Microsoft ISA 2004 and FortiGate Antivirus Firewalls

This article describes how to set up a preshared-key IPSec VPN between a FortiGate Antivirus Firewall running FortiOS v2.80 firmware and Microsoft ISA 2004.

Products

  • FortiGate-3600 running FortiOS v2.80 b250
  • Microsoft ISA 2004 on Windows 2000 Advanced Server

Network Diagram

Prerequisites

None

Configurations

FortiGate FG3600 configuration

config system interface
    edit "internal"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https telnet
    next
    edit "external"
        set ip 204.50.73.16 255.255.255.0
        set allowaccess ping
    next
end

config vpn ipsec phase1
    edit "ISA"
        set dhgrp 2
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1
        set psksecret 123456
        set remotegw 204.50.73.17
    next
end

config vpn ipsec phase2
    edit "isa"
        set dhgrp 2
        set pfs enable
        set phase1name ISA
        set proposal 3des-sha1
        set replay enable
    next
end

config firewall address
    edit "local-net"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "remote-net"
        set subnet 172.18.1.0 255.255.255.0
    next
end

config firewall policy
    edit 4
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "local-net"
        set dstaddr "remote-net"
        set action encrypt
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "isa"
    next
end

Microsoft ISA 2004 configuration

Create two network objects: Internal for the ISA side and IPsec-Remote for the network on the FortiGate side.


Create Network Rules that use NAT for the traffic between the two networks instead of the standard NAT.

Create the VPN site-to-site remote gateway object.

Create two Firewall rules to allow IPSec traffic.

Verifying the Results

Microsoft ISA 2004 IPSec summary

Local Tunnel Endpoint: 204.50.73.17
Remote Tunnel Endpoint: 204.50.73.16

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (123456)
Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 100000 seconds
Kbyte rekeying: OFF

Remote Network 'IPsec-Remote' IP Subnets:
Subnet: 10.10.10.0/255.255.255.0

Local Network 'Internal' IP Subnets:
Subnet: 172.18.1.0/255.255.255.0

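Before bringing the tunnel up it pays to confirm that the two peers actually agree on the IKE parameters, since a single proposal, DH group or PSK mismatch leaves phase 1 or phase 2 failing silently. The script below is an added example, not code from the original page or from either vendor; it parses the FortiGate phase1/phase2 CLI lines in the form shown above and compares them field by field with the ISA IPSec summary. Both inputs are constructed from the values on this page, and the assumed mismatch rules (matching encryption/integrity, DH group, PSK, PFS, and the FortiGate remotegw equal to the ISA local tunnel endpoint) are my own.

```python
# Constructed input: the FortiGate phase1/phase2 CLI lines shown on this page.
FORTIGATE_CLI = """config vpn ipsec phase1
set dhgrp 2
set proposal 3des-sha1
set psksecret 123456
set remotegw 204.50.73.17
end
config vpn ipsec phase2
set dhgrp 2
set pfs enable
set proposal 3des-sha1
end"""
# Constructed input: the fields of the ISA 2004 IPSec summary shown on this page.
ISA = {"Local Tunnel Endpoint": "204.50.73.17",
       "phase1": {"Encryption": "3DES", "Integrity": "SHA1",
                  "Diffie-Hellman group": "Group 2 (1024 bit)",
                  "Authentication method": "Pre-shared secret (123456)"},
       "phase2": {"Encryption": "3DES", "Integrity": "SHA1",
                  "Diffie-Hellman group": "Group 2 (1024 bit)",
                  "Perfect Forward Secrecy": "ON"}}

def parse_fortigate(cli):
    """Map each 'config ...' section name to its 'set key value' pairs."""
    sections, cur = {}, None
    for line in (raw.strip() for raw in cli.splitlines()):
        if line.startswith("config "):
            cur = sections.setdefault(line[7:], {})
        elif line.startswith("set ") and cur is not None:
            key, _, val = line[4:].partition(" ")
            cur[key] = val.strip('"')
    return sections

def mismatches(fg, isa):
    # Return a list of human-readable differences; empty means the peers agree.
    found = []
    for n in ("phase1", "phase2"):
        f, i = fg["vpn ipsec " + n], isa[n]
        enc, integ = f["proposal"].split("-")            # FortiGate form: "3des-sha1"
        if (i["Encryption"].lower(), i["Integrity"].lower()) != (enc, integ):
            found.append(f"{n} proposal: {f['proposal']} vs {i['Encryption']}-{i['Integrity']}")
        if i["Diffie-Hellman group"].split()[1] != f["dhgrp"]:   # "Group 2 (1024 bit)" -> "2"
            found.append(f"{n} DH group: {f['dhgrp']} vs {i['Diffie-Hellman group']}")
    p1, p2 = fg["vpn ipsec phase1"], fg["vpn ipsec phase2"]
    if p1["remotegw"] != isa["Local Tunnel Endpoint"]:
        found.append("phase1 remotegw must equal the ISA local tunnel endpoint")
    if isa["phase1"]["Authentication method"].split("(")[1].rstrip(")") != p1["psksecret"]:
        found.append("pre-shared key differs")
    if (p2.get("pfs") == "enable") != (isa["phase2"]["Perfect Forward Secrecy"] == "ON"):
        found.append("phase2 PFS setting differs")
    return found
```

Call mismatches(parse_fortigate(FORTIGATE_CLI), ISA); an empty list means the two sides agree on every checked field, and with the values from this page that is the result.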
FortiGate 3600 tunnel status

FG3600 # diag vpn tunnel list
tunnel[5]:isa, gateway:204.50.73.17:500, hub=, option=6
eroute[2]:{[10.10.10.*]}->{[172.18.1.*]}
channel[2]:204.50.73.16,natt=0,state=2,keepalive=0,oif=4
sa[4]:mtu=1434, cur_bytes=516, timeout=1796
itdb[1]:mtu=1434, cur_bytes=192, cur_packets=3, spi=fe813c79, replay=1024
3DES=9b165446896f08e33f828be93362cc168335b243d4c8e2ef
iv=0000000000000000
SHA1_HMAC=1277492fd1925458680d1ed40c8d2824da6f9b97
otdb[1]:mtu=1434, cur_bytes=192, cur_packets=3, spi=3884c41, replay=1024
3DES=34334540fbd95ff6da1b670b968299e69f01c146ccdd80f8
iv=12569db05c33ef8f
SHA1_HMAC=4127afd584d7c064eb3607c4fb25e84af6ea4e59

Troubleshooting

  • diag deb enable – enable debug output on the remote console
  • diag deb app ike 2 – display IPSec IKE negotiation progress
  • exec enter [vdom] – change the current configuration VDOM to another
  • exec ping – ping tool