[Figure: 1.gif]

[Figure: 2.gif]

In this case study we take a close look at a new VPN feature introduced in FortiOS 5.4: ADVPN.

ADVPN (Auto Discovery VPN) is an IPsec technology based on an IETF Internet-Draft; see the following link for details:

https://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03

In short, ADVPN lets the spokes of a traditional hub-and-spoke VPN build dynamic, on-demand direct tunnels to each other, so that not all traffic has to be forwarded through the hub. ADVPN requires dynamic routing to work; FortiOS 5.4 supports BGP and RIP for this. This article focuses on using BGP, with its route reflection mechanism, as the dynamic routing solution for ADVPN.

The main advantage of ADVPN is that it provides full-mesh connectivity on top of a standard hub-and-spoke topology: it greatly reduces the configuration work a full mesh would otherwise require, reduces latency between sites, and solves the scalability problems associated with very large full-mesh VPN networks.

BGP (iBGP in particular) is well suited to ADVPN because its route reflection mechanism lives on the VPN hub, which mirrors the routing information received from each spoke to all the other spokes. In addition, dynamic neighbor groups greatly reduce the hub-side configuration work when a new spoke is added to the topology.

As shown in the figure, although both spoke FortiGates are statically configured to connect to the hub FortiGate, as soon as a host behind Spoke A wants to reach a host behind Spoke B, Spoke A can quickly bring up a dynamic, on-demand IPsec tunnel directly to Spoke B.

Below we verify the process by which Spoke A (192.168.2.1) dynamically establishes an on-demand IPsec VPN tunnel to Spoke B (192.168.3.1). BGP and ADVPN settings are normally configured from the CLI. We assume that basic IP addressing, default routes and similar settings are already in place.


1 Configuring the hub FortiGate

Configure phase 1 from the CLI:

config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set interface "wan1"
        set proposal aes128-sha1
        set add-route disable
        set dhgrp 2
        set auto-discovery-sender enable
        set psksecret fortinet
    next
end

The auto-discovery setting (auto-discovery-sender) enables the hub to send auto-discovery messages to the spokes (the hub is responsible for letting every spoke know which VPN tunnels it needs to establish).

Note: aggressive mode does not currently support ADVPN.


Configure the phase 2 parameters:

config vpn ipsec phase2-interface
    edit "ADVPN-P2"
        set phase1name "ADVPN"
        set proposal aes128-sha1
    next
end


Configure the tunnel interface:

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254
        set interface "wan1"
    next
end

ADVPN requires a tunnel IP on every connected device, and each peer's tunnel IP must be unique. The hub additionally needs a dummy remote IP address (10.10.10.254 in this example), which must also be unique; it is not really treated as part of the hub's configuration.


Configure iBGP: set the AS number, the router ID, and the dynamic (dial-up) neighbor group.

config router bgp
    set as 65000
    set router-id 10.10.10.1
    config neighbor-group
        edit "ADVPN-PEERS"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "ADVPN-PEERS"
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end


Configure the firewall policies. Policies are needed to allow traffic between the local network and the ADVPN network, and you must remember to also configure the policy that allows spoke-to-spoke traffic.

config firewall policy
    edit 0
        set name "OUT ADVPN"
        set srcintf "lan"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
    edit 0
        set name "IN ADVPN"
        set srcintf "ADVPN"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
    edit 0
        set name "ADVPNtoADVPN"
        set srcintf "ADVPN"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
end


2 Configuring the spoke FortiGate

Configure phase 1:

config vpn ipsec phase1-interface
    edit "ADVPN"
        set interface "wan1"
        set proposal aes128-sha1
        set add-route disable
        set dhgrp 2
        set auto-discovery-receiver enable
        set remote-gw 10.1.1.1
        set psksecret fortinet
    next
end


Configure phase 2:

config vpn ipsec phase2-interface
    edit "ADVPN-P2"
        set phase1name "ADVPN"
        set proposal aes128-sha1
        set auto-negotiate enable
    next
end


Configure the tunnel interface IP:

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.1
        set interface "wan1"
    next
end


Configure iBGP:

config router bgp
    set as 65000
    set router-id 10.10.10.2
    config neighbor
        edit "10.10.10.1"
            set soft-reconfiguration enable
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end


Configure a static route for the tunnel IP subnet that points to the ADVPN interface:

config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "ADVPN"
    next
end

Note: this is a very important step. The spoke needs a summary route that covers all of the tunnel interface IP subnets.


Configure the policies:

config firewall policy
    edit 0
        set name "OUT ADVPN"
        set srcintf "lan"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
    edit 0
        set name "IN ADVPN"
        set srcintf "ADVPN"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
end


From Spoke A (192.168.2.1) we ping Spoke B (192.168.3.1):

FG # exec ping-options source 192.168.2.1
FG # exec ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=254 time=38.3 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=254 time=32.6 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=255 time=43.0 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=255 time=31.7 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=255 time=31.2 ms

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 31.2/35.3/43.0 ms

FG # get router info routing-table bgp
B 192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:34:13
B 192.168.3.0/24 [200/0] via 10.0.0.3, ADVPN_0, 00:02:28


All IPsec VPN tunnels can be listed with diagnose vpn tunnel list:

FG # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ADVPN_0 ver=1 serial=a 10.1.1.2:0->10.1.1.3:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
parent=ADVPN index=0
proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=604 auto-discovery=2
stat: rxp=7 txp=7 rxb=1064 txb=588
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN-P2 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=2f type=00 soft=0 mtu=1438 expire=42680/0B replaywin=2048 seqno=8 esn=0
  life: type=01 bytes=0/0 timeout=43152/43200
  dec: spi=9a487db3 esp=aes key=16 55e53d9fbc8dbeaa6df1032fbc80c4f6
       ah=sha1 key=20 a1470452c6a444f26a070add087f0d970c18e3a7
  enc: spi=3c37fea7 esp=aes key=16 8fd62a6745a9ba4fda062d4504b76851
       ah=sha1 key=20 44c606f1ef1bf5739ba62f6572031aa956974d0a
  dec:pkts/bytes=7/588, enc:pkts/bytes=7/1064
------------------------------------------------------
name=ADVPN ver=1 serial=9 10.1.1.2:0->10.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=1 refcnt=22 ilast=8 olast=8 auto-discovery=2
stat: rxp=3120 txp=3120 rxb=399536 txb=191970
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN-P2 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=2f type=00 soft=0 mtu=1438 expire=4833/0B replaywin=2048 seqno=5ba esn=0
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=9a487db2 esp=aes key=16 4f70d27edad656cfcacbae61b23d4b11
       ah=sha1 key=20 b19ea87c90dd92d1cab58cbf24ae8fe12ee927cb
  enc: spi=b3dde355 esp=aes key=16 efbb4440df75018610b4ba8f5756167d
       ah=sha1 key=20 81cc9cee3bee1c2dba0eb1e7ac66e9d34b67bde9
  dec:pkts/bytes=1465/90152, enc:pkts/bytes=1465/187560
------------------------------------------------------
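The two outputs above are what tells you whether ADVPN actually redirected the spoke-to-spoke traffic: the dial_inst child tunnel named after the parent ADVPN tunnel, and a BGP route for Spoke B's prefix whose outgoing interface is that child. Here is an added Python example (not part of the original article or of FortiOS) that parses a constructed copy of that output and performs this check; the regexes, function names and sample text are assumptions of mine about the output format, not a documented API.

```python
import re
# Constructed sample input, modelled on the tunnel-list and BGP-table output above (SA keys omitted).
SAMPLE_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ADVPN_0 ver=1 serial=a 10.1.1.2:0->10.1.1.3:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
parent=ADVPN index=0
------------------------------------------------------
name=ADVPN ver=1 serial=9 10.1.1.2:0->10.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
------------------------------------------------------
"""
SAMPLE_BGP_TABLE = """\
B 192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:34:13
B 192.168.3.0/24 [200/0] via 10.0.0.3, ADVPN_0, 00:02:28
"""
KV = re.compile(r"([\w-]+)=(\S+)")                      # key=value fields of a tunnel block
ENDPOINTS = re.compile(r"(\d+(?:\.\d+){3}):\d+->(\d+(?:\.\d+){3}):\d+")
BGP_ROUTE = re.compile(r"^B\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+),")

def parse_tunnel_list(text):
    """One dict per tunnel, keyed by name, plus the local/remote gateway addresses."""
    tunnels = {}
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "name=" not in block:          # skip the 'list all ...' header and trailing empty piece
            continue
        fields = dict(KV.findall(block))
        m = ENDPOINTS.search(block)
        if m:
            fields["local"], fields["remote"] = m.groups()
        tunnels[fields["name"]] = fields
    return tunnels

def shortcut_peers(tunnels):
    """Dynamic spoke-to-spoke shortcuts (dial_inst children of an ADVPN parent),
    mapped to the remote gateway they reach without going through the hub."""
    return {n: t["remote"] for n, t in tunnels.items()
            if t.get("mode", "").startswith("dial_inst")
            and t.get("parent") in tunnels
            and t["remote"] != tunnels[t["parent"]]["remote"]}

def parse_bgp_table(text):
    """prefix -> (next hop, outgoing interface) from the BGP routing table."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in map(BGP_ROUTE.match, text.splitlines()) if m}

def reached_via_shortcut(prefix, tunnels, routes):
    """True when the prefix's route exits over a live shortcut rather than the hub tunnel."""
    return prefix in routes and routes[prefix][1] in shortcut_peers(tunnels)
```

Running the check on the real device output (for example via a scheduled CLI pull) gives a simple way to alert when spoke-to-spoke traffic silently falls back to hairpinning through the hub.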


