
R1-FG1101E # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "ToR2"
set interface "port16"
set peertype any
set net-device disable
set proposal aes128-sha256
set remote-gw 100.0.3.2
next
end
R1-FG1101E # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "ToR2"
set phase1name "ToR2"
set proposal aes128-sha256
set replay disable
set auto-negotiate enable
next
end
R2-FG1101E # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "ToR1"
set interface "port16"
set peertype any
set net-device disable
set proposal aes128-sha256
set remote-gw 100.0.0.2
next
end
R2-FG1101E # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "ToR1"
set phase1name "ToR1"
set proposal aes128-sha256
set replay disable
set auto-negotiate enable
next
end
Send pings with packetsize 1600 from the client.
Check the ICMP session on the CLIENT-side FortiGate:
session info: proto=1 proto_state=00 duration=660 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=ToR2/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=1074480/660/1 reply=1074480/660/1 tuples=2
tx speed(Bps/kbps): 1627/13 rx speed(Bps/kbps): 1627/13
orgin->sink: org pre->post, reply pre->post dev=37->52/52->37 gwy=10.1.87.222/10.0.86.221
hook=pre dir=org act=noop 10.0.86.221:11336->10.1.87.222:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.87.222:11336->10.0.86.221:0(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000c3f0 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x3000c00
npu info: flag=0x82/0x81, offload=8/8, ips_offload=0/0, epid=211/209, ipid=209/1005, vlan=0x0000/0x0000
vlifid=209/1005, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, fwd_en=0/0, qid=2/2
total session 1
A packet capture on the CLIENT-side FortiGate shows that packets in the direction this FortiGate sends out are offloaded, while the fragmented packets in the receive direction are not offloaded:
R1-FG1101E # di sni packet port16 ''
interfaces=[port16]
filters=[]
0.976318 100.0.0.2 -> 100.0.3.2: ESP(spi=0x294062e4,seq=0x8cf)
0.976824 100.0.3.2 -> 100.0.0.2: ip-proto-50 (frag 2254:192@1480)
0.976825 100.0.3.2 -> 100.0.0.2: ESP(spi=0xf32b18fa,seq=0x8ce) (frag 2254:1480@0+)
1.977355 100.0.0.2 -> 100.0.3.2: ESP(spi=0x294062e4,seq=0x8d0)
1.977863 100.0.3.2 -> 100.0.0.2: ip-proto-50 (frag 2255:192@1480)
1.977864 100.0.3.2 -> 100.0.0.2: ESP(spi=0xf32b18fa,seq=0x8cf) (frag 2255:1480@0+)
2.978403 100.0.0.2 -> 100.0.3.2: ESP(spi=0x294062e4,seq=0x8d1)
2.978925 100.0.3.2 -> 100.0.0.2: ip-proto-50 (frag 2256:192@1480)
2.978926 100.0.3.2 -> 100.0.0.2: ESP(spi=0xf32b18fa,seq=0x8d0) (frag 2256:1480@0+)
<aside> 💡 TODO: raise the MTU on the internal interface and capture again; also capture on the switch.
</aside>
Can traffic be offloaded when a FortiGate sits in the middle of an end-to-end IPsec tunnel?
ESP can be offloaded:
session info: proto=50 proto_state=00 duration=107 expire=179 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=182736/108/1 reply=182736/108/1 tuples=2
tx speed(Bps/kbps): 1702/13 rx speed(Bps/kbps): 1702/13
orgin->sink: org pre->post, reply pre->post dev=15->16/16->15 gwy=100.0.2.1/100.0.1.1
hook=pre dir=org act=noop 100.0.0.2:0->100.0.3.2:0(0.0.0.0:0)
hook=post dir=reply act=noop 100.0.3.2:0->100.0.0.2:0(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000105d tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=146/144, ipid=144/146, vlan=0x0000/0x0000
vlifid=144/146, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=8/8
Because the packet exceeds the MTU it has to be fragmented; ip-fragmentation is at its default of post-encapsulation (the ESP packet is fragmented after encapsulation; the alternative, pre-encapsulation, fragments the cleartext packet before ESP encapsulation), so the capture on the intermediate device shows the fragments, and fragments are not offloaded:
RACK1-FG601E # di sni packet port7
interfaces=[port7]
filters=[none]
1.644843 100.0.0.2 -> 100.0.3.2: ESP(spi=0x294062e4,seq=0x1cf) (frag 463:1480@0+)
1.644846 100.0.0.2 -> 100.0.3.2: ip-proto-50 (frag 463:192@1480)
1.645217 100.0.3.2 -> 100.0.0.2: ESP(spi=0xf32b18fa,seq=0x1cf) (frag 463:1480@0+)
1.645218 100.0.3.2 -> 100.0.0.2: ip-proto-50 (frag 463:192@1480)
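To tie the two captures above to the numbers, the following Python script is an added worked example (not part of the original notes or of any Fortinet tooling). It computes the ESP-encapsulated size of the 1628-byte inner packet (1600 bytes of ICMP data plus the 8-byte ICMP header and 20-byte IPv4 header, which is also what org=1074480 bytes / 660 packets in the ICMP session gives), splits it into IPv4 fragments, and parses lines in the diagnose sniffer packet summary format to count, per direction, which datagrams arrive whole and which arrive as fragments. Assumptions: AES-CBC with a 16-byte IV and block, a 16-byte truncated HMAC-SHA256 ICV (the aes128-sha256 proposal), an outer MTU of 1500 (consistent with the 1480-byte first fragment in the capture), and sample capture lines copied from the R1-FG1101E port16 capture.

```python
import re
from collections import defaultdict

IPV4_HDR = 20   # IPv4 header without options
ESP_HDR = 8     # SPI (4 bytes) + sequence number (4 bytes)


def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=16):
    """Outer IPv4 length after ESP tunnel-mode encapsulation.

    The encrypted part is inner packet + padding + pad-length byte +
    next-header byte, padded to the cipher block size; the ICV follows.
    Defaults (assumed) match the aes128-sha256 proposal: AES-CBC with a
    16-byte IV/block and a 16-byte truncated HMAC-SHA256 ICV.
    """
    plain = inner_len + 2                 # + pad-length + next-header
    pad = (-plain) % block
    return IPV4_HDR + ESP_HDR + iv_len + plain + pad + icv_len


def fragment(total_len, mtu=1500, hdr=IPV4_HDR):
    """IPv4 fragments of a total_len-byte datagram on a link with this MTU.

    Returns (offset, payload_len, more_fragments) tuples. Every fragment
    except the last carries a multiple of 8 bytes because the IPv4
    fragment-offset field counts 8-byte units.
    """
    payload = total_len - hdr
    per_frag = (mtu - hdr) // 8 * 8
    frags, off = [], 0
    while off < payload:
        n = min(per_frag, payload - off)
        frags.append((off, n, off + n < payload))
        off += n
    return frags


# 'diagnose sniffer packet' summary line and its fragment annotation, e.g.
# "0.976824 100.0.3.2 -> 100.0.0.2: ip-proto-50 (frag 2254:192@1480)"
LINE_RE = re.compile(r"^\s*(?P<ts>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+): (?P<body>.*)$")
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


def fragment_summary(lines):
    """Per direction: number of unfragmented datagrams, number of datagrams
    seen as fragments (each IP-ID counted once) and, for the latter, the
    reassembled payload length (sum of the fragment lengths)."""
    whole = defaultdict(int)
    frag_len = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        direction = f"{m['src']}->{m['dst']}"
        f = FRAG_RE.search(m["body"])
        if f is None:
            whole[direction] += 1        # a complete ESP packet
        else:
            frag_len[direction][int(f["id"])] += int(f["len"])
    directions = sorted(set(whole) | set(frag_len))
    return {
        d: {"whole": whole[d], "fragmented": len(frag_len[d]),
            "reassembled": dict(frag_len[d])}
        for d in directions
    }


# Sample input: lines copied from the R1-FG1101E port16 capture above.
SAMPLE_CAPTURE = """\
0.976318 100.0.0.2 -> 100.0.3.2: ESP(spi=0x294062e4,seq=0x8cf)
0.976824 100.0.3.2 -> 100.0.0.2: ip-proto-50 (frag 2254:192@1480)
0.976825 100.0.3.2 -> 100.0.0.2: ESP(spi=0xf32b18fa,seq=0x8ce) (frag 2254:1480@0+)
1.977355 100.0.0.2 -> 100.0.3.2: ESP(spi=0x294062e4,seq=0x8d0)
1.977863 100.0.3.2 -> 100.0.0.2: ip-proto-50 (frag 2255:192@1480)
1.977864 100.0.3.2 -> 100.0.0.2: ESP(spi=0xf32b18fa,seq=0x8cf) (frag 2255:1480@0+)
""".splitlines()

if __name__ == "__main__":
    inner = 1600 + 8 + IPV4_HDR          # ICMP data + ICMP header + IPv4 header
    outer = esp_packet_size(inner)
    print(f"inner {inner} bytes -> ESP packet {outer} bytes")
    print("fragments at MTU 1500:", fragment(outer))
    for direction, stats in fragment_summary(SAMPLE_CAPTURE).items():
        print(direction, stats)
```

The 1692-byte ESP packet splits into a 1480-byte first fragment (the only one that still carries the ESP header and SPI, hence the sniffer prints it as ESP) and a 192-byte tail that the sniffer can only label ip-proto-50, exactly the "1480@0+" and "192@1480" pairs in both captures. Only the first fragment can be matched to an SA by SPI, which is why a datagram that arrives as fragments has to be reassembled in software before the NPU could handle it.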