Microsoft ISA 2004 and FortiGate Antivirus Firewalls
This article describes how to build a preshared-key IPsec VPN between a FortiGate Antivirus Firewall running FortiOS v2.80 firmware and Microsoft ISA 2004.
Products
- FortiGate-3600 running FortiOS v2.80 b250
- Microsoft ISA 2004 on Windows 2000 Advanced Server
Network Diagram

Prerequisites
None
Configurations
FortiGate FG3600 configuration
config system interface
edit "internal"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https telnet
next
edit "external"
set ip 204.50.73.16 255.255.255.0
set allowaccess ping
next
end
config vpn ipsec phase1
edit "ISA"
set dhgrp 2
set dpd enable
set nattraversal enable
set proposal 3des-sha1
set psksecret 123456
set remotegw 204.50.73.17
next
end
config vpn ipsec phase2
edit "isa"
set dhgrp 2
set pfs enable
set phase1name ISA
set proposal 3des-sha1
set replay enable
next
end
config firewall address
edit "local-net"
set subnet 10.10.10.0 255.255.255.0
next
edit "remote-net"
set subnet 172.18.1.0 255.255.255.0
next
end
config firewall policy
edit 4
set srcintf "internal"
set dstintf "external"
set srcaddr "local-net"
set dstaddr "remote-net"
set action encrypt
set schedule "always"
set service "ANY"
set inbound enable
set outbound enable
set vpntunnel "isa"
next
end
Microsoft ISA 2004 configuration
Create two network objects: Internal for the ISA side and IPsec-Remote for the network on the FortiGate side.

Create a Network Rule for the traffic between the two networks instead of relying on the default NAT relationship.

Create the VPN site-to-site remote gateway object.




Create two Firewall rules to allow the IPsec traffic.

Verifying the results
Microsoft ISA 2004 IPsec summary
Local Tunnel Endpoint: 204.50.73.17
Remote Tunnel Endpoint: 204.50.73.16
To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.
IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (123456)
Security Association lifetime: 28800 seconds
IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 100000 seconds
Kbyte rekeying: OFF
Remote Network 'IPsec-Remote' IP Subnets:
Subnet: 10.10.10.0/255.255.255.0
Local Network 'Internal' IP Subnets:
Subnet: 172.18.1.0/255.255.255.0
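Most failed site-to-site tunnels come down to one parameter that differs between the two ends (proposal, DH group, PFS, pre-shared key, or the subnets not being mirrored). The script below is an added example, not part of the original article and not Fortinet or Microsoft code: it parses the FortiOS CLI syntax and the ISA IPsec summary shown above (both embedded here as constructed samples built from the page's values) and lists every parameter on which the two ends disagree. The function and entry names (`check_tunnel`, the `ISA`/`isa`/`local-net`/`remote-net` defaults) and the 16-character pre-shared-key threshold are my own choices.

```python
import re

# Constructed sample: the relevant parts of the FG3600 configuration from this
# article (page values, not output from a live device).
FORTIGATE_CONFIG = """\
config vpn ipsec phase1
edit "ISA"
set dhgrp 2
set proposal 3des-sha1
set psksecret 123456
set remotegw 204.50.73.17
next
end
config vpn ipsec phase2
edit "isa"
set dhgrp 2
set pfs enable
set phase1name ISA
set proposal 3des-sha1
next
end
config firewall address
edit "local-net"
set subnet 10.10.10.0 255.255.255.0
next
edit "remote-net"
set subnet 172.18.1.0 255.255.255.0
next
end
"""

# Constructed sample: the ISA 2004 IPsec summary from this article.
ISA_SUMMARY = """\
Local Tunnel Endpoint: 204.50.73.17
Remote Tunnel Endpoint: 204.50.73.16
IKE Phase I Parameters:
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (123456)
IKE Phase II Parameters:
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Remote Network 'IPsec-Remote' IP Subnets:
Subnet: 10.10.10.0/255.255.255.0
Local Network 'Internal' IP Subnets:
Subnet: 172.18.1.0/255.255.255.0
"""


def parse_fortigate(text):
    """Parse FortiOS CLI config/edit/set/next/end blocks into
    {section: {entry: {key: value}}}."""
    tree, section, entry = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            section = tree.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tree


def parse_isa_summary(text):
    """Parse the ISA summary into {section: {key: value}}; a line ending in ':'
    opens a new section, so repeated keys such as 'Encryption' do not collide."""
    cur = {}
    tree = {"General": cur}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):
            cur = tree.setdefault(line[:-1], {})
        else:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return tree


def dh_group(isa_value):
    """'Group 2 (1024 bit)' -> '2' (the form FortiOS 'set dhgrp' uses)."""
    m = re.match(r"Group (\d+)", isa_value)
    return m.group(1) if m else isa_value


def isa_subnet(isa, prefix):
    """Subnet listed under the first ISA section whose name starts with prefix."""
    return next(v["Subnet"] for k, v in isa.items() if k.startswith(prefix))


def check_tunnel(fg, isa, phase1="ISA", phase2="isa",
                 local_obj="local-net", remote_obj="remote-net"):
    """Return mismatch descriptions; an empty list means both ends agree.
    Subnets are mirrored: the FortiGate's local-net is ISA's remote network."""
    p1, p2 = fg["vpn ipsec phase1"][phase1], fg["vpn ipsec phase2"][phase2]
    addr = fg["firewall address"]
    gen, i1, i2 = (isa["General"], isa["IKE Phase I Parameters"],
                   isa["IKE Phase II Parameters"])
    psk_isa = re.search(r"\((.*)\)", i1["Authentication method"]).group(1)
    pairs = [
        ("phase1 peer address", p1["remotegw"], gen["Local Tunnel Endpoint"]),
        ("phase1 proposal", p1["proposal"].upper(),
         f"{i1['Encryption']}-{i1['Integrity']}"),
        ("phase1 DH group", p1["dhgrp"], dh_group(i1["Diffie-Hellman group"])),
        ("pre-shared key", p1["psksecret"], psk_isa),
        ("phase2 proposal", p2["proposal"].upper(),
         f"{i2['Encryption']}-{i2['Integrity']}"),
        ("PFS", "ON" if p2.get("pfs") == "enable" else "OFF",
         i2["Perfect Forward Secrecy"]),
        ("phase2 DH group", p2["dhgrp"], dh_group(i2["Diffie-Hellman group"])),
        ("local subnet", addr[local_obj]["subnet"].replace(" ", "/"),
         isa_subnet(isa, "Remote Network")),
        ("remote subnet", addr[remote_obj]["subnet"].replace(" ", "/"),
         isa_subnet(isa, "Local Network")),
    ]
    issues = [f"{what}: FortiGate={a!r} ISA={b!r}" for what, a, b in pairs if a != b]
    if len(p1["psksecret"]) < 16:  # threshold is this example's own choice
        issues.append("pre-shared key is shorter than 16 characters")
    return issues


if __name__ == "__main__":
    for issue in check_tunnel(parse_fortigate(FORTIGATE_CONFIG),
                              parse_isa_summary(ISA_SUMMARY)):
        print(issue)
```

Run against the page's own values the only finding is the short pre-shared key (the sample key `123456`); changing any single value on one side, for example `set dhgrp 5` on the FortiGate, produces a mismatch line naming the parameter.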
FortiGate 3600 tunnel status
FG3600 # diag vpn tunnel list
tunnel[5]:isa, gateway:204.50.73.17:500, hub=, option=6
eroute[2]:{[10.10.10.*]}->{[172.18.1.*]}
channel[2]:204.50.73.16,natt=0,state=2,keepalive=0,oif=4
sa[4]:mtu=1434, cur_bytes=516, timeout=1796
itdb[1]:mtu=1434, cur_bytes=192, cur_packets=3, spi=fe813c79, replay=1024
3DES=9b165446896f08e33f828be93362cc168335b243d4c8e2ef
iv=0000000000000000
SHA1_HMAC=1277492fd1925458680d1ed40c8d2824da6f9b97
otdb[1]:mtu=1434, cur_bytes=192, cur_packets=3, spi=3884c41, replay=1024
3DES=34334540fbd95ff6da1b670b968299e69f01c146ccdd80f8
iv=12569db05c33ef8f
SHA1_HMAC=4127afd584d7c064eb3607c4fb25e84af6ea4e59
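The `diag vpn tunnel list` output above is what an operator checks to confirm the tunnel is carrying traffic, and it also prints the live SA keys (`3DES=`, `iv=`, `SHA1_HMAC=`), which should not travel into tickets or chat. The script below is an added example, not part of the original article and not Fortinet code: it parses that listing (embedded here as a constructed sample copied from the page) into a structure, checks that the eroute selectors cover the subnets the policy was written for, flags an SA direction that is missing or has carried no packets, and redacts the key lines. The function names, the octet-aligned reading of the `10.10.10.*` wildcard, and the choice of which counters to treat as findings are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: the 'diag vpn tunnel list' output shown in this article.
DIAG_OUTPUT = """\
tunnel[5]:isa, gateway:204.50.73.17:500, hub=, option=6
eroute[2]:{[10.10.10.*]}->{[172.18.1.*]}
channel[2]:204.50.73.16,natt=0,state=2,keepalive=0,oif=4
sa[4]:mtu=1434, cur_bytes=516, timeout=1796
itdb[1]:mtu=1434, cur_bytes=192, cur_packets=3, spi=fe813c79, replay=1024
3DES=9b165446896f08e33f828be93362cc168335b243d4c8e2ef
iv=0000000000000000
SHA1_HMAC=1277492fd1925458680d1ed40c8d2824da6f9b97
otdb[1]:mtu=1434, cur_bytes=192, cur_packets=3, spi=3884c41, replay=1024
3DES=34334540fbd95ff6da1b670b968299e69f01c146ccdd80f8
iv=12569db05c33ef8f
SHA1_HMAC=4127afd584d7c064eb3607c4fb25e84af6ea4e59
"""

# Lines that carry live SA key material (cipher key, IV, HMAC key).
KEY_LINE = re.compile(r"^(3DES|SHA1_HMAC|iv)=[0-9a-f]+$", re.M)


def redact_keys(text):
    """Blank out SA keys so the listing can be shared without handing the
    session keys to whoever reads it."""
    return KEY_LINE.sub(lambda m: f"{m.group(1)}=<redacted>", text)


def kv_fields(s):
    """'mtu=1434, cur_bytes=192' -> {'mtu': '1434', 'cur_bytes': '192'}."""
    out = {}
    for part in re.split(r",\s*", s):
        k, _, v = part.partition("=")
        if k:
            out[k.strip()] = v.strip()
    return out


def parse_tunnel_list(text):
    """Parse one or more tunnel[..] records into dicts with name, gateway,
    eroute selector pairs, channel fields and the inbound/outbound SA fields."""
    tunnels, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"tunnel\[\d+\]:(\w+), gateway:([\d.]+:\d+)", line):
            cur = {"name": m.group(1), "gateway": m.group(2),
                   "eroutes": [], "sas": {}}
            tunnels.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"eroute\[\d+\]:\{\[(.+?)\]\}->\{\[(.+?)\]\}", line):
            cur["eroutes"].append((m.group(1), m.group(2)))
        elif m := re.match(r"channel\[\d+\]:([\d.]+),(.*)", line):
            cur["channel"] = {"local": m.group(1), **kv_fields(m.group(2))}
        elif m := re.match(r"(itdb|otdb)\[\d+\]:(.*)", line):
            cur["sas"][m.group(1)] = kv_fields(m.group(2))
    return tunnels


def wildcard_to_network(sel):
    """'10.10.10.*' -> 10.10.10.0/24. Assumes the eroute wildcard is
    octet-aligned, as it is in the listing above."""
    octets = [o for o in sel.split(".") if o != "*"]
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")


def selectors_match(tunnel, local_subnet, remote_subnet):
    """True if an eroute covers exactly the local->remote pair the firewall
    policy (local-net -> remote-net) was written for."""
    want = (ipaddress.ip_network(local_subnet), ipaddress.ip_network(remote_subnet))
    return any((wildcard_to_network(a), wildcard_to_network(b)) == want
               for a, b in tunnel["eroutes"])


def tunnel_findings(tunnel):
    """What a monitor would flag: a missing SA direction, or an SA that has
    carried no packets, means traffic is not actually crossing the tunnel."""
    findings = []
    for direction in ("itdb", "otdb"):
        sa = tunnel["sas"].get(direction)
        if sa is None:
            findings.append(f"{direction}: no security association")
        elif int(sa.get("cur_packets", 0)) == 0:
            findings.append(f"{direction}: SA present but no packets")
    return findings


if __name__ == "__main__":
    for t in parse_tunnel_list(DIAG_OUTPUT):
        print(t["name"], t["gateway"], "selectors ok:",
              selectors_match(t, "10.10.10.0/24", "172.18.1.0/24"),
              "findings:", tunnel_findings(t))
    print(redact_keys(DIAG_OUTPUT))
```

On the page's listing the selectors match the `local-net`/`remote-net` pair, both SAs show three packets, and the redacted copy keeps every counter and SPI while replacing the six key lines.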
Troubleshooting
- diag deb enable – enable debug output on the remote console
- diag deb app ike 2 – display IPsec IKE negotiation progress
- exec enter [vdom] – switch the current configuration VDOM to another
- exec ping – ping tool