More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. Since then the ASA has learned to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere, and we have improved security proposals. So it's time for an update:
This is one of many VPN tutorials on my blog. -> Have a look at this complete list. <-
My Setup
This is my setup for this tutorial: (Yes, public IPv4 addresses behind the Forti.)

I am using a Fortinet FortiWiFi FWF-61E with FortiOS v6.2.5 build1142 (GA) and a Cisco ASA 5515 running version 9.12(3)12 and ASDM 7.14(1). These are the VPN parameters:
Route-based VPN, that is: a numbered tunnel interface and real route entries for the network(s) on the other side. But no proxy IDs, a.k.a. traffic selectors, a.k.a. crypto map. Thank God for that.
The tunnel interface on the Forti is added automatically during the VPN setup. However, you have to set the IP address on that tunnel interface manually afterwards. The static route on the ASA needs an IP address as its gateway.
IKEv2 (no more distinction between main and aggressive mode as with IKEv1)
PSK: 30 alphanumeric characters, generated with a password generator! (ref)
IKE crypto/policies:
Diffie-Hellman group 21
AES-256-GCM
SHA-512 (you can use SHA-256 if you like)
8 hours
IPsec crypto/proposals/transform sets:
AES-256-GCM
SHA-512 (again, you can use SHA-256 as well). Note that AES-GCM is an AEAD cipher, so ESP negotiates no separate integrity algorithm: the SA outputs below show "auth: null" on the FortiGate and "esp-null-hmac" on the ASA, and SHA-512 only appears as the IKEv2 PRF ("prf sha512" on the ASA, "aes256gcm-prfsha512" on the FortiGate).
Diffie-Hellman group 21
1 hour
No NAT between the internal networks (of course not ;))!
FortiGate
or via the CLI: (incl. the zone commands <- these can be omitted if you are not using zones)
config system interface
edit "asa"
set vdom "root"
set ip 10.1.37.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.1.37.2 255.255.255.252
set interface "wan1"
next
end
config system zone
edit "s2s-vpns"
set interface "asa"
next
end
config vpn ipsec phase1-interface
edit "asa"
set interface "wan1"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set proposal aes256gcm-prfsha512
set dhgrp 21
set nattraversal disable
set remote-gw 185.23.77.7
set psksecret ThisIsThePreSharedKey
next
end
config vpn ipsec phase2-interface
edit "asa"
set phase1name "asa"
set proposal aes256gcm
set dhgrp 21
set keylifeseconds 3600
next
end
config router static
edit 5
set dst 172.16.37.0 255.255.255.0
set device "asa"
next
end
Cisco ASA
The same on the ASA, either via the "GUI":
or via classic CLI commands: (The ACL is omitted.)
interface Tunnel1
nameif fg2
ip address 10.1.37.2 255.255.255.252
tunnel source interface outside
tunnel destination 194.247.4.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile aes256gcm-sha512-dh21-3600s
!
route fg2 194.247.5.0 255.255.255.224 10.1.37.1 1
!
crypto ipsec ikev2 ipsec-proposal aes256gcm-sha512
protocol esp encryption aes-gcm-256
protocol esp integrity sha-512
crypto ipsec profile aes256gcm-sha512-dh21-3600s
set ikev2 ipsec-proposal aes256gcm-sha512
set pfs group21
set security-association lifetime seconds 3600
crypto ikev2 policy 1
encryption aes-gcm-256
integrity null
group 21
prf sha512
lifetime seconds 28800
!
group-policy 194.247.4.10 internal
group-policy 194.247.4.10 attributes
vpn-tunnel-protocol ikev2
tunnel-group 194.247.4.10 type ipsec-l2l
tunnel-group 194.247.4.10 general-attributes
default-group-policy 194.247.4.10
tunnel-group 194.247.4.10 ipsec-attributes
ikev2 remote-authentication pre-shared-key ThisIsThePreSharedKey
ikev2 local-authentication pre-shared-key ThisIsThePreSharedKey
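The parameters from "My Setup" have to be typed twice, once in FortiOS syntax and once in ASA syntax, and a single mismatch (lifetime, DH group, PSK, tunnel /30) is enough to keep the tunnel down or to silently end up with something weaker than intended. The following Python script is an added example for this post, not code from the original article, from Fortinet or from Cisco: it reads both CLI configs above and reports every disagreement between them, and it also flags a PSK that is shorter than the 30 random alphanumeric characters recommended above (the placeholder ThisIsThePreSharedKey is flagged for exactly that reason). It assumes the configs are pasted in the form shown on this page; the regexes are written for these lines only and do not cover other FortiOS or ASA syntax variants.

```python
import re

def parse_fortios(text):
    """Flatten a FortiOS CLI dump into {'<config section>/<key>': value}; the first edit wins."""
    vals, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("set ") and section:
            key, _, value = line[4:].partition(" ")
            vals.setdefault(f"{section}/{key}", value)
    return vals

def asa_val(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def norm_cipher(name):
    """'aes256gcm' and 'aes-gcm-256' -> 'aes256gcm'; 'aes256' and 'aes-256' -> 'aes256cbc'."""
    m = re.match(r"aes-?(\d+)?-?(gcm|cbc)?-?(\d+)?", name or "")
    return f"aes{m.group(1) or m.group(3)}{m.group(2) or 'cbc'}" if name else None

def check(fg_text, asa_text):
    """List every mismatch between the FortiGate and the ASA side of the tunnel."""
    fg, out = parse_fortios(fg_text), []
    p1, p2 = "vpn ipsec phase1-interface/", "vpn ipsec phase2-interface/"

    def differ(what, fg_value, asa_value):
        if fg_value != asa_value:
            out.append(f"{what}: FortiGate {fg_value!r} vs ASA {asa_value!r}")

    # IKE SA: version, cipher, PRF, lifetime, DH group (the ASA policy may list several groups)
    differ("IKE version", fg.get(p1 + "ike-version"), "2" if "crypto ikev2 policy" in asa_text else None)
    cipher, _, prf = fg.get(p1 + "proposal", "").partition("-prf")
    differ("IKE cipher", norm_cipher(cipher), norm_cipher(asa_val(r"^\s*encryption (\S+)", asa_text)))
    differ("IKE PRF", prf, asa_val(r"^\s*prf (\S+)", asa_text))
    differ("IKE lifetime", fg.get(p1 + "keylife"), asa_val(r"^\s*lifetime seconds (\d+)", asa_text))
    asa_groups = (asa_val(r"^\s*group ([\d ]+)$", asa_text) or "").split()
    if fg.get(p1 + "dhgrp") not in asa_groups:
        out.append(f"IKE DH group: FortiGate {fg.get(p1 + 'dhgrp')!r} not offered by ASA {asa_groups}")
    # IPsec SA: ESP cipher, PFS group, lifetime
    differ("ESP cipher", norm_cipher(fg.get(p2 + "proposal")),
           norm_cipher(asa_val(r"^\s*protocol esp encryption (\S+)", asa_text)))
    differ("PFS group", fg.get(p2 + "dhgrp"), asa_val(r"^\s*set pfs group(\d+)", asa_text))
    differ("IPsec lifetime", fg.get(p2 + "keylifeseconds"),
           asa_val(r"^\s*set security-association lifetime seconds (\d+)", asa_text))
    # PSK: identical on both sides and as strong as recommended above (30 random alphanumerics)
    psk = fg.get(p1 + "psksecret")
    for side in ("remote", "local"):
        differ(f"PSK ({side})", psk, asa_val(rf"ikev2 {side}-authentication pre-shared-key (\S+)", asa_text))
    if psk and not (len(psk) >= 30 and psk.isalnum()):
        out.append(f"PSK: {len(psk)} characters, recommended 30 random alphanumeric characters")
    # Tunnel addressing: the FortiGate's remote-ip must be the ASA's tunnel interface address
    differ("ASA tunnel IP", (fg.get("system interface/remote-ip") or "").split(" ")[0],
           asa_val(r"^\s*ip address (\S+)", asa_text))
    return out

# Excerpts of the two configs above, used as sample input.
FORTIGATE_CONFIG = """\
config system interface
edit "asa"
set remote-ip 10.1.37.2 255.255.255.252
next
end
config vpn ipsec phase1-interface
edit "asa"
set ike-version 2
set keylife 28800
set proposal aes256gcm-prfsha512
set dhgrp 21
set psksecret ThisIsThePreSharedKey
next
end
config vpn ipsec phase2-interface
edit "asa"
set proposal aes256gcm
set dhgrp 21
set keylifeseconds 3600
next
end
"""
ASA_CONFIG = """\
interface Tunnel1
 ip address 10.1.37.2 255.255.255.252
crypto ipsec ikev2 ipsec-proposal aes256gcm-sha512
 protocol esp encryption aes-gcm-256
crypto ipsec profile aes256gcm-sha512-dh21-3600s
 set pfs group21
 set security-association lifetime seconds 3600
crypto ikev2 policy 1
 encryption aes-gcm-256
 group 21
 prf sha512
 lifetime seconds 28800
tunnel-group 194.247.4.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ThisIsThePreSharedKey
 ikev2 local-authentication pre-shared-key ThisIsThePreSharedKey
"""
```

Calling check(FORTIGATE_CONFIG, ASA_CONFIG) on the excerpts above returns a single finding, the PSK length warning; paste in real configs and an empty list means both sides agree. Note that differing IKE lifetimes do not stop an IKEv2 tunnel from coming up, since IKEv2 does not negotiate lifetimes and each peer rekeys on its own timer, but the script reports them anyway so that both sides are configured deliberately rather than by accident.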
Monitoring
Some screenshots from the FortiGate:
as well as CLI outputs:
fg2 # get vpn ike gateway asa
vd: root/0
name: asa
version: 2
interface: wan1 6
addr: 194.247.4.10:500 -> 185.23.77.7:500
created: 3158587s ago
IKE SA created: 1/111 established: 1/111 time: 0/3/100 ms
IPsec SA created: 1/973 established: 1/973 time: 0/0/100 ms
id/spi: 2040 7be16624b6a980a3/b107958ab150a4fb
direction: initiator
status: established 23585-23585s ago = 10ms
proposal: unknown-256-unknown
SK_ei: c301af190feb89e7-e89076489227f77e-73a80ecd3692c0c7-925c73a84a30c063-618eb9af
SK_er: 5362b4bc6103b45f-776a3e817a61026f-75b7cd0220fb8d70-05f32a71240799e6-f1441bb6
SK_ai:
SK_ar:
lifetime/rekey: 28800/4914
DPD sent/recv: 00000000/00000000
fg2 #
fg2 #
fg2 # get vpn ipsec tunnel name asa
gateway
name: 'asa'
type: route-based
local-gateway: 194.247.4.10:0 (static)
remote-gateway: 185.23.77.7:0 (static)
mode: ike-v2
interface: 'wan1' (6)
rx packets: 110976 bytes: 145943836 errors: 0
tx packets: 64092 bytes: 3004962 errors: 0
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'asa'
auto-negotiate: disable
mode: tunnel
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA
lifetime/rekey: 3600/2171
mtu: 1446
tx-esp-seq: 27
replay: enabled
qat: 0
inbound
spi: 15ad154f
enc: aes-gc e1831416107c6ca5c1d6da624269ba4e21b7d45c95d5a16da8c0f9200b598ebbab76f5b9
auth: null
outbound
spi: 9573f1de
enc: aes-gc 3d6e5ab8c1ac1de02a230095d76778dd5b88aeeff7dfae8b25df26c265bdec56710d040e
auth: null
NPU acceleration: none
fg2 #
fg2 #
fg2 # diagnose vpn tunnel list name asa
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=asa ver=2 serial=3 194.247.4.10:0->185.23.77.7:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=14 ilast=12 olast=12 ad=/0
stat: rxp=110977 txp=64094 rxb=145943972 txb=3005118
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=440
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=asa proto=0 sa=1 ref=3 serial=2
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1446 expire=2114/0B replaywin=1024
seqno=29 esn=0 replaywin_lastseq=00000014 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3298/3600
dec: spi=15ad154f esp=aes-gcm key=36 e1831416107c6ca5c1d6da624269ba4e21b7d45c95d5a16da8c0f9200b598ebbab76f5b9
ah=null key=0
enc: spi=9573f1de esp=aes-gcm key=36 3d6e5ab8c1ac1de02a230095d76778dd5b88aeeff7dfae8b25df26c265bdec56710d040e
ah=null key=0
dec:pkts/bytes=20/1600, enc:pkts/bytes=40/5360
npu_flag=20 npu_rgwy=185.23.77.7 npu_lgwy=194.247.4.10 npu_selid=5 dec_npuid=0 enc_npuid=0
fg2 #
fg2 #
fg2 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 194.247.4.1, wan1
C 10.1.37.0/30 is directly connected, asa
C 10.1.37.1/32 is directly connected, asa
S 172.16.37.0/24 [10/0] via 10.1.37.2, asa
S 192.168.11.0/24 [10/0] is directly connected, ssg5-weberhom
S 193.24.227.224/27 [10/0] is directly connected, pa
C 194.247.4.0/27 is directly connected, wan1
C 194.247.5.0/27 is directly connected, internal
fg2 #
And some screenshots from the ASA: (the third one shows the logs after a manual "logout")
as well as CLI outputs:
asa# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:16, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1219040189 185.23.77.7/500 194.247.4.10/500 READY INITIATOR
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/298 sec
Session-id: 16
Status Description: Negotiation done
Local spi: E82116F37CF38D12 Remote spi: 3D48FE4CB448BA6B
Local id: 185.23.77.7
Remote id: 194.247.4.10
Local req mess id: 26 Remote req mess id: 0
Local next mess id: 26 Remote next mess id: 0
Local req queued: 26 Remote req queued: 0
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x5f713ed2/0x15ad1552
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-GCM, keysize: 256, esp_hmac: N/A
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE
asa#
asa#
asa# show crypto ipsec sa peer 194.247.4.10 detail
peer address: 194.247.4.10
Crypto map tag: __vti-crypto-map-5-0-1, seq num: 65280, local addr: 185.23.77.7
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 194.247.4.10
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 4009213712
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
#pkts invalid len (send): 0, #pkts invalid len (rcv): 0
#pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
#pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
#pkts failed (send): 0, #pkts failed (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 185.23.77.7/500, remote crypto endpt.: 194.247.4.10/500
path mtu 1500, ipsec overhead 55(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 15AD1552
current inbound spi : 5F713ED2
inbound esp sas:
spi: 0x5F713ED2 (1601257170)
SA State: active
transform: esp-aes-gcm-256 esp-null-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
slot: 0, conn_id: 51, crypto-map: __vti-crypto-map-5-0-1
sa timing: remaining key lifetime (kB/sec): (3962873/3231)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xAAAAAAAA 0xAAAAB8AA
outbound esp sas:
spi: 0x15AD1552 (363664722)
SA State: active
transform: esp-aes-gcm-256 esp-null-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
slot: 0, conn_id: 51, crypto-map: __vti-crypto-map-5-0-1
sa timing: remaining key lifetime (kB/sec): (4193275/3231)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa#
asa#
asa# show route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 185.23.77.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 185.23.77.1, outside
S 194.247.5.0 255.255.255.224 [1/0] via 10.1.37.1, fg2
asa#
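The outputs above are what you look at once the tunnel is up, and they are also where a weaker-than-intended negotiation would show, for example a tunnel that came up on UDP/4500 because of an unexpected NAT, or a lifetime that is not the one you configured. The following Python script is an added example, not code from the original post: it parses excerpts of the FortiGate and ASA show commands above, compares what each peer negotiated against the intended policy from "My Setup", and cross-checks that the two peers report the same thing. One detail worth knowing: FortiOS 6.2 prints "proposal: unknown-256-unknown" for GCM in "get vpn ike gateway", so the ESP cipher is taken from the "diagnose vpn tunnel list" output instead, where key=36 bytes is the 256-bit AES-GCM key plus the 4-byte salt from RFC 4106. The regexes match the exact lines shown on this page; other FortiOS or ASA releases may format these fields differently (an assumption of this example).

```python
import re

# Policy the post intends for this tunnel (from the "My Setup" section above).
EXPECTED = {
    "ike_version": 2,
    "ike_lifetime": 28800,    # 8 hours
    "ipsec_lifetime": 3600,   # 1 hour
    "dh_group": 21,
    "pfs_group": 21,
    "esp_cipher": "aes-gcm",
    "esp_key_bits": 256,
    "esp_integrity": "null",  # AEAD cipher: no separate ESP integrity algorithm
    "auth": "psk",
    "nat_t": False,           # both peers have public IPs, IKE should stay on UDP/500
}

def _grab(pattern, text, conv=str):
    """First capture group of `pattern` in `text` (multi-line mode), or None."""
    m = re.search(pattern, text, re.M)
    return conv(m.group(1)) if m else None

def parse_fortigate(ike_gw, diag):
    """Values from `get vpn ike gateway` and `diagnose vpn tunnel list` output."""
    # FortiOS 6.2 prints 'proposal: unknown-256-unknown' for GCM, so the ESP
    # algorithm comes from the diagnose output instead.
    ports = re.search(r"^\s*addr:\s*\S+:(\d+)\s*->\s*\S+:(\d+)", ike_gw, re.M)
    key_bytes = _grab(r"esp=aes-gcm key=(\d+)", diag, int)
    return {
        "ike_version": _grab(r"^\s*version:\s*(\d+)", ike_gw, int),
        "established": _grab(r"^\s*status:\s*(\w+)", ike_gw) == "established",
        "ike_lifetime": _grab(r"^\s*lifetime/rekey:\s*(\d+)/", ike_gw, int),
        "nat_t": "4500" in ports.groups() if ports else None,  # UDP/4500 means NAT-T
        "ipsec_lifetime": _grab(r"timeout=\d+/(\d+)", diag, int),
        "esp_cipher": _grab(r"esp=(\S+)\s+key=", diag),
        # RFC 4106: AES-GCM keying material is the key plus a 4-byte salt, so 36 bytes = 256-bit key
        "esp_key_bits": (key_bytes - 4) * 8 if key_bytes else None,
        "esp_integrity": _grab(r"^\s*ah=(\S+)", diag),  # FortiOS labels the ESP auth algorithm 'ah='
    }

def parse_asa(ikev2_sa, ipsec_sa):
    """Values from `show crypto ikev2 sa detail` and `show crypto ipsec sa detail` output."""
    tf = re.search(r"transform:\s*esp-(.+?)-(\d+)\s+esp-(\w+)-hmac", ipsec_sa)
    nt = re.search(r"NAT-T is (not )?detected", ikev2_sa)
    return {
        "ike_version": 2 if "IKEv2" in ikev2_sa else None,
        "established": _grab(r"Status:\s*([A-Z-]+)", ikev2_sa) == "UP-ACTIVE",
        "ike_lifetime": _grab(r"Life/Active Time:\s*(\d+)/", ikev2_sa, int),
        "dh_group": _grab(r"DH Grp:\s*(\d+)", ikev2_sa, int),
        "pfs_group": _grab(r"PFS Group (\d+)", ipsec_sa, int),
        "auth": (_grab(r"Auth sign:\s*(\w+)", ikev2_sa) or "").lower(),
        "nat_t": None if not nt else nt.group(1) is None,
        "esp_cipher": tf.group(1) if tf else None,
        "esp_key_bits": int(tf.group(2)) if tf else None,
        "esp_integrity": tf.group(3) if tf else None,
    }

def findings(name, observed, expected=EXPECTED):
    """Mismatches between one device's negotiated values and the policy; unknown (None) values are skipped."""
    out = [f"{name}: IKE SA not established"] if observed.get("established") is False else []
    for key, want in expected.items():
        got = observed.get(key)
        if got is not None and got != want:
            out.append(f"{name}: {key} is {got!r}, expected {want!r}")
    return out

def check_tunnel(fg_ike, fg_diag, asa_ike, asa_ipsec):
    """Policy check on both peers plus a cross-check that the peers agree with each other."""
    fg, asa = parse_fortigate(fg_ike, fg_diag), parse_asa(asa_ike, asa_ipsec)
    out = findings("FortiGate", fg) + findings("ASA", asa)
    for key in ("ike_version", "ike_lifetime", "esp_cipher", "esp_key_bits", "esp_integrity", "nat_t"):
        if fg.get(key) != asa.get(key):
            out.append(f"peers disagree on {key}: FortiGate {fg.get(key)!r}, ASA {asa.get(key)!r}")
    return out

# Excerpts of the outputs shown above, used as sample input.
FG_IKE = """\
version: 2
addr: 194.247.4.10:500 -> 185.23.77.7:500
status: established 23585-23585s ago = 10ms
proposal: unknown-256-unknown
lifetime/rekey: 28800/4914
"""
FG_DIAG = """\
life: type=01 bytes=0/0 timeout=3298/3600
dec: spi=15ad154f esp=aes-gcm key=36 e1831416107c6ca5c1d6da624269ba4e21b7d45c95d5a16da8c0f9200b598ebbab76f5b9
ah=null key=0
"""
ASA_IKE = """\
IKEv2 SAs:
Session-id:16, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/298 sec
NAT-T is not detected
"""
ASA_IPSEC = """\
transform: esp-aes-gcm-256 esp-null-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
"""
```

check_tunnel(FG_IKE, FG_DIAG, ASA_IKE, ASA_IPSEC) returns an empty list for the outputs above. Values a device does not print (the FortiGate output shows no DH group, the ASA shows only the remaining IPsec lifetime) are left as None and skipped rather than guessed, which is why the cross-check between the peers is limited to the fields both of them report.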
Reference: https://weberblog.net/route-based-vpn-tunnel-fortigate-cisco-asa/
One response
Jason Young
2021-10-28 at 06:14
I have a routed VPN set up between an FG and an ASA 5525. The tunnel comes up, but no data is received on the FG side of the tunnel. I can ping the tunnel interface on both firewalls locally, but not remotely. It's configured the same way as yours... not sure what's going on here.
FG Config
config system interface
edit "KG-Main"
set vdom "root"
set ip 169.254.0.250 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.0.249 255.255.255.252
set snmp-index 8
config ipv6
set ip6-send-adv enable
set ip6-other-flag enable
end
set interface "port1"
next
end
config vpn ipsec phase1-interface
edit "KG-Main"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes256gcm-prfsha512
set dhgrp 21
set remote-gw 1.1.1.1
set psksecret xxxxx
next
end
config vpn ipsec phase2-interface
edit "KG-Main"
set phase1name "KG-Main"
set proposal aes256gcm
set dhgrp 21
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "all"
set dst-name "all"
next
end
fortigate1 # get vpn ike gateway KG-Main
vd: root/0
name: KG-Main
version: 2
interface: port1 3
addr: 2.2.2.2:4500 -> 1.1.1.1:4500
created: 453s ago
peer-id: main.krueger.de
peer-auth: no
IKE SA created: 1/1 established: 1/1 time: 190/190/190 ms
IPsec SA created: 1/1 established: 1/1 time: 0/0/0 ms
id/spi: 122 804a845040348628/43b80f11e4259ad4
direction: responder
status: established 453-452s ago = 190ms
proposal: aes256gcm
SK_ei: c8f642478cf00102-3ca79b53e769a0ca-8c3e64d8fc6e6878-64e38bebc769873c-daec86e8
SK_er: 39671dc0e37b947a-35f0b35484c15f94-77af132ef506b74f-c30b21411f907312-f2f09a3a
SK_ai:
SK_ar:
lifetime/rekey: 86400/85677
DPD sent/recv: 00000001/00000001
fortigate1 # get vpn ipsec tunnel name KG-Main
gateway
name: 'KG-Main'
local-gateway: 2.2.2.2:4500 (static)
remote-gateway: 1.1.1.1:4500 (static)
dpd-link: on
mode: ike-v2
interface: 'port1' (3)
rx packets: 0 bytes: 0 errors: 0
tx packets: 5 bytes: 420 errors: 0
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
nat traversal mode: keep-alive interval: 10
selectors
name: 'KG-Main'
auto-negotiate: disable
mode: tunnel
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA
lifetime/rekey: 3600/2806
mtu: 8939
tx-esp-seq: 6
replay: enabled
qat: 0
inbound
spi: 9f02578f
enc: aes-gc 469ec9f9ab955145fcbf4861bd31a7008c41ab2178df03eb23cd1cd4658cbc4b50c1abf0
auth: null
outbound
spi: 8185487b
enc: aes-gc 25bac2347c208ddf5fe6b317bd8a670727bd041564cf0618951d3b31142d0f6c9f50b735
auth: null
Cisco Config
interface Tunnel98
nameif tunnel-int
ip address 169.254.0.249 255.255.255.252
tunnel source interface outside
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-prop-vpn
crypto ipsec ikev2 ipsec-proposal AES-256-GCM
protocol esp encryption aes-gcm-256
protocol esp integrity sha-512
crypto ipsec profile ipsec-prop-vpn
set ikev2 ipsec-proposal AES-256-GCM
set pfs group21
set security-association lifetime seconds 3600
crypto ikev2 policy 2
encryption aes-gcm-256
integrity null
group 21 24
prf sha512
lifetime seconds 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy KG-VPN-STATIC
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
IKEv2 SAs:
Session-id:71467, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
2858489959 1.1.1.1/4500 2.2.2.2/4500 READY INITIATOR
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/53 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x75d65f1e/0x9f0257a9
main# ping 169.254.0.249
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.0.249, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
main# ping 169.254.0.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.0.250, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
main#