Overview
Topology
(PC).1---------.2[FW1].2--------.1[INTERNET].1--------.2[FW2].2---------.1(PC)
    |<----------->|    |<---------->|        |<---------->|    |<----------->|
         NW1                WAN1                  WAN2              NW2
    192.168.10.0/24     10.0.10.0/24          10.0.20.0/24     192.168.20.0/24
Components
- Internet (CiscoRT)
  - I/F 0/0: WAN1
  - I/F 0/1: WAN2
- FW1 (FortiGate)
  - I/F
    - wan: WAN1
    - internal: LAN-side interface
- FW2 (FortiGate)
  - I/F
    - wan: WAN2
    - internal: LAN-side interface
- IP addressing
  - WAN1: 10.0.10.0/24
  - WAN2: 10.0.20.0/24
  - NW1: 192.168.10.0/24
  - NW2: 192.168.20.0/24
- VPN (IPsec)
  - Authentication: pre-shared key
  - IKE Phase 1 (ISAKMP SA)
    - IKE Phase 1 mode: main
    - Encryption algorithm: DES
    - Hash algorithm: SHA1
    - DH group: 14
    - ISAKMP SA lifetime: 86400 s
    - Pre-shared key: "fortigate"
  - IKE Phase 2 (IPsec SA), as in the configuration below
    - Encryption algorithm: DES
    - Hash algorithm: SHA1
    - PFS DH group: 14
    - IPsec SA lifetime: 3600 s
    - Anti-replay detection: enabled
    - Traffic selectors: NW1 (192.168.10.0/24) <-> NW2 (192.168.20.0/24)

DES, SHA1 and a short dictionary-word PSK are used here only to keep the lab simple. For a tunnel that carries real traffic, configure a modern proposal on both peers (for example aes256-sha256, or aes256gcm-prfsha256 together with IKEv2), DH group 14 or higher, and a long random PSK or certificate authentication. Both sides must offer at least one identical proposal, otherwise Phase 1 fails with no proposal chosen.
Prerequisite configuration
Internet (CiscoRT)
interface GigabitEthernet0/0
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.0.20.1 255.255.255.0
FW1
config system interface
    edit "wan"
        set vdom "root"
        set ip 10.0.10.2 255.255.255.0
        set allowaccess ping
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.10.2 255.255.255.0
        set allowaccess ping
    next
end
config router static
    edit 1
        set dst 10.0.20.0 255.255.255.0
        set gateway 10.0.10.1
        set device "wan"
    next
end
The gateway of the route toward the peer's WAN segment must be the next hop on FW1's own WAN subnet, i.e. the router's 10.0.10.1; an address on the peer's segment (10.0.20.1) is not on-link from "wan", so the route would never become active and IKE could not reach the peer.
FW2
config system interface
    edit "wan"
        set vdom "root"
        set ip 10.0.20.2 255.255.255.0
        set allowaccess ping
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.20.2 255.255.255.0
        set allowaccess ping
    next
end
config router static
    edit 1
        set dst 10.0.10.0 255.255.255.0
        set gateway 10.0.20.1
        set device "wan"
    next
end
Create address objects for the traffic to be carried over IPsec (FW1)
config firewall address
    edit "OBJ-ADDR_VPN-TARGET_LOCAL"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "OBJ-ADDR_VPN-TARGET_REMOTE"
        set subnet 192.168.20.0 255.255.255.0
    next
end
IPsec Phase 1 configuration (FW1)
Configuration
config vpn ipsec phase1-interface
    edit "SiteToSite"
        set interface "wan"
        set nattraversal disable
        set proposal des-sha1
        set dpd enable
        set dhgrp 14
        set remote-gw 10.0.20.2
        set mode main
        set psksecret fortigate
    next
end
NAT traversal is disabled here because neither gateway sits behind NAT in this topology; leave it enabled whenever either WAN address is translated, otherwise ESP is dropped even though IKE succeeds.
Parameter details
edit [NAME]                  : administrative name of the tunnel (also the name of the auto-created tunnel interface)
set ike-version [No]         : IKE version (1 or 2)
set interface [I/F]          : interface on which the VPN listens
set nattraversal [FLG]       : enable/disable NAT traversal
set proposal [PRO]           : encryption/hash algorithm combination to offer
set authmethod [AUTH]        : authentication method (pre-shared key or certificate)
set keylife [SEC]            : IKE SA lifetime in seconds
set dpd [FLG]                : enable/disable dead peer detection
set dpd-retrycount [NO]      : number of DPD retries (the peer is declared dead and the tunnel torn down after interval x count consecutive failures)
set dpd-retryinterval [SEC]  : interval in seconds between DPD probes
set auto-negotiate [FLG]     : whether to start the VPN negotiation automatically (when disabled, nothing is negotiated until the peer initiates)
set negotiate-timeout [SEC]  : IKE SA negotiation timeout in seconds
set dhgrp [DH]               : Diffie-Hellman group
set remote-gw [IP]           : IP address of the remote VPN gateway
set mode [MODE]              : IKE Phase 1 mode (main or aggressive)
set psksecret [KEY]          : pre-shared key
IPsec Phase 2 configuration (FW1)
Configuration
config vpn ipsec phase2-interface
    edit "SiteToSite"
        set phase1name "SiteToSite"
        set proposal des-sha1
        set dhgrp 14
        set replay enable
        set keylifeseconds 3600
        set src-addr-type name
        set dst-addr-type name
        set src-name "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dst-name "OBJ-ADDR_VPN-TARGET_REMOTE"
    next
end
Parameter details
edit [NAME]                : administrative name
set phase1name [P1-NAME]   : name of the Phase 1 definition this Phase 2 belongs to
set proposal [PRO]         : encryption/hash algorithm combination to offer
set dhgrp [DH]             : Diffie-Hellman group used for PFS when the IPsec SA is (re)keyed
set replay [FLG]           : enable IPsec anti-replay detection
set keepalive [FLG]        : keep the tunnel (connection) up even when there is no traffic
set auto-negotiate [FLG]   : automatically renegotiate when the tunnel goes down
set keylife-type [TYPE]    : lifetime basis (seconds, kilobytes, or both)
set keylifeseconds [SEC]   : lifetime in seconds
set src-addr-type [TYPE]   : how the local side of the protected traffic is specified
set dst-addr-type [TYPE]   : how the remote side of the protected traffic is specified
set src-name [OBJ]         : address object for the local (source) segment of the protected traffic
set dst-name [OBJ]         : address object for the remote (destination) segment of the protected traffic
Create the policies that allow traffic between the sites (FW1)
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "SiteToSite"
        set srcaddr "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dstaddr "OBJ-ADDR_VPN-TARGET_REMOTE"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "SiteToSite"
        set dstintf "internal"
        set srcaddr "OBJ-ADDR_VPN-TARGET_REMOTE"
        set dstaddr "OBJ-ADDR_VPN-TARGET_LOCAL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
The source and destination interfaces are the LAN interface and the tunnel interface, so only traffic between the two selector subnets is matched. "ALL" is used for the service to keep the lab simple; in production restrict the service (and, if possible, the addresses) to what the sites actually exchange.
Add a route to the remote site through the IPsec tunnel
config router static
    edit 2
        set dst 192.168.20.0 255.255.255.0
        set device "SiteToSite"
    next
end
The route has no gateway; the tunnel interface itself is the egress device. Without it, traffic for 192.168.20.0/24 would follow the default route and never hit the policies above.
[auto-generated] Configuring the IPsec Phase 1 creates this tunnel interface automatically
config system interface
    edit "SiteToSite"
        set vdom "root"
        set type tunnel
        set interface "wan"
    next
end
Configuration of the peer (FW2)
The peer mirrors FW1: local and remote selectors swap, remote-gw points at FW1's WAN address, and proposal, DH group, lifetimes and PSK must be identical.
config firewall address
    edit "OBJ-ADDR_VPN-TARGET_LOCAL"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "OBJ-ADDR_VPN-TARGET_REMOTE"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "SiteToSite"
        set interface "wan"
        set nattraversal disable
        set proposal des-sha1
        set dpd enable
        set dhgrp 14
        set remote-gw 10.0.10.2
        set mode main
        set psksecret fortigate
    next
end
config vpn ipsec phase2-interface
    edit "SiteToSite"
        set phase1name "SiteToSite"
        set proposal des-sha1
        set dhgrp 14
        set replay enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dst-name "OBJ-ADDR_VPN-TARGET_REMOTE"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "SiteToSite"
        set srcaddr "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dstaddr "OBJ-ADDR_VPN-TARGET_REMOTE"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "SiteToSite"
        set dstintf "internal"
        set srcaddr "OBJ-ADDR_VPN-TARGET_REMOTE"
        set dstaddr "OBJ-ADDR_VPN-TARGET_LOCAL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 2
        set dst 192.168.10.0 255.255.255.0
        set device "SiteToSite"
    next
end
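Most site-to-site failures come from the two halves not mirroring each other: a proposal or PSK typed differently, selectors that are not swapped, or a static route whose gateway is not on the local WAN subnet. The following is an added example (editor's code, not part of the original article or of FortiOS) that models both sides in a small Python dataclass and checks exactly those points before anything is pasted into the CLI. The `Site` class, its field names, and the `FW1`/`FW2`/`FW1_WRONG_GW` constants are constructed for illustration from the values on this page; the "wrong gateway" case shows the checker catching a route that points at the peer router's address instead of the local next hop.

```python
import ipaddress
from dataclasses import dataclass, replace

# Algorithms that should not be negotiated for a new tunnel (DES/3DES and SHA-1 are
# deprecated for IPsec; DH groups 1, 2 and 5 are shorter than 2048 bits).
WEAK_ENC = {"des", "3des", "null"}
WEAK_INTEG = {"md5", "sha1"}
WEAK_DH = {1, 2, 5}


@dataclass(frozen=True)
class Site:
    """Constructed model of one FortiGate side (an illustration, not a FortiOS structure)."""
    name: str
    wan_ip: str        # 'set ip' on the wan interface, written as address/prefix
    route_dst: str     # 'set dst' of the static route toward the peer's WAN segment
    route_gw: str      # 'set gateway' of that route
    remote_gw: str     # 'set remote-gw' in phase1-interface
    psk: str           # 'set psksecret'
    p1_proposal: str   # phase1 'set proposal'
    p2_proposal: str   # phase2 'set proposal'
    dhgrp: int         # 'set dhgrp' (the same value is used in both phases on this page)
    local_net: str     # phase2 src selector
    remote_net: str    # phase2 dst selector


def weak_algorithms(proposal: str, dhgrp: int) -> list[str]:
    """Return the weak parts of a FortiOS proposal such as 'des-sha1', plus a weak DH group."""
    enc, _, integ = proposal.partition("-")
    found = [x for x in (enc, integ) if x in WEAK_ENC | WEAK_INTEG]
    if dhgrp in WEAK_DH:
        found.append(f"dhgrp {dhgrp}")
    return found


def check_site(site: Site) -> list[str]:
    """Local checks: the route's gateway must be on-link on the wan subnet, and the
    route must actually cover the peer gateway it is meant to reach."""
    errors = []
    wan = ipaddress.ip_interface(site.wan_ip)
    if ipaddress.ip_address(site.route_gw) not in wan.network:
        errors.append(f"{site.name}: gateway {site.route_gw} is not on-link in {wan.network}")
    if ipaddress.ip_address(site.remote_gw) not in ipaddress.ip_network(site.route_dst):
        errors.append(f"{site.name}: remote-gw {site.remote_gw} is not covered by route {site.route_dst}")
    return errors


def check_pair(a: Site, b: Site) -> tuple[list[str], list[str]]:
    """Cross checks: what IKE negotiates must match, remote-gw must point at the peer's
    wan address, and the Phase 2 selectors must be mirror images of each other."""
    errors = check_site(a) + check_site(b)
    for x, y in ((a, b), (b, a)):
        peer_wan = str(ipaddress.ip_interface(y.wan_ip).ip)
        if x.remote_gw != peer_wan:
            errors.append(f"{x.name}: remote-gw {x.remote_gw} != {y.name} wan {peer_wan}")
    if a.psk != b.psk:
        errors.append("pre-shared keys differ")
    for field in ("p1_proposal", "p2_proposal", "dhgrp"):
        if getattr(a, field) != getattr(b, field):
            errors.append(f"{field} differs: {getattr(a, field)} vs {getattr(b, field)}")
    if (a.local_net, a.remote_net) != (b.remote_net, b.local_net):
        errors.append("phase2 selectors are not mirrored")
    warnings = []
    for s in (a, b):
        weak = set(weak_algorithms(s.p1_proposal, s.dhgrp)) | set(weak_algorithms(s.p2_proposal, s.dhgrp))
        warnings += [f"{s.name}: weak {w}" for w in sorted(weak)]
    return errors, warnings


# The two sides as configured in this article.
FW1 = Site("FW1", "10.0.10.2/24", "10.0.20.0/24", "10.0.10.1", "10.0.20.2",
           "fortigate", "des-sha1", "des-sha1", 14, "192.168.10.0/24", "192.168.20.0/24")
FW2 = Site("FW2", "10.0.20.2/24", "10.0.10.0/24", "10.0.20.1", "10.0.10.2",
           "fortigate", "des-sha1", "des-sha1", 14, "192.168.20.0/24", "192.168.10.0/24")
# A common slip: pointing FW1's route at the peer router's address instead of its own next hop.
FW1_WRONG_GW = replace(FW1, route_gw="10.0.20.1")

if __name__ == "__main__":
    for label, pair in (("as configured", (FW1, FW2)), ("wrong gateway", (FW1_WRONG_GW, FW2))):
        errors, warnings = check_pair(*pair)
        print(f"{label}: errors={errors or 'none'} warnings={warnings}")
```

Run as-is it reports no errors for the mirrored pair but flags `des` and `sha1` on both sides as weak, and for the wrong-gateway variant it reports that 10.0.20.1 is not on-link in 10.0.10.0/24. Extend `WEAK_*` to match your own baseline rather than treating these sets as authoritative.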
Checking the connection state (on success)
The "get vpn ike gateway" and "tunnel summary" outputs below were captured before the first IPsec SA had come up (IPsec SA created: 0/0, selectors 1/0); the "tunnel details" output was captured after Phase 2 completed. Two IKE SAs are listed, one with FW1 as responder and one as initiator, which happens when both peers start negotiating at about the same time.
FW1 # get vpn ike gateway

vd: root/0
name: SiteToSite
version: 1
interface: wan 3
addr: 10.0.10.2:500 -> 10.0.20.2:500
created: 140s ago
IKE SA  created: 2/2  established: 2/2  time: 40/50/60 ms
IPsec SA  created: 0/0

  id/spi: 2 013fb7d3e6b2f6b8/c95ad89d181c091c
  direction: responder
  status: established 140-140s ago = 40ms
  proposal: des-sha1
  key: 6813f7845c0e66bf
  lifetime/rekey: 86400/85989
  DPD sent/recv: 00000000/00001849

  id/spi: 1 06afa332941652e8/984300df3ecc0f8e
  direction: initiator
  status: established 140-140s ago = 60ms
  proposal: des-sha1
  key: 132e60dd86338e95
  lifetime/rekey: 86400/85959
  DPD sent/recv: 00001717/00000000

FW1 # get vpn ipsec tunnel summary
'SiteToSite' 10.0.20.2:0  selectors(total,up): 1/0  rx(pkt,err): 14/0  tx(pkt,err): 14/1

FW1 # get vpn ipsec tunnel details
gateway
  name: 'SiteToSite'
  type: route-based
  local-gateway: 10.0.10.2:0 (static)
  remote-gateway: 10.0.20.2:0 (static)
  mode: ike-v1
  interface: 'wan' (3)
  rx  packets: 23  bytes: 3496  errors: 0
  tx  packets: 23  bytes: 2300  errors: 2
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'SiteToSite'
    auto-negotiate: disable
    mode: tunnel
    src: 0:192.168.10.0/255.255.255.0:0
    dst: 0:192.168.20.0/255.255.255.0:0
    SA
      lifetime/rekey: 3600/3538
      mtu: 1446
      tx-esp-seq: a
      replay: enabled
      inbound
        spi: 9c6a36dd
        enc:  des  eaeba79415ef6d46
        auth: sha1 1a6f2c86bc8466fabdb8cfaacf1edbb82ba07f51
      outbound
        spi: c1804d7c
        enc:  des  347f8fd145c40977
        auth: sha1 fc7a02c952531eec77665e8fb5218b1f7ad5bdd5
Other commands
##### Enabling IKE debug logging
Filter to the peer first, otherwise every IKE exchange on the box is logged. The filter syntax depends on the FortiOS version: 6.x uses "diagnose vpn ike log-filter dst-addr4 <peer>", 7.x uses "diagnose vpn ike log filter rem-addr4 <peer>".
diagnose vpn ike log-filter dst-addr4 10.0.20.2
diagnose debug app ike -1
diagnose debug enable
##### Disabling the debug logging
diagnose debug disable
diagnose debug reset
##### Tearing down and re-establishing the tunnel (disruptive: existing SAs are dropped)
diagnose vpn ike gateway clear
diagnose vpn ike restart