As the methods above show, on 6.4/7.0 the FortiGate may still emit ESP/UESP (UDP-encapsulated ESP) fragments, whether it fragments the inner packets itself or ipv4-df is enabled, because the ESP/UESP packet ends up larger than the physical interface MTU. So what else can be done?
By overriding the MTU of the tunnel interface we can force a specific MTU value on it:
config system interface
edit "ToR2"
**set mtu-override enable**
**set mtu 1400**
next
end
<aside> 💡 This feature is supported from 6.4 onward; see Mantis ID 0611391.
</aside>
<aside>
💡 Note also that on the 6.4/7.0 GA releases, in a hub-and-spoke model with net-device enabled on the FortiGate, the dynamically created tunnel interfaces (e.g. ToR2_0) do not inherit the MTU set with mtu-override on the parent tunnel interface; see Mantis ID 0744598, "Tunnel interface MTU settings does not work when net-device is enabled in phase1". As of 2021-12-15 no GA release has fixed this issue.
</aside>
Using the combination that failed earlier, AES256-SHA256 with NAT-T, enable mtu-override on the tunnel interface and check whether the problem is resolved.

R1-FG1101E # show vpn ipsec phase1-interface ToR2
config vpn ipsec phase1-interface
edit "ToR2"
set interface "port16"
set peertype any
set net-device enable
set passive-mode enable
set proposal aes128-sha256
set **ip-fragmentation pre-encapsulation**
set remote-gw 100.0.1.2
set psksecret ENC VB18DBosD7hdTrHDOl21ZJKG5z6BSDgemSX0hmhc8hTn8Y5AMUFZEaWEyXa0VHThkZ/dp7kqZT8lHLbAjphFEvqlHsMuce/Sb11QqEBpNWrLCbHiUJAgZHuvi/iw2ZWv2/GuTr7I4qtTN4M4oHQSsFgrVensTIu6Qk5mNKcmD3LBVT35uQjbZE6IXG+H7dX1AiDGiw==
next
end
R1-FG1101E # show vpn ipsec phase2-interface ToR2
config vpn ipsec phase2-interface
edit "ToR2"
set phase1name "ToR2"
set proposal **aes256-sha256**
next
end
R2-FG1101E # show vpn ipsec phase1-interface ToR1
config vpn ipsec phase1-interface
edit "ToR1"
set interface "port16"
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256
set **ip-fragmentation pre-encapsulation**
set dpd disable
set remote-gw 100.0.0.2
set psksecret ENC TuwE815+Y0e4BK/OHM1ti6o2H9ORCfcfKdypH970JpGPOICs9KAA00RS807yLN404QeQ/bWMOUTtKEGYXqUfGrh5hgypHVJOLtUlEoTop2ATuJImXAeEufP/JRdkn4ea49HY6PM6SWQ7DDYF3WDYk9edgg11hzf1xG89XkZY9J8KN+6egl07RsTcVLob0WlsObZ2YA==
next
end
R2-FG1101E # show vpn ipsec phase2-interface ToR1
config vpn ipsec phase2-interface
edit "ToR1"
set phase1name "ToR1"
set proposal **aes256-sha256**
set replay disable
set auto-negotiate enable
next
end
The layer-3 MTU of the physical interface (port16) on FW1 is 1500:
R1-FG1101E # diagnose netlink interface list | grep port16
if=port16 family=00 type=1 index=39 **mtu=1500** link=0 master=0
The SA MTU of the tunnel on FW1 is 1422 (the mtu field on the SA line below):
R1-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR2 ver=1 serial=1 100.0.0.2:4500->100.0.1.2:64916 dst_mtu=1500
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/24 options[0018]=npu create_dev accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=13 ilast=14 olast=34 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
**natt: mode=silent** draft=32 interval=10 remote_port=64916
proxyid=ToR2 proto=0 sa=1 ref=2 serial=2
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=10226 type=00 soft=0 **mtu=1422** expire=42896/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42931/43200
dec: spi=3284dec3 esp=aes key=32 ac6817bef23db7e5f866e80e7e64d87234dca7178762171564a3b9c6b391e9bf
ah=sha256 key=32 8b451af2b364fa4e08ab9cc5f8f2bd542c7ff2f205df6fddffc1aa6d17f212b4
enc: spi=ce69c6f6 esp=aes key=32 74ae84059ba10af74ab8aa3942ce4e0223532aefb663579feeaec3e8080f10b5
ah=sha256 key=32 b86fc4d0344010fea0a16ff962b0acd3a29b12cedaec01e6b2a2ad849ed4ce04
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=100.0.1.2 npu_lgwy=100.0.0.2 npu_selid=1 dec_npuid=0 enc_npuid=0
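Added example (not code from the original article or from Fortinet): a small Python calculator for the on-the-wire size of an inner packet after ESP/UESP encapsulation and for the largest inner packet that still fits the physical MTU. It uses the standard ESP tunnel-mode framing from RFC 4303 (outer IPv4 header, optional NAT-T UDP header, SPI and sequence number, CBC IV, payload padded to the cipher block size plus the 2-byte pad-length/next-header trailer, truncated ICV). The formula FortiGate applies internally is not shown on this page, but for AES256-SHA256 over NAT-T with a 1500-byte physical MTU the calculation gives 1422, the SA mtu value in the diagnose output above, and it shows why an mtu-override of 1400 avoids ESP/UESP fragmentation: the encapsulated packet is 1476 bytes. The cipher and ICV tables cover only the CBC and HMAC algorithms relevant here; AEAD modes such as AES-GCM use different IV/ICV sizes and are left out.

```python
# Added example, not from the original article. Sizes follow RFC 4303 ESP
# tunnel-mode framing; whether FortiGate computes its SA MTU exactly this way
# is an assumption, but the result matches the mtu=1422 in the diag output.

IPV4_HDR = 20        # outer IPv4 header, no options
UDP_HDR = 8          # NAT-T encapsulation (UDP/4500)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# cipher -> (block size used for padding, IV length). AES-CBC with any key
# length shares the 16-byte block and IV, so aes128/aes192/aes256 are alike.
CIPHERS = {
    "aes128": (16, 16),
    "aes192": (16, 16),
    "aes256": (16, 16),
    "3des": (8, 8),
}

# integrity -> truncated ICV length (RFC 2404 for SHA-1, RFC 4868 for SHA-2)
ICV_LEN = {"sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32}


def esp_payload_len(inner_len: int, cipher: str) -> int:
    """Encrypted portion: inner packet + padding + trailer, rounded up to
    a whole number of cipher blocks."""
    block, _ = CIPHERS[cipher]
    raw = inner_len + ESP_TRAILER
    return (raw + block - 1) // block * block


def encapsulated_len(inner_len: int, cipher: str, integ: str, natt: bool) -> int:
    """Bytes on the wire for one inner packet after ESP (or UDP-ESP)
    tunnel-mode encapsulation."""
    _, iv = CIPHERS[cipher]
    outer = IPV4_HDR + (UDP_HDR if natt else 0) + ESP_HDR + iv
    return outer + esp_payload_len(inner_len, cipher) + ICV_LEN[integ]


def max_inner_mtu(outer_mtu: int, cipher: str, integ: str, natt: bool) -> int:
    """Largest inner packet whose encapsulated form still fits outer_mtu,
    i.e. the clear-text MTU the SA can carry without outer fragmentation."""
    block, iv = CIPHERS[cipher]
    fixed = IPV4_HDR + (UDP_HDR if natt else 0) + ESP_HDR + iv + ICV_LEN[integ]
    payload_room = (outer_mtu - fixed) // block * block   # whole blocks only
    return payload_room - ESP_TRAILER


def fragments_after_encap(inner_len: int, outer_mtu: int,
                          cipher: str, integ: str, natt: bool) -> bool:
    """True when the ESP/UESP packet itself would exceed the physical MTU
    and therefore be fragmented after encapsulation."""
    return encapsulated_len(inner_len, cipher, integ, natt) > outer_mtu


if __name__ == "__main__":
    phys = 1500                      # physical-port MTU from the diag output
    args = ("aes256", "sha256", True)  # phase2 proposal, NAT-T in use
    print("SA MTU for AES256-SHA256 over NAT-T:", max_inner_mtu(phys, *args))
    # 1400 is the mtu-override value; 1422 is the SA MTU; 1423/1500 overshoot
    for inner in (1400, 1422, 1423, 1500):
        size = encapsulated_len(inner, *args)
        state = "fragments" if fragments_after_encap(inner, phys, *args) else "fits"
        print(f"inner {inner:4d} -> on the wire {size:4d} ({state})")
```

The numbers make the trade-off visible: anything the tunnel interface hands over at 1423 bytes or more is fragmented on port16, so the override must stay at or below the SA MTU (1422 here), and 1400 leaves some margin for the 28-byte NAT-T overhead growing further if a different proposal is negotiated. Keep the caveat from the aside in mind: on 6.4/7.0 GA with net-device enabled, dynamically created spoke interfaces do not pick up this override, so the calculation only tells you what the override should be, not that every interface will actually use it.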