Checkpoint防火墙与ASA IPSEC VPN步骤(亲手搭建绝非抄袭)

亲手搭建绝非抄袭，与小伙伴们共勉！Checkpoint与ASA做IPsecvpn实验步骤实验拓扑：实验步骤：一、Checkpoint端配置步骤1、在防火墙属性页面里勾选IPsecVPN,并设置本端名称及外网口IP址，点击确认。（红框部分为必要设置）亲手搭建绝非抄袭，与小伙伴们共勉！再次打开防火墙属性，在Topology页面，定义本端VPN加密域，确保拓扑与实际一致，Localnet-1.0为本端内网网段2、添加VPN对端设备，定义对端名称及对端设备建立VPN使用的出口IP地址亲手搭建绝非抄袭，与小伙伴们共勉！确保Topology与实际一致，定义对端拓扑和加密Domain，peer-2.0为对方需走VPN隧道的内网网段3、建立IpsecVPN隧道,点击Communities—New—Meshed亲手搭建绝非抄袭，与小伙伴们共勉！设定隧道名称亲手搭建绝非抄袭，与小伙伴们共勉！添加本地和对端VPN网关设备亲手搭建绝非抄袭，与小伙伴们共勉！定义VPN建立过程中两个阶段的加密和验证方式，必须与路由器端一致，第一个阶段对应对端设备的IKE第一阶段配置cryptoisakmppolicy10，第二个阶段对应对端设备转换集配置。亲手搭建绝非抄袭，与小伙伴们共勉！设置预共享密钥亲手搭建绝非抄袭，与小伙伴们共勉！设置VPN的高级属性，注：group组两端必须一致4、定义VPN策略，双向允许，否则只能进行单向通信。亲手搭建绝非抄袭，与小伙伴们共勉！二、对端ASA防火墙IPSEC配置interfaceGigabitEthernet0/0nameifoutsidesecurity-level0ipaddress192.168.2.1255.255.255.0!interfaceGigabitEthernet0/1nameifinsidesecurity-level100ipaddress172.16.2.1255.255.255.0access-listCPVPNextendedpermitip172.16.2.0255.255.255.0172.16.1.0255.255.255.0routeoutside0.0.0.00.0.0.0192.168.2.21cryptoipsectransform-setdepponesp-3desesp-md5-hmaccryptomapoutside_map10matchaddressCPVPNcryptomapoutside_map10setpeer192.168.3.1cryptomapoutside_map10settransform-setdepponcryptomapoutside_mapinterfaceoutsidecryptoisakmpenableoutsidecryptoisakmppolicy10authenticationpre-shareencryption3deshashmd5group2lifetime86400tunnel-group180.168.12.10typeipsec-l2ltunnel-group180.168.12.10ipsec-attributespre-shared-keyhfq@123456至此配置完成！亲手搭建绝非抄袭，与小伙伴们共勉！三、验证是否建立成功1、ASA端VPN状态ciscoasa#SHcryisasaIKEv1SAs:ActiveSA:1RekeySA:0(Atunnelwillreport1Activeand1RekeySAduringrekey)TotalIKESA:11IKEPeer:192.168.3.1Type:L2LRole:initiatorRekey:noState:MM_ACTIVETherearenoIKEv2SAsciscoasa#showcryipssainterface:outsideCryptomaptag:outside_map,seqnum:10,localaddr:192.168.2.1access-listCPVPNextendedpermitip172.16.2.0255.255.255.0172.16.1.0255.255.255.0localident(addr/mask/prot/port):(172.16.2.0/255.255.255.0/0/0)remoteident(addr/mask/prot/port):(172.16.1.0/255.255.255.0/0/0)current_peer:192.168.3.1#pktsencaps:19,#pktsencrypt:19,#pktsdigest:19#pktsdecaps:19,#pktsdecrypt:19,#pktsverify:19#pktscompressed:0,#pktsdecompressed:0#pktsnotcompressed:19,#pktscompfailed:0,#pktsdecompfailed:0#pre-fragsuccesses:0,#pre-fragfailures:0,#fragmentscreated:0#PMTUssent:0,#PMTUsrcvd:0,#decapsulatedfrgsneedingreassembly:0#TFCrcvd:0,#TFCsent:0#ValidICMPErrorsrcvd:0,#InvalidICMPErrorsrcvd:0#senderrors:0,#recverrors:0localcryptoendpt.:192.168.2.1/0,remotecryptoendpt.:192.168.3.1/0pathmtu1500,ipsecoverhead58(36),mediamtu1500PMTUtimeremaining(sec):0,DFpolicy:copy-dfICMPerrorvalidation:disabled,TFCpackets:disabledcurrentoutboundspi:36CA5528currentinboundspi:6901DACA亲手搭建绝非抄袭，与小伙伴们共勉！inboundespsas:spi:0x6901DACA(1761729226)transform:esp-3desesp-md5-hmacnocompressioninusesettings={L2L,Tunnel,IKEv1,}slot:0,conn_id:31961088,crypto-map:outside_mapsatiming:remainingkeylifetime(kB/sec):(3914998/28704)IVsize:8bytesreplaydetectionsupport:YAntireplaybitmap:0x000000000x000FFFFFoutboundespsas:spi:0x36CA5528(919229736)transform:esp-3desesp-md5-hmacnocompressioninusesettings={L2L,Tunnel,IKEv1,}slot:0,conn_id:31961088,crypto-map:outside_mapsatiming:remainingkeylifetime(kB/sec):(3914998/28704)IVsize:8bytesreplaydetectionsupport:YAntireplaybitmap:0x000000000x000000012、Checkpoint端VPN状态。经验证VPN建立成功！亲手搭建绝非抄袭，与小伙伴们共勉！附ASA配置ciscoasa#shrun:Saved:ASAVersion9.0(4)!hostnameciscoasaenablepassword8Ry2YjIyt7RRXU24encryptednames!interfaceGigabitEthernet0/0nameifoutsidesecurity-level0ipaddress192.168.2.1255.255.255.0!interfaceGigabitEthernet0/1nameifinsidesecurity-level100ipaddress172.16.2.1255.255.255.0!interfaceGigabitEthernet0/2shutdownnonameifnosecurity-levelnoipaddress!interfaceGigabitEthernet0/3shutdownnonameifnosecurity-levelnoipaddress!interfaceManagement0/0shutdownnonameifnosecurity-levelnoipaddress!ftpmodepassiveaccess-listCPVPNextendedpermitip172.16.2.0255.255.255.0172.16.1.0255.255.255.0access-listoutsideextendedpermitipanyanyaccess-listoutsideextendedpermiticmpanyany亲手搭建绝非抄袭，与小伙伴们共勉！pagerlines24mtuoutside1500mtuinside1500nofailovericmpunreachablerate-limit1burst-size1noasdmhistoryenablearptimeout14400noarppermit-nonconnectedaccess-groupoutsideininterfaceoutsiderouteoutside0.0.0.00.0.0.0192.168.2.21timeoutxlate3:00:00timeoutpat-xlate0:00:30timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02timeoutsunrpc0:10:00h3230:05:00h2251:00:00mgcp0:05:00mgcp-pat0:05:00timeoutsip0:30:00sip_media0:02:00sip-invite0:03:00sip-disconnect0:02:00timeoutsip-provisional-media0:02:00uauth0:05:00absolutetimeouttcp-proxy-reassembly0:01:00timeoutfloating-conn0:00:00dynamic-access-policy-recordDfltAccessPolicyuser-identitydefault-domainLOCALnosnmp-serverlocationnosnmp-servercontactsnmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstartwarmstartcryptoipsecikev1transform-setdepponesp-3desesp-md5-hmaccryptoipsecsecurity-associationpmtu-aginginfinitecryptomapoutside_map10matchaddressCPVPNcryptomapoutside_map10setpeer192.168.3.1cryptomapoutside_map10setikev1transform-setdepponcryptomapoutside_mapinterfaceoutsidecryptocatrustpoolpolicycryptoikev1enableoutsidecryptoikev1policy10authenticationpre-