
R2-FG1101E # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "ToR1"
set interface "port16"
set peertype any
set net-device disable
set proposal aes128-sha256
set remote-gw 100.0.0.2
next
end
R2-FG1101E # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "ToR1"
set phase1name "ToR1"
set proposal aes128-sha256
set replay disable
set auto-negotiate enable
next
end
In the tunnel list on R1-FG1101E, the SA MTU is mtu=1438, because starting with FortiOS 6.4 the tunnel MTU is no longer calculated automatically.
Note: https://mantis.fortinet.com/bug_view_page.php?bug_id=0611391 ECO introduces a new way to obtain the interface MTU. When the interface is created, it calculates an MTU from the underlying interface MTU and the globally worst possible algorithm. Once the IPsec interface MTU is set, it is not changed again unless an MTU override from the CLI occurs.
Collect diag vpn tunnel list on both sides of the IPsec tunnel; the SA MTU is set to 1438 on each.
R1-FG1101E # di vpn tunnel list
name=ToR2_0 ver=1 serial=3 100.0.0.2:0->100.0.3.2:0 dst_mtu=1500
bound_if=39 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/136 options[0088]=npu rgwy-chg run_state=1 accept_traffic=1 overlay_id=0
parent=ToR2 index=0
proxyid_num=1 child_num=0 refcnt=7 ilast=0 olast=0 ad=/0
stat: rxp=2 txp=420 rxb=18092 txb=199762
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToR2 proto=0 sa=1 ref=4 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=2a4 type=00 soft=0 mtu=1438 expire=43073/0B replaywin=0
seqno=1a5 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=f85d762a esp=aes key=16 3d2d5b55225a67c106084ad20a19d0eb
ah=sha256 key=32 fd95ea1b4637072820b3c41d88e27c979790e38ea0d13dcb99262765aa06c084
enc: spi=294062ef esp=aes key=16 583549bfab82d8bf2c63c54ecc72d79d
ah=sha256 key=32 e7a82b484aec1180d3089f9445d4374472834491609cf2c34b1cd96653a7d1d3
dec:pkts/bytes=2/17956, enc:pkts/bytes=420/228528
npu_flag=03 npu_rgwy=100.0.3.2 npu_lgwy=100.0.0.2 npu_selid=2 dec_npuid=2 enc_npuid=2
R2-FG1101E # di vpn tunnel list
name=ToR1 ver=1 serial=1 100.0.3.2:0->100.0.0.2:0 dst_mtu=1500
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0
stat: rxp=4098 txp=2504 rxb=2115056 txb=2076132
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToR1 proto=0 sa=1 ref=3 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=18225 type=00 soft=0 mtu=1438 expire=41647/0B replaywin=0
seqno=9c6 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=294062ef esp=aes key=16 583549bfab82d8bf2c63c54ecc72d79d
ah=sha256 key=32 e7a82b484aec1180d3089f9445d4374472834491609cf2c34b1cd96653a7d1d3
enc: spi=f85d762a esp=aes key=16 3d2d5b55225a67c106084ad20a19d0eb
ah=sha256 key=32 fd95ea1b4637072820b3c41d88e27c979790e38ea0d13dcb99262765aa06c084
dec:pkts/bytes=4098/2114920, enc:pkts/bytes=2504/2246132
npu_flag=03 npu_rgwy=100.0.0.2 npu_lgwy=100.0.3.2 npu_selid=0 dec_npuid=2 enc_npuid=2
run_tally=1
Checking with diag netlink interface list | grep ToR1 -A1 -B1 (ToR2 on R1), the actual interface MTU is also 1438.
R1-FG1101E # di netlink interface list | grep ToR2 -A1 -B1
if=ToR2 family=00 type=768 index=50 mtu=1438 link=0 master=0
ref=20 state=start present fw_flags=0 flags=up p2p run noarp multicast
R2-FG1101E # di netlink interface list | grep ToR1 -A1 -B1
if=ToR1 family=00 type=768 index=53 mtu=1438 link=0 master=0
ref=14 state=start present fw_flags=0 flags=up p2p run noarp multicast
The session entry shows that reply-direction traffic is offloaded to the NPU (note in_npu/out_npu in the excerpt below):
hook=post dir=reply act=noop 10.1.87.222:21834->10.0.86.221:0(0.0.0.0:0)
in_npu=0/2, out_npu=0/2
R1-FG1101E # di sys session list
session info: proto=1 proto_state=00 duration=4474 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=7282620/4474/1 reply=7280416/4472/1 tuples=2
tx speed(Bps/kbps): 1628/13 rx speed(Bps/kbps): 1628/13
orgin->sink: org pre->post, reply pre->post dev=37->50/50->37 gwy=10.1.87.222/10.0.86.221
hook=pre dir=org act=noop 10.0.86.221:21834->10.1.87.222:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.87.222:21834->10.0.86.221:0(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=000026a2 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x3000c00
npu info: flag=0x00/0x81, offload=0/8, ips_offload=0/0, epid=0/209, ipid=0/1005, vlan=0x0000/0x0000
vlifid=0/1005, vtag_in=0x0000/0x0002 in_npu=0/2, out_npu=0/2, fwd_en=0/0, qid=0/2
no_ofld_reason:
ofld_fail_reason(kernel, drv): mac-unresolved/none, none(0)/none(0)
npu_state_err=20/00
total session 1
Capturing on the internal interface port14 shows fragmented ICMP traffic in both directions (for a Windows ping the reply data size matches the request data size; the same holds for Linux).
R1-FG1101E # di sni packet port14
interfaces=[port14]
filters=[none]
0.393407 10.0.86.221 -> 10.1.87.222: icmp: echo request (frag 25531:1480@0+)
0.393409 10.0.86.221 -> 10.1.87.222: ip-proto-1 (frag 25531:128@1480)
0.393923 10.1.87.222 -> 10.0.86.221: icmp: echo reply (frag 11013:1416@0+)
0.393924 10.1.87.222 -> 10.0.86.221: ip-proto-1 (frag 11013:192@1416)
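As an added check that is not part of the original note: this Python script parses the diag sniffer fragment lines captured above and shows that the echo reply's first fragment (1416 bytes) is exactly what a 1438-byte tunnel MTU allows, while the request was fragmented by the host at its own 1500-byte MTU. The sample lines are the ones captured above; the script is my own, not a Fortinet tool.

```python
import re

# Sample input: the port14 sniffer lines from this page, embedded so the script runs offline.
SNIFFER_OUTPUT = """\
0.393407 10.0.86.221 -> 10.1.87.222: icmp: echo request (frag 25531:1480@0+)
0.393409 10.0.86.221 -> 10.1.87.222: ip-proto-1 (frag 25531:128@1480)
0.393923 10.1.87.222 -> 10.0.86.221: icmp: echo reply (frag 11013:1416@0+)
0.393924 10.1.87.222 -> 10.0.86.221: ip-proto-1 (frag 11013:192@1416)
"""

# tcpdump-style fragment notation: (frag <ip_id>:<payload_len>@<offset>[+])
FRAG_RE = re.compile(r"(\S+) -> (\S+): .*\(frag (\d+):(\d+)@(\d+)(\+?)\)")
IPV4_HDR = 20
ETHERNET_MTU = 1500

def max_first_fragment(mtu):
    """Largest payload a non-last IPv4 fragment can carry for a given link MTU.
    Non-last fragment payloads must be a multiple of 8 bytes."""
    return (mtu - IPV4_HDR) // 8 * 8

def parse_fragments(text):
    """Group fragments by (src, dst, ip_id) -> list of (payload_len, offset, more_frags)."""
    flows = {}
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue
        src, dst, ip_id, length, offset, more = m.groups()
        flows.setdefault((src, dst, int(ip_id)), []).append(
            (int(length), int(offset), more == "+"))
    return flows

def analyze(text, tunnel_mtu):
    """For each fragmented datagram report its reassembled payload size, whether the
    fragments are contiguous, and which MTU the first fragment was cut at."""
    results = {}
    for key, frags in parse_fragments(text).items():
        frags.sort(key=lambda f: f[1])
        contiguous = all(frags[i][1] == frags[i - 1][1] + frags[i - 1][0]
                         for i in range(1, len(frags)))
        first_len = frags[0][0]
        if first_len == max_first_fragment(tunnel_mtu):
            cut_at = "tunnel"      # fragmented by the FortiGate at the IPsec MTU
        elif first_len == max_first_fragment(ETHERNET_MTU):
            cut_at = "ethernet"    # fragmented by the sending host at 1500
        else:
            cut_at = "other"
        results[key] = {"total": sum(f[0] for f in frags),
                        "contiguous": contiguous, "first_len": first_len, "cut_at": cut_at}
    return results
```

Run it with analyze(SNIFFER_OUTPUT, 1438): both datagrams reassemble to 1608 bytes (8-byte ICMP header plus 1600 bytes of data), the request is cut at the Ethernet MTU and the reply at the tunnel MTU.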
Capturing on the external interface port16 shows outbound ESP traffic but no inbound ESP traffic (to capture inbound ESP, the ESP packets can be captured on the intermediate Router after disabling acceleration on it).
R1-FG1101E # di sni packet port16
interfaces=[port16]
filters=[none]
1.407709 100.0.0.2 -> 100.0.3.2: ESP(spi=0x294062ef,seq=0x2323)
1.407713 100.0.0.2 -> 100.0.3.2: ESP(spi=0x294062ef,seq=0x2324)