255.255:0
      dst: 0:0.0.0.0-255.255.255.255:0
      SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=2205/0B replaywin=2048
           seqno=12 esn=0 replaywin_lastseq=0000000c qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=3300/3600
      dec: spi=35f11fb3 esp=aes key=16 2aba5fd6c7959ed2ee4dbd4653f2e42f
           ah=sha1 key=20 78b303176925e02007e758e1b4f3b2a43fcaab7e
      enc: spi=b5d1ae56 esp=aes key=16 a5d0f8ace26a19dd6c5e1089c0b4f755
           ah=sha1 key=20 c99af8e83adcd0b435fca71d0b25302ca84cc4f1
      dec:pkts/bytes=24/2016, enc:pkts/bytes=34/4132
      npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=3 dec_npuid=0 enc_npuid=0
    run_tally=0
    
  2. Check the FortiGate routing table.

    FortiGate # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
    C       10.10.1.0/24 is directly connected, port3
    S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
    C       192.168.100.0/24 is directly connected, port1
    C       202.103.13.0/24 is directly connected, port2
    
  3. Connectivity test from PC1 on the FortiGate side.

    VPCS> show
    
    NAME   IP/MASK              GATEWAY                             GATEWAY
    VPCS1  10.10.1.2/24         10.10.1.1
           fe80::250:79ff:fe66:6804/64
    
    VPCS> ping 10.10.2.2
    
    84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=4.250 ms
    84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=2.122 ms
    84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=2.039 ms
    84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=1.824 ms
    84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=2.243 ms
    
  4. Check the IPsec connection status on the Palo Alto firewall.

    admin@PA-VM> show vpn ike-sa
    IKEv1 phase-1 SAs
    GwID/client IP  Peer-Address           Gateway Name                                                    Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
    --------------  ------------           ------------                                                    ---- ---- ---------             -----------     ----------      -  -- -- ------
    1               202.103.13.2           to_FortiGate                                                    Resp Main PSK/ DH2/A128/SHA1    Apr.12 00:11:29 Apr.12 08:11:29 v1 13 1  1      
    Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
    IKEv1 phase-2 SAs
    Gateway Name                                                    TnID     Tunnel                 GwID/IP          Role Algorithm          SPI(in)  SPI(out) MsgID    ST Xt 
    ------------                                                    ----     ------                 -------          ---- ---------          -------  -------- -----    -- -- 
    to_FortiGate                                                    1        to_FortiGate           1                Resp ESP/ DH2/tunl/SHA1 B5D1AE56 35F11FB3 689E6AC0 9  1   
    Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
    
    admin@PA-VM> show vpn ipsec-sa 
    GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                                                                                                Algorithm          SPI(in)  SPI(out) life(Sec/KB)             remain-time(Sec)        
    --------------  ----   ------------           ---------------                                                                                                                ---------          -------  -------- ------------             ----------------        
    1               1      202.103.13.2           to_FortiGate(to_FortiGate)                                                                                                     ESP/A128/SHA1      B5D1AE56 35F11FB3 3600/Unlimited           2152                     
    Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
    
    admin@PA-VM> show vpn flow
    total tunnels configured:                                     1
    filter - type IPSec, state any
    total IPSec tunnel configured:                                1
    total IPSec tunnel shown:                                     1
    id    name                                                            state   monitor local-ip                      peer-ip                       tunnel-i/f  
    --    --------------                                                  -----   ------- --------                      -------                       ----------  
    1     to_FortiGate                                                    active  off     202.103.23.2                  202.103.13.2                  tunnel.1
    
  5. Check the Palo Alto routing table; it contains the manually configured route to the FortiGate LAN.

    admin@PA-VM> show routing route 
    
    flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, 
           Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
    VIRTUAL ROUTER: default (id 1)
      ==========
    destination                                 nexthop                                 metric flags      age   interface          next-AS    
    0.0.0.0/0                                   202.103.23.1                            10     A S              ethernet1/1                   
    10.10.1.0/24                                0.0.0.0                                 10     A S              tunnel.1                      
    10.10.2.0/24                                10.10.2.1                               0      A C              ethernet1/2                   
    10.10.2.1/32                                0.0.0.0                                 0      A H                                            
    202.103.23.0/24                             202.103.23.2                            0      A C              ethernet1/1                   
    202.103.23.2/32                             0.0.0.0                                 0      A H                                            
    total routes shown: 6
    
  6. Connectivity test from PC2 on the Palo Alto side.

    VPCS> show          
    
    NAME   IP/MASK              GATEWAY                             GATEWAY
    VPCS1  10.10.2.2/24         10.10.2.1
           fe80::250:79ff:fe66:6805/64
    
    VPCS> ping 10.10.1.2
    
    84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=2.099 ms
    84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=2.617 ms
    84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=2.074 ms
    84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.024 ms
    84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=1.944 ms
    
  7. Packet capture on the FortiGate.

    FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
    2023-04-12 15:38:12.130447 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:12.130504 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:12.130732 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:12.130746 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:13.134398 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:13.134471 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:13.134728 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:13.134745 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:14.137358 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:14.137391 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:14.137592 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:14.137600 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:15.140135 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:15.140174 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:15.140321 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:15.140334 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:16.143326 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:16.143362 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
    2023-04-12 15:38:16.143547 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
    2023-04-12 15:38:16.143560 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
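The capture above shows the healthy path: each packet enters on VPN-to-Remote and leaves on port3 (or the reverse). The same sniffer output can be checked mechanically for the failure mode described in step 6 of the FortiGate configuration, where VPN-subnet traffic escapes through the WAN interface during a tunnel flap. The script below is an added example, not Fortinet code: it parses `diagnose sniffer packet ... 4` lines and flags any packet destined for either VPN subnet that leaves a WAN interface. The interface roles (port2 = WAN, port3 = LAN, VPN-to-Remote = IPsec) are taken from the configuration above; the sample capture is constructed, reusing the format of the real one and adding a source-NATed SIP packet that leaked out port2.

```python
import ipaddress
import re

# Interface roles from the FortiGate configuration on this page
WAN_INTERFACES = {"port2"}
VPN_INTERFACE = "VPN-to-Remote"
VPN_SUBNETS = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.2.0/24")]

# One verbosity-4 sniffer line: timestamp, interface, direction, src -> dst: proto ...
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): (?P<proto>\w+)")


def _split_addr(tok):
    """'10.10.1.2.5060' -> ('10.10.1.2', 5060); ICMP lines carry no port."""
    parts = tok.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return tok, None


def parse_sniffer(text):
    """Parse capture lines; header lines such as 'interfaces=[any]' are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if not m:
            continue
        src, sport = _split_addr(m["src"])
        dst, dport = _split_addr(m["dst"])
        packets.append({"ts": m["ts"], "intf": m["intf"], "dir": m["dir"],
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "proto": m["proto"]})
    return packets


def find_leaks(packets):
    """Packets for a VPN subnet that left through a WAN interface in clear.
    Only the destination is examined: after source NAT the source address is
    the WAN address, so it no longer identifies the traffic as VPN traffic."""
    leaks = []
    for p in packets:
        dst = ipaddress.ip_address(p["dst"])
        if (p["intf"] in WAN_INTERFACES and p["dir"] == "out"
                and any(dst in net for net in VPN_SUBNETS)):
            leaks.append(p)
    return leaks


def tunnel_packets(packets):
    """Packets that traversed the IPsec interface, i.e. took the intended path."""
    return [p for p in packets if p["intf"] == VPN_INTERFACE]


# Constructed capture: the first four lines mirror the ICMP capture on this page,
# the last two show a SIP REGISTER leaking out port2 while the tunnel was down.
CAPTURE = """\
interfaces=[any]
filters=[host 10.10.2.10 or host 10.10.2.2]
2023-04-12 15:38:12.130447 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:12.130504 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:12.130732 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:12.130746 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:40:01.000100 port3 in 10.10.1.2.5060 -> 10.10.2.10.5060: udp 412
2023-04-12 15:40:01.000150 port2 out 202.103.13.2.5060 -> 10.10.2.10.5060: udp 412
"""

if __name__ == "__main__":
    pkts = parse_sniffer(CAPTURE)
    print(f"{len(pkts)} packets parsed, {len(tunnel_packets(pkts))} via {VPN_INTERFACE}")
    for p in find_leaks(pkts):
        print(f"LEAK {p['ts']} {p['intf']} {p['dir']} {p['src']} -> {p['dst']} ({p['proto']})")
```

A non-empty result from `find_leaks` on a capture taken during a tunnel flap is the direct evidence that one of the three remedies from step 6 is missing; with the blackhole route in place, the packet to 10.10.2.10 would be dropped and never appear on port2.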
    

Notes

  1. Capturing VPN payload and ESP packets with the sniffer:

    • Capture the IPsec VPN IKE negotiation packets:

      diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
      
    • Capture the IPsec VPN ESP encrypted packets:

      diagnose sniffer packet any "host 101.1.1.1 and esp" 4
      
    • Capture the IPsec VPN cleartext payload packets:

      diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
      
    • Note: hardware appliances accelerate IPsec VPN in an NP chip, so the capture may be incomplete, mainly for the ESP packets and the cleartext payload packets. It is therefore sometimes necessary to disable NP offload on the VPN tunnel:

      FortiGate # config vpn ipsec phase1-interface
      FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
      FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
      FortiGate (BJ-OSPF-TO-SH) # end
      
  2. Palo Alto firewall IPsec VPN debugging:

    debug ike global on debug
    less mp-log ikemgr.log
    debug ike pcap on
    view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
    debug ike pcap off
    

Copyright © 2023 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2023-09-12 15:24:01
