Introduction
This document discusses deploying Hub-and-Spoke GRE over IPsec in the scenario where headquarters uses a static IP and multiple branches use dynamic IPs, so that headquarters and the branches are fully reachable from one another.
GRE over IPsec has a certain complexity, and misunderstandings or misconfigurations are common in practice. This document walks through the process of building GRE over IPsec between two FGTs and between an FGT and a Cisco device, interspersed with analysis of the configuration, which should help with understanding both the principles and the concrete configuration.
Keywords: IPsec VPN, GRE, GRE over IPsec, ESP, Hub and Spoke, DPD, NAT-T, OSPF
FGT Firmware Version: v5.2.4,build688 (GA)
Cisco Router IOS Version: C3640-JK903S0-M, Version 12.4(16a)
Topology (HQ with static IP, branches with dynamic IP, GRE over IPsec VPN)
Logical topology (diagram not reproduced): Center FGT is the HUB, Side-1 FGT is SPOKE-1 and Side-2 Cisco Router is SPOKE-2. Center and Side-2 terminate their GRE tunnels on loopback 1; Side-1 terminates its GRE tunnel on the IPsec tunnel interface. A GRE over IPsec tunnel runs from each spoke to Center-VPN on the hub.
Order of operations: first the IPsec tunnel comes up, then the GRE tunnel comes up. Traffic handling: business data is routed into the GRE tunnel, GRE adds the outer IP header, a second route lookup sends the packet into the IPsec tunnel, and it is encrypted and sent to the peer. Reply packets follow the same process, so the whole business exchange is authenticated and encrypted by the GRE over IPsec tunnel.
Actual test environment topology (diagram not reproduced):
Center FGT (HUB): port15 202.106.1.1 (Internet); port16 internal, HQ server 192.168.111.100, gateway 192.168.111.1; loopback 1 1.1.1.1/32; gre1 10.10.10.1/32; gre2 20.20.20.1/32; IPsec tunnel Center-VPN.
Side-1 FGT (SPOKE-1): port15 202.106.2.1 (Internet); branch LAN host 192.168.112.100, gateway 192.168.112.1; IPsec tunnel interface Side-1 with 1.1.1.2/32; gre1 10.10.10.2/32.
Side-2 Cisco Router (SPOKE-2): F0/0 202.106.3.1 (Internet); F1/0 gateway 192.168.113.1, branch PC 192.168.113.100; loopback 1 1.1.1.3/32; gre2 (Tunnel2) 20.20.20.2/24.
GRE tunnel planning:
gre1: Center loopback 1 (1.1.1.1/32) <--> Side-1 FGT IPsec tunnel interface (1.1.1.2/32); tunnel addresses 10.10.10.1 (Center) and 10.10.10.2 (Side-1).
gre2: Center loopback 1 (1.1.1.1/32) <--> Side-2 Cisco Router loopback 1 (1.1.1.3/32); tunnel addresses 20.20.20.1 (Center) and 20.20.20.2 (Side-2).
IPsec VPN configuration notes:
Responder (Center) IPsec configuration recommendations:
1. Do not specify the peer IP address (dial-up user)
2. IKE Aggressive Mode
3. NAT-T && DPD
4. A common pre-shared key
5. Tunnel mode
6. Interesting traffic is specified by the peer
IPsec Phase 2 Selectors: 0.0.0.0/0.0.0.0 --> 0.0.0.0/0.0.0.0
Routing: dst 192.168.112.0/24 via gre1; dst 192.168.113.0/24 via gre2
Initiator (Side-2) IPsec configuration recommendations:
1. Specify the peer IP address (static IP address)
2. IKE Aggressive Mode
3. NAT-T && DPD
4. A common pre-shared key
5. Tunnel mode
6. Interesting traffic 1.1.1.3 --> 1.1.1.1
7. Phase 1/2 Proposals matching the HQ
IPsec Phase 2 Selectors: 1.1.1.3 --> 1.1.1.1
Routing: dst 192.168.0.0/16 via gre2
Initiator (Side-1) IPsec configuration recommendations:
1. Specify the peer IP address (static IP address)
2. IKE Aggressive Mode
3. NAT-T && DPD
4. A common pre-shared key
5. Tunnel mode
6. Interesting traffic 1.1.1.2 --> 1.1.1.1
7. Auto-negotiate enable
IPsec Phase 2 Selectors: 1.1.1.2 --> 1.1.1.1
Routing: dst 192.168.0.0/16 via gre1
Topology scenario analysis
Headquarters uses a static fixed IP, while the branches use PPPoE dynamic IPs or static fixed IPs. The GRE over IPsec VPN therefore has to be deployed in a way that works when the IPsec initiator's public address is not fixed:
1. The responder (HQ, Center) has a fixed address, such as 202.106.1.1, while the multiple initiators (branches, Side) access the Internet dynamically, e.g. by PPPoE dial-up. The initiator's address may differ on every dial-up, so the responder cannot restrict the peer's identity by specifying a peer IP address;
2. Because the GRE tunnel cannot be built on an exact peer public IP, loopback addresses are borrowed to build the GRE tunnel. The rules for building GRE on an FGT are:
a) If the FGT (e.g. HQ Center) terminates a dynamic dial-up IPsec VPN, it must use a loopback address (1.1.1.1) to build the GRE tunnel.
b) If the FGT (e.g. branch Side-1) builds an IPsec VPN to a static IP, it can borrow the IPsec tunnel interface and configure an IP (1.1.1.2) directly on it for the GRE tunnel.
c) If the branch is a non-FGT device with a dynamic IP, such as a Cisco device, it must use a loopback address (1.1.1.3) to terminate the GRE tunnel.
Put simply: in this kind of network the HQ FGT builds the GRE tunnel on a loopback interface, a branch FGT builds the GRE tunnel directly on the IPsec tunnel interface, and non-FGT devices should use a loopback address for the GRE tunnel.
3. The initiator must specify the responder's IP, otherwise it cannot start the negotiation; both sides can use a pre-shared key to confirm and protect their identity;
4. Specifying the interesting traffic is the interesting part. The initiator (branch Side) must configure interesting traffic, but what about the responder? The responder (HQ Center) configures none and instead accepts what the initiator specifies: during negotiation the responder learns that the initiator's interesting traffic is 1.1.1.2/32 to 1.1.1.1/32 (the GRE-encapsulated traffic), automatically generates the reverse interesting traffic 1.1.1.1/32 to 1.1.1.2/32 (GRE-encapsulated traffic), and automatically installs a route to 1.1.1.2/32 with next hop IPsec Tunnel_x. Why specify it this way? Because the IPsec initiator's address is dynamic, the responder cannot know the initiator's IP in advance, nor the corresponding interesting traffic;
Detailed configuration
Detailed GRE over IPsec configuration of the HQ (Center) FGT
HQ (Center) basic network configuration
First configure the basics shown in the topology above: internal and external interface IP addresses, the default route and so on; refer to the topology diagram for the details. Only the creation of the loopback address is listed below; the steps for the other basic configuration are omitted.
Interface IP and default route configuration result (screenshot not reproduced):
Configure the loopback address
config system interface
    edit "loopback1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end
HQ (Center) GRE tunnel configuration
GRE1 configuration:
config system gre-tunnel
    edit "gre1"
        set interface "loopback1"    --- bind to interface loopback1
        set remote-gw 1.1.1.2        --- outer Dst IP
        set local-gw 1.1.1.1         --- outer Src IP
    next
end
config system interface
    edit "gre1"
        set ip 10.10.10.1 255.255.255.255    --- local gre1 tunnel interface IP
        set allowaccess ping                 --- allow ping on gre1 for testing
        set remote-ip 10.10.10.2             --- gre1 tunnel peer IP (Side-1 gre1 IP)
        set interface "loopback1"
    next
end
GRE2 configuration:
config system gre-tunnel
    edit "gre2"
        set interface "loopback1"    --- bind to interface loopback1
        set remote-gw 1.1.1.3        --- outer Dst IP
        set local-gw 1.1.1.1         --- outer Src IP
    next
end
config system interface
    edit "gre2"
        set ip 20.20.20.1 255.255.255.255    --- local gre2 tunnel interface IP
        set allowaccess ping                 --- allow ping on gre2 for testing
        set remote-ip 20.20.20.2             --- gre2 tunnel peer IP (Cisco Router gre2 IP)
        set interface "loopback1"
    next
end
Note: GRE can only be configured from the CLI.
HQ (Center) IPsec VPN configuration
a) IPsec Phase 1 configuration
Choose the non-template IPsec VPN configuration: VPN --> IPsec --> Tunnels --> VPN Setup --> Custom VPN Tunnel (No Template)
The corresponding CLI for Phase 1:
config vpn ipsec phase1-interface
    edit "Center-VPN"
        set type dynamic          (dynamic dial-up VPN)
        set interface "port15"    (public interface)
        set mode aggressive       (aggressive mode)
        set psksecret xxxxxx      (PSK; stored encrypted in the running config)
    next
end
Note: the Phase 1 name on the HQ responder must not exceed 16 characters. The dynamically generated IPsec interfaces are named phase1name_0, phase1name_1, 2, ..., _10, ..., _100; for example, the 100th dynamic interface is named phase1name_100, which adds 4 characters and easily exceeds the 16-character limit on interface names.
b) IPsec Phase 2 configuration
The corresponding CLI for Phase 2:
config vpn ipsec phase2-interface
    edit "Center-VPN"
        set phase1name "Center-VPN"    (reference Phase 1 only; no interesting traffic needs to be entered)
    next
end
HQ (Center) routing configuration
a) Routes to the branch business subnets must point at the corresponding GRE tunnel interfaces.
Side-1 business subnet 192.168.112.0/24: next hop gre1
Side-2 business subnet 192.168.113.0/24: next hop gre2
The corresponding CLI for the routes:
config router static
    edit 2
        set dst 192.168.112.0 255.255.255.0
        set device "gre1"    --- route to the Side-1 business subnet
    next
    edit 3
        set dst 192.168.113.0 255.255.255.0
        set device "gre2"    --- route to the Side-2 business subnet
    next
end
b) Center-VPN negotiates automatically with branch Side-1 and generates the reverse interesting traffic 1.1.1.1/32 to 1.1.1.2/32, installing at the same time a route to 1.1.1.2/32 with next hop IPsec Tunnel_x. Likewise the HQ Center-VPN negotiates with branch Side-2 and generates the reverse interesting traffic 1.1.1.1/32 to 1.1.1.3/32, installing a route to 1.1.1.3/32 with next hop IPsec Tunnel_x. Therefore routes for the interesting traffic do not actually need to be configured; the HQ FGT generates them automatically.
HQ (Center) policy configuration
The principle is to allow traffic between HQ business data and branch business data. Traffic passes in turn through the internal interface (port16, Internal_Port), the GRE tunnel interfaces (GRE-Zone) and the IPsec VPN tunnel interface (Center-VPN), so policies must be configured to allow each hop in turn.
a) Before configuring policies, create a zone for the GRE tunnels named "GRE-Zone", add all GRE interfaces built towards the branches into GRE-Zone, and do not block intra-zone traffic. This simplifies the policies and avoids an overly complex policy configuration.
b) Allow traffic from the internal network port16 (Internal_Port) to GRE-Zone:
c) Allow traffic from GRE-Zone to the internal network port16 (Internal_Port):
d) Allow traffic from GRE-Zone to the IPsec tunnel Center-VPN:
e) Allow traffic from the IPsec tunnel Center-VPN to GRE-Zone:
f) Allow traffic between the Center-VPN_X interfaces, i.e. between branches Side-1 and Side-2:
The corresponding CLI for the policies:
config firewall policy
    edit 1
        set srcintf "Center-VPN"
        set dstintf "GRE-Zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "GRE-Zone"
        set dstintf "Center-VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set srcintf "GRE-Zone"
        set dstintf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set srcintf "port16"
        set dstintf "GRE-Zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set srcintf "Center-VPN"
        set dstintf "Center-VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
At this point the HQ (Center) GRE over IPsec VPN configuration is complete.
Detailed GRE over IPsec configuration of the branch (Side-1) FGT
Branch (Side-1) basic network configuration
Configure the Side-1 internal and external IP addresses, default route and other basics shown in the topology above; refer to the topology diagram for the details, the configuration steps are omitted.
The external interface can use DHCP/PPPoE to emulate a dynamic interface; the steps are omitted. The basic configuration result is as follows (screenshot not reproduced):
Branch (Side-1) IPsec VPN configuration
a) IPsec Phase 1 configuration
Choose the non-template IPsec VPN configuration: VPN --> IPsec --> Tunnels --> VPN Setup --> Custom VPN Tunnel (No Template)
The corresponding CLI for Phase 1 (the Side-1 Proposal must match the Center Proposal):
config vpn ipsec phase1-interface
    edit "Side-1"
        set remote-gw 202.106.1.1    (static IP VPN: the HQ's public address)
        set interface "port15"       (public interface)
        set mode aggressive          (aggressive mode)
        set psksecret xxxxxx (ENC)   (PSK)
    next
end
b) IPsec Phase 2 configuration
The Phase 2 interesting traffic must be entered on the branch's IPsec VPN; the HQ negotiates automatically and installs the reverse interesting traffic. In a GRE over IPsec network the interesting traffic is the traffic after GRE encapsulation, i.e. the pair of GRE outer IP addresses: from the branch's GRE outer IP 1.1.1.2 to the HQ's GRE outer IP 1.1.1.1. From the analysis above, Phase 2 Selectors: 1.1.1.2/32 --> 1.1.1.1/32.
The corresponding CLI for Phase 2:
config vpn ipsec phase2-interface
    edit "Side-1"
        set phase1name "Side-1"
        set keepalive enable
        set auto-negotiate enable                  (enable auto-negotiation)
        set src-subnet 1.1.1.2 255.255.255.255     (interesting traffic: GRE Src IP)
        set dst-subnet 1.1.1.1 255.255.255.255     (interesting traffic: GRE Dst IP)
    next
end
Branch (Side-1) GRE tunnel configuration
a) Assign an IP to the IPsec VPN tunnel interface that will carry the GRE tunnel. A branch FGT does not need a loopback interface for the GRE tunnel; it can use the IPsec tunnel interface directly, which is simpler to configure.
The corresponding CLI:
config system interface
    edit "Side-1"
        set ip 1.1.1.2 255.255.255.255
        set allowaccess ping
        set remote-ip 1.1.1.1
    next
end
b) GRE tunnel configuration
config system gre-tunnel
    edit "gre1"
        set interface "Side-1"    --- bind to the IPsec tunnel interface Side-1
        set remote-gw 1.1.1.1     --- outer Dst IP
        set local-gw 1.1.1.2      --- outer Src IP
    next
end
config system interface
    edit "gre1"
        set ip 10.10.10.2 255.255.255.255    --- local gre1 tunnel interface IP
        set allowaccess ping                 --- allow ping on gre1 for testing
        set remote-ip 10.10.10.1             --- gre1 tunnel peer IP (Center gre1 IP)
        set interface "Side-1"
    next
end
Note: GRE can only be configured from the CLI.
Branch (Side-1) routing configuration
a) Routes to the Center and Side-2 business subnets must point at the GRE tunnel interface; they can be summarised.
Center/Side-2 business subnets 192.168.0.0/16: next hop gre1
The corresponding CLI for the route:
config router static
    edit 5
        set dst 192.168.0.0 255.255.0.0
        set device "gre1"    --- summary route to the Center and Side-2 business subnets
    next
end
Branch (Side-1) policy configuration
The principle is to allow traffic between the branch (Side-1) business data and the HQ (Center) and other branch (e.g. Side-2) business data. Traffic passes in turn through the internal interface (port16, Internal_Port), the gre1 tunnel interface and the IPsec VPN tunnel interface (Side-1), so policies must be configured to allow each hop in turn.
a) Allow traffic from the internal network port16 (Internal_Port) to gre1:
b) Allow traffic from gre1 to the internal network port16 (Internal_Port):
c) Allow traffic from gre1 to the IPsec tunnel Side-1:
d) Allow traffic from the IPsec tunnel Side-1 to gre1:
The corresponding CLI for the policies:
config firewall policy
    edit 1
        set srcintf "Side-1"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "gre1"
        set dstintf "Side-1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set srcintf "gre1"
        set dstintf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set srcintf "port16"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
At this point the branch (Side-1) GRE over IPsec VPN configuration is complete.
Detailed GRE over IPsec configuration of the branch (Side-2) Cisco router
Branch (Side-2) basic network configuration
a) Side-2 (Cisco Router Spoke-2) interface IPs and routes:
interface FastEthernet0/0
 ip address 202.106.3.1 255.255.255.0      --- Internet port
 ip nat outside
!
interface FastEthernet1/0
 ip address 192.168.113.1 255.255.255.0    --- internal port
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 202.106.3.2       --- default route to the Internet
b) ACLs for the IPsec VPN interesting traffic:
access-list 101 permit ip host 1.1.1.3 host 1.1.1.1    --- IPsec VPN interesting traffic ACL
access-list 102 deny ip host 1.1.1.3 host 1.1.1.1
access-list 102 permit ip any any
--- The source NAT ACL must exclude the IPsec VPN traffic, because Cisco applies NAT before IPsec.
NAT configuration: ip nat inside source list 102 interface FastEthernet0/0 overload
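The order of operations the comment above relies on (inside-to-outside NAT first, then the crypto map ACL), as an added Python model that is not Cisco code and not part of the original document. It evaluates the two ACLs from the Side-2 configuration and shows what happens to the GRE packet when the deny entry in ACL 102 is missing; 203.0.113.10 is a constructed Internet host.

```python
"""Why ACL 102 must deny the GRE outer addresses before 'permit ip any any'.

Added example, not Cisco code and not from the original document. It models the
order this page relies on: on a Cisco router, inside-to-outside NAT is applied
before the crypto map ACL is evaluated. Addresses and ACL entries are taken from
the Side-2 configuration above; 203.0.113.10 is a constructed Internet host.
"""
from ipaddress import ip_address, ip_network

OUTSIDE_IP = "202.106.3.1"   # FastEthernet0/0, the overload (PAT) address

# ACL entries as (action, source prefix, destination prefix), evaluated in order,
# with Cisco's implicit deny at the end.
ACL_101 = [("permit", "1.1.1.3/32", "1.1.1.1/32")]             # crypto map 'match address 101'
ACL_102 = [("deny", "1.1.1.3/32", "1.1.1.1/32"),               # NAT list as configured above
           ("permit", "0.0.0.0/0", "0.0.0.0/0")]
ACL_102_WITHOUT_DENY = [("permit", "0.0.0.0/0", "0.0.0.0/0")]   # the common mistake


def acl_permits(acl, src, dst):
    """First-match ACL evaluation; no match means deny."""
    for action, s, d in acl:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action == "permit"
    return False


def egress_fastethernet0_0(nat_acl, src, dst):
    """Apply inside->outside NAT, then the crypto map check, in that order.

    Returns (source address on the wire, True if the packet is ESP-encrypted).
    """
    if acl_permits(nat_acl, src, dst):
        src = OUTSIDE_IP     # translated by 'ip nat inside source list 102 ... overload'
    return (src, acl_permits(ACL_101, src, dst))


def gre_packet_fate(nat_acl):
    """Fate of the GRE packet 1.1.1.3 -> 1.1.1.1 (Tunnel2's outer header) under a NAT ACL."""
    return egress_fastethernet0_0(nat_acl, "1.1.1.3", "1.1.1.1")


if __name__ == "__main__":
    print("ACL 102 as configured:", gre_packet_fate(ACL_102))
    print("ACL 102 without deny: ", gre_packet_fate(ACL_102_WITHOUT_DENY))
    print("LAN host to Internet: ", egress_fastethernet0_0(ACL_102, "192.168.113.100", "203.0.113.10"))
```

Without the deny entry the GRE packet is translated to 202.106.3.1 before the crypto map looks at it, so ACL 101 no longer matches and the packet leaves in clear text instead of being encrypted.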
Branch (Side-2) GRE tunnel configuration
interface Loopback1
 ip address 1.1.1.3 255.255.255.255      --- loopback used to build the GRE tunnel
!
interface Tunnel2
 ip address 20.20.20.2 255.255.255.0     --- GRE tunnel IP
 tunnel source Loopback1                 --- GRE outer Src IP
 tunnel destination 1.1.1.1              --- GRE outer Dst IP
Branch (Side-2) IPsec VPN configuration
a) IPsec Phase 1:
crypto isakmp policy 10                  --- Phase 1 Proposal
 encr 3des
 hash sha
 authentication pre-share
 group 5
crypto isakmp nat keepalive 10           --- DPD
!
crypto isakmp peer address 202.106.1.1   --- Phase 1 towards the HQ peer in aggressive mode
 set aggressive-mode password xxxxxx     --- pre-shared key
 set aggressive-mode client-endpoint ipv4-address 0.0.0.0   --- ID sent as an IPv4 address
b) IPsec Phase 2:
crypto ipsec transform-set Side-2-transform esp-3des esp-sha-hmac   --- Phase 2 Proposal
!
crypto map Side-2 10 ipsec-isakmp
 set peer 202.106.1.1
 set security-association lifetime seconds 43200   --- Phase 2 lifetime
 set transform-set Side-2-transform
 set pfs group5                                    --- PFS DH group 5
 match address 101                                 --- interesting traffic ACL
c) Apply the IPsec crypto map on the interface:
interface FastEthernet0/0
 ip address 202.106.3.1 255.255.255.0
 crypto map Side-2                                 --- apply the IPsec crypto map
Branch (Side-2) routing configuration
ip route 192.168.0.0 255.255.0.0 Tunnel2
--- The routes to the Center and other Side business subnets point at the GRE tunnel interface. Business data is thus GRE-encapsulated, then the default route lookup sends it to FastEthernet0/0, where it matches the IPsec crypto map, is authenticated and encrypted by IPsec ESP and sent to the HQ Center-VPN, which is how GRE over IPsec is achieved.
Note: the GRE outer Dst IP is 1.1.1.1, so the route to 1.1.1.1 must lead out of FastEthernet0/0, otherwise IPsec cannot match the GRE traffic. Here the default route resolves it via F0/0 202.106.3.2; to avoid unnecessary problems an explicit static route dst 1.1.1.1 via F0/0 can be added. For example, when running OSPF or another dynamic routing protocol over the GRE tunnel, never advertise the loopback addresses: an OSPF route to 1.1.1.1 would then be learned via the GRE tunnel instead of the default route via FastEthernet0/0. That breaks GRE, then OSPF breaks, the routes disappear, GRE comes up again, OSPF comes up again, GRE breaks again, OSPF breaks again... the tunnel flaps down and up in a loop and business traffic is abnormal. Adding the explicit static route 1.1.1.1/32 via F0/0 avoids this problem, because a static route has a lower administrative distance than OSPF and is preferred. The above applies to Cisco/HUAWEI/H3C and similar devices; a Fortinet firewall always holds a static route to the GRE Dst IP, so it does not carry this risk.
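The two route lookups described in the scenario analysis and in the Side-1 Phase 2 section, together with the recursive-routing failure described in the note above, as an added Python model that is not part of the original document nor of any Fortinet or Cisco code. The route tables, GRE tunnel definitions and selectors are constructed from this page's topology; the administrative distances follow the values shown in the routing tables later in the page.

```python
"""Forwarding path of GRE over IPsec: route lookup, GRE encapsulation, second lookup.

Added example, not from the original document nor from Fortinet or Cisco. Every
table below is constructed from the topology described in this document.
"""
from ipaddress import ip_address, ip_network

# Center FGT routes: (prefix, administrative distance, egress interface).
CENTER_ROUTES = [
    ("0.0.0.0/0", 10, "port15"),
    ("1.1.1.1/32", 0, "loopback1"),
    ("1.1.1.2/32", 15, "Center-VPN_0"),  # installed from Side-1's Phase 2 selector
    ("1.1.1.3/32", 15, "Center-VPN_1"),  # installed from Side-2's Phase 2 selector
    ("192.168.111.0/24", 0, "port16"),
    ("192.168.112.0/24", 10, "gre1"),
    ("192.168.113.0/24", 10, "gre2"),
]
# GRE tunnels: interface -> (local-gw, remote-gw), as in 'config system gre-tunnel'.
CENTER_GRE = {"gre1": ("1.1.1.1", "1.1.1.2"), "gre2": ("1.1.1.1", "1.1.1.3")}
# Phase 2 selectors the hub learned from the spokes: IPsec interface -> (src, dst).
CENTER_SELECTORS = {"Center-VPN_0": ("1.1.1.1/32", "1.1.1.2/32"),
                    "Center-VPN_1": ("1.1.1.1/32", "1.1.1.3/32")}

# Side-2 Cisco router: Tunnel2 is sourced from Loopback1 (1.1.1.3) towards 1.1.1.1.
SIDE2_GRE = {"Tunnel2": ("1.1.1.3", "1.1.1.1")}
SIDE2_SELECTORS = {"FastEthernet0/0": ("1.1.1.3/32", "1.1.1.1/32")}  # crypto map ACL 101
SIDE2_ROUTES = [("0.0.0.0/0", 1, "FastEthernet0/0"), ("192.168.0.0/16", 1, "Tunnel2")]
# Same table after the hub's loopback leaked into OSPF (AD 110) through the tunnel.
SIDE2_ROUTES_LEAKED = SIDE2_ROUTES + [("1.1.1.1/32", 110, "Tunnel2")]
# The fix from the note above: an explicit static /32 (AD 1) beats the OSPF route.
SIDE2_ROUTES_FIXED = SIDE2_ROUTES_LEAKED + [("1.1.1.1/32", 1, "FastEthernet0/0")]


def lookup(routes, dst):
    """Longest prefix match, ties broken by the lowest administrative distance."""
    addr = ip_address(dst)
    best = None
    for prefix, distance, iface in routes:
        net = ip_network(prefix)
        key = (net.prefixlen, -distance)
        if addr in net and (best is None or key > best[0]):
            best = (key, iface)
    return best[1] if best else None


def forward(routes, gre, selectors, src, dst):
    """Walk one packet through both lookups; return (egress, outer_src, outer_dst).

    Returns an error string instead when the outer header resolves back into the
    same GRE tunnel (recursive routing, the OSPF loopback-leak failure) or when
    no Phase 2 selector on the egress covers the GRE-encapsulated packet.
    """
    first = lookup(routes, dst)
    if first not in gre:
        return (first, src, dst)             # not tunnelled, forwarded as-is
    outer_src, outer_dst = gre[first]        # GRE adds the outer IP header
    second = lookup(routes, outer_dst)
    if second == first:
        return f"recursive routing: {outer_dst} is reached via {first} itself"
    if second in selectors:
        sel_src, sel_dst = selectors[second]
        if not (ip_address(outer_src) in ip_network(sel_src)
                and ip_address(outer_dst) in ip_network(sel_dst)):
            return f"no Phase 2 selector on {second} matches {outer_src}->{outer_dst}"
    return (second, outer_src, outer_dst)


def side2_to_hq(routes):
    """Path of a Side-2 LAN host (192.168.113.100) to the HQ server (192.168.111.100)."""
    return forward(routes, SIDE2_GRE, SIDE2_SELECTORS, "192.168.113.100", "192.168.111.100")


if __name__ == "__main__":
    hub = (CENTER_ROUTES, CENTER_GRE, CENTER_SELECTORS)
    print(forward(*hub, "192.168.111.100", "192.168.112.100"))   # HQ -> Side-1
    print(forward(*hub, "192.168.112.100", "192.168.113.100"))   # Side-1 -> Side-2 via the hub
    for table in (SIDE2_ROUTES, SIDE2_ROUTES_LEAKED, SIDE2_ROUTES_FIXED):
        print(side2_to_hq(table))
```

The hub cases reproduce the debug flow traces later in the page (gre1 then Center-VPN_0, gre2 then Center-VPN_1); the leaked Side-2 table is the flapping case from the note, and the /32 static route restores the path.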
At this point the branch (Side-2) GRE over IPsec VPN configuration is complete.
Hub-and-Spoke GRE over IPsec status checks and business tests
HQ (Center-VPN FGT) GRE over IPsec status check
HQ (Center-VPN) IPsec VPN status:
FGT1KC3912800033 # diagnose vpn ike status
connection: 2/21
IKE SA: created 2/26 established 2/23 times 0/95/300 ms
IPsec SA: created 2/45 established 2/44 times 0/98/1330 ms
HQ (Center-VPN) routing table:
FGT1KC3912800033 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 -IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 202.106.1.2, port15
C 1.1.1.1/32 is directly connected, loopback1
S 1.1.1.2/32 [15/0] is directly connected, Center-VPN_0
S 1.1.1.3/32 [15/0] is directly connected, Center-VPN_1
C 10.10.10.1/32 is directly connected, gre1
C 10.10.10.2/32 is directly connected, gre1
C 20.20.20.1/32 is directly connected, gre2
C 20.20.20.2/32 is directly connected, gre2
C 192.168.90.0/24 is directly connected, mgmt1
C 192.168.111.0/24 is directly connected, port16
S 192.168.112.0/24 [10/0] via 10.10.10.2, gre1
S 192.168.113.0/24 [10/0] via 20.20.20.2, gre2
C 202.106.1.0/24 is directly connected, port15
Branch (Side-1 FGT) GRE over IPsec status check
Branch (Side-1) IPsec VPN status:
FG200B3909601296 # diagnose vpn ike status
connection: 1/1850
IKE SA: created 1/1852 established 1/14 times 0/2572/18000 ms
IPsec SA: created 635/1862 established 1/25 times 0/1321/18000 ms
Branch (Side-1) routing table:
FG200B3909601296 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2-IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 202.106.2.2, port15
C 1.1.1.1/32 is directly connected, Side-1
C 1.1.1.2/32 is directly connected, Side-1
C 10.10.10.1/32 is directly connected, gre1
C 10.10.10.2/32 is directly connected, gre1
S 192.168.0.0/16 [10/0] via 10.10.10.1, gre1
C 192.168.90.0/24 is directly connected, switch
C 192.168.112.0/24 is directly connected, port16
C 202.106.2.0/24 is directly connected, port15
Branch (Side-2 Cisco Router) GRE over IPsec status check
Branch (Side-2) IPsec VPN status:
R1#show crypto isakmp sa
dst src state conn-id slot status
202.106.1.1 202.106.3.1 QM_IDLE 1 0 ACTIVE
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: Side-2, local addr 202.106.3.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 202.106.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7958, #pkts encrypt: 7958, #pkts digest: 7958
#pkts decaps: 7927, #pkts decrypt: 7927, #pkts verify: 7927
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 2
local crypto endpt.: 202.106.3.1, remote crypto endpt.: 202.106.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x3B9AE699(1000007321)
inbound esp sas:
spi: 0x76FD4FBC(1996312508)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: Side-2
sa timing: remaining key lifetime (k/sec): (4528665/40605)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3B9AE699(1000007321)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: Side-2
sa timing: remaining key lifetime (k/sec): (4528655/40605)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Branch (Side-2) routing table:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.3 is directly connected, Loopback1
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, Tunnel2
C 202.106.3.0/24 is directly connected, FastEthernet0/0
C 192.168.113.0/24 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 202.106.3.2
S 192.168.0.0/16 is directly connected, Tunnel2
Hub-and-Spoke business tests
Business test results (screenshots not reproduced):
HQ (Center-VPN FGT) business test:
Branch (Side-1 FGT) business test:
Branch (Side-2 Cisco Router) business test (Cisco router and VPCS emulated in GNS3):
Run debug flow on the HQ for the business traffic to observe how the FGT processes the IPsec VPN traffic from HQ (Center-VPN) to branch (Side-1):
FGT1KC3912800033 # diagnose debug flow filter addr 192.168.112.100
FGT1KC3912800033 # diagnose debug flow filter proto 1
FGT1KC3912800033 # diagnose debug flow show console enable
FGT1KC3912800033 # diagnose debug flow show function-name enable
FGT1KC3912800033 # diagnose debug flow trace start 5
FGT1KC3912800033 # diagnose debug enable
HQ (Center-VPN) 192.168.111.100 pings branch 1 (Side-1) 192.168.112.100
ICMP request:
FGT1KC3912800033 # id=20085 trace_id=77 func=print_pkt_detail line=4420 msg="vd-root received
a packet(proto=1, 192.168.111.100:512->192.168.112.100:8) from port16. code=8, type=0, id=512,
seq=35218."
id=20085 trace_id=77 func=init_ip_session_common line=4569 msg="allocate a new
session-0022f5ba"
id=20085 trace_id=77 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000
gw-10.10.10.2 via gre1" --- the HQ FGT's route lookup gives next hop gre1
id=20085 trace_id=77 func=fw_forward_handler line=671 msg="Allowed by Policy-4:"
id=20085 trace_id=77 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec
interface-Center-VPN_0" --- after GRE encapsulation the packet enters Center-VPN_0
id=20085 trace_id=77 func=ipsec_output_finish line=232 msg="send to 202.106.1.2 via intf-port15"
id=20085 trace_id=77 func=esp_output4 line=897 msg="encrypting, and send to 202.106.2.1 with
source 202.106.1.1" --- encrypted and forwarded out of port15
ICMP reply:
id=20085 trace_id=78 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1,
192.168.112.100:512->192.168.111.100:0) from gre1. code=0, type=0, id=512, seq=35218."
id=20085 trace_id=78 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session,
id-0022f5ba, reply direction"
id=20085 trace_id=78 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000
gw-192.168.111.100 via port16"
Run debug flow on the HQ for the business traffic to observe how the FGT processes the IPsec VPN traffic from branch (Side-1) to branch (Side-2):
FGT1KC3912800033 # diagnose debug flow filter addr 192.168.113.100
FGT1KC3912800033 # diagnose debug flow filter proto 1
FGT1KC3912800033 # diagnose debug flow show console enable
FGT1KC3912800033 # diagnose debug flow show function-name enable
FGT1KC3912800033 # diagnose debug flow trace start 5
FGT1KC3912800033 # diagnose debug enable
Branch 1 (Side-1) 192.168.112.100 pings branch 2 (Side-2) 192.168.113.100
ICMP request:
FGT1KC3912800033 # id=20085 trace_id=81 func=print_pkt_detail line=4420 msg="vd-root received
a packet(proto=1, 192.168.112.100:512->192.168.113.100:8) from gre1. code=8, type=0, id=512,
seq=27350."
id=20085 trace_id=81 func=init_ip_session_common line=4569 msg="allocate a new
session-0022f927"
id=20085 trace_id=81 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000
gw-20.20.20.2 via gre2" --- the HQ FGT's route lookup gives next hop gre2
id=20085 trace_id=81 func=fw_forward_handler line=671 msg="Allowed by Policy-0:"
id=20085 trace_id=81 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec
interface-Center-VPN_1" --- after GRE encapsulation the packet enters Center-VPN_1
id=20085 trace_id=81 func=ipsec_output_finish line=232 msg="send to 202.106.1.2 via intf-port15"
id=20085 trace_id=81 func=esp_output4 line=897 msg="encrypting, and send to 202.106.3.1 with
source 202.106.1.1" --- encrypted and forwarded out of port15
ICMP reply:
id=20085 trace_id=82 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1,
192.168.113.100:512->192.168.112.100:0) from gre2. code=0, type=0, id=512, seq=27350."
id=20085 trace_id=82 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session,
id-0022f927, reply direction"
id=20085 trace_id=82 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000
gw-10.10.10.2 via gre1" --- the HQ FGT's return route lookup gives next hop gre1
id=20085 trace_id=82 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec
interface-Center-VPN_0" --- after GRE encapsulation the packet enters Center-VPN_0
id=20085 trace_id=82 func=ipsec_output_finish line=232 msg="send to 202.106.1.2 via intf-port15"
id=20085 trace_id=82 func=esp_output4 line=897 msg="encrypting, and send to 202.106.2.1 with
source 202.106.1.1" --- encrypted and forwarded out of port15
Appendix: running OSPF over the Hub-and-Spoke
With OSPF running over GRE over IPsec to distribute routes across the whole network, static routes to the business subnets no longer have to be entered by hand; they are learned dynamically through OSPF. Enable OSPF on the GRE tunnel interfaces to form the OSPF adjacencies, and advertise only the required business subnets; do not import any other routes into OSPF.
HQ (Center FGT) OSPF configuration:
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "gre1"
            set interface "gre1"
            set ip 10.10.10.1
        next
        edit "gre2"
            set interface "gre2"
            set ip 20.20.20.1
        next
        edit "port16"
            set interface "port16"
            set ip 192.168.111.1
        next
    end
    config network
        edit 1
            set prefix 192.168.111.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.1 255.255.255.255
        next
        edit 3
            set prefix 20.20.20.1 255.255.255.255
        next
    end
end
Branch (Side-1 FGT) OSPF configuration:
config router ospf
    set router-id 1.1.1.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "gre1"
            set interface "gre1"
            set ip 10.10.10.2
        next
        edit "port16"
            set interface "port16"
            set ip 192.168.112.1
        next
    end
    config network
        edit 1
            set prefix 192.168.112.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.2 255.255.255.255
        next
    end
end
Branch (Side-2 Cisco Router) OSPF configuration:
router ospf 10
 router-id 1.1.1.3
 network 20.20.20.0 0.0.0.255 area 0
 network 192.168.113.0 0.0.0.255 area 0
HQ (Center FGT) routing table:
FGT1KC3912800033 # get router info routing-table ospf
O 20.20.20.0/24 [110/11211] via 20.20.20.2, gre2, 00:08:24
O 192.168.112.0/24 [110/110] via 10.10.10.2, gre1, 00:10:26
O 192.168.113.0/24 [110/101] via 20.20.20.2, gre2, 00:08:24
FGT1KC3912800033 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 202.106.1.2, port15
C 1.1.1.1/32 is directly connected, loopback1
S 1.1.1.2/32 [15/0] is directly connected, Center-VPN_0
S 1.1.1.3/32 [15/0] is directly connected, Center-VPN_1
C 10.10.10.1/32 is directly connected, gre1
C 10.10.10.2/32 is directly connected, gre1
O 20.20.20.0/24 [110/11211] via 20.20.20.2, gre2, 00:09:59
C 20.20.20.1/32 is directly connected, gre2
C 20.20.20.2/32 is directly connected, gre2
C 192.168.90.0/24 is directly connected, mgmt1
C 192.168.111.0/24 is directly connected, port16
O 192.168.112.0/24 [110/110] via 10.10.10.2, gre1, 00:12:01
O 192.168.113.0/24 [110/101] via 20.20.20.2, gre2, 00:09:59
C 202.106.1.0/24 is directly connected, port15
Branch (Side-1 FGT) routing table:
FG200B3909601296 # get router info routing-table ospf
O 20.20.20.0/24 [110/11311] via 10.10.10.1, gre1, 00:09:00
O 20.20.20.1/32 [110/100] via 10.10.10.1, gre1, 00:10:52
O 20.20.20.2/32 [110/200] via 10.10.10.1, gre1, 00:10:52
O 192.168.111.0/24 [110/110] via 10.10.10.1, gre1, 00:10:52
O 192.168.113.0/24 [110/201] via 10.10.10.1, gre1, 00:09:00
FG200B3909601296 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 202.106.2.2, port15
C 1.1.1.1/32 is directly connected, Side-1
C 1.1.1.2/32 is directly connected, Side-1
C 10.10.10.1/32 is directly connected, gre1
C 10.10.10.2/32 is directly connected, gre1
O 20.20.20.0/24 [110/11311] via 10.10.10.1, gre1, 00:10:04
O 20.20.20.1/32 [110/100] via 10.10.10.1, gre1, 00:11:56
O 20.20.20.2/32 [110/200] via 10.10.10.1, gre1, 00:11:56
C 192.168.90.0/24 is directly connected, switch
O 192.168.111.0/24 [110/110] via 10.10.10.1, gre1, 00:11:56
C 192.168.112.0/24 is directly connected, port16
O 192.168.113.0/24 [110/201] via 10.10.10.1, gre1, 00:10:04
C 202.106.2.0/24 is directly connected, port15
Branch (Side-2 Cisco Router) routing table:
R1#show ip route ospf
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 20.20.20.1/32 [110/11111] via 20.20.20.1, 00:48:28, Tunnel1
O 192.168.111.0/24 [110/11121] via 20.20.20.1, 00:48:28, Tunnel1
10.0.0.0/32 is subnetted, 2 subnets
O 10.10.10.2 [110/11211] via 20.20.20.1, 00:48:28, Tunnel1
O 10.10.10.1 [110/11111] via 20.20.20.1, 00:48:28, Tunnel1
O 192.168.112.0/24 [110/11221] via 20.20.20.1, 00:48:28, Tunnel1
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 202.106.3.2 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.3 is directly connected, Loopback1
C 192.168.90.0/24 is directly connected, FastEthernet0/0
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.20.20.0/24 is directly connected, Tunnel1
O 20.20.20.1/32 [110/11111] via 20.20.20.1, 00:46:11, Tunnel1
O 192.168.111.0/24 [110/11121] via 20.20.20.1, 00:46:11, Tunnel1
C 202.106.3.0/24 is directly connected, FastEthernet0/0
10.0.0.0/32 is subnetted, 2 subnets
O 10.10.10.2 [110/11211] via 20.20.20.1, 00:46:11, Tunnel1
O 10.10.10.1 [110/11111] via 20.20.20.1, 00:46:11, Tunnel1
C 192.168.113.0/24 is directly connected, FastEthernet1/0
O 192.168.112.0/24 [110/11221] via 20.20.20.1, 00:46:11, Tunnel1
S* 0.0.0.0/0 [1/0] via 202.106.3.2