需求场景 企业总部与企业分支通过互联网建立VPN,两机构均有公网固定IP。
现状:
1、企业总部与企业分支A办公环境均已使用飞塔防火墙作为出口网关接入互联网,可访问互联网资源;
2、内部服务器 10.1.1.1:3389 已对公网映射为 20.0.0.10:8389;
新增需求:
1、分支机构与总部建立IPSEC VPN,实现机构间数据共享;
2、IPSEC VPN的配置不对用户访问互联网产生影响。
现网设备已配置源地址转换及安全策略,两机构均可访问互联网,同时总部内部服务器已对公网进行映射。
现网FWA配置如下:
fwa # show
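# FWA (headquarters) running configuration before the IPsec VPN is added.
# All quotes are ASCII (") here: the typographic quotes in the original
# listing are not accepted by the FortiOS CLI when the text is pasted back.
config system global
    set hostname "fwa"
end
config system interface
    edit "port1"
        # LAN side; only ping is permitted on the interface address itself
        set ip 10.1.1.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet-facing side; the ISP gateway 20.0.0.100 is set in the static route below
        set ip 20.0.0.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall address
    edit "inuser"
        set subnet 10.1.1.0 255.255.255.0
    next
end
config firewall ippool
    # Single-address pool: all outbound LAN traffic is source-translated to 20.0.0.2
    edit "snat_pool"
        set startip 20.0.0.2
        set endip 20.0.0.2
    next
end
config firewall vip
    # Port forward 20.0.0.10:8389 (port2) -> 10.1.1.1:3389 (RDP).
    # Risk note: policy 11 below accepts this from "all", so RDP is reachable
    # from the whole Internet on a non-standard port. Restricting srcaddr to
    # known peers, or reaching the server over the VPN, removes that exposure.
    edit "rdp8389"
        set extip 20.0.0.10
        set extintf "port2"
        set portforward enable
        set mappedip 10.1.1.1
        set extport 8389
        set mappedport 3389
    next
end
config firewall policy
    edit 10
        # LAN -> Internet, source NAT to the pool address rather than the port2 IP
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "inuser"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat_pool"
    next
    edit 11
        # Internet -> published RDP server.
        # "set nat enable" on this inbound policy also source-translates the
        # client to the outgoing interface (port1) address, so the server logs
        # every RDP session as coming from 10.1.1.254; disable it if the real
        # client address is needed for auditing.
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "rdp8389"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 10
        # Default route (no dst given, i.e. 0.0.0.0/0) via the ISP gateway on port2
        set device "port2"
        set gateway 20.0.0.100
    next
end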
现网FWB配置如下:
fwb #show
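# FWB (branch A) running configuration before the IPsec VPN is added.
# All quotes are ASCII (") here: the typographic quotes in the original
# listing are not accepted by the FortiOS CLI when the text is pasted back.
config system global
    set hostname "fwb"
end
config system interface
    edit "port1"
        # Branch LAN side
        set ip 172.16.0.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet-facing side; the ISP gateway 20.1.1.100 is set in the static route below
        set ip 20.1.1.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall policy
    edit 10
        # LAN -> Internet with source NAT to the port2 address (no ippool here).
        # srcaddr "all" is broader than needed; the branch LAN object would do.
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 10
        # Default route (no dst given, i.e. 0.0.0.0/0) via the ISP gateway on port2
        set device "port2"
        set gateway 20.1.1.100
    next
end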
fwa #新增IPSEC VPN配置
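# Incremental IPsec VPN configuration for FWA (headquarters side).
# All quotes are ASCII (") here; the original listing used typographic
# quotes, which the FortiOS CLI does not accept.
config firewall address
    edit "localvpn"
        # HQ LAN (this side of the tunnel)
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "remotevpn"
        # Branch LAN (far side of the tunnel)
        set subnet 172.16.0.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwb"
        set interface "port2"
        set ike-version 2
        # Lab-grade proposal: DES and MD5 are both deprecated and give no real
        # protection on the public Internet. Use an AES/SHA-2 proposal
        # (e.g. aes256-sha256) on both peers before this goes into production.
        set proposal des-md5
        set remote-gw 20.1.1.1
        # Placeholder PSK for the lab. Replace with a long random secret and
        # configure the identical value on FWB, otherwise IKE authentication fails.
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwb"
        set phase1name "tofwb"
        # Same weak proposal as phase1; change both together.
        set proposal des-md5
        # keepalive + auto-negotiate bring the SA up and keep it up without
        # waiting for user traffic
        set keepalive enable
        set auto-negotiate enable
        set encapsulation tunnel-mode
        # Selectors: src is the local LAN, dst the remote LAN; FWB mirrors these
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        # Policy-based VPN: localvpn <-> remotevpn traffic is sent into tunnel
        # "tofwb" (inbound and outbound) instead of being forwarded normally.
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwb"
    next
    # Must sit above policy 10: that policy matches the same source (10.1.1.0/24)
    # and would source-NAT the traffic to the Internet, so the VPN would never be used.
    move 1 before 10
end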
fwb #新增IPSEC VPN配置
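# Incremental IPsec VPN configuration for FWB (branch A side).
# All quotes are ASCII (") here; the original listing used typographic
# quotes, which the FortiOS CLI does not accept.
config firewall address
    edit "localvpn"
        # Branch LAN (this side of the tunnel)
        set subnet 172.16.0.0 255.255.255.0
    next
    edit "remotevpn"
        # HQ LAN (far side of the tunnel)
        set subnet 10.1.1.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwa"
        set interface "port2"
        set ike-version 2
        # Lab-grade proposal: DES and MD5 are both deprecated and give no real
        # protection on the public Internet. Use an AES/SHA-2 proposal
        # (e.g. aes256-sha256) on both peers before this goes into production.
        set proposal des-md5
        set remote-gw 20.0.0.1
        # Placeholder PSK for the lab. Replace with a long random secret that
        # is identical to the one on FWA, otherwise IKE authentication fails.
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwa"
        set phase1name "tofwa"
        # Same weak proposal as phase1; change both together.
        set proposal des-md5
        # keepalive + auto-negotiate bring the SA up and keep it up without
        # waiting for user traffic
        set keepalive enable
        set auto-negotiate enable
        set encapsulation tunnel-mode
        # Selectors: src is the branch LAN, dst the HQ LAN (mirror of FWA's phase2)
        set src-subnet 172.16.0.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        # Policy-based VPN: localvpn <-> remotevpn traffic is sent into tunnel
        # "tofwa" (inbound and outbound) instead of being forwarded normally.
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwa"
    next
    # Must sit above policy 10: that policy matches srcaddr "all" with NAT and
    # would otherwise catch the HQ-bound traffic first.
    move 1 before 10
end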
验证 测试IPSEC VPN 连通性
在分支机构用户终端 ping 10.1.1.1 ,确认总部服务器可达
在总部及分支机构防火墙上使用 get vpn ipsec tunnel details 命令验证IPSEC VPN 隧道状态和加解密数据包情况
防火墙FWA最终配置如下:
fwa # show
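# FWA (headquarters) final configuration with the IPsec VPN in place.
# All quotes are ASCII (") here; the original listing used typographic
# quotes, which the FortiOS CLI does not accept.
config system global
    set hostname "fwa"
end
config system interface
    edit "port1"
        # HQ LAN side
        set ip 10.1.1.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet-facing side, also the IPsec peer address for FWB
        set ip 20.0.0.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall address
    edit "inuser"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "localvpn"
        # HQ LAN (this side of the tunnel); same prefix as "inuser"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "remotevpn"
        # Branch LAN (far side of the tunnel)
        set subnet 172.16.0.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwb"
        set interface "port2"
        set ike-version 2
        # Lab-grade proposal: DES and MD5 are deprecated; move to an AES/SHA-2
        # proposal (e.g. aes256-sha256) on both peers before production use.
        set proposal des-md5
        set remote-gw 20.1.1.1
        # Placeholder PSK; replace with a long random secret shared with FWB
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwb"
        set phase1name "tofwb"
        set proposal des-md5
        # keepalive + auto-negotiate keep the SA established without waiting for traffic
        set keepalive enable
        set auto-negotiate enable
        set encapsulation tunnel-mode
        # Selectors: local HQ LAN -> remote branch LAN; FWB must mirror these
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.255.0
    next
end
config firewall ippool
    # Single-address pool used as the outbound SNAT source
    edit "snat_pool"
        set startip 20.0.0.2
        set endip 20.0.0.2
    next
end
config firewall vip
    # Port forward 20.0.0.10:8389 (port2) -> 10.1.1.1:3389 (RDP).
    # Risk note: policy 11 accepts this from "all", so RDP stays reachable from
    # the whole Internet even though the branch can now reach it over the VPN.
    edit "rdp8389"
        set extip 20.0.0.10
        set extintf "port2"
        set portforward enable
        set mappedip 10.1.1.1
        set extport 8389
        set mappedport 3389
    next
end
config firewall policy
    edit 1
        # Policy-based VPN to the branch. Listed first on purpose: policy 10
        # matches the same source and would source-NAT the traffic to the
        # Internet if it were evaluated earlier.
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwb"
    next
    edit 10
        # LAN -> Internet with source NAT to the pool address
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "inuser"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat_pool"
    next
    edit 11
        # Internet -> published RDP server. "set nat enable" here also
        # source-translates the client to the port1 address, so the server
        # sees every session as coming from the firewall; disable it if the
        # real client address is needed for auditing.
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "rdp8389"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 10
        # Default route via the ISP gateway on port2
        set device "port2"
        set gateway 20.0.0.100
    next
end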
防火墙FWB最终配置如下:
fwb #show
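# FWB (branch A) final configuration with the IPsec VPN in place.
# All quotes are ASCII (") here; the original listing used typographic
# quotes, which the FortiOS CLI does not accept.
config system global
    set hostname "fwb"
end
config system interface
    edit "port1"
        # Branch LAN side
        set ip 172.16.0.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet-facing side, also the IPsec peer address for FWA
        set ip 20.1.1.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall address
    edit "localvpn"
        # Branch LAN (this side of the tunnel)
        set subnet 172.16.0.0 255.255.255.0
    next
    edit "remotevpn"
        # HQ LAN (far side of the tunnel)
        set subnet 10.1.1.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwa"
        set interface "port2"
        set ike-version 2
        # Lab-grade proposal: DES and MD5 are deprecated; move to an AES/SHA-2
        # proposal (e.g. aes256-sha256) on both peers before production use.
        set proposal des-md5
        set remote-gw 20.0.0.1
        # Placeholder PSK; replace with a long random secret shared with FWA
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwa"
        set phase1name "tofwa"
        set proposal des-md5
        # keepalive + auto-negotiate keep the SA established without waiting for traffic
        set keepalive enable
        set auto-negotiate enable
        set encapsulation tunnel-mode
        # Selectors on FWB: src is the branch LAN (172.16.0.0/24), dst the HQ
        # LAN (10.1.1.0/24), i.e. the mirror of FWA's phase2. The original
        # listing had these two reversed, which would leave FWB's selectors not
        # matching FWA's and the phase2 SA unlikely to negotiate.
        set src-subnet 172.16.0.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        # Policy-based VPN to HQ. Listed first on purpose: policy 10 matches
        # srcaddr "all" with NAT and would otherwise catch this traffic first.
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwa"
    next
    edit 10
        # LAN -> Internet with source NAT to the port2 address
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 10
        # Default route via the ISP gateway on port2
        set device "port2"
        set gateway 20.1.1.100
    next
end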