I previously wrote a post, "Sonicwall FortiGate 防火牆建立 Site to Site VPN" (setting up a Site-to-Site VPN between a SonicWall and a FortiGate firewall). At the time I often had to build Site-to-Site VPNs to FortiGate devices while my side was a SonicWall, and the results were hit and miss, so I eventually took the time to write up the configuration on both brands for later reference. While testing and collecting that information I found that even slightly different FortiGate firmware versions needed different setup steps, which was quite annoying, so I recorded both methods that worked, "Tunnel" and "Interface", so that the next time a firmware update changed things I could try the other one.
Today I again had to set up a Site-to-Site VPN with a FortiGate, this time a FortiGate 80E running firmware 5.6.4. As soon as I heard it was a newly bought firewall I thought "this won't go well", and sure enough, when I connected to it the options had changed again, and this time even the interface looked quite different. When I started configuring the VPN I found there no longer seemed to be a distinction between "Tunnel" and "Interface". I first tried the old "Tunnel" method, but the VPN did not come up. I then tried the "Interface" method and got a strange result: the Site-to-Site VPN was established on both sides and the SonicWall side could ping the FortiGate side's subnet, but the other direction timed out. I checked the policy order and the routing settings and found nothing wrong, tried again, and got the same result. It was quite a headache.
Later I went looking at the official documentation, but for firmware 5.6 it currently seems to provide only wizard-mode instructions for Site-to-Site VPNs between FortiGate products. However, I noticed that the last step of the wizard shows a summary of how many objects it changed in each category, and one called "Blackhole Route" caught my eye, because when setting up a Site-to-Site VPN I had only ever configured a "static route"; this was the first time I had seen "Blackhole Route". So I went to "Static Routes", and sure enough the Interface drop-down has a "Blackhole" option. I tried adding a route pointed at the "Blackhole" interface, and after that the SonicWall, which had been able to ping the FortiGate subnet, could no longer ping it either. I then disabled the route I had just added, and something magical happened: the SonicWall and FortiGate subnets could ping each other in both directions. But after I tore down the VPN and reconnected it, the FortiGate once again could not ping the SonicWall subnet, while the SonicWall could still ping the FortiGate subnet.
I repeated the same procedure, enabling and then disabling the "Blackhole" route, and the two subnets could reach each other again. After several tests with the same result, I started looking into the settings of this "Blackhole" route. Among the route parameters, "Priority" and "Distance" both affect ordering. What I eventually found is that as long as the "Blackhole" route's "Priority" value is lower than the VPN route's "Priority", and its "Distance" value is higher than the VPN route's "Distance", both subnets can communicate normally, and they can still ping each other even after the VPN connection is restarted.
I later looked up the official information on "Blackhole" and only found that older firmware could configure this "Blackhole" route via the CLI, but I still do not understand why my setup fixes the problem of the FortiGate subnet being unable to ping the SonicWall subnet. For now I am sharing the configuration that worked; I will update this post if I learn more, and if any of you know why, please leave a comment below. Thanks.
| Sonicwall NSA 4600 | FortiGate 80E |
|---|---|
| Firmware: 6.2.7.1 | Firmware: 5.6.4 |
| LAN: 192.168.1.0/24, 192.168.2.0/24 | LAN: 192.168.100.0/24 |
| WAN: 203.1.2.3 | WAN: 203.4.5.6 |
【SonicWall settings】
1. Create the address object
「Network」->「Address Objects」
Name: FortiGate_network
Zone Assignment: VPN
Type: Network
Network: 192.168.100.0
Netmask: 255.255.255.0
OK
2. Configure the VPN tunnel
「VPN」
Enable VPN
–General tab
IPSec Keying Mode: IKE using Preshared Secret
Name: FortiGate_network
IPSec Primary Gateway Name or Address: 203.4.5.6
Shared Secret: set a shared secret
Local IKE ID: IP Address (leave blank)
Peer IKE ID: IP Address (leave blank)
–Network tab
Local Networks: LAN Primary Subnet (192.168.1.0/24, 192.168.2.0/24)
Destination Networks: FortiGate_network (192.168.100.0/24)
–Proposals tab
IKE (Phase 1) Proposal
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800
IPsec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
DH Group: Group 2
Life Time: 28800
–Advanced tab
Enable Keep Alive
OK
【FortiGate settings】
1. Configure the VPN
「VPN」->「IPsec Tunnels」
「Create New」
Name: SonicWall
Template Type: Custom
–Network
Remote Gateway: Static IP Address
IP Address: 203.1.2.3
Mode: Main
Authentication Method: Pre-shared Key
Pre-shared Key: the same secret set on the SonicWall above
–Phase 1 Proposal
Encryption: 3DES
Authentication: SHA1
Diffie-Hellman Group: 2
Key Lifetime: 28800 seconds
–Phase 2 Selectors
First subnet (192.168.1.0/24)
Name: SonicWall-192.168.1.0
Local Address: 192.168.100.0/24
Remote Address: 192.168.1.0/24
Second subnet (192.168.2.0/24)
Name: SonicWall-192.168.2.0
Local Address: 192.168.100.0/24
Remote Address: 192.168.2.0/24
–Advanced (Phase 2 Proposal, set on each selector)
Encryption: 3DES
Authentication: SHA1
Leave "Enable Perfect Forward Secrecy (PFS)" unchecked
Key Lifetime: 28800 seconds
2. Create the routes
Route for 192.168.1.0/24
「Network」->「Static Routes」
Create New
Destination: 192.168.1.0/24
Interface: SonicWall
Administrative Distance: 10
-Advanced Options
Priority: 3 (must be greater than the Blackhole route's default of 0)
OK
Route for 192.168.2.0/24
「Network」->「Static Routes」
Create New
Destination: 192.168.2.0/24
Interface: SonicWall
Administrative Distance: 10
-Advanced Options
Priority: 3 (must be greater than the Blackhole route's default of 0)
OK
Blackhole route for 192.168.1.0/24
「Network」->「Static Routes」
Create New
Destination: 192.168.1.0/24
Interface: Blackhole
Administrative Distance: 12 (must be greater than the normal route's default of 10)
OK
Blackhole route for 192.168.2.0/24
「Network」->「Static Routes」
Create New
Destination: 192.168.2.0/24
Interface: Blackhole
Administrative Distance: 12 (must be greater than the normal route's default of 10)
OK
3. Create the firewall policies
「Policy & Objects」->「IPv4 Policy」
Create New
Name: Forti2Sonicwall
Incoming Interface: Port 1 (the port where 192.168.100.0/24 lives)
Outgoing Interface: SonicWall
Source: FortiGate_network
Destination: SonicWall_network
Schedule: always
Service: ALL
Action: ACCEPT
OK
Create New
Name: Sonicwall2Forti
Incoming Interface: SonicWall
Outgoing Interface: Port 1 (the port where 192.168.100.0/24 lives)
Source: SonicWall_network
Destination: FortiGate_network
Schedule: always
Service: ALL
Action: ACCEPT
OK
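The same FortiGate configuration rendered as FortiOS 5.6 CLI, as an added example rather than the post's own settings (the post shows only the GUI steps; the older-firmware CLI it mentions for blackhole routes is the same `set blackhole enable` used here). Assumptions: the Internet-facing port is `wan1`, the pre-shared key is a placeholder, and the address objects `FortiGate_network` and `SonicWall_network` (which the post references in its policies without showing how they were created) are defined here, with `SonicWall_network` as an address group covering both remote subnets. The proposals mirror the post (3DES, SHA1, DH group 2, PFS off) because that is what interoperated; where both ends support it, AES with a larger DH group and PFS enabled is the stronger choice. Two facts about FortiOS route selection are worth keeping in mind when reading the route block: only the lowest-distance route for a prefix is installed in the routing table, and priority is compared only among routes with equal distance (lower value preferred). So the distance-12 blackhole routes stay inactive while the distance-10 tunnel routes exist and take over when the tunnel interface goes down; the documented purpose of the blackhole route the wizard creates is to drop traffic for the remote subnet at that point instead of letting it follow the default route out to the Internet.

```fortios
# Added example, not the post's own config: FortiOS 5.6 CLI form of the GUI steps.
# Assumed: "wan1" is the WAN port, the PSK is a placeholder, address objects are defined here.
config firewall address
    edit "FortiGate_network"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "SonicWall_net1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "SonicWall_net2"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "SonicWall_network"
        set member "SonicWall_net1" "SonicWall_net2"
    next
end
# Phase 1 (route-based tunnel, main mode, PSK) to the SonicWall's WAN address
config vpn ipsec phase1-interface
    edit "SonicWall"
        set interface "wan1"
        set mode main
        set remote-gw 203.1.2.3
        set psksecret "REPLACE_WITH_SHARED_SECRET"
        set proposal 3des-sha1
        set dhgrp 2
        set keylife 28800
    next
end
# Phase 2: one selector per remote subnet, proposal as on the SonicWall, PFS off
config vpn ipsec phase2-interface
    edit "SonicWall-192.168.1.0"
        set phase1name "SonicWall"
        set proposal 3des-sha1
        set pfs disable
        set keylifeseconds 28800
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
    edit "SonicWall-192.168.2.0"
        set phase1name "SonicWall"
        set proposal 3des-sha1
        set pfs disable
        set keylifeseconds 28800
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
# Tunnel routes: distance 10, priority 3. Blackhole routes: distance 12, priority left at default 0.
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "SonicWall"
        set distance 10
        set priority 3
    next
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "SonicWall"
        set distance 10
        set priority 3
    next
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set blackhole enable
        set distance 12
    next
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set blackhole enable
        set distance 12
    next
end
# Policies in both directions; NAT is left disabled (the default) so the LAN
# addresses still match the phase 2 selectors.
config firewall policy
    edit 0
        set name "Forti2Sonicwall"
        set srcintf "port1"
        set dstintf "SonicWall"
        set srcaddr "FortiGate_network"
        set dstaddr "SonicWall_network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Sonicwall2Forti"
        set srcintf "SonicWall"
        set dstintf "port1"
        set srcaddr "SonicWall_network"
        set dstaddr "FortiGate_network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To check the result after applying it: `get router info routing-table all` should list 192.168.1.0/24 and 192.168.2.0/24 via the SonicWall tunnel interface only, while `get router info routing-table database` also shows the inactive blackhole entries that become active (and drop the traffic) once the tunnel interface goes down. `diagnose vpn tunnel list` shows each phase 2 selector and whether it is up. When pinging from the FortiGate itself, set `execute ping-options source` to the port1 LAN address first, otherwise the ping is sourced from the WAN address, which no phase 2 selector covers. Leave NAT disabled on both policies; with NAT enabled, the translated source address no longer matches the phase 2 selector.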
【Reference links】
- 老森常譚 » SonicWall FortiGate firewall Site-to-Site VPN setup
- 03 Firewall Fortigate, Fortinet: Firewall Policies – YouTube
- Site-to-site IPsec VPN with overlapping subnets – Fortinet Cookbook