How to configure an IPsec VPN tunnel using IKEv2

Hi 👏, César Sánchez here, and I'm going to help you with: 👇 how to configure an IPsec VPN tunnel using IKEv2

 

Description
This article describes how to configure an IPsec VPN tunnel using IKEv2.

Solution
FortiGate IPsec tunnels can be configured to use IKEv2.

Summary of the FortiGate GUI configuration:

This results in CLI output like the following example:

# show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "FCT_IKE_v2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw 192.168.252.132
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 3des-sha1
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "training"
        set assign-ip-from name
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "FCT_IKE_v2_split"
        set ipv4-name "FCT_IKE_v2_range"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC
        set dpd-retryinterval 60
    next
end
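As an added example (not from the original article and not Fortinet code), the following Python script parses a phase1-interface block like the one above and lists the settings a reviewer would question before putting the tunnel into production: the proposal list above still ends with 3des-sha1, and dhgrp 5 is the 1536-bit MODP group, both of which current guidance treats as deprecated. The weak-algorithm and weak-group lists are assumptions based on that general guidance, not FortiOS defaults; the sample input is a copy of the article's own block.

```python
"""Audit a FortiGate IKEv2 phase1-interface block for weak crypto settings.

Added example (not from the original article or from Fortinet). It parses the
text of 'show vpn ipsec phase1-interface' and reports settings a reviewer would
question. The weak lists below are assumptions based on general guidance:
3DES, DES, MD5 and SHA-1 are deprecated, and MODP groups below 2048 bits
(dhgrp 1, 2 and 5) are considered too small.
"""
import re

# Constructed sample: the phase1 block shown in the article, with straight quotes.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "FCT_IKE_v2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw 192.168.252.132
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 3des-sha1
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "training"
        set assign-ip-from name
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "FCT_IKE_v2_split"
        set ipv4-name "FCT_IKE_v2_range"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC
        set dpd-retryinterval 60
    next
end
"""

# Assumed deprecated algorithm tokens as they appear inside FortiOS proposal names.
WEAK_ALG_TOKENS = {"3des", "des", "md5", "sha1"}
# Assumed: MODP groups 1, 2 and 5 (768/1024/1536-bit) are below the 2048-bit floor of group 14.
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_phase1(text):
    """Return {tunnel_name: {setting: [values...]}} from FortiOS 'show' output."""
    tunnels = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set "):
            parts = line.split()
            current[parts[1]] = [p.strip('"') for p in parts[2:]]
    return tunnels


def audit_phase1(settings):
    """Return a list of finding strings for one tunnel's settings dict."""
    findings = []
    if settings.get("ike-version", ["1"])[0] != "2":
        findings.append("ike-version is not 2")
    for prop in settings.get("proposal", []):
        # Proposal names look like 'aes256-sha256' or 'aes128gcm-prfsha256'.
        if set(prop.split("-")) & WEAK_ALG_TOKENS:
            findings.append(f"weak proposal: {prop}")
    for grp in settings.get("dhgrp", []):
        if grp in WEAK_DH_GROUPS:
            findings.append(f"weak DH group: {grp}")
    # A dial-up (dynamic) gateway should require per-user EAP authentication.
    if settings.get("type", [""])[0] == "dynamic" and settings.get("eap", ["disable"])[0] != "enable":
        findings.append("dynamic dial-up tunnel without EAP user authentication")
    return findings


def audit_config(text):
    """Audit every tunnel in a phase1-interface block; returns {name: findings}."""
    return {name: audit_phase1(s) for name, s in parse_phase1(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "OK")
```

Run against the article's block, the audit reports the 3des-sha1 proposal and DH group 5; because FortiGate picks the first proposal both sides share, removing the weak entry from the list is what prevents a client from negotiating down to it.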

FortiClient configuration.

Debugging on FortiGate.

# diagnose debug console timestamp enable
# diagnose debug application ike -1

Debug messages will be on for 30 minutes.
# diagnose debug enable

2020-06-01 10:54:56.781236 ike 0: comes 192.168.252.140:500->192.168.252.132:500,ifindex=3….
2020-06-01 10:54:56.784383 ike 0: IKEv2 exchange=SA_INIT id=8a5fcff621752576/0000000000000000 len=436

2020-06-01 10:54:56.966247 ike 0:8a5fcff621752576/0000000000000000:3: SA proposal chosen, matched gateway FCT_IKE_v2
2020-06-01 10:54:56.970778 ike 0:FCT_IKE_v2: created connection: 0xc1ac370 3 192.168.252.132->192.168.252.140:500.

2020-06-01 10:54:57.098345 ike 0:FCT_IKE_v2:3: responder received AUTH msg
2020-06-01 10:54:57.100344 ike 0:FCT_IKE_v2:3: processing notify type INITIAL_CONTACT
2020-06-01 10:54:57.103118 ike 0:FCT_IKE_v2:3: peer identifier IPV4_ADDR 192.168.252.140
2020-06-01 10:54:57.109820 ike 0:FCT_IKE_v2:3: re-validate gw ID
2020-06-01 10:54:57.113740 ike 0:FCT_IKE_v2:3: gw validation OK

2020-06-01 10:54:57.115832 ike 0:FCT_IKE_v2:3: responder preparing EAP identity request
2020-06-01 10:54:57.118622 ike 0:FCT_IKE_v2:3: enc
2020-06-01 10:54:57.128907 ike 0:FCT_IKE_v2:3: out
2020-06-01 10:54:57.138184 ike 0:FCT_IKE_v2:3: sent IKE msg (AUTH_RESPONSE): 192.168.252.132:500->192.168.252.140:500, len=128,

2020-06-01 10:54:57.168080 ike 0:FCT_IKE_v2:3: responder received EAP msg
2020-06-01 10:54:57.170300 ike 0:FCT_IKE_v2:3: send EAP message to FNBAM
2020-06-01 10:54:57.172977 ike 0:FCT_IKE_v2:3: initiating EAP authentication
2020-06-01 10:54:57.175182 ike 0:FCT_IKE_v2: EAP user "engineer"
2020-06-01 10:54:57.176733 ike 0:FCT_IKE_v2: auth group training
2020-06-01 10:54:57.179241 ike 0:FCT_IKE_v2: EAP 1224753671 pending
2020-06-01 10:54:57.180344 ike 0:FCT_IKE_v2:3 EAP 1224753671 result 2
2020-06-01 10:54:57.181322 ike 0:FCT_IKE_v2: EAP challenged for user "engineer"
2020-06-01 10:54:57.182419 ike 0:FCT_IKE_v2:3: responder preparing EAP pass through message

2020-06-01 10:54:57.595037 ike 0:FCT_IKE_v2:3:FCT_IKE_v2:39: lifetime=43200
2020-06-01 10:54:57.598559 ike 0:FCT_IKE_v2:3: responder preparing AUTH msg
2020-06-01 10:54:57.601466 ike 0:FCT_IKE_v2: adding new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.605352 ike 0:FCT_IKE_v2_0: added new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.612130 ike 0:FCT_IKE_v2_0:3: established IKE SA

2020-06-01 10:54:57.774281 ike 0:FCT_IKE_v2: carrier up

The last message, carrier up, indicates that the tunnel is up and working.
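When a client fails to connect, the useful question is how far the trace above got before it stopped. The following Python script is an added example (not part of the article and not FortiOS code): it maps the milestone lines of "diagnose debug application ike -1" output to ordered stages and reports the last stage reached, the first one missing, the peer address, the EAP user and the SA_INIT-to-carrier-up time. The sample trace copies milestone lines from the successful session above; the stalled variant is a constructed truncation of the same trace standing in for a client that never completes the EAP challenge. The match strings assume the wording shown here and may need adjusting for other FortiOS versions.

```python
"""Stage tracker for FortiGate 'diagnose debug application ike -1' output.

Added example, not from the original article or from FortiOS. It maps the
milestone lines visible in the article's trace to ordered stages so a
truncated or failed negotiation shows where it stopped. The match strings
assume the wording shown in the article (an assumption for other versions).
"""
import re
from datetime import datetime

# Ordered milestones of a dial-up IKEv2 + EAP negotiation, in the order the trace shows them.
STAGES = [
    ("sa_init", "exchange=SA_INIT"),
    ("proposal_chosen", "SA proposal chosen"),
    ("auth_received", "responder received AUTH msg"),
    ("gw_validated", "gw validation OK"),
    ("eap_started", "initiating EAP authentication"),
    ("eap_challenge", "EAP challenged for user"),
    ("ike_sa_established", "established IKE SA"),
    ("carrier_up", "carrier up"),
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike ")
PEER_RE = re.compile(r"comes (\d+\.\d+\.\d+\.\d+):\d+->")
USER_RE = re.compile(r'EAP user "([^"]+)"')

# Constructed sample: milestone lines copied from the article's successful session.
SAMPLE_LOG = """\
2020-06-01 10:54:56.781236 ike 0: comes 192.168.252.140:500->192.168.252.132:500,ifindex=3....
2020-06-01 10:54:56.784383 ike 0: IKEv2 exchange=SA_INIT id=8a5fcff621752576/0000000000000000 len=436
2020-06-01 10:54:56.966247 ike 0:8a5fcff621752576/0000000000000000:3: SA proposal chosen, matched gateway FCT_IKE_v2
2020-06-01 10:54:57.098345 ike 0:FCT_IKE_v2:3: responder received AUTH msg
2020-06-01 10:54:57.103118 ike 0:FCT_IKE_v2:3: peer identifier IPV4_ADDR 192.168.252.140
2020-06-01 10:54:57.113740 ike 0:FCT_IKE_v2:3: gw validation OK
2020-06-01 10:54:57.172977 ike 0:FCT_IKE_v2:3: initiating EAP authentication
2020-06-01 10:54:57.175182 ike 0:FCT_IKE_v2: EAP user "engineer"
2020-06-01 10:54:57.181322 ike 0:FCT_IKE_v2: EAP challenged for user "engineer"
2020-06-01 10:54:57.182419 ike 0:FCT_IKE_v2:3: responder preparing EAP pass through message
2020-06-01 10:54:57.605352 ike 0:FCT_IKE_v2_0: added new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.612130 ike 0:FCT_IKE_v2_0:3: established IKE SA
2020-06-01 10:54:57.774281 ike 0:FCT_IKE_v2: carrier up
"""
# Constructed failure case: the same trace cut off right after the EAP challenge,
# standing in for a client that never completes EAP authentication.
STALLED_LOG = "\n".join(SAMPLE_LOG.splitlines()[:9])


def negotiation_progress(log_text):
    """Summarise one dial-up IKEv2 negotiation from ike debug output."""
    reached = {}
    peer = user = None
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
        m = USER_RE.search(line)
        if m:
            user = m.group(1)
        ts_m = TS_RE.match(line)
        ts = datetime.strptime(ts_m.group(1), "%Y-%m-%d %H:%M:%S.%f") if ts_m else None
        for name, marker in STAGES:
            if marker in line and name not in reached:
                reached[name] = ts  # keep the first occurrence of each milestone
    last_stage = max(reached, key=STAGE_INDEX.get, default=None)
    duration = None
    if "sa_init" in reached and "carrier_up" in reached:
        duration = (reached["carrier_up"] - reached["sa_init"]).total_seconds()
    return {
        "peer": peer,
        "user": user,
        "reached": [name for name, _ in STAGES if name in reached],
        "last_stage": last_stage,
        "complete": last_stage == "carrier_up",
        "duration_seconds": duration,
    }


def stalled_before(summary):
    """Name of the first expected milestone missing from the trace, or None if complete."""
    for name, _ in STAGES:
        if name not in summary["reached"]:
            return name
    return None


if __name__ == "__main__":
    for label, log in (("successful", SAMPLE_LOG), ("stalled", STALLED_LOG)):
        s = negotiation_progress(log)
        print(label, s["peer"], s["user"], "last:", s["last_stage"], "missing:", stalled_before(s))
```

On the stalled trace the report stops at eap_challenge with ike_sa_established missing, which points at the EAP exchange (credentials, user group, or the authentication server behind FNBAM) rather than at proposals or gateway matching; feed the script the captured output of the three diagnose commands above, and remember to run diagnose debug disable afterwards.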
