The setup is as follows:

I have a FortiGate device on the corporate network, and a FortiGate VPN has been set up on it. Computers on the remote network that can run FortiClient (Windows and Mac machines) connect to this VPN without any problem. I am tasked with getting Linux computers to connect to the VPN, which FortiGate does not support.

To try to work out how, I set up an Ubuntu 16.04 machine on the remote network running OpenSwan, trying to connect to a specific tunnel I set up for it on the FortiGate.

However, the closest I have been able to get to a connection so far is this:

```
002 "icms" #1: initiating Aggressive Mode #1, connection "icms"
113 "icms" #1: STATE_AGGR_I1: initiate
003 "icms" #1: received Vendor ID payload [RFC 3947] method set to=115
003 "icms" #1: received Vendor ID payload [Dead Peer Detection]
003 "icms" #1: received Vendor ID payload [XAUTH]
003 "icms" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de0005024d]
002 "icms" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'a.b.c.d'
003 "icms" #1: no suitable connection for peer 'a.b.c.d'
003 "icms" #1: initial Aggressive Mode packet claiming to be from a.b.c.d on a.b.c.d but no connection has been authorized
218 "icms" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
002 "icms" #1: sending notification INVALID_ID_INFORMATION to a.b.c.d:500
```

Where "icms" is the name of the connection and "a.b.c.d" stands for the FortiGate's public IP.
My /etc/ipsec.d/icms.conf configuration:

```
conn icms
    type=tunnel
    authby=secret
    pfs=no
    ike=aes128-sha1;modp1536
    phase2alg=aes128-sha1
    aggrmode=yes
    keylife=28800s
    ikelifetime=1800s
    right=a.b.c.d
    rightnexthop=%defaultroute
    rightsubnet=172.16.1.0/16
    left=e.f.g.h
    leftnexthop=%defaultroute
    auto=add
```

'e.f.g.h' is the IP of the Ubuntu machine.

My /etc/ipsec.d/icms.secrets:

```
a.b.c.d : PSK "presharedsecret"
```

Any help or suggestions would be greatly appreciated, and if I can provide more information, please let me know. I have tried a number of OpenSwan and FortiGate tunnel configurations, but so far to no avail.
Edit 1: FortiGate configuration info!

```
config vpn ipsec phase1-interface
    edit "icms"
        set type static
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set nattraversal enable
        set keylife 86400
        set authmethod psk
        set mode aggressive
        set peertype any
        set mode-cfg disable
        set proposal aes128-sha1 aes192-sha256
        set localid "icms"
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd enable
        set forticlient-enforcement disable
        set comments "Phase1 to Remote Linux"
        set npu-offload enable
        set dhgrp 14 5
        set wizard-type custom
        set xauthtype disable
        set mesh-selector-type disable
        set remote-gw '<IP of Ubuntu Machine>'
        set monitor ''
        set add-gw-route disable
        set psksecret ENC <encrypted string>
        set keepalive 10
        set auto-negotiate enable
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
end
```

Phase 2 configuration:

```
config vpn ipsec phase2-interface
    edit "@icms"
        set phase1name "icms"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set pfs disable
        set replay enable
        set keepalive disable
        set auto-negotiate enable
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type ip
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 172.16.1.0 255.255.255.248
        set dst-start-ip '<IP of Ubuntu Machine>'
    next
end
```
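An added example, not part of the question or of either answer: a small Python checker that parses an Openswan-style `ike=` line and a FortiGate `phase1-interface` block (the two dialects shown above) and lists the phase 1 proposals both sides would accept. The `modp` name to `dhgrp` number mapping is assumed from the standard IKE DH group ids, and the FortiGate snippet embedded below is constructed from the question's values.

```python
import re
from itertools import product

# Openswan/Libreswan DH group names -> FortiGate 'dhgrp' numbers (assumed mapping
# from the standard IKE group ids).
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
                 "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18}
# Openswan shorthand aliases normalised to the names FortiGate prints.
ALIAS = {"aes": "aes128", "sha": "sha1"}

def parse_openswan_ike(ike_line):
    """'ike=aes128-sha1;modp1536,aes256-sha2_256;modp2048' -> {(enc, hash, group)}."""
    proposals = set()
    for prop in ike_line.split("=", 1)[1].split(","):
        algs, _, group = prop.strip().partition(";")
        enc, hsh = (ALIAS.get(a, a) for a in algs.split("-", 1))
        proposals.add((enc, hsh.replace("sha2_", "sha"), MODP_TO_GROUP[group]))
    return proposals

def parse_fortigate_phase1(config_text):
    """Expand 'set proposal ...' x 'set dhgrp ...' from a phase1-interface block."""
    props = re.search(r"^\s*set proposal (.+)$", config_text, re.M).group(1).split()
    groups = re.search(r"^\s*set dhgrp (.+)$", config_text, re.M).group(1).split()
    # FortiGate offers each cipher/hash proposal with every configured DH group.
    return {tuple(p.split("-", 1)) + (int(g),) for p, g in product(props, groups)}

def common_proposals(ike_line, fortigate_config):
    """Phase 1 proposals both peers accept; an empty list means no cipher/group overlap."""
    return sorted(parse_openswan_ike(ike_line) & parse_fortigate_phase1(fortigate_config))

# Constructed sample mirroring the question's FortiGate phase 1 block (only the
# lines this check needs).
FORTIGATE_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "icms"
        set proposal aes128-sha1 aes192-sha256
        set dhgrp 14 5
    next
end
"""

if __name__ == "__main__":
    print(common_proposals("ike=aes128-sha1;modp1536", FORTIGATE_PHASE1))
    # -> [('aes128', 'sha1', 5)]: the question's phase 1 algorithms do overlap
    print(common_proposals("ike=aes256-sha1;modp1024", FORTIGATE_PHASE1))
    # -> []: aes256 is not offered and modp1024 (group 2) is not in 'dhgrp 14 5'
```

A non-empty result rules out a phase 1 algorithm mismatch as the cause of a failed negotiation, so the remaining suspects are identities, secrets and mode settings.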
Answer 1

In case you are not tied to OpenSwan: this describes how to connect to a FortiGate IPsec VPN tunnel using the strongSwan client (but without DNS).

Authentication is done with a pre-shared key and XAuth.

The relevant configuration from /etc/ipsec.conf:

```
# Introduction to IPsec: http://www.ipsec-howto.org/x202.html
config setup
    charondebug = "dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, lib 1"

conn myConn
    keyexchange = ikev1
    # Cipher used for the key exchange
    # modp3072 is Diffie Hellman group 15. Refer to this for other groups:
    # http://www.omnisecu.com/tcpip/what-is-diffie-hellman-group.php
    ike = aes128-sha256-modp3072
    esp = aes128-sha256-modp3072
    # You'll have to find out whether your FortiGate uses aggressive mode for
    # authentication. If it does, you must set "aggressive = yes" here to
    # connect successfully
    aggressive = yes
    right = 83.xxx.xxx.xx
    #right = vpn.the-vpn-server.com
    rightsubnet = 10.7.0.0/24
    rightid = %any
    rightauth = psk
    left = %defaultroute
    leftauth = psk
    leftauth2 = xauth
    # The user name used for authentication
    xauth_identity = "theuser"
    auto = start
```

/etc/ipsec.secrets:

```
# ipsec.secrets - strongSwan IPsec secrets file
: PSK "secret_preshared_key"
: XAUTH "secret_xauth_password"
```

Bring the tunnel up with `sudo ipsec start --nofork`.

Resources on strongSwan:
Answer 2

If you have a valid support contract, you can also download the SSL VPN client for Linux from their support site, which may be simpler. I have used it for several years, with different versions, without any problems.

https://support.fortinet.com/Download/FirmwareImages.aspx
/ FortiGate / v5.00 / 5.2 / 5.2.7 / VPN / SSLVPNTools /

Answer 3

I spent about three days on this. There are some major issues between openswan and fortigate when IKEv1 is on. If you switch openswan to IKEv2 (using ikev2=insist) and enable IKEv2 on the fortigate, everything works fine.

```
ikev2=insist
keyexchange=ike
ike=aes256-sha1;modp1024
phase2=esp
phase2alg=aes256-sha1;modp1024
pfs=no
forceencaps=yes
aggrmode=yes
salifetime=3600s
ikelifetime=10800s
```