Establishing an IPsec VPN with an H3C SecPath Firewall
Network requirements
As shown in the figure, two LANs are connected through an IPsec VPN (interface mode) so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can communicate. The IPsec VPN (IKEv1) is established with an H3C SecPath firewall.
H3C SecPath firewall version:
<H3C>display version
H3C Comware Software, Version 7.1.064, ESS 1185P29
Copyright (c) 2004-2022 New H3C Technologies Co., Ltd. All rights reserved.
H3C SecPath vFW1000 uptime is 0 weeks, 0 days, 0 hours, 7 minutes
Last reboot reason : Power on
Boot image: flash:/vFW1000-CMW710-BOOT-E1185P29-X64.bin
Boot image version: 7.1.064, ESS 1185P29
Compiled Oct 31 2022 14:00:00
System image: flash:/vFW1000-CMW710-SYSTEM-E1185P29-X64.bin
System image version: 7.1.064, ESS 1185P29
Compiled Oct 31 2022 14:00:00
Network topology

Configuration points
- Configure the FortiGate
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Configure the H3C SecPath firewall
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Note: to delete the IPsec VPN phase 1 or phase 2, first delete the routes and firewall policies that reference them.
Configuration steps
FortiGate
Basic Internet access configuration.



Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.

Select the Custom IPsec VPN template and click Next.

Configure the network, authentication, phase 1 and phase 2 settings as shown in the figure.
Important
Unlike Cisco/PA/Juniper/Hillstone peers, which build the IPsec tunnel on a virtual interface with all-zero (0.0.0.0/0) interesting traffic, H3C firewalls normally bind IPsec to a physical interface and require a specific interesting-traffic ACL. The FortiGate side must therefore define the matching specific phase 2 selectors; it cannot use 0.0.0.0/0.

config vpn ipsec phase1-interface
    edit "VPN-to-Remote"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.103.23.2
        set psksecret xxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-Remote"
        set phase1name "VPN-to-Remote"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 10.10.2.0 255.255.255.0
    next
end
Configure the address objects for the VPN subnets and the firewall policies.


config firewall address
    edit "Local_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Remote_10.10.2.0/24"
        set subnet 10.10.2.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-Local-to-Remote"
        set srcintf "port3"
        set dstintf "VPN-to-Remote"
        set action accept
        set srcaddr "Local_10.10.1.0/24"
        set dstaddr "Remote_10.10.2.0/24"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-Remote-to-Local"
        set srcintf "VPN-to-Remote"
        set dstintf "port3"
        set action accept
        set srcaddr "Remote_10.10.2.0/24"
        set dstaddr "Local_10.10.1.0/24"
        set schedule "always"
        set service "ALL"
    next
end
Configure the static routes for the VPN subnets.
Important
The purpose of the blackhole route in the VPN routing configuration:
You may have run into VPN problems such as these: SIP phones across the VPN drop intermittently and cannot register with the server; RADIUS authentication across the VPN frequently fails; APs across the VPN registering to headquarters drop intermittently; a continuous PRTG monitor pinging a headquarters server shows intermittent outages.
A VPN sometimes reconnects for various reasons, such as an unstable Internet link or a PPPoE reconnect that changes the public IP address. The VPN tunnel goes DOWN briefly, and the route to the peer's VPN subnet disappears briefly as well. During that window the VPN traffic (SIP registration requests, RADIUS, CAPWAP, ICMP) matches the default route and is sent out the WAN (Internet) interface, creating an incorrect UDP NAT session. Even after the tunnel comes back UP and the route to the VPN subnet is restored, the existing SIP and other VPN traffic keeps using the incorrect session, and the service malfunctions.
Solutions:
Method 1: configure a blackhole route to the VPN subnet with an administrative distance of 254. While the VPN is up this blackhole route is inactive; when the VPN goes down it floats up and takes effect, discarding the VPN traffic instead of forwarding it to the Internet and creating an incorrect session. This is the purpose of the backup blackhole route for the VPN.
Method 2: configure a deny policy with source interface LAN, destination interface WAN, source IP the local internal subnet and destination IP the remote internal subnet. This drops the (useless) private-address traffic heading for the Internet, so the FortiGate never creates the incorrect session and the UDP services no longer drop intermittently.
Method 3: enable "set snat-route-change enable" globally. When a route changes, the related sessions are flagged "dirty", the route cache is cleared and the next hop for the destination IP is looked up again, so when the VPN tunnel recovers the traffic switches back into the tunnel accordingly.
FortiGate # config system global
FortiGate (global) # set snat-route-change enable
FortiGate (global) # end
Any one of the three methods is sufficient. The blackhole route is recommended.

config router static
    edit 1
        set gateway 202.103.13.1
        set device "port2"
    next
    edit 2
        set dst 10.10.2.0 255.255.255.0
        set device "VPN-to-Remote"
    next
    edit 3
        set dst 10.10.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
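The behaviour described in the Important note above, as an added Python model that is not part of the original article and not FortiOS code: a minimal RIB holding the three static routes from the configuration, a session table, and the outage sequence (tunnel up, tunnel down, tunnel back up) run without any protection, with the distance-254 blackhole route, and with snat-route-change. Interface names and route entries are taken from the article; the session-handling rules (a session pins the egress chosen for its first packet, sessions on a down interface are torn down, a route change with snat-route-change flushes them) are a simplified assumption, not FortiOS internals.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    device: str            # egress interface, or "blackhole"
    distance: int = 10     # FortiOS default static-route distance
    active: bool = True    # a tunnel route is withdrawn while the tunnel is down


def build_rib(tunnel_up: bool, with_blackhole: bool) -> list:
    """The three static routes from the article's 'config router static'."""
    rib = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "port2"),                               # edit 1: default via WAN
        Route(ipaddress.ip_network("10.10.2.0/24"), "VPN-to-Remote", active=tunnel_up),  # edit 2: via the tunnel
    ]
    if with_blackhole:
        rib.append(Route(ipaddress.ip_network("10.10.2.0/24"), "blackhole", distance=254))  # edit 3
    return rib


def lookup(rib: list, dst: str) -> Route:
    """Longest prefix wins; for equal prefixes the lowest administrative distance wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if r.active and addr in r.prefix]
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


class Firewall:
    """Simplified session model (assumption): a session pins the egress chosen for its first packet."""

    def __init__(self, with_blackhole: bool, snat_route_change: bool):
        self.with_blackhole = with_blackhole
        self.snat_route_change = snat_route_change
        self.tunnel_up = True
        self.sessions = {}   # (src, dst) -> egress device

    def set_tunnel(self, up: bool) -> None:
        self.tunnel_up = up
        if not up:
            # sessions bound to the interface that went down are torn down
            self.sessions = {k: v for k, v in self.sessions.items() if v != "VPN-to-Remote"}
        if self.snat_route_change:
            # 'set snat-route-change enable': a route change marks sessions dirty,
            # so the next packet of each session re-does the route lookup
            self.sessions.clear()

    def forward(self, src: str, dst: str) -> str:
        key = (src, dst)
        if key in self.sessions:
            return self.sessions[key]           # existing session: no new route lookup
        route = lookup(build_rib(self.tunnel_up, self.with_blackhole), dst)
        if route.device == "blackhole":
            return "drop"                        # discarded, and no session is created
        self.sessions[key] = route.device
        return route.device


def outage_scenario(with_blackhole: bool, snat_route_change: bool) -> list:
    """Egress used by 10.10.1.2 -> 10.10.2.2 before, during and after a tunnel outage."""
    fw = Firewall(with_blackhole, snat_route_change)
    path = [fw.forward("10.10.1.2", "10.10.2.2")]      # tunnel up
    fw.set_tunnel(False)
    path.append(fw.forward("10.10.1.2", "10.10.2.2"))  # tunnel down: where does the traffic go?
    fw.set_tunnel(True)
    path.append(fw.forward("10.10.1.2", "10.10.2.2"))  # tunnel restored: is the old session reused?
    return path


if __name__ == "__main__":
    print("no blackhole, no snat-route-change:", outage_scenario(False, False))
    print("blackhole route (distance 254):    ", outage_scenario(True, False))
    print("snat-route-change enable:          ", outage_scenario(False, True))
```

The first scenario prints ['VPN-to-Remote', 'port2', 'port2']: during the outage the traffic leaks to the WAN, and the stale session keeps it there even after the tunnel is back. With the blackhole route the middle packet is dropped and no session is created, so recovery is clean; with snat-route-change the leak still happens but the route change flushes the session and the next packet returns to the tunnel.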
H3C SecPath
Basic IP and route configuration.


interface GigabitEthernet2/0
 port link-mode route
 ip address 202.103.23.2 255.255.255.0
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet3/0
 port link-mode route
 ip address 10.10.2.1 255.255.255.0
 manage ping inbound
 manage ping outbound
#
security-zone name Trust
 import interface GigabitEthernet3/0
#
security-zone name Untrust
 import interface GigabitEthernet2/0
#
ip route-static 0.0.0.0 0 GigabitEthernet2/0 202.103.23.1
Address object, security policy and NAT configuration.



object-group ip address Local_10.10.2.0/24
 0 network subnet 10.10.2.0 255.255.255.0
#
object-group ip address Remote_10.10.1.0/24
 0 network subnet 10.10.1.0 255.255.255.0
#
security-policy ip
 rule 2 name to_Internet
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip Local_10.10.2.0/24
#
nat policy
 rule name to_Internet
  source-ip Local_10.10.2.0/24
  outbound-interface GigabitEthernet2/0
  action easy-ip
Configure IPsec: create an IKE proposal, set the security proposal as shown in the figure, and click OK to apply the configuration.

Create an IPsec policy with the parameters shown in the figure. The security proposal must match the FortiGate side. For the remote ID select "IPv4 address" and enter the IP address of the FortiGate's public interface; if the FortiGate address is dynamic, an FQDN-type ID can be used instead, in which case the local ID on the FortiGate side must also be changed to the FQDN form. Enable "Auto trigger" and "DPD", and check "Automatically generate security policy" (the automatically created policies allow IPsec negotiation to be initiated and accepted).

acl advanced name IPsec_to_FortiGate_IPv4_1
 rule 0 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
#
ipsec transform-set to_FortiGate_IPv4_1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group14
#
ipsec policy to_FortiGate 1 isakmp
 transform-set to_FortiGate_IPv4_1
 security acl name IPsec_to_FortiGate_IPv4_1
 local-address 202.103.23.2
 remote-address 202.103.13.2
 ike-profile to_FortiGate_IPv4_1
 sa trigger-mode auto
 sa duration time-based 43200
 sa idle-time 60
#
ike profile to_FortiGate_IPv4_1
 keychain to_FortiGate_IPv4_1
 dpd interval 20 on-demand
 match remote identity address 202.103.13.2 255.255.255.255
 match local address GigabitEthernet2/0
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm sha256
#
ike keychain to_FortiGate_IPv4_1
 match local address GigabitEthernet2/0
 pre-shared-key address 202.103.13.2 255.255.255.255 key cipher $c$3$OAC3tjUo2G+AOc7w0iW8jeQvV2wpRj96iHSZ
#
interface GigabitEthernet2/0
 ipsec apply policy to_FortiGate
#
security-policy ip
 rule 4 name IPsec_to_FortiGate_1_20230407151324_IN
  action pass
  destination-zone Local
  service ike
  service nat-t-ipsec
  service ipsec-ah
  service ipsec-esp
 rule 3 name IPsec_to_FortiGate_1_20230407151324_OUT
  action pass
  source-zone Local
  service ike
  service nat-t-ipsec
  service ipsec-ah
  service ipsec-esp
Configure the security policies that permit the IPsec VPN subnets, and move them ahead of the Internet-access policy.

security-policy ip
 rule 6 name VPN_from_FortiGate
  action pass
  source-zone Untrust
  destination-zone Trust
  source-ip Remote_10.10.1.0/24
  destination-ip Local_10.10.2.0/24
 rule 5 name VPN_to_FortiGate
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip Local_10.10.2.0/24
  destination-ip Remote_10.10.1.0/24
 rule 4 name IPsec_to_FortiGate_1_20230407151324_IN
  action pass
  destination-zone Local
  service ike
  service nat-t-ipsec
  service ipsec-ah
  service ipsec-esp
 rule 3 name IPsec_to_FortiGate_1_20230407151324_OUT
  action pass
  source-zone Local
  service ike
  service nat-t-ipsec
  service ipsec-ah
  service ipsec-esp
 rule 2 name to_Internet
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip Local_10.10.2.0/24
The H3C firewall's forwarding order is SNAT first, then IPsec VPN. With the SNAT rule configured earlier, VPN traffic from 10.10.2.2 to 10.10.1.2 would be translated to the public IP 202.103.23.2 before entering IPsec processing, where it no longer matches the interesting-traffic ACL and is therefore never encrypted. An additional SNAT rule that bypasses NAT for the VPN traffic is required, placed at the top so that it matches first.

nat policy
 rule name VPN_to_FortiGate
  source-ip Local_10.10.2.0/24
  destination-ip Remote_10.10.1.0/24
  outbound-interface GigabitEthernet2/0
  action no-nat
 rule name to_Internet
  source-ip Local_10.10.2.0/24
  outbound-interface GigabitEthernet2/0
  action easy-ip
Add a static route to the FortiGate's internal VPN subnet. (Because the default route already leaves through the physical interface that IPsec is bound to, this route is not strictly needed here; it is shown for the case where there is no default route, or the default route uses a different interface.)

ip route-static 10.10.1.0 24 GigabitEthernet2/0 202.103.23.1
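The two matching rules this article depends on, as an added Python model that is not from the original article or from H3C: the SNAT-before-IPsec order (a NAT rule list evaluated top-down, then the IPsec ACL checked against the post-NAT packet) with the NAT policy as first configured and as fixed with the no-nat rule, and the mirror check for specific selectors from the Important note in the FortiGate section. Rule names, subnets and the WAN address are taken from the article's configuration; the evaluation logic is a simplified assumption, not Comware's implementation.

```python
import ipaddress


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def contains(network: ipaddress.IPv4Network, ip: str) -> bool:
    return ipaddress.ip_address(ip) in network


WAN_IP = "202.103.23.2"   # GigabitEthernet2/0, the address easy-ip translates to

# NAT policy as first configured in the article: only the Internet rule.
NAT_BEFORE = [
    {"name": "to_Internet", "src": net("10.10.2.0/24"), "dst": net("0.0.0.0/0"), "action": "easy-ip"},
]
# NAT policy after the fix: the no-nat rule for VPN traffic is placed first.
NAT_AFTER = [
    {"name": "VPN_to_FortiGate", "src": net("10.10.2.0/24"), "dst": net("10.10.1.0/24"), "action": "no-nat"},
    {"name": "to_Internet", "src": net("10.10.2.0/24"), "dst": net("0.0.0.0/0"), "action": "easy-ip"},
]
# acl advanced IPsec_to_FortiGate_IPv4_1, rule 0
IPSEC_ACL = [(net("10.10.2.0/24"), net("10.10.1.0/24"))]


def apply_nat(rules: list, src: str, dst: str):
    """First matching rule wins (rules are evaluated top-down). Returns (post-NAT src, rule name)."""
    for rule in rules:
        if contains(rule["src"], src) and contains(rule["dst"], dst):
            if rule["action"] == "easy-ip":
                return WAN_IP, rule["name"]
            return src, rule["name"]            # no-nat: source address untouched
    return src, None


def matches_acl(acl: list, src: str, dst: str) -> bool:
    return any(contains(s, src) and contains(d, dst) for s, d in acl)


def h3c_forward(nat_rules: list, src: str, dst: str) -> dict:
    """Model the order the article describes: SNAT first, then the IPsec ACL on the post-NAT packet."""
    post_nat_src, rule = apply_nat(nat_rules, src, dst)
    return {
        "nat_rule": rule,
        "post_nat_src": post_nat_src,
        "encrypted": matches_acl(IPSEC_ACL, post_nat_src, dst),
    }


def selectors_mirror(fg_src: str, fg_dst: str, h3c_src: str, h3c_dst: str) -> bool:
    """With specific selectors, the H3C ACL must be the exact mirror of the FortiGate
    phase 2 src-subnet/dst-subnet pair; an all-zero FortiGate selector does not match."""
    return net(fg_src) == net(h3c_dst) and net(fg_dst) == net(h3c_src)


if __name__ == "__main__":
    print("before fix:", h3c_forward(NAT_BEFORE, "10.10.2.2", "10.10.1.2"))
    print("after fix: ", h3c_forward(NAT_AFTER, "10.10.2.2", "10.10.1.2"))
    print("internet:  ", h3c_forward(NAT_AFTER, "10.10.2.2", "8.8.8.8"))
    print("specific selectors mirror:",
          selectors_mirror("10.10.1.0/24", "10.10.2.0/24", "10.10.2.0/24", "10.10.1.0/24"))
    print("all-zero selectors mirror:",
          selectors_mirror("0.0.0.0/0", "0.0.0.0/0", "10.10.2.0/24", "10.10.1.0/24"))
```

Before the fix the packet leaves NAT with source 202.103.23.2 and fails the ACL, so it is sent in the clear; after the fix the no-nat rule matches first, the source stays 10.10.2.2 and the ACL matches. Internet-bound traffic still hits the easy-ip rule, which is why the no-nat rule must carry a destination condition and sit above it.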
Verification
On the FortiGate, check that the IPsec tunnel is established. Add an IPsec monitor widget to the dashboard; it shows the tunnel as up.

FortiGate # diagnose vpn ike gateway list
vd: root/0
name: VPN-to-Remote
version: 1
interface: port2 4
addr: 202.103.13.2:500 -> 202.103.23.2:500
tun_id: 202.103.23.2/::202.103.23.2
remote_location: 0.0.0.0
network-id: 0
created: 2435s ago
IKE SA: created 1/1  established 1/1  time 20/20/20 ms
IPsec SA: created 1/38  established 1/38  time 20/75/2030 ms

  id/spi: 365 3f178bf07066db5b/4bc6621ed12c3030
  direction: initiator
  status: established 2435-2435s ago = 20ms
  proposal: aes256-sha256
  key: 2f13f4b81d3eb4c1-575e1272457cc854-d37978c764f9a778-cd5724cdc244f07a
  lifetime/rekey: 86400/83664
  DPD sent/recv: 00000a61/000030dd

FortiGate # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-to-Remote ver=1 serial=1 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=13 olast=13 ad=/0
stat: rxp=10 txp=15 rxb=840 txb=1260
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=2658
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-to-Remote proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:10.10.1.0-10.10.1.255:0
  dst: 0:10.10.2.0-10.10.2.255:0
  SA: ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42881/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42901/43200
  dec: spi=34dc89a0 esp=aes key=32 9ebf3ec4affd4b4a57b18fe15c1c505184622c2cdcba87d788887f569cfaa23e
       ah=sha256 key=32 c3efca48ffbcd7fb0e8013fef745576010a71ec3c9a02a32f333c380de01e2a6
  enc: spi=bc07e7b7 esp=aes key=32 660dedaa1a6d145b94073c031a3e9f1587dcb44d3b50b9683382b27ecd5562ce
       ah=sha256 key=32 308adc9899b8775255c59053ed4a5edc3df8231135007d2a26614097619361de
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0
Check the FortiGate routing table.
FortiGate # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
C       10.10.1.0/24 is directly connected, port3
S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
C       192.168.100.0/24 is directly connected, port1
C       202.103.13.0/24 is directly connected, port2
Service test from PC1 on the FortiGate side.
VPCS> show
NAME   IP/MASK              GATEWAY
VPCS1  10.10.1.2/24         10.10.1.1
       fe80::250:79ff:fe66:6804/64

VPCS> ping 10.10.2.2
84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=4.769 ms
84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=2.769 ms
84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=2.194 ms
84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=3.881 ms
84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=2.335 ms
Check the IPsec connection status on the H3C firewall.

<H3C>display ike sa verbose remote 202.103.13.2
-----------------------------------------------
  Connection ID: 2
  Outside VPN:
  Inside VPN:
  Profile: to_FortiGate_IPv4_1
  Transmitting entity: Responder
  Initiator cookie: 3f178bf07066db5b
  Responder cookie: 4bc6621ed12c3030
-----------------------------------------------
  Local IP/port: 202.103.23.2/500
  Local ID type: IPV4_ADDR
  Local ID: 202.103.23.2

  Remote IP/port: 202.103.13.2/500
  Remote ID type: IPV4_ADDR
  Remote ID: 202.103.13.2

  Authentication-method: PRE-SHARED-KEY
  Authentication-algorithm: SHA256
  Encryption-algorithm: AES-CBC-256

  Life duration(sec): 86400
  Remaining key duration(sec): 83791
  Exchange-mode: Main
  Diffie-Hellman group: Group 14
  NAT traversal: Not detected

  Extend authentication: Disabled
  Assigned IP address:
  Vendor ID index:0xffffffff
  Vendor ID sequence number:0x0

<H3C>display ipsec sa remote 202.103.13.2
-------------------------------
Interface: GigabitEthernet2/0
-------------------------------

  -----------------------------
  IPsec policy: to_FortiGate
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: dh-group14
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Responder
    Path MTU: 1424
    Tunnel:
        local  address: 202.103.23.2
        remote address: 202.103.13.2
    Flow:
        sour addr: 10.10.2.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 10.10.1.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 1271313254 (0x4bc6b366)
      Connection ID: 347892350977
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA256
      SA idle time: 60
      SA duration (kilobytes/sec): 1843200/43200
      SA remaining duration (kilobytes/sec): 1843200/43177
      Max received sequence-number: 0
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 886868385 (0x34dc89a1)
      Connection ID: 347892350976
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA256
      SA idle time: 60
      SA duration (kilobytes/sec): 1843200/43200
      SA remaining duration (kilobytes/sec): 1843200/43177
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N
      Status: Active
Check the H3C firewall routing table; it contains the manually configured route to the FortiGate's internal subnet.
<H3C>display ip routing-table

Destinations : 18        Routes : 18

Destination/Mask    Proto   Pre  Cost  NextHop          Interface
0.0.0.0/0           Static  60   0     202.103.23.1     GE2/0
0.0.0.0/32          Direct  0    0     127.0.0.1        InLoop0
10.10.1.0/24        Static  60   0     202.103.23.1     GE2/0
10.10.2.0/24        Direct  0    0     10.10.2.1        GE3/0
10.10.2.1/32        Direct  0    0     127.0.0.1        InLoop0
10.10.2.255/32      Direct  0    0     10.10.2.1        GE3/0
127.0.0.0/8         Direct  0    0     127.0.0.1        InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1        InLoop0
127.255.255.255/32  Direct  0    0     127.0.0.1        InLoop0
192.168.100.0/24    Direct  0    0     192.168.100.6    GE1/0
192.168.100.6/32    Direct  0    0     127.0.0.1        InLoop0
192.168.100.255/32  Direct  0    0     192.168.100.6    GE1/0
202.103.23.0/24     Direct  0    0     202.103.23.2     GE2/0
202.103.23.2/32     Direct  0    0     127.0.0.1        InLoop0
202.103.23.255/32   Direct  0    0     202.103.23.2     GE2/0
224.0.0.0/4         Direct  0    0     0.0.0.0          NULL0
224.0.0.0/24        Direct  0    0     0.0.0.0          NULL0
255.255.255.255/32  Direct  0    0     127.0.0.1        InLoop0
Service test from PC2 on the H3C firewall side.
VPCS> show
NAME   IP/MASK              GATEWAY
VPCS1  10.10.2.2/24         10.10.2.1
       fe80::250:79ff:fe66:6805/64

VPCS> ping 10.10.1.2
84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=3.529 ms
84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=2.741 ms
84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=2.472 ms
84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.250 ms
84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=2.193 ms
Packet capture on the FortiGate side.
FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
2023-04-07 16:07:08.123477 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:08.123667 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:08.123902 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:08.123914 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:09.127191 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:09.127380 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:09.127691 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:09.127700 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:10.131278 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:10.131445 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:10.131618 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:10.131624 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:11.134468 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:11.134502 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:11.134737 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:11.134744 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:12.137190 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:12.137220 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:12.137409 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:12.137416 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
Notes
On capturing VPN service traffic and ESP packets with the sniffer:
Capture the IPsec VPN IKE negotiation packets:
diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
Capture the IPsec VPN ESP encrypted packets:
diagnose sniffer packet any "host 101.1.1.1 and esp" 4
Capture the plaintext IPsec VPN service packets:
diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
Note: because hardware appliances accelerate IPsec VPN in a dedicated chip, the capture may be incomplete; this mainly affects the ESP packets and the plaintext service packets. It is therefore sometimes necessary to disable NP offload on the VPN tunnel:
FortiGate # config vpn ipsec phase1-interface
FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
FortiGate (BJ-OSPF-TO-SH) # end
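A way to check a plaintext capture like the one in the verification section, as an added Python example that is not from the original article or from Fortinet: a parser for the verbosity-4 sniffer line format, a per-interface path summary of the VPN business traffic, and a detector for packets to a VPN subnet that leave through a WAN interface instead of the tunnel (the leak the blackhole route is meant to prevent). The sample capture is constructed: four lines copied from the article's capture plus one constructed leak line with an already-translated source; the interface roles and the subnet list are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Verbosity-4 line shape: "<date> <time> <iface> <in|out> <src> -> <dst>: <payload>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (in|out) (\S+) -> (\S+): (.*)$")

# Assumed roles, taken from the article's topology
PRIVATE_NETS = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.2.0/24")]
WAN_IFACES = {"port2"}


def strip_port(field: str) -> str:
    """TCP/UDP endpoints print as a.b.c.d.port; ICMP/ESP endpoints as a.b.c.d."""
    parts = field.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else field


def parse(lines) -> list:
    packets = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # banner lines such as 'Using Original Sniffing Mode' or 'filters=[...]'
        ts, iface, direction, src, dst, payload = m.groups()
        packets.append({"ts": ts, "iface": iface, "dir": direction,
                        "src": strip_port(src), "dst": strip_port(dst), "payload": payload})
    return packets


def in_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in PRIVATE_NETS)


def is_vpn_business(pkt: dict) -> bool:
    """Plaintext traffic between the two VPN subnets."""
    return in_private(pkt["src"]) and in_private(pkt["dst"])


def path_summary(packets: list) -> Counter:
    """How many VPN-business packets were seen on each (interface, direction)."""
    return Counter((p["iface"], p["dir"]) for p in packets if is_vpn_business(p))


def leaked(packets: list) -> list:
    """Packets for a VPN subnet leaving on a WAN interface. Only the destination is checked,
    because on the WAN egress the source may already have been translated by SNAT."""
    return [p for p in packets
            if p["dir"] == "out" and p["iface"] in WAN_IFACES and in_private(p["dst"])]


# Constructed sample: four lines from the article's capture plus one constructed leak line.
SAMPLE = """
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
2023-04-07 16:07:08.123477 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:08.123667 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-07 16:07:08.123902 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:08.123914 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-07 16:07:09.000001 port2 out 202.103.13.2 -> 10.10.2.2: icmp: echo reply
""".strip().splitlines()


def check_sample():
    pkts = parse(SAMPLE)
    return len(pkts), path_summary(pkts), [p["ts"] for p in leaked(pkts)]


if __name__ == "__main__":
    total, summary, leaks = check_sample()
    print(f"{total} packets parsed")
    for (iface, direction), n in sorted(summary.items()):
        print(f"  {iface:15s} {direction:3s} {n}")
    print("VPN-subnet traffic leaving a WAN interface at:", leaks)
```

In a healthy capture every VPN-business packet appears only on the tunnel interface and the LAN interface, and the leak list is empty; a non-empty leak list during or after a tunnel flap is the symptom the blackhole route section describes.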