
Site-to-site туннель между Fortigate и Mikrotik

Ввиду специфики своей работы мы часто сталкиваемся с задачей организовать туннель между Fortigate и Mikrotik. В этой статье мы хотим привести пример рабочей конфигурации (GRE поверх IPsec), которую используем сами.

В подавляющем большинстве случаев мы используем "облачный" Mikrotik CHR. Что это - можно почитать здесь.

Итак, вводные данные:

Площадка 1:

  • "Облачный" Mikrotik CHR
  • 1 WAN интерфейс (104.156.227.72)
  • 1 LAN интерфейс (10.100.10.2)

Площадка 2:

  • Любой Fortigate (в нашем примере - это 140D-POE)
  • 2 WAN интерфейса (111.111.111.111 и 222.222.222.222)

 


Конфигурация Mikrotik CHR

 

# GRE tunnels towards the two Fortigate WAN addresses. GRE keepalive is disabled;
# peer liveness relies on the IPsec DPD configured in the profile instead.
/interface gre
add name=to-GRE-1 local-address=104.156.227.72 remote-address=111.111.111.111 !keepalive
add name=to-GRE-2 local-address=104.156.227.72 remote-address=222.222.222.222 !keepalive

# Interface lists referenced by the firewall rules. WAN and LAN are the interface
# names on this CHR - rename them here if yours differ.
/interface list
add name=INTERNET
add name=LOCAL
add name=GRE
/interface list member
add list=INTERNET interface=WAN
add list=LOCAL interface=LAN
add list=GRE interface=to-GRE-1
add list=GRE interface=to-GRE-2

# One point-to-point /30 per GRE tunnel (this end takes .2, the Fortigate end must take
# .1 of the same /30) plus the LAN address. RouterOS derives network= from the prefix.
/ip address
add interface=to-GRE-1 address=10.100.11.2/30
add interface=to-GRE-2 address=10.100.12.2/30
add interface=LAN address=10.100.10.2/30

# Upstream resolvers for the router itself. allow-remote-requests is left at its default
# (off), so the CHR does not become an open resolver on its public address.
/ip dns set servers=1.1.1.1,8.8.8.8

# Policy group referenced by the identities below. The policies in this setup are
# explicit (not templates), so the group only ties identities together.
/ip ipsec policy group add name=hub

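# Phase 1 (IKE) parameters. Upgraded from modp1024 with the default sha1 hash: 1024-bit
# DH (group 2) is below current minimums and was the weakest link of the whole tunnel.
# Both ends must agree, so the Fortigate phase1-interface has to use
# `set proposal aes256-sha256` and `set dhgrp 14`.
# nat-traversal=no: both ends sit on public addresses, no NAT in between.
# DPD every 20s, 3 misses -> the SA is torn down after roughly a minute.
/ip ipsec profile
add name=profile_1 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 dpd-interval=20s dpd-maximum-failures=3 nat-traversal=no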

# One peer object per Fortigate WAN address, both using profile_1. The /32 pins each
# peer so only those two addresses can negotiate IKE with this profile.
/ip ipsec peer
add name=peer1 profile=profile_1 local-address=104.156.227.72 address=111.111.111.111/32
add name=peer2 profile=profile_1 local-address=104.156.227.72 address=222.222.222.222/32

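# Phase 2 (ESP) parameters. Upgraded from aes-128-cbc / md5 without PFS: HMAC-MD5 is
# deprecated, and without PFS one compromised IKE key exposes every past ESP session.
# Must match the Fortigate phase2-interface: `set proposal aes256-sha256`,
# `set pfs enable`, `set dhgrp 14`. The 12h lifetime corresponds to the FortiOS
# phase2 default keylife (43200 s) - verify on your firmware.
# The built-in default proposal is disabled so nothing weaker is offered.
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-256-cbc
add name=hub auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=12h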

# Pre-shared key authentication. The PSK is the only thing authenticating the peer
# (the Fortigate side uses peertype any), so replace YOUR_PASSWORD with a long random
# secret and use the same value in the Fortigate psksecret.
/ip ipsec identity
add peer=peer1 secret="YOUR_PASSWORD" policy-template-group=hub
add peer=peer2 secret="YOUR_PASSWORD" policy-template-group=hub

# What gets encrypted: only protocol 47 (GRE) between the CHR WAN address and each
# Fortigate WAN address. Everything inside the GRE tunnels is therefore protected,
# everything else leaves the CHR in clear. The built-in policy template (entry 0) is
# disabled so no catch-all template remains.
/ip ipsec policy
set 0 disabled=yes
add peer=peer1 proposal=hub tunnel=yes protocol=gre src-address=104.156.227.72/32 dst-address=111.111.111.111/32 sa-src-address=104.156.227.72 sa-dst-address=111.111.111.111
add peer=peer2 proposal=hub tunnel=yes protocol=gre src-address=104.156.227.72/32 dst-address=222.222.222.222/32 sa-src-address=104.156.227.72 sa-dst-address=222.222.222.222

Также добавим немного безопасности нашему Mikrotik. Прежде чем применять правила, убедитесь, что адрес, с которого вы администрируете роутер, входит в список ADMIN, и работайте в Safe Mode — иначе можно потерять доступ к CHR.

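/ip firewall address-list
# RFC1918 space: never legitimate on the internet side (anti-spoofing) and, in this
# design, the only source ranges allowed to manage the router (ADMIN).
add address=10.0.0.0/8 list=private-networks
add address=172.16.0.0/12 list=private-networks
add address=192.168.0.0/16 list=private-networks
add address=upgrade.mikrotik.com list=MikrotikUpdate
# ADMIN holds only private ranges: management works from the LAN and through the GRE
# tunnels but NOT over the public WAN address once the final input drop is active.
# Add the address you manage the CHR from BEFORE applying, and apply in Safe Mode.
add address=10.0.0.0/8 list=ADMIN
add address=172.16.0.0/12 list=ADMIN
add address=192.168.0.0/16 list=ADMIN
# The two Fortigate WAN addresses (same as /ip ipsec peer): the only sources allowed
# to talk IKE/ESP/GRE to the router.
add address=111.111.111.111 list=vpn-peers
add address=222.222.222.222 list=vpn-peers

/ip firewall filter
# ===== input: traffic addressed to the router itself. The chain is default-deny:
# the last input rule drops whatever was not explicitly accepted above it. (The
# original listing had no final drop, so every service not blacklisted stayed
# reachable from the internet; it also contained duplicated NTP/update rules and an
# unreachable "accept icmp" rule, all removed here.)
add action=accept chain=input comment="established/related (also covers NTP and upgrade.mikrotik.com replies)" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop any broadcast" dst-address=255.255.255.255
add action=drop chain=input comment="anti-spoofing: private sources never arrive from the internet" in-interface-list=INTERNET src-address-list=private-networks
# Blacklists come before any accept, so a listed source stays blocked regardless of port.
add action=drop chain=input comment="drop port scanners" src-address-list="port scanners"
add action=drop chain=input comment="drop ssh/telnet/ftp brute forcers" dst-port=21-23 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop dns/sip probers" dst-port=53,5060-5062 protocol=udp src-address-list=ssh_blacklist
# VPN control and data plane, only from the two known peers. GRE is accepted only when
# it was decapsulated from IPsec (ipsec-policy=in,ipsec), so clear-text GRE from a
# spoofed peer address is dropped. udp/4500 is not opened: the profile has nat-traversal=no.
add action=accept chain=input comment="IKE from VPN peers" dst-port=500 in-interface-list=INTERNET protocol=udp src-address-list=vpn-peers
add action=accept chain=input comment="ESP from VPN peers" protocol=ipsec-esp src-address-list=vpn-peers
add action=accept chain=input comment="AH from VPN peers" protocol=ipsec-ah src-address-list=vpn-peers
add action=accept chain=input comment="GRE from VPN peers, IPsec-protected only" ipsec-policy=in,ipsec protocol=gre src-address-list=vpn-peers
add action=accept chain=input comment="allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="drop excess pings" protocol=icmp
add action=accept chain=input comment="management (ssh/winbox) from ADMIN sources only" src-address-list=ADMIN
# Brute-force staging. add-to-list actions do not terminate rule processing, so the
# packet still reaches the final drop; a 4th new ssh/telnet connection within a minute
# from one internet source blacklists it for 10 days. Restricted to
# in-interface-list=INTERNET so a LAN or tunnel host cannot blacklist itself.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22-23 in-interface-list=INTERNET protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 in-interface-list=INTERNET protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 in-interface-list=INTERNET protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=21-23 in-interface-list=INTERNET protocol=tcp
# The router is no public DNS/SIP server: whoever probes those ports from the internet is blacklisted.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=53,5060-5062 in-interface-list=INTERNET protocol=udp
# Port-scan detection (psd and malformed TCP flag combinations), internet side only.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="port scanners to list" in-interface-list=INTERNET protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" in-interface-list=INTERNET protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" in-interface-list=INTERNET protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" in-interface-list=INTERNET protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" in-interface-list=INTERNET protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" in-interface-list=INTERNET protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" in-interface-list=INTERNET protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="default deny: everything not accepted above"

# ===== forward: transit traffic. This chain is NOT default-deny: traffic between the
# LAN and the GRE tunnels matches no rule below and passes on the implicit accept.
add action=accept chain=forward comment="established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="anti-spoofing: private sources from the internet" in-interface-list=INTERNET src-address-list=private-networks
# Inbound from the internet into the tunnels only for dst-natted (published) services.
# The original rule accepted any new connection from WAN towards GRE and so bypassed
# the !dstnat drop below. Remove the connection-nat-state match only if you route a
# public subnet through the tunnels.
add action=accept chain=forward comment="published (dst-nat) services behind the tunnels" connection-nat-state=dstnat in-interface-list=INTERNET out-interface-list=GRE
add action=accept chain=forward comment="tunnel sites out to the internet (needs a srcnat/masquerade rule, not shown here)" in-interface-list=GRE out-interface-list=INTERNET
add action=drop chain=forward comment="drop new non-dstnat connections from the internet" connection-nat-state=!dstnat connection-state=new in-interface-list=INTERNET
add action=drop chain=forward comment="no private destinations towards the internet" dst-address-list=private-networks log=yes out-interface-list=INTERNET
add action=drop chain=output comment="router itself: no private destinations towards the internet" dst-address-list=private-networks log=yes out-interface-list=INTERNET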

# Turn off the SIP connection-tracking helper (SIP ALG); it rewrites SIP payloads and
# is a frequent source of broken VoIP behind NAT.
/ip firewall service-port disable sip

# Plain-text and API management services are switched off. ssh and winbox are not
# touched and stay at their defaults; nothing here restricts them by source address
# (the `address=` parameter of each service would add that), so the input firewall's
# ADMIN list is what limits who can reach them.
/ip service disable telnet,ftp,www,api,api-ssl

# strong-crypto=yes disables the weak ciphers/MACs/KEX offered by default.
# NOTE(review): host-key-size applies to the next generated host key - the existing key
# is kept until you run `/ip ssh regenerate-host-key` (verify on your RouterOS version).
/ip ssh set strong-crypto=yes host-key-size=4096

 


Конфигурация Fortigate

config system settings
    # Needed because the IPsec tunnel interfaces below reuse the WAN addresses as
    # their own /32 (see config system interface).
    set allow-subnet-overlap enable
end

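config vpn ipsec phase1-interface
    # One IKEv1 phase1 per WAN port, both towards the CHR WAN address.
    # Crypto upgraded from aes256-sha1 with DH group 2: 1024-bit DH is below current
    # minimums. The CHR profile must carry the same values (enc-algorithm=aes-256
    # hash-algorithm=sha256 dh-group=modp2048); a mismatch leaves the SA un-negotiated.
    # peertype any + static remote-gw: the PSK is the only authentication, so keep
    # psksecret long and random. nattraversal disable: both ends are on public addresses.
    edit "IPSEC-from-WAN2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal disable
        set remote-gw 104.156.227.72
        set psksecret YOUR_PASSWORD
    next
    edit "IPSEC-from-WAN1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal disable
        set remote-gw 104.156.227.72
        set psksecret YOUR_PASSWORD
    next
end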
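config vpn ipsec phase2-interface
    # Phase 2 covers only protocol 47 (GRE) between this WAN address and the CHR,
    # i.e. the GRE tunnel is what gets encrypted - the same selectors as the CHR
    # /ip ipsec policy (src/dst swapped).
    # Crypto upgraded from aes128-md5 without PFS: HMAC-MD5 is deprecated, and without
    # PFS one compromised IKE key exposes every past ESP session. The CHR proposal "hub"
    # must match: auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048.
    # keylifeseconds is left at the FortiOS default, which corresponds to the 12h
    # lifetime on the CHR side - verify on your firmware.
    edit "IPSEC-from-WAN2"
        set phase1name "IPSEC-from-WAN2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set protocol 47
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 222.222.222.222
        set dst-start-ip 104.156.227.72
    next
    edit "IPSEC-from-WAN1"
        set phase1name "IPSEC-from-WAN1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set protocol 47
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 111.111.111.111
        set dst-start-ip 104.156.227.72
    next
end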

config system gre-tunnel
    # GRE endpoints: the local WAN address and the CHR WAN address. Each tunnel is bound
    # to its IPsec interface, so the GRE packets are sent through that IPsec tunnel and
    # match the protocol-47 phase2 selectors.
    edit "GRE-from-WAN1"
        set interface "IPSEC-from-WAN1"
        set local-gw 111.111.111.111
        set remote-gw 104.156.227.72
    next
    edit "GRE-from-WAN2"
        set interface "IPSEC-from-WAN2"
        set local-gw 222.222.222.222
        set remote-gw 104.156.227.72
    next
end

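config system interface
    # IPsec tunnel interfaces: each borrows its WAN address as a /32 (hence
    # allow-subnet-overlap) with the CHR WAN address as remote-ip, mirroring the
    # phase2 selectors.
    edit "IPSEC-from-WAN2"
        set vdom "root"
        set ip 222.222.222.222 255.255.255.255
        set type tunnel
        set remote-ip 104.156.227.72 255.255.255.255
        set interface "wan2"
    next
    edit "IPSEC-from-WAN1"
        set vdom "root"
        set ip 111.111.111.111 255.255.255.255
        set type tunnel
        set remote-ip 104.156.227.72 255.255.255.255
        set interface "wan1"
    next
    # GRE interfaces: one point-to-point /30 per tunnel. Addressed from 10.100.11.0/30
    # and 10.100.12.0/30, the networks the CHR uses on to-GRE-1/to-GRE-2 (10.100.11.2
    # and 10.100.12.2); the original listing used 10.200.x here, which does not share a
    # subnet with the CHR end, so nothing would have routed across the tunnels.
    # allowaccess ping lets the CHR verify the link from its side.
    edit "GRE-from-WAN1"
        set vdom "root"
        set ip 10.100.11.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.100.11.2 255.255.255.252
        set interface "GRE-from-WAN1"
    next
    edit "GRE-from-WAN2"
        set vdom "root"
        set ip 10.100.12.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.100.12.2 255.255.255.252
        set interface "GRE-from-WAN2"
    next
end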

Для Fortigate ещё обязательно необходимо добавить соответствующие политики (firewall policy) — как минимум между LAN и GRE-интерфейсами в обе стороны, с нужными вам сервисами. Без этого туннель не поднимется.

