跳至主要內容

透明模式下的 IPSec VPN

2025/10/29大约 6 分钟

透明模式下的 IPSec VPN

网络需求

在 FortiGate 透明模式下,通过 IPsec VPN(策略模式)将 2 个局域网连接起来,实现 192.168.0.0/24 与 192.168.1.0/24 两个网段的通信。

网络拓扑

image-20240102153632017
  • FGT - BJ 是透明模式,PC1 的网关指向 Router。
  • FGT - SH 是 NAT/路由模式。

配置步骤

FGT - BJ 配置

1.基本配置

为了便于测试,单独建立一个透明模式的 vdom,将 port3 和 port4 划入 tp1 vdom。

image-20230106191952073

image-20230106192100667

将设备修改为透明模式

重要

IPSec 将使用透明模式配置的管理 IP(manageip)作为 IPSec 的本地网关对 IKE 或 ESP 进行封装。

在此例中,FGT - BJ 的 IPSec 本地网关地址为透明模式的管理 IP 192.168.0.5,需要确保透明模式的管理 IP 与 Router(NAT)之间的连通性。

config system settings
    set opmode transparent
    set manageip 192.168.0.5/255.255.255.0
    set gateway 192.168.0.2
end

2.打开基于策略的 IPSEC

image-20230106191640282

3.配置 IPSEC

“选择 VPN”-->"IPSEC 隧道",点击“创建”

image-20230106191850937

配置 IPSEC VPN 阶段一

image-20230106192241300

配置 IPSEC VPN 阶段二

image-20230106192450155

配置完成。

image-20230106192518602

4.配置策略

新建策略时,动作要选择 IPSEC,指定 IPSEC 隧道,入向表示允许对端发起 IPSEC 流量,如果不勾选,对端发起的 IPSEC 流量将被拒绝。

image-20230106201354020

image-20230106201519357

  1. IPSEC 配置对应的命令行

    config vpn ipsec phase1
    edit "VPN-to-SH"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 200.1.1.2
        set psksecret ENC 51lISs3KQ4m+sXPI9G+hwY8ysQEZUNApjT3dLeudcNwE3/ESIDyHJMeUAIBaMZ6aL6lrBiwleBYoEKnP+8gUusyE2nKqVwGYSdzsKHbycQyezu8a9zESIu3CoVZA+FUiM+iUSDN0GHwZh6nMkl4g1rXYcLle5qzF0ybsKyYOIwmwovD0v9hBsw5HWMl06WcYnA5hVA==
        set dpd-retryinterval 10
    next
end

# show vpn ipsec phase2
config vpn ipsec phase2
    edit "VPN-to-SH"
        set phase1name "VPN-to-SH"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

FGT - SH 配置

1.基本配置

配置接口 ip 和路由。

image-20230106193344476

image-20230106193358019

2.配置 IPSEC

选择“VPN”-->“IPSEC 隧道”,点击“创建”。

image-20230106193541423

输入对端 FortiGate 的公网 IP(在本文拓扑中为 Router NAT 后的公网地址 100.1.1.2)及预共享秘钥。

image-20230106193619826

输入需要保护的网段和接口。

image-20230106193720781

即将创建的内容。

image-20230106193734987

IPSEC 模板创建 IPSEC VPN 隧道,策略,路由成功。

image-20230106193851920

image-20230106193916975

image-20230106194012179

  1. 针对向导配置的优化建议

    image-20230106194155625

  2. IPSEC 配置对应的命令行

    # show vpn ipsec phase1-interface 
config vpn ipsec phase1-interface
    edit "VPN-to-BJ"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set comments "VPN: VPN-to-BJ (Created by VPN wizard)"
        set remote-gw 100.1.1.2
        set psksecret ENC y6uhBx2lgYaxVJ4mkMu+Jf1M4a0a3XnIHULRXDaRBcvy6SVVyFksSsqg6ZdfXAp7okjT3btI8WATWijaxbM1T/1YHfU9gtI0vXFuBoc6Jij41ztBkohof+OwhJnb+WILWrNIGrgThqN/Su3RtyNk/ruiiW4hs3INa5ku0ZlT7StMlJBRoZ4zQ2XjMXETmOgdZnQR9Q==
        set dpd-retryinterval 10
    next
end

wangxiang-used2 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "VPN-to-BJ"
        set phase1name "VPN-to-BJ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type name
        set dst-addr-type name
        set src-name "VPN-to-BJ_local"
        set dst-name "VPN-to-BJ_remote"
    next
end

查看 IPSEC 状态

FGT - BJ IPSEC 状态

GUI 查看 IPSEC 状态。

image-20230106195240379

CLI 查看 IPSEC 状态

# diagnose vpn ike gateway list 
vd: tp1/3
name: VPN-to-SH
version: 1
interface:  0
addr: 192.168.0.5:4500 -> 200.1.1.2:4500
tun_id: 200.1.1.2/::200.1.1.2
remote_location: 0.0.0.0
network-id: 0
created: 522s ago
nat: me
IKE SA: created 1/1  established 1/1  time 9000/9000/9000 ms
IPsec SA: created 1/1  established 1/1  time 9000/9000/9000 ms

  id/spi: 88 df473084a6cd160a/fd52b18f1451abed
  direction: initiator
  status: established 522-513s ago = 9000ms
  proposal: aes128-sha256
  key: dbd02be2254a30c4-383ba553458819b3
  lifetime/rekey: 86400/85586
  DPD sent/recv: 00000009/0000002c

# diagnose vpn tunnel list 
list all ipsec tunnel in vd 3
------------------------------------------------------
name=VPN-to-SH ver=1 serial=1 192.168.0.5:4500->200.1.1.2:4500 tun_id=200.1.1.2 tun_id6=::200.1.1.2 dst_mtu=1500 dpd-link=on weight=0
bound_if=0 lgwy=static/1 tun=tunnel mode=auto/1 encap=none/8 options[0008]=npu  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=7 ilast=4 olast=4 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=9
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=VPN-to-SH proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:192.168.0.0-192.168.0.255:0
  dst: 0:192.168.1.0-192.168.1.255:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1422 expire=42386/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=f77af5f3 esp=aes key=16 51994a2f09e97e1d834fba1454afce40
       ah=sha1 key=20 f75607ee1dde5d6a97d79d125fa2fbe77033e9d7
  enc: spi=e9cb7b26 esp=aes key=16 4c3df88982eb657c0ac2e851e26727b2
       ah=sha1 key=20 24392681766e619bcee614fb6e3b8318ae37d40e
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=200.1.1.2 npu_lgwy=192.168.0.5 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0

FGT - SH IPSEC 状态

GUI 查看 IPSEC 状态。

image-20230106195258240

CLI 查看 IPSEC 状态。

# diagnose vpn ike gateway list 

vd: root/0
name: VPN-to-BJ
version: 1
interface: port2 10
addr: 200.1.1.2:4500 -> 100.1.1.2:64916
tun_id: 100.1.1.2/::100.1.1.2
remote_location: 0.0.0.0
network-id: 0
created: 563s ago
nat: peer
IKE SA: created 1/2  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 14 df473084a6cd160a/fd52b18f1451abed
  direction: responder
  status: established 544-544s ago = 0ms
  proposal: aes128-sha256
  key: dbd02be2254a30c4-383ba553458819b3
  lifetime/rekey: 86400/85585
  DPD sent/recv: 0000002f/00000009

# diagnose vpn  tunnel list 
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-to-BJ ver=1 serial=3 200.1.1.2:4500->100.1.1.2:64916 tun_id=100.1.1.2 tun_id6=::100.1.1.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=10 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=4 olast=4 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=47
natt: mode=silent draft=32 interval=10 remote_port=64916
proxyid=VPN-to-BJ proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.1.0-192.168.1.255:0
  dst: 0:192.168.0.0-192.168.0.255:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1422 expire=42386/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42933/43200
  dec: spi=e9cb7b26 esp=aes key=16 4c3df88982eb657c0ac2e851e26727b2
       ah=sha1 key=20 24392681766e619bcee614fb6e3b8318ae37d40e
  enc: spi=f77af5f3 esp=aes key=16 51994a2f09e97e1d834fba1454afce40
       ah=sha1 key=20 f75607ee1dde5d6a97d79d125fa2fbe77033e9d7
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=100.1.1.2 npu_lgwy=200.1.1.2 npu_selid=2 dec_npuid=0 enc_npuid=0
run_tally=0

业务测试

1.从 FGT - BJ 端 ping FGT - SH 端

# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.10  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::82c8:edfd:199d:70b0  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:e8:ad:a9  txqueuelen 1000  (Ethernet)
        RX packets 6352519  bytes 1854154972 (1.7 GiB)
        RX errors 0  dropped 3749690  overruns 0  frame 0
        TX packets 130448  bytes 8786148 (8.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

PC1# ping 192.168.1.10 -c 4
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=63 time=0.717 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=63 time=0.853 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=63 time=0.720 ms
64 bytes from 192.168.1.10: icmp_seq=4 ttl=63 time=0.752 ms

--- 192.168.1.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.717/0.760/0.853/0.061 ms

2.从 FGT - SH 端 ping FGT - BJ 端

# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::1a6c:e61:d2b9:a415  prefixlen 64  scopeid 0x20<link>
        inet6 2001::2  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:0e:4e:c5  txqueuelen 1000  (Ethernet)
        RX packets 6040640  bytes 490806558 (468.0 MiB)
        RX errors 0  dropped 145  overruns 0  frame 0
        TX packets 3246663  bytes 205412788614 (191.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# ping 192.168.0.10 -c 4
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=0.790 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=63 time=0.879 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=63 time=0.686 ms
64 bytes from 192.168.0.10: icmp_seq=4 ttl=63 time=0.855 ms

--- 192.168.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.686/0.802/0.879/0.079 ms
最近更新:
统计数据加载中…
Copyright © 2025 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.