checkpoint防火墙与asa ipsec vpn步骤(亲手搭建绝非抄袭).docxVIP

Checkpoint与ASA做 IPsec vpn 实验步骤 实验拓扑： 实验步骤： Checkpoint端配置步骤 在防火墙属性页面里勾选IPsec VPN,并设置本端名称及外网口IP址，点击确认。（红框部分为必要设置） 再次打开防火墙属性，在Topology页面，定义本端VPN加密域，确保拓扑与实际一致，Localnet-1.0为本端内网网段 添加VPN对端设备，定义对端名称及对端设备建立VPN使用的出口IP地址 确保Topology与实际一致，定义对端拓扑和加密Domain，peer-2.0为对方需走VPN隧道的内网网段 3、 建立Ipsec VPN隧道,点击Communities—New—Meshed 设定隧道名称 添加本地和对端VPN网关设备 定义VPN建立过程中两个阶段的加密和验证方式，必须与路由器端一致，第一个阶段对应对端设备的IKE第一阶段配置crypto isakmp policy 10，第二个阶段对应对端设备转换集配置。 设置预共享密钥 设置VPN的高级属性，注： group组两端必须一致 定义VPN策略，双向允许，否则只能进行单向通信。 二、对端ASA防火墙IPSEC配置 interface GigabitEthernet0/0 nameif outside security-level 0 ip address ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address access-list CPVPN extended permit ip route outside 1 crypto ipsec transform-set deppon esp-3des esp-md5-hmac crypto map outside_map 10 match address CPVPN crypto map outside_map 10 set peer crypto map outside_map 10 set transform-set deppon crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 tunnel-group 0 type ipsec-l2l tunnel-group 0 ipsec-attributes pre-shared-key hfq@123456 至此配置完成！ 三、验证是否建立成功 1、ASA端VPN状态 ciscoasa# SH cry isa sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: Type : L2L Role : initiator Rekey : no State : MM_ACTIVE There are no IKEv2 SAs ciscoasa# show cry ips sa interface: outside Crypto map tag: outside_map, seq num: 10, local addr: access-list CPVPN extended permit ip local ident (addr/mask/prot/port): (//0/0) remote ident (addr/mask/prot/port): (//0/0) current_peer: #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19 #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp fa