The customer's local egress firewall is a FortiGate and the hub site uses an ASA firewall; this article describes how to build an IPsec VPN between these two devices.

Basic architecture:

Local subnet: 10.1.0.0/24; remote (peer) subnet: 10.2.0.0/24

FortiGate settings:

1 In the navigation bar choose VPN -> IPsec Tunnels and click Create New

2 Fill in the VPN name and type
– Name: as required
– Template type: Site to Site
– NAT configuration: as required. If the wan/outside interface addresses of both firewalls are public IPs, there is generally no NAT between the FortiGate and the ASA, so choose "No NAT between sites"; otherwise choose "local behind NAT" or "remote behind NAT" according to the actual situation.
– Remote device type: Cisco

3 Set the authentication parameters
Remote IP address: 202.1.1.2 (normally the peer's outside interface IP)
Outgoing interface: wan (the firewall's external interface)
Pre-shared key: 123456 (your own choice)

4 Set policy and routing
Enter the local and remote encryption domains, 10.1.0.0/24 and 10.2.0.0/24

5 Finally click Create to finish building the VPN. The FortiGate completes the corresponding settings automatically from the parameters entered above:
– creates the address objects
– creates the route
– creates the firewall policy

ASA configuration:

Before configuring the ASA, let's first check which encryption and integrity parameters the FortiGate actually uses.
Navigate to VPN -> IPsec Tunnel Template -> Site to Site – Cisco, where we can see:

Phase 1 Interface
Dead Peer Detection: on-demand
Proposal: des-sha1 des-md5
DH Group: 5
Phase 2 Interface
Perfect Forward Secrecy (PFS): enable
Source Address Type: name
Destination Address Type: name
Proposal: des-md5
DH Group: 5

The ASA configuration commands, matching those proposals, are therefore as follows (old-style commands):

crypto isakmp policy 70
authentication pre-share
encryption des
hash sha
group 5
crypto isakmp policy 80
authentication pre-share
encryption des
hash md5
group 5
access-list 1260 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside-acl extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 0.0.0.0
global (outside) 1 interface
crypto ipsec transform-set 1260 esp-des esp-md5-hmac
crypto map vpnmap 1260 match address 1260
crypto map vpnmap 1260 set pfs group5
crypto map vpnmap 1260 set peer 101.1.1.2
crypto map vpnmap 1260 set transform-set 1260
crypto map vpnmap interface outside
crypto isakmp enable outside
tunnel-group 101.1.1.2 type ipsec-l2l
tunnel-group 101.1.1.2 ipsec-attributes
pre-shared-key 123456
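
The most common reason a FortiGate-to-ASA tunnel never comes up is that the two sides do not agree on a phase 1 policy or a phase 2 transform. The following Python script is an added example, not code from the original post or from either vendor: it parses the ASA commands above, extracts the ISAKMP policies, the transform-set and the crypto map PFS group, and checks them against the FortiGate template values quoted above. The translation table between FortiOS proposal names and ASA keywords is an assumption made for this check. The template values used here (DES, MD5/SHA1, DH group 5) are the ones the post works with and are weak by current standards; the check works the same for stronger proposals once the keyword map covers them.

```python
import re

# FortiGate "Site to Site - Cisco" template values, as quoted in the post.
FGT_PHASE1 = {"proposals": ["des-sha1", "des-md5"], "dhgrp": 5}
FGT_PHASE2 = {"proposals": ["des-md5"], "pfs": True, "dhgrp": 5}

# Keyword translation FortiOS -> ASA. This mapping is an assumption made
# for the check, not something the post states.
HASH_TO_ASA = {"md5": "md5", "sha1": "sha", "sha256": "sha256"}
ESP_TO_ASA = {"des": "esp-des", "3des": "esp-3des", "aes128": "esp-aes",
              "md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}

# The crypto-related ASA commands from the post (old-style syntax).
ASA_CONFIG = """
crypto isakmp policy 70
authentication pre-share
encryption des
hash sha
group 5
crypto isakmp policy 80
authentication pre-share
encryption des
hash md5
group 5
crypto ipsec transform-set 1260 esp-des esp-md5-hmac
crypto map vpnmap 1260 match address 1260
crypto map vpnmap 1260 set pfs group5
crypto map vpnmap 1260 set peer 101.1.1.2
crypto map vpnmap 1260 set transform-set 1260
"""

# Sub-commands that belong to a "crypto isakmp policy" block.
POLICY_BODY = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_isakmp_policies(cfg):
    """Return {priority: {"encryption": str, "hash": str, "group": int, ...}}."""
    policies, current = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(POLICY_BODY):
            key, value = line.split(None, 1)
            current[key] = int(value) if key == "group" else value
        else:
            current = None  # any other command ends the policy block
    return policies


def parse_transform_sets(cfg):
    """Return {name: frozenset of ESP keywords} for every transform-set."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}


def parse_crypto_map_pfs(cfg):
    """Return {(map name, sequence): DH group} for entries that set PFS."""
    return {(m.group(1), int(m.group(2))): int(m.group(3))
            for m in re.finditer(r"^crypto map (\S+) (\d+) set pfs group(\d+)$", cfg, re.M)}


def phase1_matches(fgt=FGT_PHASE1, cfg=ASA_CONFIG):
    """(FortiGate proposal, ASA policy priority) pairs that agree on cipher,
    hash and DH group. An empty list means IKE phase 1 cannot complete."""
    matches = []
    policies = parse_isakmp_policies(cfg)
    for proposal in fgt["proposals"]:
        enc, integ = proposal.split("-")
        for prio, pol in sorted(policies.items()):
            if (pol.get("encryption") == enc
                    and pol.get("hash") == HASH_TO_ASA.get(integ)
                    and pol.get("group") == fgt["dhgrp"]):
                matches.append((proposal, prio))
    return matches


def phase2_matches(fgt=FGT_PHASE2, cfg=ASA_CONFIG):
    """(FortiGate proposal, transform-set name) pairs whose ESP cipher and
    integrity keywords are identical. PFS is checked separately."""
    matches = []
    tsets = parse_transform_sets(cfg)
    for proposal in fgt["proposals"]:
        enc, integ = proposal.split("-")
        wanted = frozenset((ESP_TO_ASA[enc], ESP_TO_ASA[integ]))
        matches += [(proposal, name) for name, kw in tsets.items() if kw == wanted]
    return matches


def pfs_ok(fgt=FGT_PHASE2, cfg=ASA_CONFIG):
    """Strict agreement: PFS enabled on both sides with the same DH group,
    or disabled on both sides."""
    groups = parse_crypto_map_pfs(cfg)
    if not fgt["pfs"]:
        return not groups
    return bool(groups) and all(g == fgt["dhgrp"] for g in groups.values())


if __name__ == "__main__":
    print("phase 1 matches:", phase1_matches())
    print("phase 2 matches:", phase2_matches(), "PFS ok:", pfs_ok())
```

Run against the post's configuration it reports des-sha1 matching policy 70, des-md5 matching policy 80, des-md5 matching transform-set 1260, and PFS agreeing on group 5; change one hash or the PFS group and the corresponding match disappears, which is exactly the situation to look for when `show crypto isakmp sa` never reaches MM_ACTIVE.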

Verification

FortiGate: navigate to Monitor -> IPsec Monitor

ASA:

show crypto isakmp sa
show crypto ipsec sa
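
What to look for in `show crypto isakmp sa` is the State column: MM_ACTIVE means IKEv1 main mode finished with the peer, while any MM_WAIT_* state means phase 1 is still incomplete. The script below is an added example, not from the original post: it parses that output and reports the phase 1 state for the expected peer (101.1.1.2 from the ASA configuration). The two outputs embedded in it are constructed samples written in the layout of ASA IKEv1 output, not captures from a real device.

```python
import re

# Constructed sample: the IKE SA with the FortiGate peer is established.
SA_UP = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 101.1.1.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample: main mode has not completed (still waiting on a message).
SA_STUCK = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 101.1.1.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""


def parse_isakmp_sa(output):
    """Return {peer: {"type": ..., "role": ..., "rekey": ..., "state": ...}}."""
    sas, peer = {}, None
    for line in output.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            sas[peer] = {}
            continue
        if peer:
            # Each attribute line carries one or two "Name : value" pairs.
            for key, value in re.findall(r"(\w+)\s*:\s*(\S+)", line):
                sas[peer][key.lower()] = value
    return sas


def tunnel_phase1_state(output, peer):
    """State string for the given peer, or None if no IKE SA exists to it."""
    return parse_isakmp_sa(output).get(peer, {}).get("state")


def tunnel_up(output, peer):
    """True only when the IKE SA to the peer is MM_ACTIVE."""
    return tunnel_phase1_state(output, peer) == "MM_ACTIVE"


if __name__ == "__main__":
    for label, out in (("up", SA_UP), ("stuck", SA_STUCK)):
        print(label, tunnel_phase1_state(out, "101.1.1.2"), tunnel_up(out, "101.1.1.2"))
```

When the peer is missing from the output entirely, the ASA has no IKE SA to it at all, which usually means no traffic matching the crypto ACL has been sent yet or the peer is unreachable; a peer stuck in MM_WAIT_* is the case to compare against the proposal check above.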