I recently had the chance to set up an IPsec VPN between a Fortigate and libreswan, so here are my notes so I don't forget.
The most important points for an IPsec VPN:
1. Know your own network topology.
2. Make sure the networks on the two sides do not overlap.
3. When pairing different vendors, the key is that the proposals match on both sides; otherwise the tunnel will not establish.
libreswan (left), Fortigate (right)

Site       | Local Network   | Remote Network
libreswan  | 172.31.0.0/20   | 172.27.28.0/24
Fortigate  | 172.27.28.0/24  | 172.31.0.0/20
Install libreswan
#yum -y install libreswan
Configure IPsec. The default ipsec.conf already includes /etc/ipsec.d/*.conf, so any file name you choose under that directory is picked up.
#vim /etc/ipsec.d/s2svpn.conf
# config setup   (policy-based variant; the setup section is left at its defaults)
conn s2s-tp
    rekey=yes
    rightid=%any
    left=Y.Y.Y.Y                # CentOS public IP
    leftsubnet=172.31.0.0/20    # CentOS internal subnet
    right=X.X.X.X               # Fortigate public IP
    rightsubnet=172.27.28.0/24  # Fortigate internal subnet
    ikelifetime=28800s
    authby=secret
    type=tunnel
    auto=start
    ike=aes256-sha2;dh19        # phase1 proposal (libreswan's sha2 is SHA2-256)
    esp=aes256-sha2             # phase2 proposal
    ikev2=insist
    fragmentation=yes
    # perfect forward secrecy (default yes). Both peers must agree: the Fortigate
    # phase2 in this note has pfs disabled, so either uncomment pfs=no here or
    # enable pfs with dhgrp 19 on the Fortigate; a mismatch can make child SA rekeys fail.
    #pfs=no
    # optionally enable compression
    compress=yes
#vim /etc/ipsec.d/s2svpn.conf
# config setup   (route-based variant; the setup section is left at its defaults)
conn s2s-tp
    rekey=yes
    rightid=%any
    left=Y.Y.Y.Y                # CentOS public IP
    leftsubnet=0.0.0.0/0
    right=X.X.X.X               # Fortigate public IP
    rightsubnet=0.0.0.0/0
    ikelifetime=28800s
    authby=secret
    type=tunnel
    auto=start
    ike=aes256-sha2;dh19        # phase1 proposal
    esp=aes256-sha2             # phase2 proposal
    ikev2=insist
    fragmentation=yes
    mark=5/0xffffffff           # fwmark used for route-based (VTI) operation
    vti-interface=vti01         # interface used for route-based operation
    vti-routing=no              # routes are not managed from this file; add them by hand
    # With 0.0.0.0/0 on both selectors, a Fortigate phase2 that lists the specific
    # subnets will narrow the traffic selectors; libreswan only accepts that with
    # narrowing=yes (default no), so add it or use 0.0.0.0/0 on the Fortigate phase2 too.
    # perfect forward secrecy (default yes); must agree with the Fortigate phase2 pfs setting
    #pfs=no
    # optionally enable compression
    compress=yes
Next, set the pre-shared key. ipsec.secrets includes /etc/ipsec.d/*.secrets, so the file only has to end in .secrets; giving it the same base name as the conn file simply keeps the pair together.
#vim /etc/ipsec.d/s2svpn.secrets
# libreswan selects this line by the IP/ID of each peer; %any matches anything.
# Replace the weak sample PSK with a long random one, e.g. from: openssl rand -base64 32
X.X.X.X %any : PSK "123456789"
Once configured, start the service (systemctl enable it as well if it should come up at boot).
#systemctl start ipsec.service
Check the IPsec tunnel status
# ipsec auto --status
Bring up the IPsec tunnel
# ipsec auto --up s2s-tp
Take down the IPsec tunnel
#ipsec auto --down s2s-tp
If you use route-based, you must add a static route on CentOS that sends the remote subnet into the VTI. Run it after the tunnel is up, because vti01 is created by libreswan's updown script when the connection comes up.
#ip route add 172.27.28.0/24 dev vti01
Configure IPsec on the Fortigate
Configure phase1 (the psksecret must be the same string as in s2svpn.secrets)
#config vpn ipsec phase1-interface
edit "test"
    set interface "wan1"
    set ike-version 2
    set keylife 28800
    set peertype any
    set net-device disable
    set proposal aes256-sha256
    set dhgrp 19
    set remote-gw Y.Y.Y.Y
    set psksecret 123456789
next
end
Configure phase2. FortiOS spells the hash sha256 (aes256-sha256, as in phase1 above), which corresponds to libreswan's esp=aes256-sha2; pfs disable here must be mirrored by pfs=no on the libreswan side (or enable pfs with dhgrp 19 on both).
#config vpn ipsec phase2-interface
edit "test"
    set phase1name "test"
    set proposal aes256-sha256
    set pfs disable
    set auto-negotiate enable
    set keylifeseconds 28800
    set src-subnet 172.27.28.0 255.255.255.0
    set dst-subnet 172.31.0.0 255.255.240.0
next
end
Debug commands on the Fortigate (run diag debug disable when you are finished, as IKE debugging at level -1 is very noisy)
#diag debug app ike -1
#diag debug enable
Finally, add the firewall policies (between the LAN interface and the tunnel interface "test", in both directions) and a static route for 172.31.0.0/20 via the tunnel interface on the Fortigate, and the tunnel is done.
The two libreswan lines that have to agree with the Fortigate phase1/phase2 proposals, whichever hash you settle on (sha1 or sha2 on the esp= line is fine, but the Fortigate phase2 proposal must use the same one):
ike=aes256-sha2;dh19
esp=aes256-sha1
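Because proposal mismatches are the usual reason a cross-vendor tunnel never comes up, the following Python script, an added example that is not part of this note and not a tool from libreswan or Fortinet, parses a libreswan conn and a FortiGate phase1/phase2 pair and reports whether the IKE and ESP proposals, the DH group, PFS and the traffic selectors agree, and whether the two networks overlap. The embedded configs are constructed copies of the ones above reduced to the keys the check reads; the hash alias table, the parsers (which assume one edit entry per config block and the proposal syntax used on this page) and the finding texts are this example's own assumptions.

```python
import ipaddress

# libreswan writes SHA2-256 as "sha2"; FortiOS spells the same hash "sha256"
HASH_ALIASES = {"sha2": "sha256", "sha2_256": "sha256", "sha2_384": "sha384", "sha2_512": "sha512"}
WEAK_DH = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups

# Constructed copy of this page's libreswan conn (only the keys the check reads)
LIBRESWAN_CONF = """
conn s2s-tp
    leftsubnet=172.31.0.0/20
    rightsubnet=172.27.28.0/24
    ike=aes256-sha2;dh19
    esp=aes256-sha2
    #pfs=no
"""

# Constructed copy of this page's FortiGate phase1/phase2 (pfs disabled)
FORTIGATE_CONF = """
config vpn ipsec phase1-interface
    edit "test"
        set proposal aes256-sha256
        set dhgrp 19
    next
end
config vpn ipsec phase2-interface
    edit "test"
        set proposal aes256-sha256
        set pfs disable
        set src-subnet 172.27.28.0 255.255.255.0
        set dst-subnet 172.31.0.0 255.255.240.0
    next
end
"""

def parse_libreswan(text):
    """{conn: {key: value}}; '#' comments are dropped, so '#pfs=no' stays unset."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line[5:].strip(), {})
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return conns

def parse_fortigate(text):
    """{table: {key: value}}; assumes one 'edit' entry per config block."""
    out, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = out.setdefault(line[7:], {})
        elif line.startswith("set ") and table is not None:
            key, _, val = line[4:].partition(" ")
            table[key] = val.strip().strip('"')
    return out

def proposals(spec):
    """'aes256-sha2;dh19,aes128-sha1' (libreswan) or 'aes256-sha256 aes128-sha1'
    (FortiOS) -> ({(enc, hash)}, {DH groups named inline})."""
    pairs, groups = set(), set()
    for item in spec.replace(",", " ").split():
        algs, _, dh = item.partition(";")
        enc, _, integ = algs.partition("-")
        pairs.add((enc, HASH_ALIASES.get(integ, integ)))
        if dh.startswith("dh"):
            groups.add(dh[2:])
    return pairs, groups

def to_network(value):
    """Accept '172.31.0.0/20' or FortiOS '172.31.0.0 255.255.240.0'."""
    return ipaddress.ip_network(value.replace(" ", "/"), strict=False)

def check(libreswan_text, fortigate_text, conn="s2s-tp"):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means consistent."""
    ls = parse_libreswan(libreswan_text)[conn]
    fg = parse_fortigate(fortigate_text)
    ph1, ph2 = fg["vpn ipsec phase1-interface"], fg["vpn ipsec phase2-interface"]
    issues = []
    # phase1: at least one enc/hash pair and one DH group must be shared
    ike, ls_dh = proposals(ls["ike"])
    fg_dh = set(ph1.get("dhgrp", "").split())
    if not ike & proposals(ph1["proposal"])[0]:
        issues.append("ERROR: no common phase1 (IKE) enc/hash proposal")
    if not ls_dh & fg_dh:
        issues.append("ERROR: no common phase1 DH group")
    issues += [f"WARN: DH group {g} is too small; use 14+ or 19-21"
               for g in sorted((ls_dh | fg_dh) & WEAK_DH)]
    # phase2: ESP proposal and PFS must agree (libreswan defaults to pfs=yes)
    if not proposals(ls["esp"])[0] & proposals(ph2["proposal"])[0]:
        issues.append("ERROR: no common phase2 (ESP) enc/hash proposal")
    if (ls.get("pfs", "yes") == "yes") != (ph2.get("pfs", "enable") == "enable"):
        issues.append("WARN: PFS enabled on one side only; child SA rekeys can fail")
    # selectors must mirror each other, and the two networks must not overlap
    l_local, l_remote = to_network(ls["leftsubnet"]), to_network(ls["rightsubnet"])
    f_local, f_remote = to_network(ph2["src-subnet"]), to_network(ph2["dst-subnet"])
    if (l_local, l_remote) != (f_remote, f_local):
        issues.append("ERROR: subnets are not mirrored between the peers")
    if l_local.overlaps(l_remote):
        issues.append("ERROR: local and remote networks overlap")
    return issues
```

Calling check(LIBRESWAN_CONF, FORTIGATE_CONF) on the configs as written in this note yields a single finding, the PFS mismatch (pfs=no is still commented out on the libreswan side while the Fortigate phase2 has pfs disable); changing esp= to aes256-sha1 without touching the Fortigate phase2, or making the two subnets overlap, turns that into an ERROR.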
Also pay attention to the DH group: the number must map to the same group on both vendors. Groups 1, 2 and 5 are too small for current use; pick 14 or higher, or the ECP groups 19 to 21 as done here.
DH Group 1: 768-bit MODP Group
DH Group 2: 1024-bit MODP Group
DH Group 5: 1536-bit MODP Group
DH Group 14: 2048-bit MODP Group
DH Group 15: 3072-bit MODP Group
DH Group 16: 4096-bit MODP Group
DH Group 17: 6144-bit MODP Group
DH Group 18: 8192-bit MODP Group
DH Group 19: 256-bit random ECP Group
DH Group 20: 384-bit random ECP Group
DH Group 21: 521-bit random ECP Group