Connection topology
To reach servers behind NAT from a Windows 11 client, L2TP/IPsec is used to join the client to the same LAN segment. Every parameter is one the standard Windows 11 VPN client supports.
The FortiGate runs FortiOS 6.0 for this configuration.
Note: essentially the same topology as the separate article [Cisco/VyOS case (including the Windows client settings)].
IKE (Phase 1)

| Item | Value |
| --- | --- |
| IKE version | IKEv1 |
| IKE negotiation | Main Mode |
| Encryption algorithm | AES256-CBC |
| Key exchange | Diffie-Hellman Group 14 (MODP 2048) |
| Integrity (hash) algorithm | HMAC-SHA1-96 |
| Authentication method | Pre-Shared Key |
| Keepalive (DPD) | Disabled |
| NAT Traversal | Not applicable (the IKE session is not NATed) |
| Lifetime | 28800 s (8 hours) |
| MTU | 1454 (value after negotiation; apparently not configurable in FortiOS 6.0?) |

IPsec (Phase 2)

| Item | Value |
| --- | --- |
| Encryption algorithm | AES128-CBC |
| Integrity (hash) algorithm | HMAC-SHA1-96 |
| Protocol | ESP |
| Mode | Transport Mode |
| PFS (DH group) | Disabled |
| Lifetime | 3600 s (1 hour) |

L2TP / PPP

| Item | Value |
| --- | --- |
| Link protocol | PPP |
| Authentication protocol | MS-CHAPv2 |
| Assigned IP range (IPCP) | 192.168.0.1 – 192.168.0.31 |

Windows 11 client side (values reported by the client)

| Item | Value |
| --- | --- |
| IKE cipher suites offered (in order) | five proposals, listed below |
| IKE lifetime | 28800 s (8 hours) |
| ESP cipher suites offered (in order) | three proposals, listed below |
| ESP lifetime | 3600 s (1 hour) |
| MTU | 1300 (value after negotiation) |

IKE proposals offered by the Windows 11 client:
- IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
- IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
- IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
- IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
- IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

ESP proposals offered by the Windows 11 client:
- ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
- ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
- ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
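The client list above is worth reading as a security check, not just a compatibility table: the Windows 11 client still offers 3DES and MODP_1024 (and DES for ESP), and the only reason they cannot be negotiated is that the FortiGate side lists a single proposal per phase. The script below is an added example (not code from the original page, FortiOS or Windows) that models the IKEv1 responder rule "accept the first client proposal the gateway also configures", expands the FortiOS `set proposal` / `set dhgrp` values into the Windows notation, and reports which suite is agreed, which weak suites the client offers, and what happens with a gateway configuration that would not match at all. The FortiOS-to-Windows name mapping and the DH group numbers (2, 14, 19, 20) follow the IANA registry; the mapping is mine, not Fortinet's.

```python
"""IKEv1 proposal matching between the Windows 11 L2TP/IPsec client and the
FortiGate phase1/phase2 settings used on this page.

Added example, not code from the original page, FortiOS or Windows: the rule
"responder accepts the first client proposal it also configures" is a
simplified model of IKEv1 Main Mode / Quick Mode negotiation.
"""

# Client proposal lists copied from the Windows 11 table above, in the order
# the client sends them (first = preferred).
WINDOWS_IKE_PROPOSALS = [
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384",
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256",
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
]
WINDOWS_ESP_PROPOSALS = [
    "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ",
    "ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ",
    "ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ",
]

# FortiOS keyword -> name used in the Windows proposal strings (my mapping).
# DH group numbers follow the IANA registry: 2=MODP_1024, 14=MODP_2048,
# 19=ECP_256, 20=ECP_384.
FORTI_ENC = {"aes256": "AES_CBC_256", "aes128": "AES_CBC_128",
             "3des": "3DES_CBC", "des": "DES_CBC"}
FORTI_AUTH = {"sha1": "HMAC_SHA1_96"}
FORTI_DH = {"2": "MODP_1024", "14": "MODP_2048", "19": "ECP_256", "20": "ECP_384"}

# Primitives that must not be negotiable on a new deployment.
WEAK = {"DES_CBC", "3DES_CBC", "MODP_1024"}


def parse_proposal(text):
    """'IKE:ENC/AUTH/PRF/DH' or 'ESP:ENC/AUTH/SEQ' -> (kind, enc, auth, dh or None)."""
    kind, body = text.split(":", 1)
    parts = body.split("/")
    dh = parts[3] if kind == "IKE" else None
    return (kind, parts[0], parts[1], dh)


def gateway_ike_proposals(proposal, dhgrp):
    """Expand 'set proposal aes256-sha1 ...' and 'set dhgrp 14 ...' from
    'config vpn ipsec phase1-interface' into the same tuple form."""
    out = []
    for p in proposal.split():
        enc, auth = p.split("-")
        for g in dhgrp.split():
            out.append(("IKE", FORTI_ENC[enc], FORTI_AUTH[auth], FORTI_DH[g]))
    return out


def gateway_esp_proposals(proposal):
    """Expand 'set proposal aes128-sha1 ...' from 'config vpn ipsec phase2-interface'."""
    out = []
    for p in proposal.split():
        enc, auth = p.split("-")
        out.append(("ESP", FORTI_ENC[enc], FORTI_AUTH[auth], None))
    return out


def negotiate(client_proposals, gateway_proposals):
    """Responder picks the first client proposal it also supports; None if nothing matches."""
    supported = set(gateway_proposals)
    for text in client_proposals:
        candidate = parse_proposal(text)
        if candidate in supported:
            return candidate
    return None


def weak_offers(client_proposals):
    """Client proposals that contain a deprecated primitive."""
    return [t for t in client_proposals if WEAK & set(parse_proposal(t)[1:])]


if __name__ == "__main__":
    # The page's configuration: phase1 aes256-sha1 / dhgrp 14, phase2 aes128-sha1.
    print("Phase 1:", negotiate(WINDOWS_IKE_PROPOSALS, gateway_ike_proposals("aes256-sha1", "14")))
    print("Phase 2:", negotiate(WINDOWS_ESP_PROPOSALS, gateway_esp_proposals("aes128-sha1")))
    # Still offered by the client; unusable only because the gateway never lists them.
    print("Weak client offers:", weak_offers(WINDOWS_IKE_PROPOSALS) + weak_offers(WINDOWS_ESP_PROPOSALS))
    # aes128-sha1 with dhgrp 14 does NOT match: the client pairs AES-128 only with ECP_256.
    print("aes128-sha1 + dhgrp 14:", negotiate(WINDOWS_IKE_PROPOSALS, gateway_ike_proposals("aes128-sha1", "14")))
```

Two things fall out of running it: the agreed phase 1 suite is the client's third preference (AES-256 with MODP_2048), because the FortiGate does not configure the ECP groups the client prefers, and changing the phase 1 proposal to `aes128-sha1` while keeping `dhgrp 14` would break the connection outright, since the client only pairs AES-128 with ECP_256 (DH group 19).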
FortiGate (6.0 series) configuration example
The basic interface and related settings are as follows.
config system switch-interface
edit "lan"
set vdom "root"
set member "internal"
next
end
config system interface
edit "wan1"
set vdom "root"
set ip 10.0.0.254 255.255.255.0
set allowaccess ping
set type physical
set role wan
next
edit "lan"
set vdom "root"
set ip 192.168.0.254 255.255.255.0
set allowaccess ping https ssh
set type switch
set role lan
next
edit "internal"
set vdom "root"
set type hard-switch
set stp enable
set role lan
next
end
config firewall address
edit "LAN-01"
set subnet 192.168.0.0 255.255.255.0
next
end
config firewall policy
edit 1
set name "WAN1_OUT"
set srcintf "lan"
set dstintf "wan1"
set srcaddr "LAN-01"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set nat enable
next
end
Create the local user for the VPN and the address object used by the policies. The password and the pre-shared key below (`password123`, `secret123`) are placeholders. The PSK in particular is shared by every client and, with Main Mode and `set peertype any`, is the only thing that authenticates phase 1, so use a long random value and rotate it if a client device is lost. Also note that the L2TP pool 192.168.0.1–192.168.0.31 lies inside the `lan` subnet 192.168.0.0/24, so no LAN host may be given an address from that range.
config user local
edit "vpn-01"
set type password
set passwd password123
next
end
config user group
edit "VPN_Group-01"
set member "vpn-01"
next
end
config firewall address
edit "L2TP_TUNNEL_ADDR"
set type iprange
set start-ip 192.168.0.1
set end-ip 192.168.0.31
next
end
Configure L2TP/IPsec.
(How to set the MTU is not known.)
config vpn ipsec phase1-interface
edit "l2tp-tunnel1"
set type dynamic
set interface "wan1"
set keylife 28800
set peertype any
set proposal aes256-sha1
set dpd disable
set comments "L2TP VPN: custom IKE"
set dhgrp 14
set nattraversal disable
set psksecret secret123
next
end
config vpn ipsec phase2-interface
edit "l2tp-tunnel1"
set phase1name "l2tp-tunnel1"
set proposal aes128-sha1
set pfs disable
set encapsulation transport-mode
set l2tp enable
set comments "L2TP VPN: custom IPsec"
set keylifeseconds 3600
next
end
config vpn l2tp
set status enable
set sip 192.168.0.1
set eip 192.168.0.31
set usrgrp "VPN_Group-01"
end
Finally, allow the L2TP/IPsec traffic in the firewall policy. Policy 2 lets the L2TP packets (UDP 1701, the predefined `L2TP` service) that arrive through the IPsec interface reach the wan1 address where L2TP terminates; policies 3 and 4 carry the PPP-decapsulated traffic between the assigned client addresses and the LAN. As written, policies 3 and 4 allow every service in both directions; narrow `srcaddr`, `dstaddr` and `service` to what the remote users actually need.
config firewall policy
edit 2
set name "L2TP_IN"
set srcintf "l2tp-tunnel1"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "L2TP"
next
edit 3
set name "PPP_IN"
set srcintf "l2tp-tunnel1"
set dstintf "lan"
set srcaddr "L2TP_TUNNEL_ADDR"
set dstaddr "LAN-01"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set name "PPP_OUT"
set srcintf "lan"
set dstintf "l2tp-tunnel1"
set srcaddr "LAN-01"
set dstaddr "L2TP_TUNNEL_ADDR"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
next
end
Verification
FortiGate side
The state seen from the FortiGate after the VPN connected is below. The MTU is 1454. The output also confirms the design table: `addr: 10.0.0.254:500 -> 10.0.0.1:500` and `natt: mode=none` (no NAT traversal), `proposal: aes256-sha1` with `lifetime/rekey: 28800/...` for phase 1, and in the tunnel list `transport-mode`, `esp=aes key=16` (a 16-byte key, i.e. AES-128), `ah=sha1` and `timeout=.../3600` for phase 2.
FG # diagnose vpn ike gateway list
vd: root/0
name: l2tp-tunnel1_0
version: 1
interface: wan1 6
addr: 10.0.0.254:500 -> 10.0.0.1:500
created: 2244s ago
IKE SA: created 2/2 established 2/2 time 10/10/10 ms
IPsec SA: created 2/3 established 2/3 time 0/10/20 ms
id/spi: 22 *********************************
direction: responder
status: established 1922-1922s ago = 10ms
proposal: aes256-sha1
key: *******************************************************************
lifetime/rekey: 28800/26607
DPD sent/recv: 00000000/00000000
id/spi: 21 *********************************
direction: responder
status: established 2244-2244s ago = 10ms
proposal: aes256-sha1
key: *******************************************************************
lifetime/rekey: 28800/26285
DPD sent/recv: 00000000/00000000
FG # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=l2tp-tunnel1_0 ver=1 serial=14 10.0.0.254:0->10.0.0.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/136 options[0088]=npu rgwy-chg
parent=l2tp-tunnel1 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=1047 olast=1 ad=/0
stat: rxp=224 txp=193 rxb=22592 txb=9142
dpd: mode=off on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=l2tp-tunnel1 proto=17 sa=2 ref=3 serial=1 transport-mode add-route
src: 17:10.0.0.254-10.0.0.254:1701
dst: 17:10.0.0.1-10.0.0.1:0
SA: ref=4 options=1a6 type=00 soft=0 mtu=1454 expire=2543/0B replaywin=1024
seqno=4c2 esn=0 replaywin_lastseq=000000da itn=0
life: type=01 bytes=0/0 timeout=3591/3600
dec: spi=c2eae18b esp=aes key=16 ********************************
ah=sha1 key=20 ****************************************
enc: spi=87e2ee08 esp=aes key=16 ********************************
ah=sha1 key=20 ****************************************
dec:pkts/bytes=218/8389, enc:pkts/bytes=193/17304
npu_flag=00 npu_rgwy=10.0.0.1 npu_lgwy=10.0.0.254 npu_selid=f
SA: ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=2259/0B replaywin=1024
seqno=401 esn=0 replaywin_lastseq=00000001 itn=0
life: type=01 bytes=0/0 timeout=3589/3600
dec: spi=c2eae18a esp=aes key=16 ********************************
ah=sha1 key=20 ****************************************
enc: spi=3f6d50ee esp=aes key=16 ********************************
ah=sha1 key=20 ****************************************
dec:pkts/bytes=1/28, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=10.0.0.1 npu_lgwy=10.0.0.254 npu_selid=f
------------------------------------------------------
name=l2tp-tunnel1 ver=1 serial=a 10.0.0.254:0->0.0.0.0:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/8 options[0008]=npu
proxyid_num=0 child_num=1 refcnt=4 ilast=1413 olast=1413 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=1
ipv4 route tree:
10.0.0.1->10.0.0.1 0
Windows 11 client side
The state on Windows 11 is below. The MTU is 1300. This is the MTU of the PPP adapter (`forti-vpn-01`), a different layer from the 1454 that the FortiGate reports for the ESP SA, so the two values need not agree. `Get-NetIPsecMainModeSA` shows AES256 / SHA1 / DH14 / IkeV1 / PresharedKey with a 28800 s lifetime, and `Get-NetIPsecQuickModeSA` shows Transport / AES128 / SHA1 / `PfsGroupId : None` with a 3600 s lifetime for both directions, matching the tables at the top.
PS > Get-NetIPsecMainModeSA
Name : 14
LocalEndpoint : 10.0.0.1
RemoteEndpoint : 10.0.0.254
LocalFirstId.Identity :
LocalFirstId.ImpersonationType : None
LocalFirstId.AuthenticationMethod : PresharedKey
LocalFirstId.Flags : None
RemoteFirstId.Identity :
RemoteFirstId.ImpersonationType : None
RemoteFirstId.AuthenticationMethod : PresharedKey
RemoteFirstId.Flags : None
LocalSecondId.Identity :
LocalSecondId.ImpersonationType :
LocalSecondId.AuthenticationMethod :
LocalSecondId.Flags :
RemoteSecondId.Identity :
RemoteSecondId.ImpersonationType :
RemoteSecondId.AuthenticationMethod :
RemoteSecondId.Flags :
CipherAlgorithm : AES256
HashAlgorithm : SHA1
GroupId : DH14
KeyModule : IkeV1
MaxQMSAs : 0
LifetimeSeconds : 28800
LocalUdpEncapsulationPort :
RemoteUdpEncapsulationPort :
ExtendedFilterId : 0
PS > Get-NetIPsecQuickModeSA
Name : 17
LocalEndpoint : 10.0.0.1
RemoteEndpoint : 10.0.0.254
TransportLayerFilterName : L2TP Client Specific Filter
EncapsulationMode : Transport
Direction : Inbound
LocalPort : 1701
RemotePort : 1701
IpProtocol : 17
InterfaceAlias : USB-LAN
RealIfProfileId : 0
LocalUdpEncapsulationPort :
RemoteUdpEncapsulationPort :
SPI : 2279796232
FirstTransformType : EspAuthAndCipher
FirstIntegrityAlgorithm : SHA1
FirstCipherAlgorithm : AES128
SecondSpi :
SecondTransformType : None
SecondIntegrityAlgorithm : None
SecondCipherAlgorithm : None
Flags : NoExplicitCredMatch, AllowNullTargetNameMatch
MmSaId : 14
PfsGroupId : None
PeerV4PrivateAddress : 0.0.0.0
QuickModeFilterid : 81170
LifetimeSeconds : 3600
LifetimeKilobytes : 250000
LifetimePackets : 2147483647
IdleDurationSeconds : 300
NdAllowClearTimeoutSeconds : 0
NapContext : 0
QmSaId : 1250073476
VirtualIfTunnelId : 0
TrafficSelectorId : 0
MmTargetName :
EmTargetName :
ExplicitCredentials :
Name : 17
LocalEndpoint : 10.0.0.1
RemoteEndpoint : 10.0.0.254
TransportLayerFilterName : L2TP Client Specific Filter
EncapsulationMode : Transport
Direction : Outbound
LocalPort : 1701
RemotePort : 1701
IpProtocol : 17
InterfaceAlias : 0
RealIfProfileId : 0
LocalUdpEncapsulationPort :
RemoteUdpEncapsulationPort :
SPI : 3270173067
FirstTransformType : EspAuthAndCipher
FirstIntegrityAlgorithm : SHA1
FirstCipherAlgorithm : AES128
SecondSpi :
SecondTransformType : None
SecondIntegrityAlgorithm : None
SecondCipherAlgorithm : None
Flags : NoExplicitCredMatch, AllowNullTargetNameMatch
MmSaId : 14
PfsGroupId : None
PeerV4PrivateAddress : 0.0.0.0
QuickModeFilterid : 81170
LifetimeSeconds : 3600
LifetimeKilobytes : 250000
LifetimePackets : 2147483647
IdleDurationSeconds : 300
NdAllowClearTimeoutSeconds : 0
NapContext : 0
QmSaId : 1250073476
VirtualIfTunnelId : 0
TrafficSelectorId : 0
MmTargetName :
EmTargetName :
ExplicitCredentials :
PS > Get-NetIPInterface -ifIndex 57 | Format-List
InterfaceIndex : 57
InterfaceAlias : forti-vpn-01
CompartmentId : 1
AddressFamily : IPv4
Forwarding : Disabled
ClampMss : Disabled
Advertising : Disabled
NlMtu(Bytes) : 1300
AutomaticMetric : Enabled
InterfaceMetric : 25
NeighborDiscoverySupported : No
NeighborUnreachabilityDetection : Disabled
BaseReachableTime(ms) : 30000
ReachableTime(ms) : 41500
RetransmitTime(ms) : 1000
DadTransmits : 0
DadRetransmitTime(ms) : 1000
RouterDiscovery : ControlledByDHCP
ManagedAddressConfiguration : Enabled
OtherStatefulConfiguration : Enabled
WeakHostSend : Disabled
WeakHostReceive : Disabled
IgnoreDefaultRoutes : Disabled
AdvertisedRouterLifetime : 00:30:00
AdvertiseDefaultRoute : Disabled
CurrentHopLimit : 0
ForceArpNdWolPattern : Disabled
DirectedMacWolPattern : Disabled
EcnMarking : AppDecide
Dhcp : Disabled
ConnectionState : Connected
PolicyStore : ActiveStore
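The two outputs above describe the same pair of ESP SAs from opposite ends, and that can be checked mechanically: FortiOS prints the SPIs in hex (`dec: spi=c2eae18b`, `enc: spi=87e2ee08`) while Windows prints them in decimal (`SPI : 3270173067`, `SPI : 2279796232`), and the gateway's `enc` SA must be the client's `Inbound` SA and vice versa. The script below is an added example, not code from the original page; it parses excerpts of the `diagnose vpn tunnel list` and `Get-NetIPsecQuickModeSA` output shown above (keys masked as in the original) and checks SPI pairing, cipher, integrity, transport mode, the absence of NAT-T and PFS, and the phase 2 lifetime against the design table. The field selection and the regular expressions are mine; they target the text shown on this page, not a documented machine-readable format.

```python
"""Cross-check the FortiGate 'diagnose vpn tunnel list' SA against the Windows
'Get-NetIPsecQuickModeSA' output from the same L2TP/IPsec session.

Added example, not from the original page. The two samples are excerpts of
the outputs shown above (keys masked as in the original).
"""
import re

FORTIGATE_SA = """\
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=l2tp-tunnel1 proto=17 sa=2 ref=3 serial=1 transport-mode add-route
  src: 17:10.0.0.254-10.0.0.254:1701
  dst: 17:10.0.0.1-10.0.0.1:0
  SA: ref=4 options=1a6 type=00 soft=0 mtu=1454 expire=2543/0B replaywin=1024
  life: type=01 bytes=0/0 timeout=3591/3600
  dec: spi=c2eae18b esp=aes key=16 ********************************
       ah=sha1 key=20 ****************************************
  enc: spi=87e2ee08 esp=aes key=16 ********************************
       ah=sha1 key=20 ****************************************
"""

WINDOWS_QM_SAS = """\
EncapsulationMode         : Transport
Direction                 : Inbound
LocalUdpEncapsulationPort :
SPI                       : 2279796232
FirstIntegrityAlgorithm   : SHA1
FirstCipherAlgorithm      : AES128
PfsGroupId                : None
LifetimeSeconds           : 3600

EncapsulationMode         : Transport
Direction                 : Outbound
LocalUdpEncapsulationPort :
SPI                       : 3270173067
FirstIntegrityAlgorithm   : SHA1
FirstCipherAlgorithm      : AES128
PfsGroupId                : None
LifetimeSeconds           : 3600
"""


def parse_fortigate_sa(text):
    """Pull the fields we care about out of one proxyid block of the FortiOS output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"pattern not found: {pattern}")
        return m.group(1)

    esp_alg, esp_keylen = re.search(r"esp=(\w+) key=(\d+)", text).groups()
    return {
        "transport": "transport-mode" in text,
        "natt_mode": grab(r"natt: mode=(\w+)"),
        "mtu": int(grab(r"mtu=(\d+)")),
        "lifetime": int(grab(r"timeout=\d+/(\d+)")),
        # FortiOS prints SPIs in hex; the client prints the same values in decimal.
        "dec_spi": int(grab(r"dec: spi=([0-9a-f]+)"), 16),
        "enc_spi": int(grab(r"enc: spi=([0-9a-f]+)"), 16),
        # key=16 bytes -> AES-128, spelled 'AES128' by the Windows cmdlet.
        "cipher": f"{esp_alg.upper()}{int(esp_keylen) * 8}",
        "integrity": grab(r"ah=(\w+)").upper(),
    }


def parse_windows_qm_sas(text):
    """One dict per SA; the cmdlet separates SAs with a blank line."""
    sas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        sa = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            sa[key.strip()] = value.strip()
        sas.append(sa)
    return sas


def cross_check(fg, win_sas):
    """Return [(description, passed), ...]; every entry should be True."""
    inbound = next(s for s in win_sas if s["Direction"] == "Inbound")
    outbound = next(s for s in win_sas if s["Direction"] == "Outbound")
    return [
        # What the gateway encrypts ('enc') is what the client receives ('Inbound').
        ("gateway enc SPI == client inbound SPI", fg["enc_spi"] == int(inbound["SPI"])),
        ("gateway dec SPI == client outbound SPI", fg["dec_spi"] == int(outbound["SPI"])),
        ("ESP cipher agrees", all(s["FirstCipherAlgorithm"] == fg["cipher"] for s in win_sas)),
        ("ESP integrity agrees", all(s["FirstIntegrityAlgorithm"] == fg["integrity"] for s in win_sas)),
        ("transport mode", fg["transport"] and all(s["EncapsulationMode"] == "Transport" for s in win_sas)),
        ("no NAT-T", fg["natt_mode"] == "none" and all(s["LocalUdpEncapsulationPort"] == "" for s in win_sas)),
        ("PFS disabled", all(s["PfsGroupId"] == "None" for s in win_sas)),
        ("phase 2 lifetime 3600 s", fg["lifetime"] == 3600 and all(int(s["LifetimeSeconds"]) == 3600 for s in win_sas)),
    ]


def all_consistent(fg_text=FORTIGATE_SA, win_text=WINDOWS_QM_SAS):
    """True when every cross-check between the two sides passes."""
    return all(ok for _, ok in cross_check(parse_fortigate_sa(fg_text), parse_windows_qm_sas(win_text)))


if __name__ == "__main__":
    fg = parse_fortigate_sa(FORTIGATE_SA)
    for description, ok in cross_check(fg, parse_windows_qm_sas(WINDOWS_QM_SAS)):
        print(f"[{'OK' if ok else 'FAIL'}] {description}")
```

The SPI pairing is the check that catches the subtle failures: if the two sides showed matching algorithms but unrelated SPIs, the client would be talking to a different SA (or a different peer) than the one the gateway is reporting.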
References
FortiOS 6.0.0 CLI Reference
FortiGateでVPN(L2TP/IPsec)を設定しよう