Establishing an IPsec VPN with a Huawei USG6000V Firewall
Network requirements
As shown in the figure, two LANs are connected with an interface-mode IPsec VPN so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can communicate. The peer is a Huawei USG6000V firewall and the tunnel uses IKEv1.
Huawei USG6000V firewall version:
<USG6000V2>display version
2023-04-06 17:43:15.520 +08:00
Huawei Versatile Routing Platform Software
VRP (R) Software, Version 5.170 (USG6000V2 V500R005C00SPC100)
Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.
USG6000V2 uptime is 0 week, 0 day, 2 hours, 40 minutes
IPS Signature Database Version : 2018070605
IPS Engine Version : V200R005C00SPC037
AV Signature Database Version :
SA Signature Database Version : 2018062700
C&C Domain Name Database Version :
FILE Reputation Database Version :
Location Database Version : 2014010414

Network topology

Configuration highlights
- Configure FortiGate
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Configure the Huawei USG6000V firewall
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Note: to delete an IPsec VPN phase 1 or phase 2 object, first delete the static routes and firewall policies that reference it.
Configuration steps
FortiGate
Basic Internet access configuration.



Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.

Select the Custom IPsec VPN template and click Next.

Configure the Network, Authentication, Phase 1 and Phase 2 sections as shown.
Important
Unlike Cisco, Palo Alto, Juniper and Hillstone, which build IPsec on a virtual tunnel interface with an all-zero (0.0.0.0/0) traffic selector, Huawei firewalls normally bind IPsec to a physical interface and require explicit traffic selectors defined by an ACL. The FortiGate phase 2 selectors must therefore also be explicit, mirroring the Huawei ACL (local 10.10.1.0/24, remote 10.10.2.0/24); a 0.0.0.0/0 selector will not match and phase 2 will not come up.

config vpn ipsec phase1-interface
    edit "VPN-to-Remote"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.103.23.2
        set psksecret xxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-Remote"
        set phase1name "VPN-to-Remote"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 10.10.2.0 255.255.255.0
    next
end

Replace xxxxxxxx with a long random pre-shared key; it must be identical on both peers. The SA actually negotiated with this Huawei peer (see the verification section) is AES-256 / SHA2-256 with DH group 14, so the aes128 and sha1 entries in both proposal lists can be removed to prevent a weaker suite from ever being negotiated.

Configure address objects for the VPN subnets and the firewall policies.


config firewall address
    edit "Local_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Remote_10.10.2.0/24"
        set subnet 10.10.2.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-Local-to-Remote"
        set srcintf "port3"
        set dstintf "VPN-to-Remote"
        set action accept
        set srcaddr "Local_10.10.1.0/24"
        set dstaddr "Remote_10.10.2.0/24"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-Remote-to-Local"
        set srcintf "VPN-to-Remote"
        set dstintf "port3"
        set action accept
        set srcaddr "Remote_10.10.2.0/24"
        set dstaddr "Local_10.10.1.0/24"
        set schedule "always"
        set service "ALL"
    next
end

Configure static routes for the VPN subnets.
Important
The purpose of the blackhole route in the VPN routing configuration:
You may run into VPN service problems such as these: SIP phones over the VPN drop intermittently and cannot register with the server; RADIUS authentication over the VPN frequently fails; APs joining headquarters over the VPN lose their connection from time to time; continuous PRTG monitoring pings to headquarters servers show intermittent outages.
A VPN sometimes reconnects for various reasons, for example an unstable Internet link or a PPPoE reconnection that changes the public IP address. The tunnel goes down briefly and the route to the remote VPN subnet disappears with it. During that window the VPN traffic (SIP registration, RADIUS, CAPWAP, ICMP) matches the default route instead and is sent out the WAN interface to the Internet, creating incorrect UDP NAT sessions. Even after the tunnel comes back up and the route is restored, the existing SIP and other flows keep matching those wrong sessions, so the service stays broken.
Solutions:
Method 1: configure a blackhole route to the remote VPN subnet with administrative distance 254. While the VPN is up the blackhole route is inactive; when the VPN goes down it becomes the best route, and the VPN traffic is discarded instead of being forwarded to the Internet and creating bad sessions. That is the purpose of the backup blackhole route.
Method 2: configure a firewall policy with source interface LAN, destination interface WAN, source address the local LAN subnet, destination address the remote LAN subnet, action deny. This drops the (useless) private-address traffic heading for the Internet, so the FortiGate never creates those sessions and the intermittent UDP service failures are avoided.
Method 3: enable `set snat-route-change enable` globally. When a route changes, the affected sessions are flagged dirty, the route cache is cleared and the next hop for the destination is looked up again, so when the tunnel recovers the traffic switches back into the tunnel.
FortiGate # config system global
FortiGate (global) # set snat-route-change enable
FortiGate (global) # end
Any one of the three methods is sufficient. The blackhole route is recommended.

config router static
    edit 1
        set gateway 202.103.13.1
        set device "port2"
    next
    edit 2
        set dst 10.10.2.0 255.255.255.0
        set device "VPN-to-Remote"
    next
    edit 3
        set dst 10.10.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
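The route selection described above, as an added example that is not part of the original article: a small Python model of the FortiGate decision (longest prefix first, lowest administrative distance among equal prefixes, with the tunnel route withdrawn while the tunnel is down). The three route entries mirror the static routes above (the default gateway is the one shown in the FortiGate routing table in the verification section); the tunnel-state flag, the Route class and the lookup functions are simplifications written for this example.

```python
"""Added example (not from the original article): why the distance-254
blackhole route matters.

Models FortiGate route selection as longest-prefix match, with the
administrative distance breaking ties among routes to the same prefix,
and shows what happens to 10.10.1.0/24 -> 10.10.2.0/24 traffic while the
tunnel is down, with and without the blackhole route.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    device: str         # outgoing interface, or "blackhole"
    distance: int = 10  # FortiOS default distance for static routes
    gateway: str = ""


def lookup(routes, dst, tunnel_up):
    """Return the best active route for dst, or None.

    The route via the tunnel interface is only active while the tunnel is
    up (FortiOS withdraws it when the interface goes down). Among active
    candidates the longest prefix wins; for equal prefix lengths the
    lowest distance wins.
    """
    addr = ip_address(dst)
    active = [r for r in routes
              if not (r.device == "VPN-to-Remote" and not tunnel_up)]
    candidates = [r for r in active if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix).prefixlen, r.distance))


def forwarding_decision(routes, dst, tunnel_up):
    """Map the chosen route to what the firewall does with the packet."""
    r = lookup(routes, dst, tunnel_up)
    if r is None or r.device == "blackhole":
        return "drop"
    if r.device == "VPN-to-Remote":
        return "encrypt"
    # Anything else leaves on a WAN interface: this is the leak that
    # creates the wrong UDP NAT session described in the article.
    return f"forward:{r.device}"


# Static routes from the article's `config router static` block (edit 1..3)
DEFAULT = Route("0.0.0.0/0", "port2", 10, "202.103.13.1")
TUNNEL = Route("10.10.2.0/24", "VPN-to-Remote", 10)
BLACKHOLE = Route("10.10.2.0/24", "blackhole", 254)

WITHOUT_BLACKHOLE = [DEFAULT, TUNNEL]
WITH_BLACKHOLE = [DEFAULT, TUNNEL, BLACKHOLE]

if __name__ == "__main__":
    for label, table in (("without blackhole", WITHOUT_BLACKHOLE),
                         ("with blackhole", WITH_BLACKHOLE)):
        for up in (True, False):
            decision = forwarding_decision(table, "10.10.2.2", up)
            print(f"{label:18} tunnel_up={up!s:5} -> {decision}")
```

With the tunnel up both tables send 10.10.2.2 into the tunnel, because the /24 tunnel route (distance 10) beats the /24 blackhole (distance 254). With the tunnel down, the table without a blackhole falls through to the default route and forwards the private traffic out port2, while the table with the blackhole drops it; Internet destinations are unaffected either way.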
Huawei USG6000V
Basic IP and routing configuration.


interface GigabitEthernet1/0/0
 undo shutdown
 ip address 202.103.23.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 202.103.23.1

Address objects, security policy and NAT configuration.



ip address-set Local_10.10.2.0/24 type object
 address 0 10.10.2.0 mask 24
#
ip address-set Remote_10.10.1.0/24 type object
 address 0 10.10.1.0 mask 24
#
security-policy
 default action permit
 rule name to_Internet
  source-zone trust
  destination-zone untrust
  source-address address-set Local_10.10.2.0/24
  action permit
#
nat-policy
 rule name to_Internet
  source-zone trust
  destination-zone untrust
  source-address address-set Local_10.10.2.0/24
  action source-nat easy-ip

`default action permit` is a lab convenience: it lets any traffic that matches no explicit rule through, including inbound traffic from untrust. In production keep the security-policy default at deny and add explicit rules for what must pass, including IKE (UDP 500/4500) and ESP from the FortiGate's public address to the USG's own untrust interface (local zone), which the tunnel needs and which the default permit is silently allowing here.

Configure IPsec: create a new IPsec VPN policy.

Configure the parameters as shown below. The IKE and IPsec proposals must match the FortiGate side. For the protected data flow, do not select an address object; enter the subnets manually, otherwise phase 2 may fail to establish. Enable reverse route injection (`route inject dynamic`) so the USG learns the route to the FortiGate LAN from the negotiated SA.

acl number 3000
 rule 5 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer ike64165343931
 pre-shared-key %^%#GFRw6k/f}&DP2(A}Sh*9",ym@xVr%!NO~3!N]5u!%^%#
 ike-proposal 1
 remote-id-type none
 dpd type periodic
 remote-address 202.103.13.2
#
ipsec proposal prop64165343931
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy ipsec6416534390 1 isakmp
 security acl 3000
 pfs dh-group14
 ike-peer ike64165343931
 proposal prop64165343931
 tunnel local applied-interface
 alias to_FortiGate
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 43200
 route inject dynamic
#
interface GigabitEthernet1/0/0
 ipsec policy ipsec6416534390

The original listing omitted the `ipsec proposal prop64165343931` definition and the binding of the policy to the interface; both are filled in here from the `display ipsec sa` output in the verification section (ESP AES-256 with SHA2-256, SA on GigabitEthernet1/0/0). The pre-shared key is shown in the USG's encrypted storage form and must be the same cleartext secret as the FortiGate `psksecret`.

Configure security policies permitting the VPN subnets and move them above the Internet access policy.

security-policy
 default action permit
 rule name VPN_to_FortiGate
  source-zone trust
  destination-zone untrust
  source-address address-set Local_10.10.2.0/24
  destination-address address-set Remote_10.10.1.0/24
  action permit
 rule name VPN_from_FortiGate
  source-zone untrust
  destination-zone trust
  source-address address-set Remote_10.10.1.0/24
  destination-address address-set Local_10.10.2.0/24
  action permit
 rule name to_Internet
  source-zone trust
  destination-zone untrust
  source-address address-set Local_10.10.2.0/24
  action permit

The Huawei forwarding path applies source NAT before IPsec. With only the SNAT rule configured earlier, VPN traffic from 10.10.2.2 to 10.10.1.2 is translated to the public IP 202.103.23.2 before it reaches the IPsec stage, where it no longer matches ACL 3000 and therefore is not encrypted. A NAT bypass rule (`action no-nat`) for the VPN traffic must be added and placed at the top of the nat-policy so that it matches first.

nat-policy
 rule name VPN_to_FortiGate
  source-zone trust
  destination-zone untrust
  source-address address-set Local_10.10.2.0/24
  destination-address address-set Remote_10.10.1.0/24
  action no-nat
 rule name to_Internet
  source-zone trust
  destination-zone untrust
  source-address address-set Local_10.10.2.0/24
  action source-nat easy-ip
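The ordering problem described above, as an added example that is not part of the original article: a Python model of the USG pipeline that applies the first matching nat-policy rule and only then checks the post-NAT flow against the IPsec ACL. The rule and ACL contents mirror the article's configuration; the matching engine and function names are simplifications written for this example.

```python
"""Added example (not from the original article): first-match NAT policy
ordering versus the IPsec traffic selector on the Huawei USG.

Source NAT runs before the IPsec policy is evaluated, so the post-NAT
5-tuple is what gets matched against ACL 3000. With the Internet rule
first, VPN traffic is NATed to the public IP and silently bypasses the
tunnel; with the no-nat rule first it is encrypted.
"""
from ipaddress import ip_address, ip_network

PUBLIC_IP = "202.103.23.2"  # GigabitEthernet1/0/0 address used by easy-ip
LOCAL = ip_network("10.10.2.0/24")
REMOTE = ip_network("10.10.1.0/24")

# acl number 3000 / rule 5 permit ip source 10.10.2.0 0.0.0.255
#                                   destination 10.10.1.0 0.0.0.255
ACL_3000 = [(LOCAL, REMOTE)]

# nat-policy rules: (name, source net or None for any, destination net or None, action)
RULE_NO_NAT = ("VPN_to_FortiGate", LOCAL, REMOTE, "no-nat")
RULE_EASY_IP = ("to_Internet", LOCAL, None, "source-nat easy-ip")


def _matches(net, addr):
    return net is None or ip_address(addr) in net


def apply_nat_policy(rules, src, dst):
    """First matching rule wins; return (rule name, post-NAT source address)."""
    for name, src_net, dst_net, action in rules:
        if _matches(src_net, src) and _matches(dst_net, dst):
            if action.startswith("source-nat"):
                return name, PUBLIC_IP
            return name, src  # no-nat: source left untouched
    return None, src  # no rule matched: no translation


def ipsec_selector_hit(acl, src, dst):
    """Does the (post-NAT) flow match any ACL rule that selects tunnel traffic?"""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)


def forward(rules, src, dst):
    """Run the USG pipeline in the order the article describes: NAT, then IPsec."""
    rule, nat_src = apply_nat_policy(rules, src, dst)
    return {
        "nat_rule": rule,
        "post_nat_src": nat_src,
        "encrypted": ipsec_selector_hit(ACL_3000, nat_src, dst),
    }


WRONG_ORDER = [RULE_EASY_IP, RULE_NO_NAT]  # Internet rule first: VPN flow is NATed
RIGHT_ORDER = [RULE_NO_NAT, RULE_EASY_IP]  # bypass rule first, as the article requires

if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(label, forward(rules, "10.10.2.2", "10.10.1.2"))
    print("internet   ", forward(RIGHT_ORDER, "10.10.2.2", "8.8.8.8"))
```

The failure mode is silent: in the wrong order nothing is denied, the packet simply leaves the untrust interface as 202.103.23.2 → 10.10.1.2 in cleartext and is dropped somewhere upstream. When the Huawei side shows an IKE SA but no IPsec SA, or the SA counters never increment, check the nat-policy order before touching the proposals.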
Verification
On the FortiGate, confirm that the IPsec tunnel is established: add an IPsec monitor widget to the dashboard, which shows the tunnel as up, and check from the CLI.

FortiGate # diagnose vpn ike gateway list
vd: root/0
name: VPN-to-Remote
version: 1
interface: port2 4
addr: 202.103.13.2:500 -> 202.103.23.2:500
tun_id: 202.103.23.2/::202.103.23.2
remote_location: 0.0.0.0
network-id: 0
created: 490s ago
IKE SA: created 1/1  established 1/1  time 210/210/210 ms
IPsec SA: created 1/2  established 1/1  time 390/390/390 ms

  id/spi: 257 05b470e04dc4363a/7f25ce9c15e94de3
  direction: initiator
  status: established 490-490s ago = 210ms
  proposal: aes256-sha256
  key: 9b5842bda3877c51-ebbc39ba4a960fde-f76d2defdebe67bd-de35bd7bc5720ec2
  lifetime/rekey: 86400/85609
  DPD sent/recv: 0000004d/135cb4c9

FortiGate # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-to-Remote ver=1 serial=1 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=1
bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=10 proxyid_num=1 child_num=0 refcnt=4 ilast=15 olast=15 ad=/0
stat: rxp=12 txp=12 rxb=1008 txb=1008
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=77
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-to-Remote proto=0 sa=1 ref=4 serial=1 auto-negotiate
  src: 0:10.10.1.0-10.10.1.255:0
  dst: 0:10.10.2.0-10.10.2.255:0
  SA: ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42436/0B replaywin=2048
       seqno=d esn=0 replaywin_lastseq=0000000d qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42929/43200
  dec: spi=34dc8977 esp=aes key=32 947441e7c4d219ad7c0cb909942e17d2c8e25b42346ea53f301ba37161d2fdef
       ah=sha256 key=32 df58345781028ba4ac18cc037ce667e974941e4ff544b7368f523307c83d4ea4
  enc: spi=0b11f21b esp=aes key=32 d5dcfee82b332abf9bb62c620c3e42ee42c0f6c990fa380204b02b83f0acdbff
       ah=sha256 key=32 16b2afbcec0b0feb10cf4dedba31d99e3c59ce020823a88b9b99122b02bedf65
  dec:pkts/bytes=24/2016, enc:pkts/bytes=24/2880
  npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0

The `src`/`dst` lines are the phase 2 selectors that the Huawei ACL must mirror, and the `dec`/`enc` SPIs should appear on the USG as its outbound and inbound SPIs respectively. Note that `diagnose vpn tunnel list` prints the live ESP keys; treat the output as sensitive.

Check the FortiGate routing table.
FortiGate # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
C       10.10.1.0/24 is directly connected, port3
S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
C       192.168.100.0/24 is directly connected, port1
C       202.103.13.0/24 is directly connected, port2

The blackhole route for 10.10.2.0/24 (distance 254) is not listed while the tunnel is up; only the active route with the lowest distance appears.

Test from PC1 on the FortiGate side.
VPCS> show
NAME   IP/MASK              GATEWAY           GATEWAY
VPCS1  10.10.1.2/24         10.10.1.1
       fe80::250:79ff:fe66:6804/64

VPCS> ping 10.10.2.2
84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=5.413 ms
84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=2.511 ms
84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=2.242 ms
84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=1.902 ms
84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=2.080 ms

Check the IPsec status on the Huawei firewall.

<USG6000V2>display ike sa verbose remote 202.103.13.2
2023-04-06 17:27:29.590 +08:00
Ike sa verbose information :
---------------------------------------------------------------
    Ike Sa phase                : 1
    Establish Time              : 2023-04-06 17:16:56
    PortCfg Index               : 0x6
    IKE Peer Name               : ike64165343931
    Connection Id               : 347
    Version                     : v1
    Exchange Mode               : Main
    Flow VPN                    :
    Peer VPN                    :
---------------------------------------------------------------
    Intiator Cookie             : 0x05b470e04dc4363a
    Responder Cookie            : 0x7f25ce9c15e94de3
    Local Address               : 202.103.23.2
    Remote Address              : 202.103.13.2:500
    Encryption Algorithm        : AES-256
    Authentication Algorithm    : SHA2-256
    Authentication Method       : Pre-Shared key
    DPD Capability              : Yes
    DPD Enable                  : Yes
    Remaining Duration          : 85766
    Reference Counter           : 1
    Flags                       : RD|A
    Remote Id Type              : IP
    Remote Id                   : 202.103.13.2
    DH Group                    : 14
    NAT Traversal Version       : RFC3947
    ModeCfg IP                  : -
---------------------------------------------------------------
Number of IKE SA : 1

<USG6000V2>display ipsec sa remote 202.103.13.2
2023-04-06 17:28:30.260 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/0
===============================
  -----------------------------
  IPSec policy name: "ipsec6416534390"
  Sequence number  : 1
  Acl group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID      : 350
    Encapsulation mode : Tunnel
    Holding time       : 0d 0h 11m 32s
    Tunnel local       : 202.103.23.2:500
    Tunnel remote      : 202.103.13.2:500
    Flow source        : 10.10.2.0/255.255.255.0 0/0-65535
    Flow destination   : 10.10.1.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 886868343 (0x34dc8977)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485759/42508
      Max sent sequence-number: 18
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 17/1428

    [Inbound ESP SAs]
      SPI: 185725467 (0xb11f21b)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485759/42508
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 17/1428
      Anti-replay : Enable
      Anti-replay window size: 1024

The IKE cookies (0x05b470e04dc4363a / 0x7f25ce9c15e94de3) match the `id/spi` pair in the FortiGate `diagnose vpn ike gateway list` output, and the USG outbound SPI 0x34dc8977 is the FortiGate `dec` SPI while the USG inbound SPI 0xb11f21b is the FortiGate `enc` SPI, confirming that both sides are describing the same SA pair.

Check the Huawei routing table: a route to the FortiGate LAN has been added automatically by reverse route injection.
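The cross-check just described, and the explicit-selector requirement stated in the Important note on the FortiGate side, as an added example that is not part of the original article: a Python script that parses the selectors and SPIs out of FortiGate `diagnose vpn tunnel list` and Huawei `display ipsec sa` output and verifies that each side's outbound SPI is the other's inbound SPI and that the traffic selectors are mirror images. The two excerpts embedded below are trimmed from the article's own verification output; the parsing regexes, function names and comparison logic are written for this example.

```python
"""Added example (not from the original article): cross-check the two
firewalls' view of one IPsec SA pair.

A selector mismatch (for instance a 0.0.0.0/0 selector on the FortiGate
against an explicit ACL on the USG) is the usual reason phase 2 never
comes up between an interface-mode FortiGate and a policy-based Huawei
peer; mismatched SPIs mean the two outputs are not describing the same SA.
"""
import re
from ipaddress import ip_address, ip_network, summarize_address_range

# Excerpt of the article's `diagnose vpn tunnel list` output (trimmed).
FGT_TUNNEL_LIST = """\
proxyid=VPN-to-Remote proto=0 sa=1 ref=4 serial=1 auto-negotiate
  src: 0:10.10.1.0-10.10.1.255:0
  dst: 0:10.10.2.0-10.10.2.255:0
  dec: spi=34dc8977 esp=aes key=32 947441e7c4d219ad7c0cb909942e17d2c8e25b42346ea53f301ba37161d2fdef
  enc: spi=0b11f21b esp=aes key=32 d5dcfee82b332abf9bb62c620c3e42ee42c0f6c990fa380204b02b83f0acdbff
"""

# Excerpt of the article's `display ipsec sa` output (trimmed).
USG_IPSEC_SA = """\
    Flow source        : 10.10.2.0/255.255.255.0 0/0-65535
    Flow destination   : 10.10.1.0/255.255.255.0 0/0-65535
    [Outbound ESP SAs]
      SPI: 886868343 (0x34dc8977)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
    [Inbound ESP SAs]
      SPI: 185725467 (0xb11f21b)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
"""


def _range_to_network(first, last):
    """FortiGate prints selectors as a-b address ranges; collapse to one CIDR."""
    nets = list(summarize_address_range(ip_address(first), ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"selector {first}-{last} is not a single prefix")
    return nets[0]


def parse_fortigate(text):
    """Selectors and SPIs from `diagnose vpn tunnel list` (one proxyid)."""
    sel = re.findall(r"^\s*(src|dst): \d+:(\S+?)-(\S+?):\d+$", text, re.M)
    spi = re.findall(r"^\s*(dec|enc): spi=([0-9a-f]+)", text, re.M)
    sels = {k: _range_to_network(a, b) for k, a, b in sel}
    spis = {k: int(v, 16) for k, v in spi}
    # dec = what we receive (our inbound SA); enc = what we send (outbound).
    return {"src": sels["src"], "dst": sels["dst"],
            "inbound_spi": spis["dec"], "outbound_spi": spis["enc"]}


def parse_huawei(text):
    """Flow selectors and SPIs from `display ipsec sa`."""
    flows = dict(re.findall(r"Flow (source|destination)\s*:\s*(\S+)", text))
    spis = re.findall(r"\[(Outbound|Inbound) ESP SAs\]\s*SPI: \d+ \((0x[0-9a-f]+)\)", text)
    spis = {k.lower(): int(v, 16) for k, v in spis}
    # ipaddress accepts the a.b.c.d/netmask form Huawei prints.
    return {"src": ip_network(flows["source"]), "dst": ip_network(flows["destination"]),
            "inbound_spi": spis["inbound"], "outbound_spi": spis["outbound"]}


def cross_check(fgt, usg):
    """Return a list of findings; an empty list means both sides agree."""
    problems = []
    if fgt["outbound_spi"] != usg["inbound_spi"]:
        problems.append("FortiGate enc SPI != Huawei inbound SPI")
    if fgt["inbound_spi"] != usg["outbound_spi"]:
        problems.append("FortiGate dec SPI != Huawei outbound SPI")
    if fgt["src"] != usg["dst"] or fgt["dst"] != usg["src"]:
        problems.append(f"selector mismatch: FGT {fgt['src']}->{fgt['dst']} "
                        f"vs USG {usg['src']}->{usg['dst']}")
    return problems


if __name__ == "__main__":
    fgt, usg = parse_fortigate(FGT_TUNNEL_LIST), parse_huawei(USG_IPSEC_SA)
    print(cross_check(fgt, usg) or "both sides agree on SPIs and selectors")
```

Feed it the full output of both commands after a change on either side; a `selector mismatch` finding points at the phase 2 selectors or ACL 3000, while an SPI finding means you are looking at a stale or different SA (for example after a rekey on one side only).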
[USG6000V2]display ip routing-table
2023-04-06 17:32:20.280 +08:00
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          D   202.103.23.1    GigabitEthernet1/0/0
      10.10.1.0/24  Unr     70   0          D   202.103.13.2    GigabitEthernet1/0/0
      10.10.2.0/24  Direct  0    0          D   10.10.2.1       GigabitEthernet1/0/1
      10.10.2.1/32  Direct  0    0          D   127.0.0.1       GigabitEthernet1/0/1
      127.0.0.0/8   Direct  0    0          D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0          D   127.0.0.1       InLoopBack0
   202.103.23.0/24  Direct  0    0          D   202.103.23.2    GigabitEthernet1/0/0
   202.103.23.2/32  Direct  0    0          D   127.0.0.1       GigabitEthernet1/0/0

The 10.10.1.0/24 entry with protocol Unr (unnumbered) and next hop 202.103.13.2 is the route injected by `route inject dynamic`; it exists only while the IPsec SA is up.

Test from PC2 on the Huawei side.
VPCS> show
NAME   IP/MASK              GATEWAY           GATEWAY
VPCS1  10.10.2.2/24         10.10.2.1
       fe80::250:79ff:fe66:6805/64

VPCS> ping 10.10.1.2
84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=3.139 ms
84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=2.126 ms
84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=2.508 ms
84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.257 ms
84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=1.767 ms

Packet capture on the FortiGate side.
FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
2023-04-06 17:30:20.440445 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:20.441055 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:20.441296 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:20.441308 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:21.444661 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:21.444753 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:21.444962 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:21.444969 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:22.447197 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:22.447332 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:22.447520 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:22.447527 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:23.451289 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:23.451454 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:23.451667 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:23.451676 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:24.453906 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:24.453939 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-06 17:30:24.454165 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-06 17:30:24.454176 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
Note
On using the sniffer to capture VPN payload and ESP packets:
Capture the IKE negotiation of an IPsec VPN:
diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
Capture the ESP-encrypted packets of an IPsec VPN:
diagnose sniffer packet any "host 101.1.1.1 and esp" 4
Capture the cleartext payload of an IPsec VPN:
diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
Here 101.1.1.1 stands for the peer's public address and 192.168.112.100 for a host behind the tunnel; substitute the addresses of the tunnel you are troubleshooting.
Note: on hardware appliances IPsec is offloaded to the NP chip, so the capture may be incomplete, mainly for the ESP packets and the cleartext payload. In that case temporarily disable NP offload for the tunnel in question (and re-enable it afterwards, since this moves all of the tunnel's crypto onto the CPU):
FortiGate # config vpn ipsec phase1-interface
FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
FortiGate (BJ-OSPF-TO-SH) # end