FortiGate
shahrukh_khan
Article Id 335495
Description: This article describes the configuration of a policy-based IPsec VPN between a FortiGate and a Cisco router.
Scope: FortiGate.
Solution

 

[Figure: Policy-VPN with Cisco (topology diagram)]

HUB Configuration:

  1. Configure the IPsec VPN at the HUB:

 

config vpn ipsec phase1
    edit "Hub-to-Branch_1"
        set interface "port2"
        set peertype any
        set proposal des-sha1
        set comments "Policy-Based-VPN"
        set remote-gw 192.168.10.1
        set psksecret ENC x82RQZ5nplgmIefRXW0U0pS8HLWnYDNE/US9Opl1VZ3VnR0vttxeZnKVjY6lHW3Yu5WN1eD6BK2mFr2Y4K3FAWWN5zRV3Mrdp7znrLqYUmgCcmtzc81tpUq2T+lgY447gAWVTIO+ge4VPdyXz9VNPaUqj4vCfQIqadfN+5fikiRxLMlzGJv1nrwqA6L5V0PdHULwKw==
    next
    edit "Hub-to-Branch_2"
        set interface "port2"
        set peertype any
        set proposal des-sha1
        set comments "Policy-Based-VPN"
        set remote-gw 192.168.20.1
        set psksecret ENC ZsbarvRygHh+d0IZ0dwBtUDwnmtWwLDN3uwpnI8HgqDZlqOER6xCQQJyYIph9emyXnBr8SaEuXBjmvR8yD1TAmPcT6VSBD6JUaUTWOvx20m0LB3m5WIEMzdeTZ84hX1VgkZpkJ+3P9Q04OYiZct8sKjL0bACCI04sHNZ9xvGdbgxDFyJ84zcMpNY0lIuM9OnSqWhkw==
    next
end

config vpn ipsec phase2
    edit "Hub-to-Branch_1"
        set phase1name "Hub-to-Branch_1"
        set proposal des-md5 des-sha1
    next
    edit "Hub-to-Branch_2"
        set phase1name "Hub-to-Branch_2"
        set proposal des-md5 des-sha1
    next
end

 

 

  2. Configure an IPsec concentrator at the HUB:

config vpn ipsec concentrator
    edit 1
        set name "Branch-1_Branch-2"
        set member "Hub-to-Branch_1" "Hub-to-Branch_2"
    next
end

 

 

  3. Configure the Firewall Policy at the HUB:

config firewall policy
    edit 1
        set name "Hub-to-Branch_1"
        set uuid 4dd90902-57e4-51ef-8497-b8d8c189952e
        set srcintf "port3"
        set dstintf "port2"
        set action ipsec
        set srcaddr "Local_Subnet"
        set dstaddr "Branch-1_Subnet"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Hub-to-Branch_1"
    next
    edit 2
        set name "Hub-to-Branch_2"
        set uuid 79e315d8-57e4-51ef-f92c-dadebfc7a2c5
        set srcintf "port3"
        set dstintf "port2"
        set action ipsec
        set srcaddr "Local_Subnet"
        set dstaddr "Branch-2_Subnet"
        set schedule "always"
        set service "ALL"
        set vpntunnel "Hub-to-Branch_2"
    next
end

 

Branch-1 Configuration:

  1. Configure the IPsec VPN at Branch-1:

config vpn ipsec phase1
    edit "Branch_1-to-Hub"
        set interface "port2"
        set peertype any
        set proposal des-sha1
        set remote-gw 192.168.50.1
        set psksecret ENC I+18UNZY3Niqo3fG3AqETRRJ1KAn7wxclE4qh+dMTbPjHgJj41NTn5ucz6mnRhfgIGVy1BYNzd/TmsvInk4/WixeaH2qJocip1A7xz9Aygn5iSVHB4egN9nDVDLGJdtzVgVXkxRcILyQZin3yDow5doA9XjJARwJpVYOKCURwcXPGoAh531eJR8tzZhb6WMQe/0VIQ==
    next
end

config vpn ipsec phase2
    edit "Branch_1-to-Hub"
        set phase1name "Branch_1-to-Hub"
        set proposal des-md5 des-sha1
    next
end

 

 

  2. Configure the Firewall Policy at Branch-1:

config firewall policy
    edit 1
        set name "Branch_1-to-Hub"
        set uuid f0054e02-57e4-51ef-4cbf-7b407377efb5
        set srcintf "port3"
        set dstintf "port2"
        set action ipsec
        set srcaddr "Local_Subnet"
        set dstaddr "Hub_Subnet"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Branch_1-to-Hub"
    next
end

 

Branch-2 Configuration (Cisco router):

  1. Create an ISAKMP policy for Phase-1 (shown here as the router displays it):

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

 

 

  2. Specify the pre-shared key and the remote peer address:

Keyring      Hostname/Address      Preshared Key
default      192.168.50.1          fortinet

 

 

  3. Create an ACL for the traffic to be encrypted:

Extended IP access list 100
    10 permit ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255

 

 

 

  4. Create the Phase 2 policy (transform set):

Transform set default: { esp-aes esp-sha-hmac }
    will negotiate = { Transport, },

Transform set tset: { esp-des esp-sha-hmac }
    will negotiate = { Tunnel, },

 

 

  5. Create the crypto map:

Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "mymap" 10 ipsec-isakmp
    Peer = 192.168.50.1
    Extended IP access list 100
        access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
    Current peer: 192.168.50.1
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Mixed-mode : Disabled
    Transform sets={
        tset: { esp-des esp-sha-hmac }
    }
Interfaces using crypto map mymap:
    Ethernet0/1

 

  6. Apply the crypto map on the interface:

interface Ethernet0/1
 ip address 192.168.20.1 255.255.255.0
 crypto map mymap
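As an added example (not part of the original article, and not FortiOS or IOS tooling), the following Python script parses the FortiGate 'set proposal' lines from the configuration above and checks whether a Cisco ESP transform set maps to one of the FortiGate phase2 proposals. The hub configuration excerpt and the algorithm mapping tables are constructed assumptions; the check shows why the router's "tset" (esp-des esp-sha-hmac) negotiates against "des-md5 des-sha1" while its "default" set (esp-aes esp-sha-hmac) would not.

```python
import re

# Constructed excerpt of the hub configuration shown in this article.
FGT_HUB_CONFIG = """
config vpn ipsec phase1
    edit "Hub-to-Branch_2"
        set proposal des-sha1
    next
end
config vpn ipsec phase2
    edit "Hub-to-Branch_2"
        set proposal des-md5 des-sha1
    next
end
"""
CISCO_TRANSFORM_SET = "esp-des esp-sha-hmac"   # transform set "tset" on the Cisco router

# Assumed mapping of Cisco ESP keywords to FortiGate proposal tokens (only the
# algorithms appearing on this page, plus 3DES/AES-128 for illustration).
ENC_MAP = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128"}
AUTH_MAP = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}

def fortigate_proposals(config_text):
    """Return {(phase, tunnel_name): [proposal, ...]} from FortiOS 'set proposal' lines."""
    result = {}
    phase = name = None
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r'config vpn ipsec (phase[12])', line):
            phase = m.group(1)
        elif m := re.match(r'edit "([^"]+)"', line):
            name = m.group(1)
        elif (m := re.match(r'set proposal (.+)', line)) and phase and name:
            result[(phase, name)] = m.group(1).split()
    return result

def cisco_transform_to_fortigate(transform_set):
    """Translate a Cisco ESP transform set into the equivalent FortiGate phase2 proposal token."""
    words = transform_set.split()
    enc = next(ENC_MAP[w] for w in words if w in ENC_MAP)
    auth = next(AUTH_MAP[w] for w in words if w in AUTH_MAP)
    return f"{enc}-{auth}"

def phase2_compatible(config_text, tunnel, transform_set):
    """True when the FortiGate phase2 proposal list for `tunnel` contains the Cisco transform set."""
    props = fortigate_proposals(config_text).get(("phase2", tunnel), [])
    return cisco_transform_to_fortigate(transform_set) in props
```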

 

Hub to Branch-1 Flow Debug:

 

diagnose debug flow filter clear
diagnose debug flow filter addr 10.10.50.2
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 255
diagnose debug enable

 

id=65308 trace_id=33 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.50.2:505->10.10.10.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=505, seq=1."
id=65308 trace_id=33 func=init_ip_session_common line=6076 msg="allocate a new session-0000095a, tun_id=0.0.0.0"
id=65308 trace_id=33 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
id=65308 trace_id=33 func=iprope_dnat_tree_check line=823 msg="len=0"
id=65308 trace_id=33 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=33 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.50.2 via port2"
id=65308 trace_id=33 func=iprope_fwd_check line=789 msg="in-[port3], out-[port2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=33 func=__iprope_check line=2292 msg="gnum-100004, check-ffffffffa002c2a7"
id=65308 trace_id=33 func=__iprope_check_one_policy line=2044 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=65308 trace_id=33 func=__iprope_user_identity_check line=1819 msg="ret-matched"
id=65308 trace_id=33 func=__iprope_check_one_policy line=2262 msg="policy-1 is matched, act-accept"
id=65308 trace_id=33 func=__iprope_check line=2309 msg="gnum-100004 check result: ret-matched, act-accept, flag-08010840, flag2-00004000"
id=65308 trace_id=33 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=65308 trace_id=33 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=65308 trace_id=33 func=fw_forward_handler line=903 msg="Allowed by Policy-1: encrypt"
id=65308 trace_id=33 func=ipsec_tunnel_output4 line=1195 msg="enter IPsec tunnel-Hub-to-Branch_1"
id=65308 trace_id=33 func=esp_output4 line=885 msg="IPsec encrypt/auth"
id=65308 trace_id=33 func=ipsec_output_finish line=599 msg="send to 192.168.50.2 via intf-port2"
id=65308 trace_id=34 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.10.2:505->10.10.50.2:0) tun_id=192.168.10.1 from port2. type=0, code=0, id=505, seq=1."
id=65308 trace_id=34 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0000095a, reply direction"

 

Hub to Branch-2 Flow Debug:

 

id=65308 trace_id=43 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.50.2:36345->10.10.20.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=36345, seq=1."
id=65308 trace_id=43 func=init_ip_session_common line=6076 msg="allocate a new session-000009ab, tun_id=0.0.0.0"
id=65308 trace_id=43 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
id=65308 trace_id=43 func=iprope_dnat_tree_check line=823 msg="len=0"
id=65308 trace_id=43 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=43 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.50.2 via port2"
id=65308 trace_id=43 func=iprope_fwd_check line=789 msg="in-[port3], out-[port2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=43 func=__iprope_check line=2292 msg="gnum-100004, check-ffffffffa002c2a7"
id=65308 trace_id=43 func=__iprope_check_one_policy line=2044 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
id=65308 trace_id=43 func=__iprope_check_one_policy line=2044 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
id=65308 trace_id=43 func=__iprope_user_identity_check line=1819 msg="ret-matched"
id=65308 trace_id=43 func=__iprope_check_one_policy line=2262 msg="policy-2 is matched, act-accept"
id=65308 trace_id=43 func=__iprope_check line=2309 msg="gnum-100004 check result: ret-matched, act-accept, flag-08010840, flag2-00004000"
id=65308 trace_id=43 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=65308 trace_id=43 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=65308 trace_id=43 func=fw_forward_handler line=903 msg="Allowed by Policy-2: encrypt"
id=65308 trace_id=43 func=ipsec_tunnel_output4 line=1195 msg="enter IPsec tunnel-Hub-to-Branch_2"
id=65308 trace_id=43 func=esp_output4 line=885 msg="IPsec encrypt/auth"
id=65308 trace_id=43 func=ipsec_output_finish line=599 msg="send to 192.168.50.2 via intf-port2"
id=65308 trace_id=44 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.20.2:36345->10.10.50.2:0) tun_id=192.168.20.1 from port2. type=0, code=0, id=36345, seq=1."
id=65308 trace_id=44 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-000009ab, reply direction"

 

Internet Connectivity:

 

id=65308 trace_id=53 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.50.2:59130->8.8.8.8:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=59130, seq=1."
id=65308 trace_id=53 func=init_ip_session_common line=6076 msg="allocate a new session-00000b68, tun_id=0.0.0.0"
id=65308 trace_id=53 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
id=65308 trace_id=53 func=iprope_dnat_tree_check line=823 msg="len=0"
id=65308 trace_id=53 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=53 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.86.2 via port1"
id=65308 trace_id=53 func=iprope_fwd_check line=789 msg="in-[port3], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=53 func=__iprope_check line=2292 msg="gnum-100004, check-ffffffffa002c2a7"
id=65308 trace_id=53 func=__iprope_check_one_policy line=2044 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=65308 trace_id=53 func=__iprope_user_identity_check line=1819 msg="ret-matched"
id=65308 trace_id=53 func=get_new_addr line=1228 msg="find SNAT: IP-192.168.86.132(from IPPOOL), port-59130"
id=65308 trace_id=53 func=__iprope_check_one_policy line=2262 msg="policy-3 is matched, act-accept"
id=65308 trace_id=53 func=__iprope_check line=2309 msg="gnum-100004 check result: ret-matched, act-accept, flag-08050100, flag2-00004000"
id=65308 trace_id=53 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-3"
id=65308 trace_id=53 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-3"
id=65308 trace_id=53 func=iprope_reverse_dnat_check line=1307 msg="in-[port3], out-[port1], skb_flags-02000000, vid-0"
id=65308 trace_id=53 func=iprope_reverse_dnat_tree_check line=915 msg="len=0"
id=65308 trace_id=53 func=fw_forward_handler line=903 msg="Allowed by Policy-3: SNAT"
id=65308 trace_id=53 func=__ip_session_run_tuple line=3502 msg="SNAT 10.10.50.2->192.168.86.132:59130"
id=65308 trace_id=54 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 8.8.8.8:59130->192.168.86.132:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=59130, seq=1."
id=65308 trace_id=54 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-00000b68, reply direction"
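As an added example (not part of the original article or of FortiOS), the following Python script summarizes 'diagnose debug flow' output like the three traces above: it groups lines by trace_id, extracts the packet tuple, the policy verdict and the IPsec tunnel, and flags any flow bound for a branch subnet that left the hub without being encrypted. The sample lines are constructed from the traces above, and the branch prefixes are an assumption taken from the destination addresses in those traces.

```python
import re

# Constructed sample, abbreviated from the three debug-flow traces in this article.
SAMPLE_TRACE = """
id=65308 trace_id=33 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.50.2:505->10.10.10.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=505, seq=1."
id=65308 trace_id=33 func=__iprope_check_one_policy line=2262 msg="policy-1 is matched, act-accept"
id=65308 trace_id=33 func=fw_forward_handler line=903 msg="Allowed by Policy-1: encrypt"
id=65308 trace_id=33 func=ipsec_tunnel_output4 line=1195 msg="enter IPsec tunnel-Hub-to-Branch_1"
id=65308 trace_id=43 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.50.2:36345->10.10.20.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=36345, seq=1."
id=65308 trace_id=43 func=__iprope_check_one_policy line=2044 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
id=65308 trace_id=43 func=fw_forward_handler line=903 msg="Allowed by Policy-2: encrypt"
id=65308 trace_id=43 func=ipsec_tunnel_output4 line=1195 msg="enter IPsec tunnel-Hub-to-Branch_2"
id=65308 trace_id=53 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.50.2:59130->8.8.8.8:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=59130, seq=1."
id=65308 trace_id=53 func=fw_forward_handler line=903 msg="Allowed by Policy-3: SNAT"
id=65308 trace_id=53 func=__ip_session_run_tuple line=3502 msg="SNAT 10.10.50.2->192.168.86.132:59130"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) tun_id=(\S+) from (\w+)')
VERDICT_RE = re.compile(r'Allowed by Policy-(\d+): (\w+)')
TUNNEL_RE = re.compile(r'enter IPsec tunnel-(\S+)')

def summarize_flow(trace_text):
    """Group debug-flow lines by trace_id and pull out the packet, the verdict and the tunnel."""
    flows = {}
    for raw in trace_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        trace_id, func, msg = m.groups()
        f = flows.setdefault(trace_id, {"policy": None, "action": None, "tunnel": None})
        if func == "print_pkt_detail":
            proto, src, dst, tun, intf = PKT_RE.search(msg).groups()
            f.update(proto=int(proto), src=src, dst=dst, tun_id=tun, ingress=intf)
        elif v := VERDICT_RE.search(msg):
            f["policy"], f["action"] = int(v.group(1)), v.group(2)
        elif t := TUNNEL_RE.search(msg):
            f["tunnel"] = t.group(1)
    return flows

def unencrypted_to_branch(flows, branch_prefixes=("10.10.10.", "10.10.20.")):
    """Flag flows destined for a branch subnet (assumed prefixes) that were not sent through IPsec."""
    return [tid for tid, f in flows.items()
            if f.get("dst", "").startswith(branch_prefixes) and f["action"] != "encrypt"]
```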