Establishing an IPsec VPN with a Palo Alto Firewall
Network requirements
As shown in the figure, two LANs are connected through an IPsec VPN (interface mode) so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can reach each other. The peer is a Palo Alto firewall and the tunnel is negotiated with IKEv1.
Palo Alto firewall version information:
admin@PA-VM> show system info
hostname: PA-VM
ip-address: 192.168.100.3
public-ip-address: unknown
netmask: 255.255.255.0
default-gateway: 192.168.100.99
ip-assignment: dhcp
ipv6-address: unknown
ipv6-link-local-address: fe80::5200:ff:fe01:0/64
ipv6-default-gateway:
mac-address: 50:00:00:01:00:00
time: Tue Apr 11 19:13:23 2023
uptime: 0 days, 0:10:21
family: vm
model: PA-VM
serial: unknown
vm-mac-base: BA:DB:EE:FB:AD:00
vm-mac-count: 255
vm-uuid: A42F5C9E-B1D9-4A19-B229-D959AF933A2B
vm-cpuid: KVM:63060000FDFB8B07
vm-license: none
vm-cap-tier: unknown
vm-cpu-count: 2
vm-memory: 4031324
vm-mode: KVM
cloud-mode: non-cloud
sw-version: 10.1.0
global-protect-client-package-version: 0.0.0
device-dictionary-version: 1-211
device-dictionary-release-date:
Network topology
Configuration points
- Configure the FortiGate
  - Basic Internet-access configuration
  - Configure the IPsec VPN
- Configure the Palo Alto firewall
  - Basic Internet-access configuration
  - Configure the IPsec VPN
- Note: to delete an IPsec VPN phase 1 or phase 2, first delete the static routes and firewall policies that reference it.
Configuration steps
FortiGate
Basic Internet-access configuration.
Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.
Choose the Custom IPsec VPN template and click Next.
Configure Network, Authentication, Phase 1 and Phase 2 as shown.
Note: when interconnecting with Hillstone or Palo Alto firewalls, all-zero traffic selectors (0.0.0.0/0 ↔ 0.0.0.0/0) are recommended. Like the FortiGate, these vendors create a virtual IPsec interface for each tunnel and steer traffic into it by routing, so the data to be encrypted reaches the IPsec interface through the routing table rather than through the selectors (narrower selectors also work, but then both sides must define them identically). The proposals below deliberately overlap with the Palo Alto "default" crypto profiles used later on this page; that overlap is aes128-sha1 with DH group 2, which is exactly what the tunnel ends up negotiating in the verification section. For production use, prefer a custom profile on both sides (for example aes256-sha256 with DH group 14) and remove 3DES, SHA1 and DH groups 2 and 5 from both ends.
config vpn ipsec phase1-interface
    edit "VPN-to-Remote"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 14 5 2
        set remote-gw 202.103.23.2
        set psksecret xxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-Remote"
        set phase1name "VPN-to-Remote"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 14 5 2
        set auto-negotiate enable
    next
end
Configure the address objects for the VPN subnets and the firewall policies. Both policies reference the same two address objects; the second policy must use the "Local_10.10.1.0/24" object created here, otherwise the policy will not match return traffic.
config firewall address
    edit "Local_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Remote_10.10.2.0/24"
        set subnet 10.10.2.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-Local-to-Remote"
        set srcintf "port3"
        set dstintf "VPN-to-Remote"
        set action accept
        set srcaddr "Local_10.10.1.0/24"
        set dstaddr "Remote_10.10.2.0/24"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-Remote-to-Local"
        set srcintf "VPN-to-Remote"
        set dstintf "port3"
        set action accept
        set srcaddr "Remote_10.10.2.0/24"
        set dstaddr "Local_10.10.1.0/24"
        set schedule "always"
        set service "ALL"
    next
end
Configure static routes for the VPN subnets.
On the meaning of the blackhole route in the VPN routing configuration:
You may run into VPN application problems such as these: SIP phones over the VPN drop intermittently and fail to register with the server; RADIUS authentication over the VPN fails from time to time; APs registering to headquarters over the VPN disconnect intermittently; continuous PRTG ping monitoring of the headquarters servers shows intermittent outages. The VPN sometimes reconnects for various reasons (an unstable Internet link, a PPPoE reconnect that changes the public IP, and so on). The tunnel goes down briefly, and the route to the remote VPN subnet disappears with it. During that window the VPN traffic (SIP registrations, RADIUS, CAPWAP, ICMP) matches the default route and is sent out the WAN (Internet) interface, which creates incorrect UDP NAT sessions. Even after the tunnel comes back up and the route to the VPN subnet is restored, the existing SIP and other flows keep matching those stale sessions, so the application stays broken. Solutions:
- Option 1: configure a blackhole route to the remote VPN subnet with administrative distance 254. While the VPN is up this route is inactive; when the VPN goes down it becomes the best route and discards the traffic instead of forwarding it to the Internet, so no incorrect session is created. This is the purpose of the backup blackhole route.
- Option 2: configure a deny policy with source interface LAN, destination interface WAN, source address the local LAN subnet and destination address the remote LAN subnet. It drops the private-addressed traffic that would otherwise leak toward the Internet, so the FortiGate never creates the wrong session and the intermittent UDP outages stop.
- Option 3: enable "set snat-route-change enable" under config system global. When a route changes, the affected sessions are flagged dirty, the route cache is cleared and the next hop for the destination IP is looked up again, so traffic moves back into the tunnel as soon as it recovers.
FortiGate # config system global
FortiGate (global) # set snat-route-change enable
FortiGate (global) # end
config router static
    edit 1
        set gateway 202.103.13.1
        set device "port2"
    next
    edit 2
        set dst 10.10.2.0 255.255.255.0
        set device "VPN-to-Remote"
    next
    edit 3
        set dst 10.10.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
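Added example, not part of the original page: a small model of the route selection described above, showing why the distance-254 blackhole route matters when the tunnel interface goes down. It assumes (as FortiOS does) that a static route bound to an interface is withdrawn while that interface is down, that the longest prefix wins and ties are broken by the lowest administrative distance, and that a blackhole route discards the packet. The prefixes and interface names are the ones from the configuration above; the `decision()` helper is mine.

```python
"""Route-selection model for the FortiGate blackhole-route discussion (added
example).  Assumes: a static route is active only while its device is up,
longest prefix wins, then lowest distance; a blackhole route drops traffic."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str          # prefix, e.g. "10.10.2.0/24"
    device: str       # egress interface, "" for a blackhole route
    distance: int = 10
    blackhole: bool = False


# The three static routes from the FortiGate configuration on this page.
ROUTES = [
    StaticRoute("0.0.0.0/0", "port2", 10),                  # default route
    StaticRoute("10.10.2.0/24", "VPN-to-Remote", 10),      # via the tunnel
    StaticRoute("10.10.2.0/24", "", 254, blackhole=True),  # backup blackhole
]


def lookup(dst_ip: str, routes, link_up: dict) -> str:
    """Forwarding decision for dst_ip: the egress device, 'DROP' for a
    blackhole, or 'NO ROUTE'.  Routes whose device is down are skipped,
    like a static route bound to a down tunnel interface."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r.dst)
        if ip not in net:
            continue
        if not r.blackhole and not link_up.get(r.device, False):
            continue  # route withdrawn while the interface is down
        candidates.append((net.prefixlen, -r.distance, r))
    if not candidates:
        return "NO ROUTE"
    # Longest prefix wins; among equal prefixes, the lowest distance wins.
    _, _, best = max(candidates, key=lambda c: (c[0], c[1]))
    return "DROP" if best.blackhole else best.device


def decision(dst_ip: str, tunnel_up: bool, with_blackhole: bool = True) -> str:
    """Where a packet to dst_ip goes, with or without the backup blackhole."""
    routes = ROUTES if with_blackhole else [r for r in ROUTES if not r.blackhole]
    return lookup(dst_ip, routes, {"port2": True, "VPN-to-Remote": tunnel_up})


if __name__ == "__main__":
    for up in (True, False):
        for bh in (True, False):
            print(f"tunnel_up={up} blackhole={bh}: 10.10.2.2 -> "
                  f"{decision('10.10.2.2', up, bh)}")
```

With the tunnel down and no blackhole route, 10.10.2.2 resolves to port2 (the WAN), which is exactly the leak that creates the wrong NAT session; with the blackhole route the packet is dropped instead.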
Palo Alto
Basic IP and routing configuration. Be sure to add the interfaces to a security zone and to the virtual router, otherwise they cannot forward traffic.
network {
  interface {
    ethernet {
      ethernet1/1 {
        layer3 {
          ip {
            202.103.23.2/24;
          }
        }
      }
      ethernet1/2 {
        layer3 {
          ip {
            10.10.2.1/24;
          }
        }
      }
    }
  }
  virtual-router {
    default {
      routing-table {
        ip {
          static-route {
            Default_GW {
              nexthop {
                ip-address 202.103.23.1;
              }
              metric 10;
              destination 0.0.0.0/0;
              route-table {
                unicast;
              }
            }
          }
        }
      }
      interface [ ethernet1/1 ethernet1/2];
    }
  }
}
Address objects, security policy and NAT. The NAT rule is restricted with "to-interface ethernet1/1", so traffic that is later routed into tunnel.1 (which also sits in the Untrust zone) is not source-translated; without that restriction the VPN traffic would leave with the ethernet1/1 address and never match the FortiGate policies.
address {
  Local_10.10.2.0 {
    ip-netmask 10.10.2.0/24;
  }
  Remote_10.10.1.0 {
    ip-netmask 10.10.1.0/24;
  }
}
rulebase {
  security {
    rules {
      to_Internet {
        to Untrust;
        from Trust;
        source Local_10.10.2.0;
        destination any;
        source-user any;
        category any;
        application any;
        service application-default;
        source-hip any;
        destination-hip any;
        action allow;
      }
    }
  }
  nat {
    rules {
      to_Internet {
        source-translation {
          dynamic-ip-and-port {
            interface-address {
              interface ethernet1/1;
            }
          }
        }
        to Untrust;
        from Trust;
        source Local_10.10.2.0;
        destination any;
        service any;
        to-interface ethernet1/1;
      }
    }
  }
}
Create the IPsec tunnel interface and add it to the security zone and the virtual router.
network {
  interface {
    tunnel {
      units {
        tunnel.1;
      }
    }
  }
  virtual-router {
    default {
      interface [ ethernet1/1 ethernet1/2 tunnel tunnel.1];
    }
  }
}
zone {
  Untrust {
    network {
      layer3 [ ethernet1/1 tunnel tunnel.1];
    }
  }
}
On the IPsec Tunnels page, click Add, enter the tunnel name, and choose "tunnel.1" (created in the previous step) as the tunnel interface. Under IKE Gateway, select "New IKE Gateway".
In the IKE Gateway dialog, enter a name, select IKEv1 as the version, select the local interface used to build the IPsec tunnel, and enter the peer VPN gateway address and the pre-shared key. Under Advanced Options, set the exchange mode to main. The phase 1 security proposal can be changed here and must match the FortiGate side; in this example the FortiGate proposals already overlap with the algorithms in the Palo Alto "default" profile, so it is left unchanged (custom phase 1 profiles are created under NETWORK → Network Profiles → IKE Crypto). NAT traversal is left disabled because both gateways carry public addresses directly on their interfaces; enable it on both sides if either peer sits behind NAT. Then apply the IKE Gateway configuration.
After the IKE Gateway is applied, return to the IPsec Tunnel window, confirm that the IKE Gateway is the one just created, and select "default" as the IPsec crypto profile (phase 2 proposal). It must match the FortiGate side; in this example the FortiGate proposals already overlap with the Palo Alto "default" profile, so no change is needed (custom phase 2 profiles are created under NETWORK → Network Profiles → IPSec Crypto). The Proxy IDs tab needs no configuration (the default is 0.0.0.0/0 ↔ 0.0.0.0/0), which matches the all-zero selectors on the FortiGate.
network {
  ike {
    crypto-profiles {
      ike-crypto-profiles {
        default {
          encryption [ aes-128-cbc 3des];
          hash sha1;
          dh-group group2;
          lifetime {
            hours 8;
          }
        }
      }
      ipsec-crypto-profiles {
        default {
          esp {
            encryption [ aes-128-cbc 3des];
            authentication sha1;
          }
          dh-group group2;
          lifetime {
            hours 1;
          }
        }
      }
    }
    gateway {
      to_FortiGate {
        authentication {
          pre-shared-key {
            key -AQ==pkKner19T1G/kibOr4kfy7Wymbg=sg4ErcrrUBiaoIjlTToVEA==;
          }
        }
        protocol {
          ikev1 {
            dpd {
              enable yes;
            }
            exchange-mode main;
          }
        }
        local-address {
          ip 202.103.23.2/24;
          interface ethernet1/1;
        }
        protocol-common {
          nat-traversal {
            enable no;
          }
          fragmentation {
            enable no;
          }
        }
        peer-address {
          ip 202.103.13.2;
        }
      }
    }
  }
  tunnel {
    ipsec {
      to_FortiGate {
        auto-key {
          ike-gateway {
            to_FortiGate;
          }
        }
        tunnel-monitor {
          enable no;
        }
        tunnel-interface tunnel.1;
      }
    }
  }
}
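Added example, not part of the original page: a checker that parses the FortiGate phase 1 proposal lines and the Palo Alto IKE crypto profile shown above and reports the (encryption, hash, DH group) triples both sides can agree on. IKEv1 main mode only completes if at least one triple is common to both peers, so an empty intersection is the first thing to look for when phase 1 stays down. The FortiOS-to-PAN-OS name mapping in the tables is my own, built from the two CLIs' algorithm names; anything outside the tables is reported as unmapped rather than guessed, and the `WEAK` set is my list of algorithms a practitioner should retire.

```python
"""IKE proposal intersection checker (added example).  Parses the FortiGate
'set proposal' / 'set dhgrp' lines and a PAN-OS ike-crypto-profile and
returns the proposals both sides share.  Name mapping is assumed."""
import re
from itertools import product

# FortiOS -> PAN-OS algorithm names (assumed mapping, see lead-in).
FGT_ENC = {"des": "des", "3des": "3des", "aes128": "aes-128-cbc",
           "aes192": "aes-192-cbc", "aes256": "aes-256-cbc"}
FGT_HASH = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
            "sha384": "sha384", "sha512": "sha512"}
# Algorithms a practitioner should remove from both ends (my list).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}


def parse_fortigate(cfg: str) -> set:
    """Set of (enc, hash, dh) triples a FortiGate phase1 block offers."""
    prop = re.search(r"set proposal ([^\n]+)", cfg).group(1).split()
    groups = re.search(r"set dhgrp ([^\n]+)", cfg).group(1).split()
    triples = set()
    for p in prop:
        if "-" not in p:
            continue  # AEAD-only names without a hash part are out of scope
        enc, h = p.split("-", 1)
        for g in groups:
            triples.add((FGT_ENC.get(enc, "?" + enc),
                         FGT_HASH.get(h, "?" + h), "group" + g))
    return triples


def parse_paloalto(profile: str) -> set:
    """Set of (enc, hash, dh) triples a PAN-OS IKE crypto profile accepts.
    PAN-OS prints each field either as one token or as a [ ... ] list."""
    def field(name):
        m = re.search(name + r"\s+(\[[^\]]*\]|[^;\s]+)", profile)
        return m.group(1).strip("[] ").split()
    return set(product(field("encryption"), field("hash"), field("dh-group")))


def common_proposals(fgt_cfg: str, pa_profile: str):
    """(all common triples, common triples with no weak algorithm)."""
    common = parse_fortigate(fgt_cfg) & parse_paloalto(pa_profile)
    strong = {t for t in common if not (set(t) & WEAK)}
    return common, strong


# Constructed from the two configurations on this page.
FGT = """set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dhgrp 14 5 2"""
PA = ("default { encryption [ aes-128-cbc 3des]; hash sha1; "
      "dh-group group2; lifetime { hours 8; } }")

if __name__ == "__main__":
    common, strong = common_proposals(FGT, PA)
    print("common:", sorted(common))
    print("strong (no 3des/sha1/group2/group5):", sorted(strong))
```

For the two configurations on this page the only common triple is aes-128-cbc / sha1 / group2, which is what both verification outputs below report as the negotiated algorithm, and the "strong" set is empty, which is why a custom profile is recommended above.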
Configure security policies that allow the VPN subnets in both directions, and move them above the Internet-access policy so they are evaluated first.
rulebase {
  security {
    rules {
      VPN_to_FortiGate {
        to Untrust;
        from Trust;
        source Local_10.10.2.0;
        destination Remote_10.10.1.0;
        source-user any;
        category any;
        application any;
        service application-default;
        source-hip any;
        destination-hip any;
        action allow;
      }
      VPN_from_FortiGate {
        to Trust;
        from Untrust;
        source Remote_10.10.1.0;
        destination Local_10.10.2.0;
        source-user any;
        category any;
        application any;
        service application-default;
        source-hip any;
        destination-hip any;
        action allow;
      }
      to_Internet {
        to Untrust;
        from Trust;
        source Local_10.10.2.0;
        destination any;
        source-user any;
        category any;
        application any;
        service application-default;
        source-hip any;
        destination-hip any;
        action allow;
      }
    }
  }
}
Add a static route to the FortiGate-side LAN subnet with tunnel.1 as the egress interface and the next hop set to None.
network {
  virtual-router {
    default {
      routing-table {
        ip {
          static-route {
            to_FortiGate_VPN {
              path-monitor {
                enable no;
                failure-condition any;
                hold-time 2;
              }
              interface tunnel.1;
              metric 10;
              destination Remote_10.10.1.0;
              route-table {
                unicast;
              }
            }
          }
        }
      }
      interface [ ethernet1/1 ethernet1/2 tunnel tunnel.1];
    }
  }
}
Finally, click Commit in the top right to apply all configuration.
Verification
On the FortiGate, verify that the IPsec tunnel is established. An IPsec monitor widget can be added to the dashboard for this; the CLI output below shows the IKE SA, the negotiated proposal (aes128-sha1) and the ESP SAs with their SPIs.
FortiGate # diagnose vpn ike gateway list

vd: root/0
name: VPN-to-Remote
version: 1
interface: port2 4
addr: 202.103.13.2:500 -> 202.103.23.2:500
tun_id: 202.103.23.2/::202.103.23.2
remote_location: 0.0.0.0
network-id: 0
created: 1403s ago
IKE SA: created 1/1  established 1/1  time 120/120/120 ms
IPsec SA: created 1/3  established 1/1  time 140/140/140 ms

  id/spi: 0 d73a6ee8d0baf991/db995f50650cc6b5
  direction: initiator
  status: established 1403-1403s ago = 120ms
  proposal: aes128-sha1
  key: fd7f588b849be1d4-d63993f074d6b8f8
  lifetime/rekey: 86400/84697
  DPD sent/recv: 0000003e/00000000

FortiGate # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-to-Remote ver=1 serial=3 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=2 olast=2 ad=/0
stat: rxp=12 txp=17 rxb=1008 txb=1484
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=63
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-to-Remote proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=38203 type=00 soft=0 mtu=1438 expire=2205/0B replaywin=2048
       seqno=12 esn=0 replaywin_lastseq=0000000c qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3300/3600
  dec: spi=35f11fb3 esp=aes key=16 2aba5fd6c7959ed2ee4dbd4653f2e42f
       ah=sha1 key=20 78b303176925e02007e758e1b4f3b2a43fcaab7e
  enc: spi=b5d1ae56 esp=aes key=16 a5d0f8ace26a19dd6c5e1089c0b4f755
       ah=sha1 key=20 c99af8e83adcd0b435fca71d0b25302ca84cc4f1
  dec:pkts/bytes=24/2016, enc:pkts/bytes=34/4132
  npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=3 dec_npuid=0 enc_npuid=0
run_tally=0
View the FortiGate routing table. The route to 10.10.2.0/24 points at the tunnel interface; the distance-254 blackhole route is not shown because it is only installed when the tunnel route is withdrawn.
FortiGate # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
C       10.10.1.0/24 is directly connected, port3
S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
C       192.168.100.0/24 is directly connected, port1
C       202.103.13.0/24 is directly connected, port2
Connectivity test from PC1 on the FortiGate side.
VPCS> show
NAME   IP/MASK          GATEWAY
VPCS1  10.10.1.2/24     10.10.1.1
       fe80::250:79ff:fe66:6804/64

VPCS> ping 10.10.2.2
84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=4.250 ms
84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=2.122 ms
84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=2.039 ms
84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=1.824 ms
84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=2.243 ms
Check the IPsec status on the Palo Alto firewall. The SPIs it reports (B5D1AE56 inbound, 35F11FB3 outbound) are the mirror image of the FortiGate's enc/dec SPIs above, as they must be for one working SA pair.
admin@PA-VM> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address  Gateway Name  Role  Mode  Algorithm           Established      Expiration       V   ST  Xt  Phase2
--------------  ------------  ------------  ----  ----  ---------           -----------      ----------       -   --  --  ------
1               202.103.13.2  to_FortiGate  Resp  Main  PSK/ DH2/A128/SHA1  Apr.12 00:11:29  Apr.12 08:11:29  v1  13  1   1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name  TnID  Tunnel        GwID/IP  Role  Algorithm           SPI(in)   SPI(out)  MsgID     ST  Xt
------------  ----  ------        -------  ----  ---------           -------   --------  -----     --  --
to_FortiGate  1     to_FortiGate  1        Resp  ESP/ DH2/tunl/SHA1  B5D1AE56  35F11FB3  689E6AC0  9   1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

admin@PA-VM> show vpn ipsec-sa

GwID/client IP  TnID  Peer-Address  Tunnel(Gateway)             Algorithm      SPI(in)   SPI(out)  life(Sec/KB)    remain-time(Sec)
--------------  ----  ------------  ---------------             ---------      -------   --------  ------------    ----------------
1               1     202.103.13.2  to_FortiGate(to_FortiGate)  ESP/A128/SHA1  B5D1AE56  35F11FB3  3600/Unlimited  2152

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

admin@PA-VM> show vpn flow

total tunnels configured:                                  1
filter - type IPSec, state any

total IPSec tunnel configured:                             1
total IPSec tunnel shown:                                  1

id    name            state  monitor  local-ip      peer-ip       tunnel-i/f
--    --------------  -----  -------  --------      -------       ----------
1     to_FortiGate    active off      202.103.23.2  202.103.13.2  tunnel.1
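Added example, not part of the original page: cross-checking the two verification outputs. Each direction of an ESP tunnel has its own SPI, so the SPI the FortiGate encrypts with (its `enc:` line) must be the SPI the Palo Alto lists as SPI(in), and the FortiGate's `dec:` SPI must be the Palo Alto's SPI(out). When both boxes show "established" but traffic still fails, SPIs that do not line up point at a stale SA on one side. The parsers assume the `diagnose vpn tunnel list` and `show vpn ipsec-sa` layouts exactly as printed on this page; the sample text is copied from those outputs and the function names are mine.

```python
"""SPI cross-check between FortiGate and PAN-OS outputs (added example).
Assumes the output layouts shown on this page."""
import re

# Relevant lines copied from the FortiGate 'diagnose vpn tunnel list' above.
FGT_TUNNEL_LIST = """\
name=VPN-to-Remote ver=1 serial=3 202.103.13.2:0->202.103.23.2:0
  dec: spi=35f11fb3 esp=aes key=16 2aba5fd6c7959ed2ee4dbd4653f2e42f
  enc: spi=b5d1ae56 esp=aes key=16 a5d0f8ace26a19dd6c5e1089c0b4f755
"""

# The table from the Palo Alto 'show vpn ipsec-sa' above.
PA_IPSEC_SA = """\
GwID/client IP  TnID  Peer-Address  Tunnel(Gateway)             Algorithm      SPI(in)   SPI(out)  life(Sec/KB)    remain-time(Sec)
1               1     202.103.13.2  to_FortiGate(to_FortiGate)  ESP/A128/SHA1  B5D1AE56  35F11FB3  3600/Unlimited  2152
"""


def fortigate_spis(text: str) -> dict:
    """tunnel name -> {'enc': outbound SPI, 'dec': inbound SPI} (lower-case hex)."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*name=(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = re.match(r"\s*(enc|dec): spi=([0-9a-fA-F]+)", line)
        if m and current:
            result[current][m.group(1)] = m.group(2).lower()
    return result


def paloalto_spis(text: str) -> dict:
    """peer address -> {'in': SPI, 'out': SPI} from 'show vpn ipsec-sa'.
    Data rows start with two numeric columns (GwID, TnID); the header does not."""
    result = {}
    row = re.compile(r"\s*\d+\s+\d+\s+(\S+)\s+\S+\s+\S+\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            result[m.group(1)] = {"in": m.group(2).lower(), "out": m.group(3).lower()}
    return result


def spis_consistent(fgt_text: str, pa_text: str, tunnel: str, peer: str) -> bool:
    """True when FortiGate's outbound SPI is Palo Alto's inbound SPI and vice versa."""
    f = fortigate_spis(fgt_text).get(tunnel, {})
    p = paloalto_spis(pa_text).get(peer, {})
    return bool(f and p) and f["enc"] == p["in"] and f["dec"] == p["out"]


if __name__ == "__main__":
    print(fortigate_spis(FGT_TUNNEL_LIST))
    print(paloalto_spis(PA_IPSEC_SA))
    print("SPIs consistent:",
          spis_consistent(FGT_TUNNEL_LIST, PA_IPSEC_SA, "VPN-to-Remote", "202.103.13.2"))
```

Feed it the live output of both commands after a rekey or a tunnel flap; a mismatch on a tunnel that both sides report as up is the signature of a stale SA.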
View the Palo Alto routing table; it includes the manually configured route to the FortiGate-side LAN via tunnel.1.
admin@PA-VM> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination        nexthop          metric flags    age   interface      next-AS
0.0.0.0/0          202.103.23.1     10     A S            ethernet1/1
10.10.1.0/24       0.0.0.0          10     A S            tunnel.1
10.10.2.0/24       10.10.2.1        0      A C            ethernet1/2
10.10.2.1/32       0.0.0.0          0      A H
202.103.23.0/24    202.103.23.2     0      A C            ethernet1/1
202.103.23.2/32    0.0.0.0          0      A H
total routes shown: 6
Connectivity test from PC2 on the Palo Alto side.
VPCS> show
NAME   IP/MASK          GATEWAY
VPCS1  10.10.2.2/24     10.10.2.1
       fe80::250:79ff:fe66:6805/64

VPCS> ping 10.10.1.2
84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=2.099 ms
84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=2.617 ms
84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=2.074 ms
84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.024 ms
84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=1.944 ms
Packet capture on the FortiGate. Each echo request arrives on the tunnel interface and leaves on port3, and the reply takes the reverse path, confirming that the traffic is routed through the tunnel rather than the WAN.
FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
2023-04-12 15:38:12.130447 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:12.130504 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:12.130732 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:12.130746 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:13.134398 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:13.134471 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:13.134728 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:13.134745 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:14.137358 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:14.137391 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:14.137592 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:14.137600 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:15.140135 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:15.140174 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:15.140321 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:15.140334 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:16.143326 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:16.143362 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-12 15:38:16.143547 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-12 15:38:16.143560 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
Notes
On capturing VPN payload and ESP packets with the sniffer (the IP addresses in these three filters are placeholders, not the addresses used in this example):
Capture the IKE negotiation packets of the IPsec VPN (UDP 500, and UDP 4500 when NAT-T is in use):
diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
Capture the ESP-encrypted packets on the WAN side:
diagnose sniffer packet any "host 101.1.1.1 and esp" 4
Capture the cleartext payload packets, before encryption or after decryption:
diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
Note: hardware appliances offload IPsec to NP processors, so a capture may be incomplete (mainly the ESP packets and the cleartext payload are missing). When that happens, temporarily disable NP offload on the tunnel's phase 1 and re-enable it once the capture is done, since the offloaded path is what carries the tunnel's throughput:
FortiGate # config vpn ipsec phase1-interface
FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
FortiGate (BJ-OSPF-TO-SH) # end
Palo Alto firewall IPsec VPN debugging (enable IKE debugging and the IKE packet capture, read the log and the pcap, then turn the capture off again):
debug ike global on debug
less mp-log ikemgr.log
debug ike pcap on
view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
debug ike pcap off