ICT Diary

Posting about networking (mainly Cisco), servers (Red Hat family) and programming (whatever comes up), as the mood strikes.

Fortigate Site-to-Site IPSec VPN ~Route-Based IPSec VPN~

Overview

Topology

(PC).1---------.2[FW1].2--------.1[INTERNET].1--------.2[FW2].2---------.1(PC)
   |<----------->|   |<---------->|        |<---------->|   |<----------->|
         NW1              WAN1                  WAN2               NW2
   192.168.10.0/24    10.0.10.0/24          10.0.20.0/24    192.168.20.0/24

Components

  • Internet (Cisco router)
    • I/F 0/0: WAN1
    • I/F 0/1: WAN2
  • FW1 (Fortigate)
    • I/F
      • wan: WAN1
      • internal: LAN-side interface
  • FW2 (Fortigate)
    • I/F
      • wan: WAN2
      • internal: LAN-side interface
  • IP addressing
    • WAN1: 10.0.10.0/24
    • WAN2: 10.0.20.0/24
    • NW1: 192.168.10.0/24
    • NW2: 192.168.20.0/24
  • VPN (IPSec)

Baseline configuration

Internet (Cisco router)

interface GigabitEthernet0/0
 ip address 10.0.10.1 255.255.255.0

interface GigabitEthernet0/1
 ip address 10.0.20.1 255.255.255.0

FW1

config system interface
    edit "wan"
        set vdom "root"
        set ip 10.0.10.2 255.255.255.0
        set allowaccess ping
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.10.2 255.255.255.0
        set allowaccess ping
    next
end

config router static
    edit 1
        set dst 10.0.20.0 255.255.255.0
        set gateway 10.0.20.1
        set device "wan"
    next
end

FW2

config system interface
    edit "wan"
        set ip 10.0.20.2 255.255.255.0
        set allowaccess ping
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.20.2 255.255.255.0
        set allowaccess ping
    next
end

config router static
    edit 1
        set dst 10.0.10.0 255.255.255.0
        set gateway 10.0.10.1
        set device "wan"
    next
end

Create the address objects that define the traffic to be carried over IPSec (FW1)

config firewall address
    edit "OBJ-ADDR_VPN-TARGET_LOCAL"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "OBJ-ADDR_VPN-TARGET_REMOTE"
        set subnet 192.168.20.0 255.255.255.0
    next
end

IPSec Phase 1 configuration (FW1)

Configuration

config vpn ipsec phase1-interface
    edit "SiteToSite"
        set interface "wan"
        set nattraversal disable
        set proposal des-sha1
        set dpd enable
        set dhgrp 14
        set remote-gw 10.0.20.2
        set mode main
        set psksecret fortigate
    next
end

Details

edit [NAME]                 :administrative name
set ike-version [No]        :IKE version
set interface [I/F]         :interface on which the VPN listens
set nattraversal [FLG]      :enable/disable NAT traversal
set proposal [PRO]          :combination of encryption and hash algorithms
set authmethod [AUTH]       :authentication method
set keylife [SEC]           :IKE SA lifetime
set dpd [FLG]               :enable/disable DPD
set dpd-retrycount [NO]     :number of DPD retries (the peer is declared dead after interval * count failures)
set dpd-retryinterval [SEC] :interval in seconds between DPD dead-peer-detection probes
set auto-negotiate [FLG]    :whether to initiate the VPN automatically (when disabled, no connection is made until the peer initiates)
set negotiate-timeout [SEC] :IKE SA negotiation timeout
set dhgrp [DH]              :DH group
set remote-gw [IP]          :IP address of the peer VPN gateway
set mode [MODE]             :IKE Phase 1 mode
set psksecret [KEY]         :pre-shared key

IPSec Phase 2 configuration (FW1)

Configuration

config vpn ipsec phase2-interface
    edit "SiteToSite"
        set phase1name "SiteToSite"
        set proposal des-sha1
        set dhgrp 14
        set replay enable
        set keylifeseconds 3600
        set src-addr-type name
        set dst-addr-type name
        set src-name "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dst-name "OBJ-ADDR_VPN-TARGET_REMOTE"
    next
end

Details

edit [NAME]                 :administrative name
set phase1name [P1-NAME]    :name of the Phase 1 definition to bind to
set proposal [PRO]          :combination of encryption and hash algorithms
set dhgrp [DH]              :DH group
set replay [FLG]            :enable IPSec replay-attack detection
set keepalive [FLG]         :whether to keep the tunnel (connection) up even when there is no traffic
set auto-negotiate [FLG]    :whether to renegotiate automatically when the tunnel goes down
set keylife-type [TYPE]     :basis on which the lifetime is measured
set keylifeseconds [SEC]    :lifetime in seconds
set src-addr-type [TYPE]    :how the traffic to be encrypted is specified (source)
set dst-addr-type [TYPE]    :how the traffic to be encrypted is specified (destination)
set src-name [OBJ]          :source segment of the traffic to be encrypted
set dst-name [OBJ]          :destination segment of the traffic to be encrypted

Create the policies that permit traffic between the sites (FW1)

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "SiteToSite"
        set srcaddr "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dstaddr "OBJ-ADDR_VPN-TARGET_REMOTE"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "SiteToSite"
        set dstintf "internal"
        set srcaddr "OBJ-ADDR_VPN-TARGET_REMOTE"
        set dstaddr "OBJ-ADDR_VPN-TARGET_LOCAL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Add a route to the remote site via the IPSec tunnel

config router static
    edit 2
        set dst 192.168.20.0 255.255.255.0
        set device "SiteToSite"
    next
end

[Auto-generated] Configuring IPSec automatically creates this interface

config system interface
    edit "SiteToSite"
        set vdom "root"
        set type tunnel
        set interface "wan"
    next
end

Configuration on the peer, FW2

config firewall address
    edit "OBJ-ADDR_VPN-TARGET_LOCAL"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "OBJ-ADDR_VPN-TARGET_REMOTE"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "SiteToSite"
        set interface "wan"
        set nattraversal disable
        set proposal des-sha1
        set dpd enable
        set dhgrp 14
        set remote-gw 10.0.10.2
        set psksecret fortigate
    next
end
config vpn ipsec phase2-interface
    edit "SiteToSite"
        set phase1name "SiteToSite"
        set proposal des-sha1
        set dhgrp 14
        set replay enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dst-name "OBJ-ADDR_VPN-TARGET_REMOTE"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "SiteToSite"
        set srcaddr "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dstaddr "OBJ-ADDR_VPN-TARGET_REMOTE"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "SiteToSite"
        set dstintf "internal"
        set srcaddr "OBJ-ADDR_VPN-TARGET_REMOTE"
        set dstaddr "OBJ-ADDR_VPN-TARGET_LOCAL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 2
        set dst 192.168.10.0 255.255.255.0
        set device "SiteToSite"
    next
end
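Both sides of a route-based tunnel are the same template with the site-specific values swapped: the LOCAL/REMOTE address objects, `remote-gw`, and the destination of the static route. The following Python script is an added example, not code from the post or from Fortinet: it renders the address-object, Phase 1, Phase 2 and static-route blocks shown above for both firewalls from one description, and audits the proposal string, flagging the `des-sha1` used in this lab (DES is a 56-bit cipher and SHA-1 is a deprecated integrity algorithm). The firewall-policy block is left out because it is identical on both sides. `Site`, `render_config`, `mirror_pair`, `audit_proposal` and the weak-algorithm sets are this example's own names and choices; the addresses are the post's lab values.

```python
"""Render mirrored FortiGate route-based IPSec configs for a site pair.

Added example, not from the original post. Addresses are the post's lab
values; the class, function and parameter names are this example's own.
"""
from __future__ import annotations
from dataclasses import dataclass

# Algorithms to treat as legacy in a Phase 1/2 proposal (DES is a 56-bit
# cipher; MD5 and SHA-1 are deprecated integrity algorithms).
WEAK_ENC = {"des", "3des", "null"}
WEAK_AUTH = {"md5", "sha1"}


@dataclass(frozen=True)
class Site:
    name: str       # firewall name, e.g. "FW1"
    wan_ip: str     # address on the "wan" interface (the peer's remote-gw)
    lan_cidr: str   # subnet behind "internal", e.g. "192.168.10.0/24"


def cidr_to_mask(cidr: str) -> str:
    """'192.168.10.0/24' -> '192.168.10.0 255.255.255.0' (FortiOS CLI form)."""
    addr, prefix = cidr.split("/")
    bits = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    mask = ".".join(str((bits >> s) & 0xFF) for s in (24, 16, 8, 0))
    return f"{addr} {mask}"


def audit_proposal(proposal: str) -> list[str]:
    """Warnings for each legacy algorithm in a space-separated 'enc-auth' list."""
    warnings = []
    for item in proposal.split():
        enc, auth = item.split("-", 1)
        if enc in WEAK_ENC:
            warnings.append(f"weak encryption algorithm: {enc}")
        if auth in WEAK_AUTH:
            warnings.append(f"weak integrity algorithm: {auth}")
    return warnings


def render_config(local: Site, remote: Site, tunnel: str = "SiteToSite",
                  proposal: str = "des-sha1", dhgrp: int = 14,
                  psk: str = "fortigate", keylife: int = 3600) -> str:
    """One firewall's side of the tunnel; the peer is the same call with the
    two Site arguments swapped. The policy block is omitted: it is identical
    on both sides because it only references the LOCAL/REMOTE object names."""
    local_net, remote_net = cidr_to_mask(local.lan_cidr), cidr_to_mask(remote.lan_cidr)
    return f"""config firewall address
    edit "OBJ-ADDR_VPN-TARGET_LOCAL"
        set subnet {local_net}
    next
    edit "OBJ-ADDR_VPN-TARGET_REMOTE"
        set subnet {remote_net}
    next
end
config vpn ipsec phase1-interface
    edit "{tunnel}"
        set interface "wan"
        set nattraversal disable
        set proposal {proposal}
        set dpd enable
        set dhgrp {dhgrp}
        set remote-gw {remote.wan_ip}
        set mode main
        set psksecret {psk}
    next
end
config vpn ipsec phase2-interface
    edit "{tunnel}"
        set phase1name "{tunnel}"
        set proposal {proposal}
        set dhgrp {dhgrp}
        set replay enable
        set keylifeseconds {keylife}
        set src-addr-type name
        set dst-addr-type name
        set src-name "OBJ-ADDR_VPN-TARGET_LOCAL"
        set dst-name "OBJ-ADDR_VPN-TARGET_REMOTE"
    next
end
config router static
    edit 2
        set dst {remote_net}
        set device "{tunnel}"
    next
end
"""


def mirror_pair(a: Site, b: Site, **kw) -> dict[str, str]:
    """Both sides from one description; every site-specific value is swapped."""
    return {a.name: render_config(a, b, **kw), b.name: render_config(b, a, **kw)}


if __name__ == "__main__":
    fw1 = Site("FW1", "10.0.10.2", "192.168.10.0/24")   # lab values from the post
    fw2 = Site("FW2", "10.0.20.2", "192.168.20.0/24")
    for name, cfg in mirror_pair(fw1, fw2).items():
        print(f"##### {name}\n{cfg}")
    print("proposal audit:", audit_proposal("des-sha1"))
```

Running the script prints both configurations; the FW2 output matches the block above (LOCAL becomes 192.168.20.0/24, `remote-gw` becomes 10.0.10.2, the static route points at 192.168.10.0/24). `audit_proposal` only reports; for a production tunnel pass an AES/SHA-2 proposal such as `aes256-sha256` and a long random `psk` instead of the lab values.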

Checking the connection state (successful case)

FW1 # get vpn ike gateway

vd: root/0
name: SiteToSite
version: 1
interface: wan 3
addr: 10.0.10.2:500 -> 10.0.20.2:500
created: 140s ago
IKE SA  created: 2/2  established: 2/2  time: 40/50/60 ms
IPsec SA  created: 0/0

  id/spi: 2 013fb7d3e6b2f6b8/c95ad89d181c091c
  direction: responder
  status: established 140-140s ago = 40ms
  proposal: des-sha1
  key: 6813f7845c0e66bf
  lifetime/rekey: 86400/85989
  DPD sent/recv: 00000000/00001849

  id/spi: 1 06afa332941652e8/984300df3ecc0f8e
  direction: initiator
  status: established 140-140s ago = 60ms
  proposal: des-sha1
  key: 132e60dd86338e95
  lifetime/rekey: 86400/85959
  DPD sent/recv: 00001717/00000000

FW1 # get vpn ipsec tunnel  summary
'SiteToSite' 10.0.20.2:0  selectors(total,up): 1/0  rx(pkt,err): 14/0  tx(pkt,err): 14/1

FW1 # get vpn ipsec tunnel details

gateway
  name: 'SiteToSite'
  type: route-based
  local-gateway: 10.0.10.2:0 (static)
  remote-gateway: 10.0.20.2:0 (static)
  mode: ike-v1
  interface: 'wan' (3)
  rx  packets: 23  bytes: 3496  errors: 0
  tx  packets: 23  bytes: 2300  errors: 2
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'SiteToSite'
    auto-negotiate: disable
    mode: tunnel
    src: 0:192.168.10.0/255.255.255.0:0
    dst: 0:192.168.20.0/255.255.255.0:0
    SA
      lifetime/rekey: 3600/3538
      mtu: 1446
      tx-esp-seq: a
      replay: enabled
      inbound
        spi: 9c6a36dd
        enc:     des  eaeba79415ef6d46
        auth:   sha1  1a6f2c86bc8466fabdb8cfaacf1edbb82ba07f51
      outbound
        spi: c1804d7c
        enc:     des  347f8fd145c40977
        auth:   sha1  fc7a02c952531eec77665e8fb5218b1f7ad5bdd5
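The three status commands above are what an operator reads after bringing a tunnel up; the following Python script is an added example, not code from the post or from Fortinet, that parses the `get vpn ike gateway` output and the `get vpn ipsec tunnel summary` line into structured values and derives a short health report from them. The sample text is the post's own output (trimmed of the key material lines); the function names `parse_tunnel_summary`, `parse_ike_gateway` and `assess` and the regular expressions are this example's own. On the post's summary line the report shows 0 of 1 selectors up and one tx error, which agrees with `IPsec SA created: 0/0` in the IKE output: with `auto-negotiate: disable` (visible in the details listing) Phase 2 is only negotiated once traffic matching the selector arrives, so a summary taken before the first packet looks like this even though Phase 1 is established.

```python
"""Parse FortiGate IPSec status output and summarise tunnel health.

Added example, not part of the original post. The sample output below is
copied (trimmed) from the post's 'get vpn ike gateway' and
'get vpn ipsec tunnel summary' listings; function names are this example's own.
"""
from __future__ import annotations
import re

IKE_GATEWAY_OUTPUT = """vd: root/0
name: SiteToSite
version: 1
interface: wan 3
addr: 10.0.10.2:500 -> 10.0.20.2:500
created: 140s ago
IKE SA  created: 2/2  established: 2/2  time: 40/50/60 ms
IPsec SA  created: 0/0

  id/spi: 2 013fb7d3e6b2f6b8/c95ad89d181c091c
  direction: responder
  status: established 140-140s ago = 40ms
  proposal: des-sha1
  lifetime/rekey: 86400/85989

  id/spi: 1 06afa332941652e8/984300df3ecc0f8e
  direction: initiator
  status: established 140-140s ago = 60ms
  proposal: des-sha1
  lifetime/rekey: 86400/85959
"""

TUNNEL_SUMMARY_LINE = (
    "'SiteToSite' 10.0.20.2:0  selectors(total,up): 1/0  "
    "rx(pkt,err): 14/0  tx(pkt,err): 14/1"
)

SUMMARY_RE = re.compile(
    r"'(?P<name>[^']+)'\s+(?P<peer>[\d.]+):\d+\s+"
    r"selectors\(total,up\):\s*(?P<sel_total>\d+)/(?P<sel_up>\d+)\s+"
    r"rx\(pkt,err\):\s*(?P<rx_pkt>\d+)/(?P<rx_err>\d+)\s+"
    r"tx\(pkt,err\):\s*(?P<tx_pkt>\d+)/(?P<tx_err>\d+)"
)


def parse_tunnel_summary(line: str) -> dict:
    """One 'get vpn ipsec tunnel summary' line -> dict with integer counters."""
    m = SUMMARY_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised summary line: {line!r}")
    return {k: (v if k in ("name", "peer") else int(v)) for k, v in m.groupdict().items()}


def parse_ike_gateway(text: str) -> dict:
    """SA counters, IKE version and per-SA proposals from 'get vpn ike gateway'."""
    ike = re.search(r"IKE SA\s+created:\s*(\d+)/(\d+)\s+established:\s*(\d+)/(\d+)", text)
    ipsec = re.search(r"IPsec SA\s+created:\s*(\d+)/(\d+)", text)
    version = re.search(r"^version:\s*(\d+)", text, re.M)
    if not (ike and ipsec and version):
        raise ValueError("missing SA summary lines in IKE gateway output")
    return {
        "version": int(version.group(1)),
        "ike_created": (int(ike.group(1)), int(ike.group(2))),
        "ike_established": (int(ike.group(3)), int(ike.group(4))),
        "ipsec_created": (int(ipsec.group(1)), int(ipsec.group(2))),
        "proposals": re.findall(r"^\s*proposal:\s*(\S+)", text, re.M),
    }


def assess(summary: dict, ike: dict) -> list[str]:
    """Findings an operator would act on, in a fixed order."""
    findings = []
    if ike["ike_established"][0] == 0:
        findings.append("no IKE SA established (check Phase 1: PSK, proposal, remote-gw)")
    if summary["sel_up"] < summary["sel_total"]:
        findings.append(f"{summary['sel_up']}/{summary['sel_total']} selectors up "
                        "(Phase 2 not negotiated yet; send matching traffic or enable auto-negotiate)")
    if summary["rx_err"] or summary["tx_err"]:
        findings.append(f"rx/tx errors: {summary['rx_err']}/{summary['tx_err']}")
    for prop in sorted(set(ike["proposals"])):
        enc, auth = prop.split("-", 1)
        if enc in ("des", "3des") or auth in ("md5", "sha1"):
            findings.append(f"legacy proposal in use: {prop}")
    return findings


if __name__ == "__main__":
    summary = parse_tunnel_summary(TUNNEL_SUMMARY_LINE)
    gateway = parse_ike_gateway(IKE_GATEWAY_OUTPUT)
    for finding in assess(summary, gateway) or ["tunnel healthy"]:
        print("-", finding)
```

To use it on a live box, paste the two command outputs into the constants (or read them from files); the regexes depend only on the field layout shown in the post's listings, so other FortiOS versions may need the patterns adjusted.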

Other commands

Debug logging

##### Enable debug logging
diag vpn ike log 
diag debug app ike -1
diag debug enable

##### Disable VPN debug logging
diagnose debug reset
diagnose debug disable

Clearing the VPN

diagnose vpn ike restart
diagnose vpn ike gateway clear