I am trying to connect to an IPsec VPN from my home Linux computer to my company's Fortigate.
It seems to connect successfully, but I cannot ping, RDP or SSH.
The Fortigate configuration looks like this:
I have a PSK and an authorization secret configured.
My ipsec.conf is below:
conn FGT
type=tunnel
dpdaction=restart
left=%defaultroute
leftsourceip=%config
leftauth=psk
#leftsubnet=%dynamic
leftsubnet=0.0.0.0/0
leftauth2=xauth
xauth_identity="MYUSER"
right=OMITTED
rightsubnet=172.16.0.0/16
rightid=%any
rightauth=psk
auto=route
keyexchange=ikev1
aggressive=yes
esp=aes256-sha256-modp2048
ike=aes256-sha256-modp2048
conn FGT2
also=FGT
rightsubnet=10.0.0.0/8
sysctl.conf is:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
The connection is successful:
initiating Aggressive Mode IKE_SA FGT[1] to OMIT.OMIT.OMIT.OMIT
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.3.5[500] to OMIT.OMIT.OMIT.OMIT[500] (548 bytes)
received packet: from OMIT.OMIT.OMIT.OMIT[500] to 192.168.3.5[500] (600 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.3.5[4500] to OMIT.OMIT.OMIT.OMIT[4500] (140 bytes)
received packet: from OMIT.OMIT.OMIT.OMIT[4500] to 192.168.3.5[4500] (92 bytes)
parsed TRANSACTION request 1173856381 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 1173856381 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.3.5[4500] to OMIT.OMIT.OMIT.OMIT[4500] (108 bytes)
received packet: from OMIT.OMIT.OMIT.OMIT[4500] to 192.168.3.5[4500] (92 bytes)
parsed TRANSACTION request 978186815 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'MYUSER' (myself) successful
IKE_SA FGT[1] established between 192.168.3.5[192.168.3.5]...OMIT.OMIT.OMIT.OMIT[OMIT.OMIT.OMIT.OMIT]
scheduling reauthentication in 10030s
maximum IKE_SA lifetime 10570s
generating TRANSACTION response 978186815 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.3.5[4500] to OMIT.OMIT.OMIT.OMIT[4500] (92 bytes)
generating TRANSACTION request 3819375208 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.3.5[4500] to OMIT.OMIT.OMIT.OMIT[4500] (92 bytes)
received packet: from OMIT.OMIT.OMIT.OMIT[4500] to 192.168.3.5[4500] (108 bytes)
parsed TRANSACTION response 3819375208 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.0.4.253 via resolvconf
installing DNS server 10.0.4.252 via resolvconf
installing new virtual IP 10.215.120.17
generating QUICK_MODE request 4129146465 [ HASH SA No KE ID ID ]
sending packet: from 192.168.3.5[4500] to OMIT.OMIT.OMIT.OMIT[4500] (460 bytes)
received packet: from OMIT.OMIT.OMIT.OMIT[4500] to 192.168.3.5[4500] (444 bytes)
parsed QUICK_MODE response 4129146465 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
CHILD_SA FGT{3} established with SPIs c0daac87_i 93a7be7c_o and TS 0.0.0.0/0 === 172.16.0.0/16
connection 'FGT' established successfully
Current status:
ipsec status
Routed Connections:
FGT2{2}: ROUTED, TUNNEL, reqid 2
FGT2{2}: 0.0.0.0/0 === 10.0.0.0/8
FGT{1}: ROUTED, TUNNEL, reqid 1
FGT{1}: 0.0.0.0/0 === 172.16.0.0/16
Security Associations (1 up, 0 connecting):
FGT[1]: ESTABLISHED 3 minutes ago, 192.168.3.5[192.168.3.5]...OMIT.OMIT.OMIT.OMIT[OMIT.OMIT.OMIT.OMIT]
FGT{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0daac87_i 93a7be7c_o
FGT{3}: 0.0.0.0/0 === 172.16.0.0/16
FGT2{4}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c711708f_i 93a7be7d_o
FGT2{4}: 0.0.0.0/0 === 10.0.0.0/8
Tiago Sayão
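As an added diagnostic (not part of the question and not strongSwan's own tooling), the script below parses the ipsec status output shown above and reports which CHILD_SA traffic selectors cover a given source/destination pair and whether that SA is only ROUTED (a trap policy) or actually INSTALLED. It assumes Python 3, the virtual IP 10.215.120.17 as the source, and the DNS server 10.0.4.253 from the log as a sample destination; the status text is embedded as a constructed copy of the output above.

```python
import ipaddress
import re

# Constructed sample: the `ipsec status` output from the question above.
STATUS = """\
Routed Connections:
       FGT2{2}:  ROUTED, TUNNEL, reqid 2
       FGT2{2}:   0.0.0.0/0 === 10.0.0.0/8
        FGT{1}:  ROUTED, TUNNEL, reqid 1
        FGT{1}:   0.0.0.0/0 === 172.16.0.0/16
Security Associations (1 up, 0 connecting):
        FGT[1]: ESTABLISHED 3 minutes ago, 192.168.3.5[192.168.3.5]...OMIT.OMIT.OMIT.OMIT[OMIT.OMIT.OMIT.OMIT]
        FGT{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0daac87_i 93a7be7c_o
        FGT{3}:   0.0.0.0/0 === 172.16.0.0/16
       FGT2{4}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c711708f_i 93a7be7d_o
       FGT2{4}:   0.0.0.0/0 === 10.0.0.0/8
"""

# "CONN{id}:  ROUTED|INSTALLED, ..." lines; the IKE_SA line uses [id] and is skipped.
STATE_RE = re.compile(r'^\s*(\S+)\{(\d+)\}:\s+(ROUTED|INSTALLED)\b')
# "CONN{id}:   local_ts === remote_ts" traffic-selector lines.
TS_RE = re.compile(r'^\s*(\S+)\{(\d+)\}:\s+(\S+) === (\S+)')


def parse_child_sas(text):
    """Return {(conn, id): {'state': str, 'local': [networks], 'remote': [networks]}}."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            sas[(m.group(1), int(m.group(2)))] = {'state': m.group(3), 'local': [], 'remote': []}
            continue
        m = TS_RE.match(line)
        if m and (m.group(1), int(m.group(2))) in sas:
            sa = sas[(m.group(1), int(m.group(2)))]
            sa['local'].append(ipaddress.ip_network(m.group(3)))
            sa['remote'].append(ipaddress.ip_network(m.group(4)))
    return sas


def covering_sas(sas, src, dst):
    """CHILD_SAs whose selectors cover src -> dst, as (conn, id, state) tuples."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [(conn, sid, sa['state']) for (conn, sid), sa in sas.items()
            if any(src in n for n in sa['local']) and any(dst in n for n in sa['remote'])]


if __name__ == '__main__':
    # Virtual IP assigned in the log -> DNS server pushed by the Fortigate.
    for hit in covering_sas(parse_child_sas(STATUS), '10.215.120.17', '10.0.4.253'):
        print('%s{%d}: %s' % hit)
```

If the destination is covered by an INSTALLED SA here, the policy side is fine and the next thing to inspect is kernel state (ip xfrm policy / ip xfrm state) and the Fortigate side rather than ipsec.conf selectors.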