Checkpoint firewall and ASA IPsec VPN steps (built hands-on, not copied)
Lab steps: IPsec VPN between Checkpoint and ASA
Lab topology:
Lab steps:
I. Checkpoint-side configuration steps
1. On the firewall object's properties page, tick IPsec VPN, set the local name and the external-interface IP address, and click OK.
(The items in the red box are the required settings.)
Open the firewall properties again. On the Topology page, define the local VPN encryption domain and make sure the topology matches the real network; Localnet-1.0 is the local internal subnet.
2. Add the VPN peer device: define the peer's name and the egress IP address the peer uses to build the VPN.
Make sure the Topology matches the real network: define the peer's topology and its encryption domain; peer-2.0 is the peer's internal subnet whose traffic must go through the VPN tunnel.
3. Build the IPsec VPN tunnel: click Communities, then New, then Meshed.
Set the tunnel name.
Add the local and peer VPN gateway devices.
Define the encryption and authentication methods for both phases of VPN setup; they must be identical to the router side. Phase 1 corresponds to the peer device's IKE phase-1 configuration (crypto isakmp policy 10), and phase 2 corresponds to the peer device's transform-set configuration.
Set the pre-shared key.
Set the VPN's advanced properties. Note: the group (the Diffie-Hellman group) must be the same on both ends.
4. Define the VPN policy and allow traffic in both directions; otherwise only one-way communication is possible.
II. IPsec configuration on the peer ASA firewall
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
! Interesting traffic: local 172.16.2.0/24 to the Checkpoint's encryption domain 172.16.1.0/24
access-list CPVPN extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
! Phase 2: must match the community's IPsec settings
crypto ipsec transform-set deppon esp-3des esp-md5-hmac
crypto map outside_map 10 match address CPVPN
crypto map outside_map 10 set peer 192.168.3.1
crypto map outside_map 10 set transform-set deppon
crypto map outside_map interface outside
crypto isakmp enable outside
! Phase 1: must match the community's IKE settings (same group on both ends)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! The tunnel-group name must be the peer address set in the crypto map (192.168.3.1, as in the full running config in the appendix)
tunnel-group 192.168.3.1 type ipsec-l2l
tunnel-group 192.168.3.1 ipsec-attributes
 pre-shared-key hfq@123456
At this point the configuration is complete.
III. Verifying that the tunnel is established
1. VPN status on the ASA
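As an added example (not part of the original write-up and not a vendor tool), the following Python script parses an ASA configuration of the shape shown above and checks the points the text says must agree: the crypto-map peer has a matching ipsec-l2l tunnel-group with a pre-shared key, the crypto ACL and transform-set exist, and the phase 1 / phase 2 parameters equal what was entered in the Checkpoint community. The Checkpoint values are an assumption (the write-up shows them only in screenshots) and mirror the ASA values; the sample configuration is constructed from the write-up and keeps the tunnel-group/peer address mismatch of its abbreviated listing so that the check fires. It also flags 3DES, MD5 and DH group 2 as legacy algorithm choices, a note that goes beyond the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not from a device): the write-up's abbreviated ASA config, keeping its
# mismatch between the crypto-map peer (192.168.3.1) and the tunnel-group (180.168.12.10).
SAMPLE_ASA_CONFIG = """\
access-list CPVPN extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set deppon esp-3des esp-md5-hmac
crypto map outside_map 10 match address CPVPN
crypto map outside_map 10 set peer 192.168.3.1
crypto map outside_map 10 set transform-set deppon
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 180.168.12.10 type ipsec-l2l
tunnel-group 180.168.12.10 ipsec-attributes
 pre-shared-key PSK_PLACEHOLDER
"""
# Same config with the tunnel-group named after the real peer (constructed).
FIXED_ASA_CONFIG = SAMPLE_ASA_CONFIG.replace("180.168.12.10", "192.168.3.1")
# Assumed Checkpoint community settings; the write-up shows them only in screenshots.
CHECKPOINT_PHASE1 = {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"}
CHECKPOINT_PHASE2 = ["esp-3des", "esp-md5-hmac"]
# Sub-commands that belong to the preceding IKE-policy or tunnel-group block.
SUBCOMMANDS = {"authentication", "encryption", "hash", "group", "lifetime", "pre-shared-key", "ikev1"}
POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}
LEGACY_PHASE1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}


@dataclass
class AsaVpnConfig:
    acls: set = field(default_factory=set)
    transform_sets: dict = field(default_factory=dict)
    crypto_map_acl: str = ""
    crypto_map_peer: str = ""
    crypto_map_transform: str = ""
    isakmp_policy: dict = field(default_factory=dict)
    l2l_tunnel_groups: set = field(default_factory=set)
    tunnel_groups_with_psk: set = field(default_factory=set)


def parse_asa_vpn(config: str) -> AsaVpnConfig:
    """Pull the site-to-site pieces out of ASA CLI text (legacy 'isakmp' or 9.x 'ikev1' syntax)."""
    cfg = AsaVpnConfig()
    ctx = None  # "policy" inside an IKE policy, or the tunnel-group name inside ipsec-attributes
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        tok = line.split()
        if tok[0] not in SUBCOMMANDS:
            ctx = None  # any top-level command closes the current block
        if m := re.match(r"access-list (\S+) extended permit", line):
            cfg.acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)", line):
            cfg.transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg.crypto_map_acl = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg.crypto_map_peer = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set (?:ikev1 )?transform-set (\S+)", line):
            cfg.crypto_map_transform = m.group(1)
        elif re.match(r"crypto (?:isakmp|ikev1) policy \d+$", line):
            ctx = "policy"
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg.l2l_tunnel_groups.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            ctx = m.group(1)
        elif ctx == "policy" and tok[0] in POLICY_KEYS:
            cfg.isakmp_policy[tok[0]] = " ".join(tok[1:])
        elif ctx and "pre-shared-key" in tok:
            cfg.tunnel_groups_with_psk.add(ctx)
    return cfg


def check_site_to_site(cfg: AsaVpnConfig, phase1: dict, phase2: list) -> dict:
    """errors: things that stop the tunnel coming up; warnings: legacy algorithm choices."""
    errors, warnings = [], []
    peer = cfg.crypto_map_peer
    if peer not in cfg.l2l_tunnel_groups:
        errors.append(f"no 'tunnel-group {peer} type ipsec-l2l' (found {sorted(cfg.l2l_tunnel_groups)})")
    if peer not in cfg.tunnel_groups_with_psk:
        errors.append(f"no pre-shared key configured for peer {peer}")
    if cfg.crypto_map_acl not in cfg.acls:
        errors.append(f"crypto ACL '{cfg.crypto_map_acl}' is not defined")
    ts = cfg.transform_sets.get(cfg.crypto_map_transform)
    if ts is None:
        errors.append(f"transform-set '{cfg.crypto_map_transform}' is not defined")
    elif ts != phase2:
        errors.append(f"phase 2 mismatch: ASA {ts} vs Checkpoint {phase2}")
    for key, want in phase1.items():  # phase 1 must match the community's IKE settings
        have = cfg.isakmp_policy.get(key)
        if have != want:
            errors.append(f"phase 1 {key}: ASA '{have}' vs Checkpoint '{want}'")
    for key, weak in LEGACY_PHASE1.items():
        if cfg.isakmp_policy.get(key) in weak:
            warnings.append(f"phase 1 {key} '{cfg.isakmp_policy[key]}' is a legacy choice")
    return {"errors": errors, "warnings": warnings}
```

Run it on `SAMPLE_ASA_CONFIG` and the two errors reported are exactly the reason the abbreviated listing would not bring the tunnel up: there is no `tunnel-group 192.168.3.1 type ipsec-l2l`, so no pre-shared key applies to that peer. `FIXED_ASA_CONFIG` reports no errors, only the three legacy-algorithm warnings.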
ciscoasa# SH cry isa sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.3.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ciscoasa# show cry ips sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.2.1

      access-list CPVPN extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      current_peer: 192.168.3.1

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.2.1/0, remote crypto endpt.: 192.168.3.1/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 36CA5528
      current inbound spi : 6901DACA

    inbound esp sas:
      spi: 0x6901DACA (1761729226)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 31961088, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914998/28704)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000FFFFF
    outbound esp sas:
      spi: 0x36CA5528 (919229736)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 31961088, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914998/28704)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
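The following Python parser is an added example, not code from the original write-up. It reads `show crypto ipsec sa` output of the shape shown above (a constructed, abridged copy is embedded) and performs the checks a practitioner runs after bringing the tunnel up: the expected peer and remote proxy identity, both inbound and outbound SPIs present, packets encapsulated and decapsulated in both directions (a decaps counter stuck at zero is the symptom of the one-way VPN policy mentioned in step 4 of the Checkpoint configuration), and no send/receive errors. Function and parameter names are my own.

```python
import re

# Constructed sample modelled on the write-up's 'show crypto ipsec sa' output (abridged).
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.2.1

      access-list CPVPN extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      current_peer: 192.168.3.1

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.2.1/0, remote crypto endpt.: 192.168.3.1/0
      current outbound spi: 36CA5528
      current inbound spi : 6901DACA

    inbound esp sas:
      spi: 0x6901DACA (1761729226)
         transform: esp-3des esp-md5-hmac no compression
    outbound esp sas:
      spi: 0x36CA5528 (919229736)
         transform: esp-3des esp-md5-hmac no compression
"""
# Constructed variant: traffic leaves but nothing comes back, the symptom of a VPN policy
# that allows only one direction.
ONE_WAY_IPSEC_SA = SAMPLE_IPSEC_SA.replace(
    "#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")


def parse_ipsec_sa(text: str) -> list:
    """One dict per crypto-map entry: peer, proxy identities, counters, current SPIs, transforms."""
    entries, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)", s):
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "counters": {}, "spi": {}, "transforms": set()}
            entries.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+)\)", s):
            cur[m.group(1) + "_ident"] = m.group(2)
        elif m := re.match(r"current_peer: (\S+)", s):
            cur["peer"] = m.group(1)
        elif s.startswith("#"):  # counter lines carry several "#name: value" pairs
            for name, val in re.findall(r"#([\w -]+?): (\d+)", s):
                cur["counters"][name] = int(val)
        elif m := re.match(r"current (outbound|inbound) spi\s*: (\w+)", s):
            cur["spi"][m.group(1)] = m.group(2).upper()
        elif m := re.match(r"transform: (.+?)(?: no compression)?$", s):
            cur["transforms"].add(m.group(1))
    return entries


def tunnel_health(entry: dict, expected_peer: str, expected_remote: str, expected_transform: str) -> list:
    """Problems a practitioner looks for after 'show crypto ipsec sa'; an empty list means healthy."""
    problems = []
    if entry.get("peer") != expected_peer:
        problems.append(f"peer is {entry.get('peer')}, expected {expected_peer}")
    if not entry.get("remote_ident", "").startswith(expected_remote):
        problems.append(f"remote proxy identity {entry.get('remote_ident')} is not the peer's encryption domain")
    if entry["transforms"] != {expected_transform}:
        problems.append(f"transform {sorted(entry['transforms'])} differs from {expected_transform}")
    for direction in ("inbound", "outbound"):
        if direction not in entry["spi"]:
            problems.append(f"no {direction} SPI: phase 2 has not been negotiated")
    c = entry["counters"]
    if c.get("pkts encaps", 0) == 0:
        problems.append("no packets encapsulated: nothing is entering the tunnel")
    if c.get("pkts decaps", 0) == 0:
        problems.append("no packets decapsulated: nothing returns (check the VPN policy allows both directions)")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        problems.append("send/recv errors are non-zero")
    return problems
```

On `SAMPLE_IPSEC_SA` the health check returns an empty list, matching the write-up's result; on `ONE_WAY_IPSEC_SA` it returns the single "no packets decapsulated" finding, which is what a missing return-direction rule in the Checkpoint VPN policy looks like from the ASA side.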
2. VPN status on the Checkpoint.
Verification shows the VPN was established successfully.
Appendix: ASA configuration
ciscoasa# sh run
: Saved
:
ASA Version 9.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list CPVPN extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set deppon esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address CPVPN
crypto map outside_map 10 set peer 192.168.3.1
crypto map outside_map 10 set ikev1 transform-set deppon
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.3.1 type ipsec-l2l
tunnel-group 192.168.3.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https:///its/service/oddce/services/DDCEService
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8783a9d3ee633785db0f6fd9d5b3144b
: end
ciscoasa#