动态 VPN 隧道 SLA Link Monitor

Link Monitor 可以对动态 VPN 接口执行 SLA 检测，适用于隧道建立后由 FortiGate 为客户端分配地址的场景，包括 SSL VPN 隧道、IPsec 远程访问和动态 IPsec 站点到站点隧道。

该功能目前仅支持 IPv4 和 ICMP 探测协议。用于动态 IPsec 隧道时，IPsec Phase 1 中必须关闭 net-device。

config system link-monitor
    edit <name>
        set server-type {static | dynamic}
    next
end

查看拨号隧道的 Link Monitor 统计信息：

diagnose sys link-monitor tunnel {name | all} [<tunnel_name>]

配置示例

以下示例中，终端用户使用 FortiClient 拨号建立 IPsec 隧道，并从 FortiGate 获取地址。FortiGate 在动态 VPN 接口上启用 Link Monitor，用于检测到各个客户端隧道的路径质量。

1. 配置 IPsec Phase 1，注意关闭 net-device。

   config vpn ipsec phase1-interface
       edit "for_Branch"
           set type dynamic
           set interface "port15"
           set mode aggressive
           set peertype any
           set net-device disable
           set mode-cfg enable
           set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
           set dpd on-idle
           set dhgrp 5
           set xauthtype auto
           set authusrgrp "vpngroup"
           set assign-ip-from name
           set ipv4-netmask 255.255.255.0
           set dns-mode auto
           set ipv4-split-include "10.20.205.0"
           set ipv4-name "client_range"
           set save-password enable
           set psksecret **********
           set dpd-retryinterval 60
       next
   end

2. 配置 IPsec Phase 2。

   config vpn ipsec phase2-interface
       edit "for_Branch_p2"
           set phase1name "for_Branch"
           set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
           set dhgrp 5
       next
   end

3. 配置动态隧道接口。

   config system interface
       edit "for_Branch"
           set vdom "root"
           set ip 10.10.10.254 255.255.255.255
           set type tunnel
           set remote-ip 10.10.10.253 255.255.255.0
           set snmp-index 100
           set interface "port15"
       next
   end

4. 将动态 IPsec 拨号隧道加入 Link Monitor。

   config system link-monitor
       edit "1"
           set srcintf "for_Branch"
           set server-type dynamic
       next
   end

5. FortiClient 用户连接后，查看 IPsec 隧道摘要。

   # get vpn ipsec tunnel summary
   'for_Branch_0' 198.51.100.23:0  selectors(total,up): 1/1
     rx(pkt,err): 21091/0  tx(pkt,err): 20741/0
   'for_Branch_1' 198.51.100.13:0  selectors(total,up): 1/1
     rx(pkt,err): 19991/0  tx(pkt,err): 20381/0

6. 查看动态隧道的 Link Monitor 状态。

   # diagnose sys link-monitor tunnel all
   for_Branch_0 (1): state=alive, peer=10.10.10.1, create_time=2022-02-08 10:43:11, srcintf=for_Branch, latency=0.162, jitter=0.018, pktloss=0.000%
   for_Branch_1 (1): state=alive, peer=10.10.10.2, create_time=2022-02-08 10:49:24, srcintf=for_Branch, latency=0.266, jitter=0.015, pktloss=0.000%

7. 在 FortiGate 和 FortiClient 之间的路径上人为增加 200 ms 延迟后，再次查看状态。

   # diagnose sys link-monitor tunnel all
   for_Branch_0 (1): state=alive, peer=10.10.10.1, create_time=2022-02-08 10:43:11, srcintf=for_Branch, latency=200.177, jitter=0.021, pktloss=0.000%
   for_Branch_1 (1): state=alive, peer=10.10.10.2, create_time=2022-02-08 10:49:24, srcintf=for_Branch, latency=200.257, jitter=0.017, pktloss=0.000%