Establishing an IPsec VPN with Openswan
Network requirements
Connect two LANs through an IPsec VPN in interface mode so that the 192.168.0.0/24 and 192.168.1.0/24 networks can reach each other.
Network topology

Configuration steps
FortiGate IPsec configuration
1. Basic configuration
Configure the interface IP addresses and the routes.


2. Configure IPsec
Go to VPN --> IPsec Tunnels, click Create New and choose IPsec Tunnel.

Fill in the VPN Creation Wizard template: enter a name and, since there is no NAT in this topology, choose "No NAT between sites", then click Next.

Enter the IP address of the peer device (the outgoing interface is picked automatically from the routing table) and the pre-shared key.

Select the Local Interface, i.e. the internal interface whose network IPsec is to protect, port10 here. The local subnet is filled in automatically with the network of that interface's IP address (change it if a different network is to be protected). Enter the Remote Subnet, the network to be protected on the far side, and click Next.

The wizard summarizes the objects it is about to create; click Create.

The VPN has been created.

3. Configure DPD and auto-negotiation
Enable DPD in phase 1. In on-idle mode the FortiGate probes the peer only while the tunnel carries no traffic, every 10 s, and declares it dead after 3 unanswered probes (30 s):
config vpn ipsec phase1-interface
edit "to-openswan"
set dpd on-idle
set dpd-retrycount 3
set dpd-retryinterval 10
next
end

Enable auto-negotiation so that the tunnel is brought up proactively rather than only when user traffic triggers the negotiation; this avoids dropping the first packets of a session. It is enough to enable it on the side that initiates the VPN.
Phase 1 auto-negotiation is enabled by default.
config vpn ipsec phase1-interface
edit "to-openswan"
set auto-negotiate enable
next
end

Phase 2 auto-negotiation is disabled by default and has to be turned on:
config vpn ipsec phase2-interface
edit "to-openswan"
set auto-negotiate enable
next
end

Review the configuration created by the IPsec wizard
1. Address objects

2. IPsec configuration (the pre-shared key is stored encrypted, which is why it appears as an ENC blob)

config vpn ipsec phase1-interface
edit "to-openswan"
set interface "port9"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set comments "VPN: to-openswan (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 200.1.1.2
set psksecret ENC p62NOSnHRHf0H/FDMjbdenLf9XFZ8AWBxxp4ztydCj8wqSRTiYDcbEBov4ZKf/5xUwzXl3tE3mUPLyRP9h6gq1YJGR2kocyO1hqc/Iy3hQa+LYORLlznaMEKcxm6bKsNPeJHCe+FiOBatOW6pw9y8Vxwbp1yGvTkkKmyzfW3FWWzwbFHsa1AxigVRlZCsEKIzbW3dw==
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "to-openswan"
set phase1name "to-openswan"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
set comments "VPN: to-openswan (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "to-openswan_local"
set dst-name "to-openswan_remote"
next
end

3. Firewall policies

4. Static routes

Configure Openswan
1. Interfaces and routes
# ifconfig
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 200.1.1.2 netmask 255.255.255.0 broadcast 200.1.1.255
inet6 fe80::2652:4dd7:5d0e:941d prefixlen 64 scopeid 0x20<link>
inet6 240e:604:109:39::216 prefixlen 64 scopeid 0x0<global>
ether 00:0c:29:37:f0:ac txqueuelen 1000 (Ethernet)
RX packets 10 bytes 2266 (2.2 KiB)
RX errors 0 dropped 500 overruns 0 frame 0
TX packets 18 bytes 2284 (2.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens256: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::227:594:d82:e098 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:37:f0:b6 txqueuelen 1000 (Ethernet)
RX packets 2519 bytes 389134 (380.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 150 bytes 10928 (10.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 200.1.1.1 0.0.0.0 UG 106 0 0 ens224
192.168.1.0 0.0.0.0 255.255.255.0 U 105 0 0 ens256
200.1.1.0 0.0.0.0 255.255.255.0 U 106 0 0 ens224

2. Install Openswan
CentOS release used in the test environment:
# rpm --query centos-release
centos-release-7-9.2009.1.el7.centos.x86_64
# uname -a
Linux centos7-3 3.10.0-1160.49.1.el7.x86_64 #1 SMP Tue Nov 30 15:51:32 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Install Openswan:
yum install -y openswan
List the configuration files the package installed. On CentOS 7 the openswan package name is provided by libreswan, the maintained fork of Openswan, so what is actually installed is libreswan and its IKE daemon pluto; the ipsec.conf syntax used below is libreswan's:
# rpm -qc libreswan
/etc/ipsec.conf
/etc/ipsec.d/policies/block
/etc/ipsec.d/policies/clear
/etc/ipsec.d/policies/clear-or-private
/etc/ipsec.d/policies/portexcludes.conf
/etc/ipsec.d/policies/private
/etc/ipsec.d/policies/private-or-clear
/etc/ipsec.secrets
/etc/pam.d/pluto

3. Enable IPv4 forwarding and disable ICMP redirects
Forwarding is needed because the gateway routes between the tunnel and its LAN. Sending and accepting ICMP redirects must be off: ipsec verify checks both, and accepting redirects would let a neighbour on the link rewrite the gateway's routes.
cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
EOF
sysctl -a 2>/dev/null | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}'
sysctl -a 2>/dev/null | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
The first sys... pipeline only previews the keys that will be written; the second appends them to /etc/sysctl.conf with the value 0, and sysctl -p applies the file.

4. Disable SELinux
Temporarily: setenforce 0
Permanently:
#vi /etc/selinux/config
SELINUX=disabled

5. Disable the firewall, or open what IPsec needs: UDP 500, UDP 4500 and the ESP protocol
For this lab the firewall is simply stopped. On a production gateway keep SELinux enforcing (the distribution's libreswan package ships with a policy for pluto) and open only UDP 500, UDP 4500 and IP protocol 50 (ESP) instead of stopping firewalld.
systemctl stop firewalld
systemctl disable firewalld

6. Configure Openswan
/etc/ipsec.conf contains the following line by default; it is recommended to add each IPsec connection as a separate file under /etc/ipsec.d/:
include /etc/ipsec.d/*.conf
/etc/ipsec.secrets contains the following line by default; keep the pre-shared keys in a separate file under /etc/ipsec.d/ as well:
include /etc/ipsec.d/*.secrets

Configure the IPsec pre-shared key
vim /etc/ipsec.d/ipsec.secrets
100.1.1.2 : psk "ipsec-key"
Format: <local IP> <remote gateway IP> : PSK "<key>". The IDs before the colon select which peers the line applies to; listing only the remote gateway, as above, is also accepted, and pluto takes the keyword as PSK or psk. Leave a space on both sides of the colon and quote the key with double quotes. "ipsec-key" is a lab value only: pluto's debug output at the end of this page warns that a PSK shorter than 16 bytes is refused with a SHA-256 PRF in FIPS mode, and a short guessable key is the weak point of PSK authentication. Generate a long random key, for example with openssl rand -base64 32, enter the same value on the FortiGate, and keep the file readable by root only (chmod 600).

Configure the IPsec connection
vim /etc/ipsec.d/ipsec.conf
# connection name
conn ipsec1
# phase 1
# authenticate with the pre-shared key
authby=secret
# start: initiate the connection as soon as the ipsec service starts; add: only load it, and bring it up by hand with "ipsec auto --up ipsec1"
auto=start
# phase 1 algorithms; must match one of the FortiGate phase 1 proposals and DH groups. The FortiGate also offers aes256-sha256, so ike=aes256-sha2_256;modp2048 is the stronger choice if its DH group list includes group 14
ike=aes128-sha1;modp1536
# key exchange: ike accepts IKEv1 or IKEv2; the FortiGate wizard created an IKEv1 tunnel, and IKEv1 is what is negotiated below
keyexchange=ike
# phase 1 lifetime
ikelifetime=86400s
# no = Main Mode (default); yes = Aggressive Mode. Keep Main Mode: Aggressive Mode with a PSK sends the identity in the clear and exposes the PSK-derived hash to offline guessing
aggrmode=no
# phase 2
# phase 2 protocol
phase2=esp
# phase 2 algorithms; must match one of the FortiGate phase 2 proposals
phase2alg=aes128-sha1;modp1536
# no compression
compress=no
# enable PFS (the FortiGate has it on by default)
pfs=yes
# phase 2 lifetime
salifetime=3600s
# tunnel mode
type=tunnel
# local IP
left=200.1.1.2
# local subnet
leftsubnet=192.168.1.0/24
# remote VPN gateway IP
right=100.1.1.2
# remote subnet
rightsubnet=192.168.0.0/24
# reach the remote gateway through the default route
rightnexthop=%defaultroute
# DPD: probe every 10 s; if no reply arrives within 30 s, clear the connection (tear down its SAs and remove its route)
dpddelay=10
dpdtimeout=30
dpdaction=clear
With dpdaction=clear Libreswan does not re-initiate on its own; here the FortiGate's auto-negotiate brings the tunnel back. Use dpdaction=restart if Libreswan itself should re-establish it.

Start the IPsec service
systemctl start ipsec
systemctl enable ipsec
Validate the host with ipsec verify. When every line reports OK the configuration is usable:
# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-1160.49.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
If it reports the following instead:
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens192/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens224/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens256/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
fix it as follows.
Disable reverse-path filtering (rp_filter):
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ens192/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ens224/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ens256/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ip_vti0/rp_filter
Writing to /proc takes effect immediately but is lost at reboot; persist the setting as well. The kernel applies the higher of the all/ and the per-interface value, so both have to be 0:
cat >> /etc/sysctl.conf << EOF
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
EOF
Strict reverse-path filtering can drop packets that emerge from the tunnel, because their source addresses are not what the routing table expects on that interface. Loose mode (2) keeps some anti-spoofing protection and is worth trying before turning the check off entirely.

Check the IPsec state
1. Check the FortiGate IPsec state

# diagnose vpn ike gateway list
vd: root/0
name: to-openswan
version: 1
interface: port9 38
addr: 100.1.1.2:500 -> 200.1.1.2:500
tun_id: 200.1.1.2/::200.1.1.2
remote_location: 0.0.0.0
network-id: 0
created: 19s ago
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 50/50/50 ms
id/spi: 137 d69345dd761e35e1/0f7cdc8405b9cb8d
direction: responder
status: established 19-19s ago = 10ms
proposal: aes128-sha1
key: 82d396f4422ed9b5-2031250ed717f7f3
lifetime/rekey: 86400/86110
DPD sent/recv: 00000000/00003e85
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to-openswan ver=1 serial=2 100.1.1.2:0->200.1.1.2:0 tun_id=200.1.1.2 tun_id6=::200.1.1.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=38 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=7 olast=7 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=158
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=1 ref=2 serial=3
src: 0:192.168.0.0-192.168.0.255:0
dst: 0:192.168.1.0-192.168.1.255:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=3312/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3330/3600
dec: spi=dc629039 esp=aes key=16 257e01bac6998199e46bb81fcfea8ea7
ah=sha1 key=20 ae77b59ee36fc4412db7c998b00513655ce05e44
enc: spi=2d0f59d9 esp=aes key=16 3abe273778a50dd2e45708eaca1af809
ah=sha1 key=20 5710a515c5a7d1a4bb857e1b62bce8a7ed8f0622
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=200.1.1.2 npu_lgwy=100.1.1.2 npu_selid=3 dec_npuid=0 enc_npuid=0
run_tally=0
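The tunnel listing above is the FortiGate-side record of what was actually installed: sa=1 under the proxy-id means a phase 2 SA exists, src/dst are the negotiated selectors printed as address ranges, and dec:pkts/enc:pkts count decrypted and encrypted packets. The Python script below is an example added here, not FortiGate tooling and not code from the page. It parses that output, folds the selector ranges back into prefixes so they can be compared with the configured subnets, and compares two captures to tell a tunnel that is up and carrying traffic both ways from one that only encrypts, which usually means a route or policy is missing on the far side. The first sample is abridged from the output above (SA key material left out); the second capture, with bumped counters, is constructed.

```python
"""Parse FortiGate 'diagnose vpn tunnel list' output and judge the tunnel.

Added example, not FortiGate tooling and not code from the page. The first
snapshot is abridged from the output shown on the page (SA key material left
out); the second is constructed with bumped counters to stand in for a capture
taken after the ping test.
"""
import ipaddress
import re

SNAPSHOT_BEFORE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to-openswan ver=1 serial=2 100.1.1.2:0->200.1.1.2:0 tun_id=200.1.1.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=38 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 run_state=0 role=primary accept_traffic=1
proxyid_num=1 child_num=0 refcnt=4 ilast=7 olast=7 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=158
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-openswan proto=0 sa=1 ref=2 serial=3
  src: 0:192.168.0.0-192.168.0.255:0
  dst: 0:192.168.1.0-192.168.1.255:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=3312/0B replaywin=2048
       life: type=01 bytes=0/0 timeout=3330/3600
       dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""
# Constructed: the same tunnel after four pings in each direction.
SNAPSHOT_AFTER = (SNAPSHOT_BEFORE
                  .replace("rxp=0 txp=0 rxb=0 txb=0", "rxp=4 txp=4 rxb=336 txb=336")
                  .replace("dec:pkts/bytes=0/0, enc:pkts/bytes=0/0", "dec:pkts/bytes=4/336, enc:pkts/bytes=4/336"))

KV = re.compile(r"(\S+?)=(\S+)")  # key=value tokens on one line
PEER = re.compile(r"(\d+(?:\.\d+){3}):\d+->(\d+(?:\.\d+){3}):\d+")
RANGE = re.compile(r"\d+:(\d+(?:\.\d+){3})-(\d+(?:\.\d+){3}):\d+")
COUNTERS = re.compile(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+")


def range_to_cidr(selector):
    """FortiGate prints each proxy-id as 'proto:first-last:port'; fold the
    address range back into CIDR prefixes for comparison with the config."""
    lo, hi = RANGE.search(selector).groups()
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return ",".join(str(n) for n in nets)


def parse_tunnels(text):
    """Return {tunnel name: {local, remote, dpd, stat, proxyids{name: {...}}}}."""
    tunnels, tun, pid = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            local, remote = PEER.search(line).groups()
            tun = tunnels[dict(KV.findall(line))["name"]] = {
                "local": local, "remote": remote, "dpd": None, "stat": {}, "proxyids": {}}
        elif tun is None:
            continue
        elif line.startswith("stat:"):
            tun["stat"] = {k: int(v) for k, v in KV.findall(line)}
        elif line.startswith("dpd:"):
            tun["dpd"] = dict(KV.findall(line))["mode"]
        elif line.startswith("proxyid="):
            kv = dict(KV.findall(line))
            pid = tun["proxyids"][kv["proxyid"]] = {"sa": int(kv["sa"]), "enc_pkts": 0, "dec_pkts": 0}
        elif line.startswith("src:"):
            pid["src"] = range_to_cidr(line)
        elif line.startswith("dst:"):
            pid["dst"] = range_to_cidr(line)
        elif line.startswith("life:"):
            pid["life_left"] = int(dict(KV.findall(line))["timeout"].split("/")[0])
        elif line.startswith("dec:pkts"):
            pid["dec_pkts"], pid["enc_pkts"] = map(int, COUNTERS.search(line).groups())
    return tunnels


def assess(before_text, after_text, name):
    """Compare two snapshots of one tunnel: are SAs installed for every proxy-id,
    and did traffic move in both directions in between? 'enc' rising alone means
    our packets leave but nothing comes back (typically a route or policy missing
    on the peer); 'dec' rising alone means the reverse."""
    before, after = parse_tunnels(before_text)[name], parse_tunnels(after_text)[name]
    enc = sum(after["proxyids"][k]["enc_pkts"] - before["proxyids"][k]["enc_pkts"] for k in after["proxyids"])
    dec = sum(after["proxyids"][k]["dec_pkts"] - before["proxyids"][k]["dec_pkts"] for k in after["proxyids"])
    traffic = {(True, True): "bidirectional", (True, False): "outbound only",
               (False, True): "inbound only", (False, False): "none"}[(enc > 0, dec > 0)]
    return {"sa_installed": all(p["sa"] >= 1 for p in after["proxyids"].values()),
            "enc_delta": enc, "dec_delta": dec, "traffic": traffic}


if __name__ == "__main__":
    print(assess(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "to-openswan"))
```

Feed it two captures taken before and after the ping test: a verdict of "outbound only" with sa_installed true is the classic symptom of a tunnel that negotiated fine but whose return path is broken on the peer, and does not show up in ipsec status or diagnose vpn ike gateway list, both of which only report that the SAs exist.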
2. Check the Openswan IPsec state
# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1@500
000 interface ens192/ens192 2022::231@500
000 interface ens224/ens224 240e:604:109:39::216@500
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface ens192/ens192 192.168.88.231@4500
000 interface ens192/ens192 192.168.88.231@500
000 interface ens224/ens224 200.1.1.2@4500
000 interface ens224/ens224 200.1.1.2@500
000 interface ens256/ens256 192.168.1.1@4500
000 interface ens256/ens256 192.168.1.1@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug: control
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,3,64} trans={0,3,6936} attrs={0,3,4624}
000
000 Connection list:
000
000 "ipsec1": 192.168.1.0/24===200.1.1.2<200.1.1.2>...100.1.1.2<100.1.1.2>===192.168.0.0/24; erouted; eroute owner: #3
000 "ipsec1": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "ipsec1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "ipsec1": our auth:secret, their auth:secret
000 "ipsec1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "ipsec1": labeled_ipsec:no;
000 "ipsec1": policy_label:unset;
000 "ipsec1": ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "ipsec1": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ipsec1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ipsec1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "ipsec1": conn_prio: 24,24; interface: ens224; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ipsec1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "ipsec1": our idtype: ID_IPV4_ADDR; our id=200.1.1.2; their idtype: ID_IPV4_ADDR; their id=100.1.1.2
000 "ipsec1": dpd: action:clear; delay:10; timeout:30; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "ipsec1": newest ISAKMP SA: #2; newest IPsec SA: #3;
000 "ipsec1": IKE algorithms: AES_CBC_128-HMAC_SHA1-MODP1536
000 "ipsec1": IKE algorithm newest: AES_CBC_128-HMAC_SHA1-MODP1536
000 "ipsec1": ESP algorithms: AES_CBC_128-HMAC_SHA1_96-MODP1536
000 "ipsec1": ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "ipsec1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85343s; newest ISAKMP; lastdpd=3s(seq in:16011 out:0); idle; import:admin initiate
000 #3: "ipsec1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2784s; newest IPSEC; eroute owner; isakmp#2; idle; import:admin initiate
000 #3: "ipsec1" esp.dc629039@100.1.1.2 esp.2d0f59d9@200.1.1.2 tun.0@100.1.1.2 tun.0@200.1.1.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000
000 Bare Shunt list:
000

Traffic test
1. Ping a PC on the Openswan side from a PC on the FortiGate side
PC1# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255
ether 00:0c:29:0e:4e:c5 txqueuelen 1000 (Ethernet)
RX packets 58117456 bytes 4943397966 (4.6 GiB)
RX errors 0 dropped 183 overruns 0 frame 0
TX packets 3346784 bytes 205418084392 (191.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
PC1# ping 192.168.1.10 -c 4
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=62 time=1.13 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=62 time=0.852 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=62 time=0.750 ms
64 bytes from 192.168.1.10: icmp_seq=4 ttl=62 time=0.775 ms
--- 192.168.1.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.750/0.877/1.132/0.153 ms
2. Ping a PC on the FortiGate side from a PC on the Openswan side
PC2# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::82c8:edfd:199d:70b0 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e8:ad:a9 txqueuelen 1000 (Ethernet)
RX packets 6476393 bytes 1884675006 (1.7 GiB)
RX errors 0 dropped 3749817 overruns 0 frame 0
TX packets 184443 bytes 12303642 (11.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
PC2# ping 192.168.0.10 -c 4
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=62 time=0.681 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=62 time=0.715 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=62 time=0.801 ms
64 bytes from 192.168.0.10: icmp_seq=4 ttl=62 time=0.771 ms
--- 192.168.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.681/0.742/0.801/0.046 ms
In both directions the replies arrive with ttl=62, i.e. 64 minus the two VPN gateways, so the packets really crossed both endpoints. After the test the enc:pkts/dec:pkts counters in diagnose vpn tunnel list on the FortiGate and the ESPin/ESPout bytes in ipsec status on Libreswan should have moved by matching amounts.

Openswan debug output
Enable debugging in the config setup section of /etc/ipsec.conf, then restart the service (systemctl restart ipsec) and read the logfile:
# /etc/ipsec.conf - Libreswan IPsec configuration file
# see 'man ipsec.conf' and 'man pluto' for more information
# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
# Normally, pluto logs via syslog.
logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug="control parsing"
# plutodebug="all crypt"
plutodebug=control

When the phase 1 proposals do not match, the debug log looks like this:
Feb 7 17:58:48.108027: | *received 332 bytes from 100.1.1.2:500 on ens224 (port=500)
Feb 7 17:58:48.108082: | processing: start from 100.1.1.2:500 (in process_md() at demux.c:392)
Feb 7 17:58:48.108103: | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Feb 7 17:58:48.108119: | icookie table: hash icookie fc 65 ed f1 76 0e d2 08 to 15842219016969466431 slot 0x558680eded00
Feb 7 17:58:48.108126: | v1 state object not found
Feb 7 17:58:48.108148: | received Vendor ID payload [RFC 3947]
Feb 7 17:58:48.108160: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Feb 7 17:58:48.108171: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Feb 7 17:58:48.108179: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 7 17:58:48.108186: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-01]
Feb 7 17:58:48.108195: | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 7 17:58:48.108205: | received Vendor ID payload [Dead Peer Detection]
Feb 7 17:58:48.108213: | received Vendor ID payload [FRAGMENTATION]
Feb 7 17:58:48.108224: | received Vendor ID payload [FRAGMENTATION c0000000]
Feb 7 17:58:48.108237: packet from 100.1.1.2:500: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
Feb 7 17:58:48.108251: | creating state object #2 at 0x558682efea98
Feb 7 17:58:48.108265: | processing: start state #2 connection "ipsec1" 100.1.1.2:500 (in main_inI1_outR1() at ikev1_main.c:757)
Feb 7 17:58:48.108313: | inserting state object #2
Feb 7 17:58:48.108338: "ipsec1" #2: responding to Main Mode
Feb 7 17:58:48.108372: | started looking for secret for 200.1.1.2->100.1.1.2 of kind PKK_PSK
Feb 7 17:58:48.108384: | actually looking for secret for 200.1.1.2->100.1.1.2 of kind PKK_PSK
Feb 7 17:58:48.108397: | 1: compared key 100.1.1.2 to 200.1.1.2 / 100.1.1.2 -> 4
Feb 7 17:58:48.108406: | 2: compared key 200.1.1.2 to 200.1.1.2 / 100.1.1.2 -> 12
Feb 7 17:58:48.108413: | line 1: match=12
Feb 7 17:58:48.108422: | best_match 0>12 best=0x558682efd7c8 (line=1)
Feb 7 17:58:48.108430: | concluding with best_match=12 best=0x558682efd7c8 (lineno=1)
Feb 7 17:58:48.108441: "ipsec1" #2: WARNING: connection ipsec1 PSK length of 8 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Feb 7 17:58:48.108461: "ipsec1" #2: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP2048] refused
Feb 7 17:58:48.108471: | started looking for secret for 200.1.1.2->100.1.1.2 of kind PKK_PSK
Feb 7 17:58:48.108478: | actually looking for secret for 200.1.1.2->100.1.1.2 of kind PKK_PSK
Feb 7 17:58:48.108486: | 1: compared key 100.1.1.2 to 200.1.1.2 / 100.1.1.2 -> 4
Feb 7 17:58:48.108495: | 2: compared key 200.1.1.2 to 200.1.1.2 / 100.1.1.2 -> 12
Feb 7 17:58:48.108505: | line 1: match=12
Feb 7 17:58:48.108512: | best_match 0>12 best=0x558682efd7c8 (line=1)
Feb 7 17:58:48.108522: | concluding with best_match=12 best=0x558682efd7c8 (lineno=1)
Feb 7 17:58:48.108533: "ipsec1" #2: WARNING: connection ipsec1 PSK length of 8 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Feb 7 17:58:48.108541: "ipsec1" #2: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1536] refused
Feb 7 17:58:48.108548: "ipsec1" #2: no acceptable Oakley Transform
Feb 7 17:58:48.108556: | complete v1 state transition with NO_PROPOSAL_CHOSEN
The responder walks every transform the FortiGate offered, here AES-256/SHA-256 with MODP2048 and then with MODP1536, finds none of them in its own ike= line and answers NO_PROPOSAL_CHOSEN; the cure is a common entry on both sides. The PSK-length warning on the same path is a separate finding (the key used in this test was 8 bytes) and one more reason to use a long random secret.

When the pre-shared keys differ, the debug log looks like this:
Feb 7 17:57:28.726151: | *received 108 bytes from 100.1.1.2:500 on ens224 (port=500)
Feb 7 17:57:28.726176: | processing: start from 100.1.1.2:500 (in process_md() at demux.c:392)
Feb 7 17:57:28.726186: | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Feb 7 17:57:28.726197: | cookies table: hash icookie 2b 08 9f f0 ed 75 b2 1a rcookie 2e fa 5e f5 8a 50 a4 93 to 10219631855637370284 slot 0x558680ed9da0
Feb 7 17:57:28.726217: | v1 peer and cookies match on #1, provided msgid 00000000 == 00000000
Feb 7 17:57:28.726224: | v1 state object #1 found, in STATE_MAIN_R2
Feb 7 17:57:28.726232: | processing: start state #1 connection "ipsec1" 100.1.1.2:500 (in process_v1_packet() at ikev1.c:1117)
Feb 7 17:57:28.726270: "ipsec1" #1: byte 2 of ISAKMP Identification Payload should have been zero, but was not (ignored)
Feb 7 17:57:28.726283: "ipsec1" #1: length of ISAKMP Identification Payload is larger than can fit
Feb 7 17:57:28.726290: "ipsec1" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 7 17:57:28.726313: | processing: stop from 100.1.1.2:500 (BACKGROUND) (in process_md() at demux.c:394)
Feb 7 17:57:28.726322: | processing: stop state #1 connection "ipsec1" 100.1.1.2:500 (in process_md() at demux.c:396)
Here phase 1 gets as far as the fifth Main Mode message (the responder is in STATE_MAIN_R2): the peer's identity payload is encrypted with keys derived from the PSK, so with a different PSK it decrypts to garbage and pluto reports a malformed Identification payload together with the hint "mismatch of preshared secrets?".
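Both failures above are mismatches between the two configurations, and both can be caught before the service is started. The Python script below is an example added here, not Libreswan or FortiGate tooling and not code from the page. It parses a FortiGate CLI snippet and a Libreswan conn block (reproduced inline, constructed from the values shown earlier on this page), expands each side's proposals into (cipher, integrity, DH group) triples the way the IKE responder compares them, and reports whether phase 1 and phase 2 share a transform, whether remote-gw and left mirror each other, whether the DPD timers are sane, and whether the ipsec.secrets line selects the peer and carries a PSK of at least 16 bytes, the floor quoted in the warning above. One assumption is labelled in the code: the FortiGate dhgrp list, which the wizard output on this page does not print, is taken as 14 5 because the log shows MODP2048 and MODP1536 being offered; the group Libreswan uses when no ;dh suffix is given is likewise assumed to be modp2048.

```python
"""Pre-flight cross-check of the FortiGate and Libreswan ends of this tunnel.

Added example for this page, not FortiGate or Libreswan tooling. The snippets
below are constructed from the values shown on the page. Assumption: 'dhgrp'
is not in the wizard output shown (defaults are omitted from 'show'); '14 5'
is used because the pluto log on the page offers MODP2048 and MODP1536.
"""
import re
import shlex

# FortiGate dhgrp numbers -> the group names Libreswan uses in ike=/phase2alg=
DH_NAMES = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072", "19": "ecp256"}

FORTIGATE_CLI = """config vpn ipsec phase1-interface
    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
    set dhgrp 14 5
    set dpd-retrycount 3
    set dpd-retryinterval 10
    set remote-gw 200.1.1.2
end
config vpn ipsec phase2-interface
    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
    set dhgrp 14 5
end
"""

LIBRESWAN_CONN = """conn ipsec1
    ike=aes128-sha1;modp1536
    phase2alg=aes128-sha1;modp1536
    left=200.1.1.2
    right=100.1.1.2
    dpddelay=10
    dpdtimeout=30
"""

LIBRESWAN_SECRETS = '100.1.1.2 : PSK "ipsec-key"\n'
# <index ids> : PSK "<secret>"  (keyword matched case-insensitively)
SECRET_RE = re.compile(r'^(?P<ids>[^:]*?)\s*:\s*(?i:psk)\s+"(?P<psk>[^"]*)"\s*$')


def parse_fortigate(text):
    """Map each 'config ...' section to the {key: [values]} of its 'set' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        words = shlex.split(line)
        if words and words[0] == "config":
            current = sections.setdefault(" ".join(words[1:]), {})
        elif words and words[0] == "set" and current is not None:
            current[words[1]] = words[2:]
    return sections


def parse_libreswan(text):
    """Map the key=value lines of a conn block to a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def fortigate_proposals(section):
    """Expand 'proposal' x 'dhgrp' into (enc, integ, dh); AEAD names such as aes128gcm carry no integ."""
    return {(p.partition("-")[0], p.partition("-")[2] or "none", DH_NAMES.get(g, "dh" + g))
            for p in section.get("proposal", []) for g in section.get("dhgrp", [])}


def libreswan_proposals(spec, default_dh="modp2048"):
    """Expand 'aes128-sha1;modp1536,aes256-sha2_256' likewise (assumed default group: modp2048)."""
    triples = set()
    for item in spec.split(","):
        algs, _, dh = item.partition(";")
        enc, _, integ = algs.partition("-")
        triples.add((enc, integ.replace("sha2_", "sha") or "none", dh or default_dh))
    return triples


def check_secrets(secrets_text, peer_ip):
    """Pick the PSK line whose index list covers peer_ip (empty list = anyone); require >= 16 bytes."""
    for m in filter(None, map(SECRET_RE.match, secrets_text.splitlines())):
        ids = m.group("ids").split()
        if not ids or peer_ip in ids:
            size = len(m.group("psk").encode())
            return size >= 16, "%d-byte PSK selected by %s" % (size, ids or ["%any"])
    return False, "no PSK entry covers " + peer_ip


def cross_check(fg_text=FORTIGATE_CLI, ls_text=LIBRESWAN_CONN, secrets=LIBRESWAN_SECRETS):
    """Return {check: (ok, detail)} for the two ends of the tunnel."""
    fg, ls = parse_fortigate(fg_text), parse_libreswan(ls_text)
    p1, p2 = fg["vpn ipsec phase1-interface"], fg["vpn ipsec phase2-interface"]
    ike = fortigate_proposals(p1) & libreswan_proposals(ls["ike"])
    esp = fortigate_proposals(p2) & libreswan_proposals(ls["phase2alg"])
    fg_dead = int(p1["dpd-retryinterval"][0]) * int(p1["dpd-retrycount"][0])
    return {
        "ike": (bool(ike), sorted(ike) or "expect NO_PROPOSAL_CHOSEN"),
        "esp": (bool(esp), sorted(esp) or "no common ESP transform"),
        "gateways": (p1["remote-gw"] == [ls["left"]], "remote-gw=%s left=%s" % (p1["remote-gw"][0], ls["left"])),
        "dpd": (int(ls["dpdtimeout"]) > int(ls["dpddelay"]), "dead after %ss (fortigate) / %ss (libreswan)" % (fg_dead, ls["dpdtimeout"])),
        "psk": check_secrets(secrets, ls["right"]),
    }


if __name__ == "__main__":
    print(cross_check())
```

With the page's values the script finds the common aes128/sha1/modp1536 transform for both phases and fails only the PSK check, which is the point: replace "ipsec-key" with a long random secret on both ends. Shrinking the FortiGate phase 1 proposal to aes256-sha256 alone reproduces the NO_PROPOSAL_CHOSEN outcome of the first log without touching either gateway.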