
R1-FG1101E # show vpn ipsec phase1-interface ToR2
config vpn ipsec phase1-interface
edit "ToR2"
set interface "port16"
set peertype any
set net-device disable
set passive-mode enable
set proposal aes128-sha256
**set ip-fragmentation pre-encapsulation**
set remote-gw 100.0.1.2
set psksecret ENC Z8JY4iWGlEVkd9FBHND38mehwVdARcHczR3QcrxWjT60LTWVr1+CirMEFhzQdLZWBK+HWBCsGowDBXAzPqLPd2VfyW4Cl/w1n7Axa0B1e0oh+zTSdKr1auFuCMn/p/IkQpiHCY5AWV1E8GQcteDZ6zv7fpWqnTD0crmVSydT/Qpk5p844Oxgf02k9AfDRcY29j8Gcw==
next
end
R1-FG1101E # show vpn ipsec phase2-interface ToR2
config vpn ipsec phase2-interface
edit "ToR2"
set phase1name "ToR2"
set proposal **aes256-sha384**
next
end
R2-FG1101E # show vpn ipsec phase1-interface ToR1
config vpn ipsec phase1-interface
edit "ToR1"
set interface "port16"
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256
set **ip-fragmentation pre-encapsulation**
set dpd disable
set remote-gw 100.0.0.2
set psksecret ENC Lv4Etajj6H2abp3coiBKezA+1aP7epa+KIUb6TpVECqC/MO8vweHdqW4mTfE+PJnm3xmywcheaxr7r/jNRimIuRbripGvAdvk9V8ezgTsInYXXWmmt1+twvGPPxfCKUxGHHJHVgozsun3uH5TMDmMwmgRkWL0sq7YR+Zv5lyrDhi7XZcJdioL60aa3RCqNyzc+hZYw==
next
end
R2-FG1101E # show vpn ipsec phase2-interface ToR1
config vpn ipsec phase2-interface
edit "ToR1"
set phase1name "ToR1"
set proposal **aes256-sha384**
set auto-negotiate enable
next
end
FW1的物理口三层MTU为1500:
R1-FG1101E # diagnose netlink interface list | grep port16
if=port16 family=00 type=1 index=39 **mtu=1500** link=0 master=0
FW1的Tunnel SA MTU为1422:
R1-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR2 ver=1 serial=1 100.0.0.2:4500->100.0.1.2:64916 tun_id=100.0.1.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=39 lgwy=static/1 tun=tunnel/255 mode=auto/1 encap=none/8 options[0008]=npu run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=2 olast=2 ad=/0
stat: rxp=1 txp=2 rxb=172 txb=168
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=silent draft=32 interval=10 remote_port=64916
proxyid=ToR2 proto=0 sa=1 ref=3 serial=2
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=10226 type=00 soft=0 **mtu=1422** expire=42880/0B replaywin=2048
seqno=3 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=93e465cb esp=aes key=32 37d6f618ec3d9f482b119367512539ad1bdd6626c36fd72bccdbe2a8d98b895c
ah=sha384 key=48 ba6d248c65bd38166ddf2410d1ef3df95ef3979604809e78c433b72f79f8339c29527a6194f6d65d58d5e1db1b2e7a6c
enc: spi=0516e885 esp=aes key=32 8c9c261e3c88a278d14c0c56fd5a2e7a045efd282a7bf1189ef04c697e91c137
ah=sha384 key=48 c1a3b473ff6a26aa3889c7072f7f0766e031e4170b08a75bbf7706f708036a5f49fb74ebaad3ca9fdefce3c175e686f0
dec:pkts/bytes=1/84, enc:pkts/bytes=2/344
npu_flag=03 npu_rgwy=100.0.1.2 npu_lgwy=100.0.0.2 npu_selid=1 dec_npuid=2 enc_npuid=2
run_tally=0
FW1的Tunnel Interface MTU为1420，比Tunnel SA MTU小2 Bytes。这没有关系：SA MTU计算出的是精确的最大值，Tunnel Interface MTU比它略小同样可以保证不会产生ESP分片。（注意，Tunnel Interface MTU并不是从SA MTU继承的：在7.0版本上它是固定写死的1420，除非在tunnel接口上手动override MTU。）
R1-FG1101E # diagnose netlink interface list | grep ToR2
if=ToR2 family=00 type=768 index=52 **mtu=1420** link=0 master=0
使用PC1 Ping PC2，然后在FW1上查看该流量的路由缓存，其PMTU为1420，与Tunnel Interface MTU一致:
R1-FG1101E # diagnose ip rtcache list | grep 10.1.87.222 -A 1
10.1.87.222@52(ToR2)->10.0.86.221@37(port14) gwy=0.0.0.0 prefsrc=192.168.84.11
ci: ref=1 lastused=18 expire=0 err=00000000 used=0 br=0 pmtu=1500
--
10.0.86.221@37(port14)->10.1.87.222@52(ToR2) gwy=100.0.1.2 prefsrc=10.0.86.1
ci: ref=1 lastused=18 expire=0 err=00000000 used=0 br=0 **pmtu=1420**
FW2的Tunnel SA MTU为1422:
R2-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR1 ver=1 serial=1 100.0.3.2:4500->100.0.0.2:4500 tun_id=100.0.0.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=479 olast=36 ad=/0
stat: rxp=1 txp=4 rxb=172 txb=336
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=ToR1 proto=0 sa=1 ref=3 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=18225 type=00 soft=0 **mtu=1422** expire=42417/0B replaywin=0
seqno=5 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=0516e885 esp=aes key=32 8c9c261e3c88a278d14c0c56fd5a2e7a045efd282a7bf1189ef04c697e91c137
ah=sha384 key=48 c1a3b473ff6a26aa3889c7072f7f0766e031e4170b08a75bbf7706f708036a5f49fb74ebaad3ca9fdefce3c175e686f0
enc: spi=93e465cb esp=aes key=32 37d6f618ec3d9f482b119367512539ad1bdd6626c36fd72bccdbe2a8d98b895c
ah=sha384 key=48 ba6d248c65bd38166ddf2410d1ef3df95ef3979604809e78c433b72f79f8339c29527a6194f6d65d58d5e1db1b2e7a6c
dec:pkts/bytes=1/84, enc:pkts/bytes=4/688
npu_flag=03 npu_rgwy=100.0.0.2 npu_lgwy=100.0.3.2 npu_selid=1 dec_npuid=2 enc_npuid=2
run_tally=0
FW2的Tunnel Interface MTU为1420,比Tunnel SA MTU少2 Bytes:
R2-FG1101E # diagnose netlink interface list | grep ToR1
if=ToR1 family=00 type=768 index=52 **mtu=1420** link=0 master=0
首先验证在Tunnel MTU达到极限值的情况下是否会产生分片。目前Tunnel Interface MTU为1420，也就是说被加密的原始明文最大为1420 Bytes。我们使用PC1 Ping PC2来测试，ICMP数据部分的大小为 datasize = 1420 - 20 (Original IP Header) - 8 (ICMP Header) = 1392。
[root@CentOS-1 ~]# ping 10.1.87.222 -c 1 **-s 1392** -M dont
PING 10.1.87.222 (10.1.87.222) 1392(**1420**) bytes of data.
1400 bytes from 10.1.87.222: icmp_seq=1 ttl=62 time=1.01 ms
--- 10.1.87.222 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.014/1.014/1.014/0.000 ms
[root@CentOS-1 ~]#
关闭Router(R1-FG601E)的芯片加速功能,同时在Router上抓取4和6格式的ESP报文。