Situation:
The FortiGate is deployed as a dial-up VPN server in the following configuration:
IKE (Phase I):
FGT61E (phase1-interface) # show
config vpn ipsec phase1-interface
edit "FGT-Cisco"
set type dynamic
set interface "wan1"
set local-gw <wan1 IP>
set mode aggressive
set peertype one
set proposal 3des-sha1
set dhgrp 5
set peerid "c1841"
set psksecret ENC <key>
next
end
IPSec (Phase II):
FGT61E (phase2-interface) # show
config vpn ipsec phase2-interface
edit "FGT-Cisco-IPSEC"
set phase1name "FGT-Cisco"
set proposal 3des-sha1
set pfs disable
set replay disable
set keylifeseconds 3600
next
end
FGT61 # get system interface
== [ FGT-Cisco ]
name: FGT-Cisco ip: 10.254.254.1 255.255.255.255 status: up netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable scan-botnet-connections: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable
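As an added check that is not part of the original post, the following Python script parses the FortiGate Phase 1 / Phase 2 blocks shown above (their values embedded as sample input, placeholders and interface names omitted) and flags the settings a reviewer would question: IKEv1 aggressive mode (used here so the dial-up peer can be identified by its peer ID), 3DES-SHA1, DH group 5, and PFS and anti-replay disabled. The parser and the `WEAK_CHECKS` table are this example's own, not a FortiOS tool.

```python
from typing import Callable, Dict, List
# The Phase 1 / Phase 2 settings shown on this page (psksecret, interface and peer names omitted).
FGT_CONFIG = """
config vpn ipsec phase1-interface
    edit "FGT-Cisco"
        set mode aggressive
        set proposal 3des-sha1
        set dhgrp 5
    next
end
config vpn ipsec phase2-interface
    edit "FGT-Cisco-IPSEC"
        set proposal 3des-sha1
        set pfs disable
        set replay disable
    next
end
"""

def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse flat FortiOS 'config / edit / set / next / end' blocks into {table: {entry: {key: value}}}.
    Nested sub-tables (such as 'config area' inside 'config router ospf') are not handled."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    table = entry = None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "config":
            table = " ".join(words[1:])
            tables.setdefault(table, {})
        elif words[0] == "edit" and table:
            entry = words[1].strip('"')
            tables[table][entry] = {}
        elif words[0] == "set" and table and entry:
            tables[table][entry][words[1]] = " ".join(words[2:]).strip('"')
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":
            table = None
    return tables

# Checks: IKEv1 aggressive mode sends a PSK-derived hash unencrypted (an offline-guessing target),
# DES/3DES and MD5 are legacy, DH groups below 14 are weak, 'pfs disable' drops forward secrecy
# for the Phase 2 SA and 'replay disable' turns off ESP anti-replay protection.
WEAK_CHECKS: Dict[str, Callable[[str], bool]] = {
    "mode": lambda v: v == "aggressive",
    "proposal": lambda v: any(p.split("-")[0] in ("des", "3des") or p.endswith("-md5") for p in v.split()),
    "dhgrp": lambda v: any(g.isdigit() and int(g) < 14 for g in v.split()),
    "pfs": lambda v: v == "disable",
    "replay": lambda v: v == "disable",
}

def audit(cfg: Dict[str, Dict[str, Dict[str, str]]]) -> List[str]:
    """Return sorted 'table/entry: key=value' findings for every weak setting present."""
    return sorted(f"{t}/{n}: {k}={s[k]}" for t, e in cfg.items() for n, s in e.items()
                  for k, f in WEAK_CHECKS.items() if k in s and f(s[k]))
```

Running `audit(parse_fortios(FGT_CONFIG))` on the page's values returns six findings; the same script returns none for a Phase 2 block using an AES/SHA-2 proposal with `pfs enable`, `replay enable` and `dhgrp 14`.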
The FortiGate must accept incoming VPN connections from a Cisco router located at a remote site behind NAT, whose outside interface has a dynamic IP address (DHCP).
What makes this setup special is that the FortiGate is configured as a dial-up VPN server, so it does not know the remote peer's IP address in advance, as it would in a regular site-to-site deployment.
In this mode the FortiGate assigns a /32 mask to the VPN interface, and we additionally want OSPFv2 to run over this route-based VPN tunnel so that we do not have to add static routes toward the remote site on both ends.
Cisco IOS does not allow a /32 mask to be configured directly on a tunnel interface, but this can be worked around with a loopback interface and IP unnumbered on the tunnel, bound to that loopback interface.
Solution:
The configuration on the Cisco side is as follows:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
!
crypto isakmp peer address <Fortigate WAN1 IP>
set aggressive-mode password <ключ>
set aggressive-mode client-endpoint fqdn c1841
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set ESP_3DES esp-3des esp-sha-hmac
!
crypto ipsec profile test
set transform-set ESP_3DES
interface Loopback1
ip address 10.254.254.2 255.255.255.255
!
interface Tunnel0
ip unnumbered Loopback1
ip mtu 1400
ip ospf network point-to-point
ip ospf mtu-ignore
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination <Fortigate WAN1 IP>
tunnel path-mtu-discovery
tunnel protection ipsec profile test
!
Dynamic routing on the FortiGate side:
FGT61 (ospf) # show
config router ospf
set router-id 192.168.202.99
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "FGT-Cisco-OSPF"
set interface "FGT-Cisco"
set dead-interval 40
set hello-interval 10
set mtu-ignore enable
set network-type point-to-point
next
edit "FGT-Internal"
set interface "internal"
set dead-interval 40
set hello-interval 10
next
end
config network
edit 1
set prefix 192.168.202.0 255.255.255.0
next
edit 2
set prefix 10.254.254.0 255.255.255.252
next
edit 3
set prefix 192.168.253.0 255.255.255.0
next
end
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
Dynamic routing on the Cisco side:
router ospf 1
router-id 172.16.1.1
network 10.254.254.0 0.0.0.3 area 0.0.0.0
network 172.16.1.0 0.0.0.255 area 0.0.0.0
!
Checking the OSPFv2 state on the FortiGate side:
FGT61E # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
172.16.1.1 1 Full/ - 00:00:36 10.254.254.2 FGT-Cisco_0
FGT61 # get router info routing-table ospf
O 172.16.1.0/24 [110/101] via 10.254.254.2, FGT-Cisco_0, 00:57:09
FGT61E # get router info ospf status
Routing Process "ospf 0" with ID 192.168.202.99
Process uptime is 7 days 15 hours 9 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 0
External LSA database is unlimited.
Number of LSA originated 1
Number of LSA received 303
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 3(4)
Number of fully adjacent neighbors in this area is 1
Area has no authentication
SPF algorithm last executed 00:59:05.510 ago
SPF algorithm executed 88 times
Number of LSA 2. Checksum 0x010d97
Checking the OSPFv2 state on the Cisco side:
c1841#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.1.254 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 10.254.254.1/32 [110/1000] via 10.254.254.1, 01:00:16, Tunnel0
O 192.168.202.0/24 [110/1001] via 10.254.254.1, 00:57:30, Tunnel0
O 192.168.253.0/24 [110/1100] via 10.254.254.1, 01:00:16, Tunnel0
c1841#sh ip ospf
Routing Process "ospf 1" with ID 172.16.1.1
Start time: 00:00:59.996, Time elapsed: 6w3d
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Supports NSSA (compatible with RFC 1587)
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0.0.0.0)
Number of interfaces in this area is 3 (1 loopback)
Area has no authentication
SPF algorithm last executed 01:02:07.372 ago
SPF algorithm executed 16 times
Area ranges are
Number of LSA 2. Checksum Sum 0x022898
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 1
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0