1. Fortinet FG IPsec 터널
1.1 인터페이스 IP 설정
IP 인터페이스 (외부 인터페이스의 allowaccess는 관리에 꼭 필요한 항목만 허용하고, 암호화되지 않는 http는 외부 인터페이스에서는 빼는 것이 안전하다)
config system interface
edit "<외부 인터페이스 name>" ex> "wan1"
set ip <공인IP> <subnet mask> ex> 1.1.1.1 255.255.255.0
set allowaccess ping https ssh http
next
edit "<내부 인터페이스 name>" ex> "lan1"
set ip <사설IP> <subnet mask> ex> 192.168.1.1 255.255.255.0
set allowaccess ping https ssh http
next
end
1.2 IKE Phase 1/2 설정
Phase 1 (IKE SA, phase1-interface)
- 그룹: 2
- 인증 방식: sha1
- 암호화 방식: aes-128
- lifetime: 28800
(위 값은 상대 장비의 Phase 1 설정과 동일해야 한다. 그룹 2/sha1은 호환용 레거시 값이므로 상대가 지원하면 더 강한 값을 선택하고, psksecret은 충분히 길고 무작위인 값을 사용한다.)
config vpn ipsec phase1-interface
edit "<VPN 터널 name>" ex> "vpn-external1"
set interface "<외부 인터페이스 name>" ex> "wan1"
set keylife 28800
set peertype any
set proposal aes128-sha1
set dhgrp 2
set remote-gw <peer 공인 IP>
set psksecret <key 값>
next
end
Phase 2 (IPsec SA, phase2-interface)
- 프로토콜: esp
- 인증 방식: sha1
- 암호화 방식: aes-128
- lifetime: 28800
(아래 예시는 pfs와 replay를 disable로 두고 있다. replay detection을 끄면 재전송 패킷 방어가 없어지고 pfs를 끄면 세션 키 독립성이 줄어들므로, 상대 장비와 호환 문제가 없으면 enable을 권장한다.)
config vpn ipsec phase2-interface
edit "<VPN 터널 name>" ex> "vpn-external1"
set phase1name "<VPN 터널 name>" ex> "vpn-external1"
set proposal aes128-sha1
set pfs disable
set replay disable
set keylifeseconds 28800
set src-subnet <내부 사설 IP>
set dst-subnet <상대방 사설 IP>
next
end
1.3 라우팅 설정
외부 라우팅
config router static
edit 0
set gateway <공인 gateway>
set device "<외부 인터페이스 name>" ex> "wan1"
next
end
내부 라우팅 (터널 생성 후)
config router static
edit 0
set dst 192.168.100.0 255.255.255.0
set device "<VPN 터널 name>" ex> "vpn-external1"
next
end
정책 설정 (ex> 192.168.100.0/24 <-> 10.20.0.0/24, any <-> any; service "ALL"은 예시이며 실제로는 필요한 서비스만 허용하도록 좁히는 것이 좋다)
config firewall address
edit "<상대방 사설IP name>" ex>"192.168.100.0/24"
set subnet 192.168.100.0 255.255.255.0
next
edit "<내부 사설IP name>" ex>"10.20.0.0/24"
set subnet 10.20.0.0 255.255.255.0
next
end
config firewall policy
edit 0
set srcintf "<VPN 터널 name>" ex> "vpn-external1"
set dstintf "<내부 인터페이스 name>" ex> "lan1"
set srcaddr "<상대방 사설IP 대역>" ex> "192.168.100.0/24"
set dstaddr "<내부 사설IP 대역>" ex>"10.20.0.0/24"
set action accept
set schedule "always"
set service "ALL"
next
edit 0
set srcintf "<내부 인터페이스 name>" ex> "lan1"
set dstintf "<VPN 터널 name>" ex> "vpn-external1"
set srcaddr "<내부 사설IP 대역>" ex>"10.20.0.0/24"
set dstaddr "<상대방 사설IP 대역>" ex> "192.168.100.0/24"
set action accept
set schedule "always"
set service "ALL"
next
end
1.4 Phase 1/2 터널 확인
Phase 1 (IKE SA) 확인 — 아래 출력의 key 값은 실제 SA 키 자료이므로 로그나 티켓에 붙여넣을 때는 마스킹한다
Fortinet_vpn # get vpn ike gateway
vd: root/0
name: vpn-external1
version: 1
interface: wan1 5
addr: <로컬 공인IP>:500 -> <상대방 공인IP>:500
created: 82s ago
IKE SA created: 1/1 established: 1/1 time: 0/0/0 ms
IPsec SA created: 1/1 established: 1/1 time: 0/0/0 ms
id/spi: 74 96afabb40e5f226b/5bdcb3e03a940caf
direction: initiator
status: established 82-82s ago = 0ms
proposal: aes-128-sha1
key: 86c774a5b2e6deb9-a54dbbccef6c8c54
lifetime/rekey: 28800/28417
DPD sent/recv: 00000000/00000000
Phase 2 (IPsec SA) 확인
Fortinet_vpn # get vpn ipsec tunnel details
gateway
name: 'vpn-external1'
type: route-based
local-gateway: <로컬 공인IP>:0 (static)
remote-gateway: <상대방 공인IP>:0 (static)
mode: ike-v1
interface: 'wan1' (5)
rx packets: 252 bytes: 30240 errors: 0
tx packets: 252 bytes: 15120 errors: 0
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'vpn-external1'
auto-negotiate: disable
mode: tunnel
src: 0:10.20.0.0/255.255.255.0:0
dst: 0:192.168.100.0/255.255.255.0:0
SA
lifetime/rekey: 28800/28402
mtu: 1438
tx-esp-seq: fd
replay: disabled
inbound
spi: c14a02a6
enc: aes-cbc d196d60e927236afd6a54bdabf9de0c9
auth: sha1 315284852a4b4a331a3b7d2c6baa8f8cc9b91442
outbound
spi: 31e9297d
enc: aes-cbc 72b17243e79a44583319efb28e3936f9
auth: sha1 4c4c858a74f2d16c2d7d77a4bf70e6f0b237bfd1