To support packet duplication on dial-up IPsec tunnels between sites, each spoke must be configured with a location ID. On the hub, packet duplication is performed across the tunnels in the IPsec aggregate that share the same location ID.
Multiple dial-up VPN tunnels from the same location can be aggregated at the VPN hub and load balanced according to the configured load balancing algorithm.
IPsec traffic cannot be offloaded to the NPU.
Example
In this example, an IPsec aggregate is created over two dial-up IPsec tunnels to support packet duplication.
To configure the FortiGate client (FGT-A):
1. Configure the IPsec tunnels:
config vpn ipsec phase1-interface
    edit "client1"
        set interface "port1"
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.200.4
        set psksecret **********
    next
    edit "client2"
        set interface "wan1"
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 173.1.1.1
        set psksecret **********
    next
end
2. Configure an aggregate of the IPsec tunnels:
config system ipsec-aggregate
    edit "agg1"
        set member "client1" "client2"
    next
end
3. Configure the location ID:
config system settings
    set location-id 1.1.1.1
end
To configure the FortiGate server (FGT-B):
1. Configure the IPsec tunnels:
config vpn ipsec phase1-interface
    edit "server1"
        set type dynamic
        set interface "mgmt1"
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set psksecret ***********
        set dpd-retryinterval 60
    next
    edit "server2"
        set type dynamic
        set interface "port27"
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set psksecret **********
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "server1"
        set phase1name "server1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
    edit "server2"
        set phase1name "server2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
2. Configure an aggregate of the IPsec tunnels:
config system ipsec-aggregate
    edit "server"
        set member "server1" "server2"
    next
end
3. Configure a firewall policy:
config firewall policy
    edit 1
        set srcintf "server"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
To check the IPsec tunnel and aggregate status:
1. List all VPN tunnels:
FGDocs # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=server1 ver=1 serial=1 172.16.200.4:500->0.0.0.0:500 tun_id=1.0.0.0
dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dialup/2 encap=none/4616
options[1208]=npu frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=2 refcnt=4 ilast=14210 olast=14210 ad=/0
stat: rxp=798921 txp=819074 rxb=121435992 txb=68802216
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
name=server2 ver=1 serial=2 173.1.1.1:500->0.0.0.0:500 tun_id=2.0.0.0
dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dialup/2 encap=none/4616
options[1208]=npu frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=1 refcnt=3 ilast=14177 olast=14177 ad=/0
stat: rxp=836484 txp=819111 rxb=137429352 txb=80046050
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
name=server1_0 ver=1 serial=8 172.16.200.4:500->172.16.200.1:500
tun_id=172.16.200.1 dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744
options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1
overlay_id=0
parent=server1 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=45 olast=45 ad=/0
stat: rxp=17176 txp=17176 rxb=2610752 txb=1442784
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=server1 proto=0 sa=1 ref=2 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.1.100.0-10.1.100.255:0
SA: ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=42342/0B replaywin=2048
seqno=4319 esn=0 replaywin_lastseq=00004319 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43186/43200
dec: spi=0aef2a07 esp=aes key=16 12738c8a1db02c23bfed73eb3615a5a1
ah=sha1 key=20 0f3edd28e3165d184292b4cd397a6edeef9d20dc
enc: spi=2cb75665 esp=aes key=16 982b418e40f0bb18b89916d8c92270c0
ah=sha1 key=20 08cbf9bf78a968af5cd7647dfa2a0db066389929
dec:pkts/bytes=17176/1442784, enc:pkts/bytes=17176/2610752
npu_flag=00 npu_rgwy=172.16.200.1 npu_lgwy=172.16.200.4 npu_selid=6
dec_npuid=0 enc_npuid=0
name=server1_1 ver=1 serial=a 172.16.200.4:500->172.16.200.3:500
tun_id=172.16.200.3
dst_mtu=0 dpd-link=on remote_location=2.2.2.2 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744
options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1
overlay_id=0
parent=server1 index=1
proxyid_num=1 child_num=0 refcnt=5 ilast=27 olast=27 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=server1 proto=0 sa=1 ref=2 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=2a6 type=00 soft=0 mtu=1280 expire=43167/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=0aef2a0a esp=aes key=16 4b7a17ba9d239e4ae5fe95ec100fca8b
ah=sha1 key=20 7d3e058088f21e0c4f1c13c297293f06c8b592e7
enc: spi=7e961809 esp=aes key=16 ecd1aa8657c5a509662aed45002d3990
ah=sha1 key=20 d159e06c1cf0ded18a4e4ac86cbe5aa0315c21c9
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=172.16.200.3 npu_lgwy=172.16.200.4 npu_selid=9
dec_npuid=0 enc_npuid=0
name=server2_0 ver=1 serial=7 173.1.1.1:500->11.101.1.1:500 tun_id=11.101.1.1
dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744
options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1
overlay_id=0
parent=server2 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=45 olast=45 ad=/0
stat: rxp=16001 txp=17179 rxb=2113664 txb=1594824
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=server2 proto=0 sa=1 ref=2 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.1.100.0-10.1.100.255:0
SA: ref=6 options=2a6 type=00 soft=0 mtu=1438 expire=42342/0B replaywin=2048
seqno=431a esn=0 replaywin_lastseq=00003e80 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43185/43200
dec: spi=0aef2a08 esp=aes key=16 394d4e444e90ccb5184e744d49aabe3c
ah=sha1 key=20 faabea35c2b9b847461cbd263c4856cfb679f342
enc: spi=2cb75666 esp=aes key=16 0b3a2fbac4d5610670843fa1925d1207
ah=sha1 key=20 97e99beff3d8f61a8638f6ef887006a9c323acd4
dec:pkts/bytes=16001/2113596, enc:pkts/bytes=17179/2762792
npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=7 dec_npuid=1
enc_npuid=1
2. List the IPsec aggregate members:
# diagnose sys ipsec-aggregate list
server
members(3):
server1_1
server1_0
server2_0
3. In the GUI, go to Dashboard > Network and expand the IPsec widget to review the traffic distributed across the aggregate members:
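The two diagnostic outputs above are what an operator reads by hand to confirm that the hub will duplicate packets for a spoke. The following script is an added example, not part of the Fortinet page or FortiOS: it parses a constructed, trimmed copy of the hub's `diagnose vpn tunnel list` output, keeps only the dial-up instances listed by `diagnose sys ipsec-aggregate list`, and groups them by the `remote_location` field so you can see which aggregate members share a location ID (and therefore get duplicated packets) and which spokes never set one. It assumes that `remote_location=0.0.0.0` on a dial-up instance means the spoke has no location-id configured, as it does on the parent dial-up tunnels in the output above.

```python
import re
from collections import defaultdict
# Constructed sample: a trimmed copy of the hub's `diagnose vpn tunnel list`
# output above, keeping only the fields this check reads.
SAMPLE_OUTPUT = """\
name=server1 ver=1 serial=1 172.16.200.4:500->0.0.0.0:500 tun_id=1.0.0.0
dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dialup/2 encap=none/4616
name=server1_0 ver=1 serial=8 172.16.200.4:500->172.16.200.1:500
tun_id=172.16.200.1 dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744
name=server1_1 ver=1 serial=a 172.16.200.4:500->172.16.200.3:500
dst_mtu=0 dpd-link=on remote_location=2.2.2.2 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744
name=server2_0 ver=1 serial=7 173.1.1.1:500->11.101.1.1:500 tun_id=11.101.1.1
dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744
"""

def parse_tunnels(text):
    """Return one dict of key=value fields per tunnel; a 'name=' line opens a record."""
    tunnels = []
    for line in text.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if "name" in fields:
            tunnels.append({})
        if tunnels:
            tunnels[-1].update(fields)
    return tunnels

def duplication_groups(tunnels, aggregate_members):
    """Group the aggregate's dial-up instances by the spoke's location ID.
    Returns (groups, unlocated): groups maps location ID -> members the hub
    duplicates packets across; unlocated lists members reporting
    remote_location=0.0.0.0 (assumed: spoke has no location-id set)."""
    groups, unlocated = defaultdict(list), []
    for t in tunnels:
        # Parent dial-up tunnels (mode=dialup) carry no traffic; only instances count.
        if t.get("name") not in aggregate_members or not t.get("mode", "").startswith("dial_inst"):
            continue
        loc = t.get("remote_location", "0.0.0.0")
        (unlocated if loc == "0.0.0.0" else groups[loc]).append(t["name"])
    return dict(groups), unlocated

if __name__ == "__main__":
    members = {"server1_1", "server1_0", "server2_0"}  # from `diagnose sys ipsec-aggregate list`
    groups, unlocated = duplication_groups(parse_tunnels(SAMPLE_OUTPUT), members)
    for loc, names in groups.items():
        print(f"location {loc}: packets duplicated across {', '.join(names)}")
    print("members without a location ID:", unlocated or "none")
```

For the sample above this reports that server1_0 and server2_0 (location 1.1.1.1) form a duplication pair while server1_1 (location 2.2.2.2) stands alone, which matches the per-instance `remote_location` values in the full output.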