
Fortigate の IPsec + NAT について②

Fortigate は基本的に送信元 NAT は Pool を使用し、宛先 NAT は VIP を使用しますが、送信元 NAT に VIP(1対1の変換)を適用する事も可能です。
なお、VIP の設定が送信元 NAT に利用されるには Inbound Policy(トンネル側から LAN 側へ向けて、VIP を dstaddr に指定したポリシー)が必要です。本例の Inbound Policy(ポリシー 2)は srcaddr "all"・service "ALL" の accept で作成していますが、外部から内部への通信を許可する必要がなければ、下記引用のとおり action を deny にしても VIP は有効になります。
Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping from internal to external IP addresses
Important note: even if no connection needs to be initiated from external to internal, the firewall policy number 2 is required in order to activate the VIP range. Otherwise the IP address of the physical interface is used for NAT. In this example it is set as a "DENY" firewall policy for security purposes.

以下、検証環境と設定例になります。
 
f:id:FriendsNow:20160307221800p:plain

FG01の設定

LAN の設定(FG01)
FG01 (port3) # show
config system interface
    edit "port3"
        set vdom "root"
        set ip 172.16.1.254 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 3
        set macaddr 00:0c:29:87:90:99
    next
end
WAN の設定(FG01)
FG01 (port2) # show
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 2
        set macaddr 00:0c:29:87:90:8f
    next
end
IPsec P1の設定(FG01)
FG01 (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "Site-to-Site"
        set interface "port2"
        set remote-gw 10.1.1.2
        set psksecret ENC
    next
end
IPsec P2の設定(FG01)
FG01 (phase2-interface) # show
config vpn ipsec phase2-interface
    edit "Site-to-Site"
        set phase1name "Site-to-Site"
    next
end
スタティックルートの設定(FG01)
FG01 (static) # show
config router static
    edit 1
        set dst 10.1.1.102 255.255.255.255
        set device "Site-to-Site"
    next
    edit 2
        set dst 10.1.1.202 255.255.255.255
        set device "Site-to-Site"
    next
end
VIP(宛先 NAT)の設定(FG01)
FG01 (vip) # show
config firewall vip
    edit "FG01-to-FG02_VIP01"
        set uuid 9c446d74-e3e0-51e5-23f6-655d05b2a6a7
        set extip 10.16.2.100
        set extintf "port3"
        set mappedip "10.1.1.102"
    next
    edit "FG01-to-FG02_VIP02"
        set uuid aef324ec-e3e0-51e5-689e-04209afa2da1
        set extip 10.16.2.200
        set extintf "port3"
        set mappedip "10.1.1.202"
    next
    edit "FG02-to-FG01_VIP01"
        set uuid 8ec4c5bc-e4a9-51e5-033e-de1418a24742
        set extip 10.1.1.101
        set extintf "Site-to-Site"
        set mappedip "172.16.1.100"
    next
    edit "FG02-to-FG01_VIP02"
        set uuid 9fd68fac-e4a9-51e5-7663-57222dfa5fa2
        set extip 10.1.1.201
        set extintf "Site-to-Site"
        set mappedip "172.16.1.200"
    next
end

Policy の設定(FG01)

FG01 (policy) # show
config firewall policy
    edit 1
        set name "VPN_FG01-to-FG02"
        set uuid f891e92a-e3e1-51e5-0e3b-91fa14308e4c
        set srcintf "port3"
        set dstintf "Site-to-Site"
        set srcaddr "all"
        set dstaddr "FG01-to-FG02_VIP01" "FG01-to-FG02_VIP02"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "VPN_FG02-to-FG01"
        set uuid 1b781702-e3e2-51e5-4422-9f9a73aa7fed
        set srcintf "Site-to-Site"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "FG02-to-FG01_VIP01" "FG02-to-FG01_VIP02"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Policy の設定(FG01)GUI

f:id:FriendsNow:20160307213020p:plain

FG02の設定

LAN の設定(FG02)
FG02 (port3) # show
config system interface
    edit "port3"
        set vdom "root"
        set ip 172.16.2.254 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 3
        set macaddr 00:0c:29:5c:5b:53
    next
end
WAN の設定(FG02)
FG02 (port2) # show
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.1.1.2 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 2
        set macaddr 00:0c:29:5c:5b:49
    next
end
IPsec P1の設定(FG02)
FG02 (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "Site-to-Site"
        set interface "port2"
        set remote-gw 10.1.1.1
        set psksecret ENC
    next
end
IPsec P2の設定(FG02)
FG02 (phase2-interface) # show
config vpn ipsec phase2-interface
    edit "Site-to-Site"
        set phase1name "Site-to-Site"
    next
end
スタティックルートの設定(FG02)
FG02 (static) # show
config router static
    edit 1
        set dst 10.1.1.101 255.255.255.255
        set device "Site-to-Site"
    next
    edit 2
        set dst 10.1.1.201 255.255.255.255
        set device "Site-to-Site"
    next
end
VIP(宛先 NAT)の設定(FG02)
FG02 (vip) # show
config firewall vip
    edit "FG02-to-FG01_VIP01"
        set uuid 46de5290-e3e1-51e5-9e4c-5113ad1c3275
        set extip 10.16.1.100
        set extintf "port3"
        set mappedip "10.1.1.101"
    next
    edit "FG02-to-FG01_VIP02"
        set uuid 57875fec-e3e1-51e5-d5e3-5a9b4143d7d8
        set extip 10.16.1.200
        set extintf "port3"
        set mappedip "10.1.1.201"
    next
    edit "FG01-to-FG02_VIP01"
        set uuid 64d65868-e4a1-51e5-d56c-e5c69a51fc51
        set extip 10.1.1.102
        set extintf "Site-to-Site"
        set mappedip "172.16.2.100"
    next
    edit "FG01-to-FG02_VIP02"
        set uuid 64e18602-e4a1-51e5-1796-ec44b48db451
        set extip 10.1.1.202
        set extintf "Site-to-Site"
        set mappedip "172.16.2.200"
    next
end
Policy の設定(FG02)
FG02 (policy) # show
config firewall policy
    edit 1
        set name "VPN_FG02-to-FG01"
        set uuid ec565c4e-e3e2-51e5-3259-c8c14fe0853c
        set srcintf "port3"
        set dstintf "Site-to-Site"
        set srcaddr "all"
        set dstaddr "FG02-to-FG01_VIP01" "FG02-to-FG01_VIP02"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "VPN_FG01-to-FG02"
        set uuid f63b1ce0-e3e2-51e5-52fa-ef83a0b4e13b
        set srcintf "Site-to-Site"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "FG01-to-FG02_VIP01" "FG01-to-FG02_VIP02"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Policy の設定(FG02)GUI

f:id:FriendsNow:20160307213054p:plain

確認

SV01(172.16.1.100)から SV02(10.16.2.100(VIP))へ Ping を実行時、172.16.1.100は、10.1.1.101に送信元NATされ、10.16.2.100は、10.1.1.102に宛先NATされています。

FG01 # diagnose debug enable
FG01 # diagnose debug flow trace start 20
id=20085 trace_id=2436 func=print_pkt_detail line=4696 msg="vd-root received a packet(proto=1, 172.16.1.100:61476->10.16.2.100:8) from port3. code=8, type=0, id=61476, seq=1207."
id=20085 trace_id=2436 func=resolve_ip_tuple_fast line=4760 msg="Find an existing session, id-0002fbcc, original direction"
id=20085 trace_id=2436 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=2436 func=ip_session_run_all_tuple line=5825 msg="DNAT 10.16.2.100:8->10.1.1.102:61476"
id=20085 trace_id=2436 func=ip_session_run_all_tuple line=5813 msg="SNAT 172.16.1.100->10.1.1.101:61476"
id=20085 trace_id=2436 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-Site-to-Site"
id=20085 trace_id=2436 func=esp_output4 line=846 msg="IPsec encrypt/auth"
id=20085 trace_id=2436 func=ipsec_output_finish line=496 msg="send to 10.1.1.2 via intf-port2"