Fortigate libreswan IPSEC VPN

剛好有機會Fortigate libreswan 建立IPSEC VPN ,做一下筆記避免自己忘記

IPSEC VPN 最重要的幾個點

1.確認自己的網路架構
2.兩邊Network 是否有重疊
3.不同廠牌設定 IPSEC 重點就是proposal 要一致,否則無法建立成功

libreswan (左)  Fortigate (右)

Site libreswan 
Site Fortigate
Local Network
Remote Network
Local Network
Remote Network
172.31.0.0/20
172.27.28.0/24
172.27.28.0/24 172.31.0.0/20

安裝libreswan

#yum -y install libreswan

設定ipsec 預設 ipsec.conf  已經包含了/etc/ipsec.d/*.conf  所以自定義一個設定檔案名稱既可

#vim /etc/ipsec.d/s2svpn.conf
# config setup
conn s2s-tp
        rekey=yes
        rightid=%any
        left=Y.Y.Y.Y    (這是CentOS 公網IP)                                                            
        leftsubnet=172.31.0.0/20 (這是CentOS 內網IP網段) 
        right=X.X.X.X   (這是Fortigate 公網IP)
        rightsubnet=172.27.28.0/24 (這是Fortigate 內網IP網段)
        ikelifetime=28800s
        authby=secret
        type=tunnel
        auto=start
        ike=aes_gcm256-sha2  (這是phase1 proposal )
        esp=aes256-sha1  (這是phase2 proposal )
        ikev2=insist
        fragmentation=yes
        #perfect forward secrecy (default yes)
        #pfs=no
        #optionally enable compression
        compress=yes

接著是設定pre shared key  pre shared key 的檔案名稱需要跟設定檔名稱相同 但最後結尾是secrets

#vim /etc/ipsec.d/s2svpn.secrets
X.X.X.X %any : PSK "987654321"

設定完成後,啟動服務

#systemctl start ipsec.service

查看IPSEC Tunnel 狀態

# ipsec auto --status

啟動IPSEC Tunnel

# ipsec auto --up s2s-tp

關閉IPSEC Tunnel

#ipsec auto --down s2s-tp

設定Fortigate IPSEC

設定phase1

#config vpn ipsec phase1-interface
edit "test"
set interface "wan1"
set ike-version 2
set keylife 28800
set peertype any
set proposal aes256gcm-prfsha256
set dhgrp 14
set remote-gw Y.Y.Y.Y
set psksecret 987654321
next
end

設定phase2

#config vpn ipsec phase1-interface
edit "test"
set phase1name "test"
set proposal aes256-sha1
set pfs disable
set auto-negotiate enable
set keylifeseconds 28800
set src-subnet 172.27.28.0 255.255.255.0
set dst-subnet 172.31.0.0 255.255.240.0
next
end

在Fortigate上除錯命令

#diag debug app ike -1
#diag debug enable

最後補上設定policy & 路由大功告成

ike=aes256-sha2;dh19
esp=aes256-sha1

另外要注意DH Group的部分
DH Group 1: 768-bit MODP Group
DH Group 2: 1024-bit MODP Group
DH Group 5: 1536-bit MODP Group
DH Group 14: 2048-bit MODP Group
DH Group 15: 3072-bit MODP Group
DH Group 16: 4096-bit MODP Group
DH Group 17: 6144-bit MODP Group
DH Group 18: 8192-bit MODP Group
DH Group 19: 256-bit random ECP Group
DH Group 20: 384-bit random ECP Group
DH Group 21: 521-bit random ECP Group

Facebook Comments