CheckPoint-ASA动态IP地址证书认证方式建立IPSECVPN测试报告

CheckPoint-ASA动态IP地址证书认证方式建立IPSECVPN测试报告2013年3月25日一、测试环境介绍1.测试设备CiscoASA5505：IOS8.25CheckPointUTM-A3070微软CA服务器、测试笔记本、Cisco3750交换机2.测试拓扑二、证书申请1.查看ASA、Checkpoint、CA服务器时间是否同步：2.生成证书签名请求（1）申请证书，ConfigurationDeviceManagementCertificateManagementIdentityCertificates，点击Add：（2）点击“NEW”，生成密钥对：输入密钥对的名字，Size选择2048，点击GenerateNow生成密钥对：（3）定义CSR的属性值，点击Select：Attribute选择属性，Value添加对应的信息，点击“Add”进行添加，添加完成点击“OK”：其中OU和CN必须添加（4）点击“Advanced”设置FQDN，FQDN必须和CN值相同：修改完后，点击“OK”（5）点击“AddCertificate”添加证书：点击“Broese”选择密钥对保存的位置及文件：点击OK，生成文件CSR文件CSR1.TXT：-----BEGINCERTIFICATEREQUEST-----MIIBsTCCARoCAQAwPDESMBAGA1UECxMJa2VycnkuZWFzMQ4wDAYDVQQDEwVjaXNjbzEWMBQGCSqGSIb3DQEJAhYHYXNhNTUwNTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtZ4iqv91oE6Zx4aAUSAwdb1T81le+f57jrcLLxMT/ZXkIorG6mPf9OlH+lFdwGcjMC1/AlzLiD34Iwp1I1I+Bs4nFGXHyg946A7DQW8LzMNAuItao3x04WPRKTV/3Zd1UhRkaTnsxerPpZN/nwQ2lYrAoqq1edqkvFU3irDlNYECAwEAAaA1MDMGCSqGSIb3DQEJDjEmMCQwDgYDVR0PAQH/BAQDAgWgMBIGA1UdEQQLMAmCB2FzYTU1MDUwDQYJKoZIhvcNAQEFBQADgYEAszCL47S+CmDbaIIl/5kEnycwUUsJU6tS6dGUAC5ZB9Lxp9WCKlEu9LB/HuvsV/WIfu9gKU71ojNOLMjfCSm7zl0zqCO4uUD+k//Y2MzoUlFPzL7kR/wYDbEVbrnaojhreg4Mzqnm9uIcPCLmFgfN11tiYBr02Wy8tXnwexaxSxw=-----ENDCERTIFICATEREQUEST-----3.在微软证书服务器申请证书：（1）申请微软服务器根证书（2）根据CSR文件申请ASA身份证书三、证书安装1.安装根证书：ConfigurationDeviceManagementCertificateManagementCACertificates，点击Add：用记事本打开根证书文件，复制粘贴，进行根证书的安装：2.安装身份证书ConfigurationDeviceManagementCertificateManagementIdentityCertificates，点击Install：使用记事本打开通过CSR申请的身份证书，点击“Pastethecertificatedatainbase-64format”将文件复制黏贴，点击InstallCertificate进行证书的安装：证书安装完毕后，进行ASAIPSECVPN的配置。四、CiscoASA防火墙配置1.接口：interfaceEthernet0/0noshutswitchportaccessvlan2interfaceEthernet0/1noshutswitchportaccessvlan1interfaceVlan1nameifinsidesecurity-level100ipaddress192.168.1.254255.255.255.0interfaceVlan2nameifoutsidesecurity-level0ipaddress192.168.10.254255.255.255.02.NAT:access-listNONATextendedpermitip192.168.1.0255.255.255.0192.168.100.0255.255.255.0global(outside)1interfacenat(inside)0access-listNONATnat(inside)1192.168.1.0255.255.255.03.路由：routeoutside0.0.0.00.0.0.0192.168.10.114.IPSECVPN第一阶段:cryptoisakmppolicy1authenticationrsa-sigencryption3deshashshagroup2lifetime28800cryptoisakmpenableoutsidetunnel-groupcheckpoint.comtypeipsec-l2ltunnel-groupcheckpoint.comipsec-attributespeer-id-validatecerttrust-pointASDM_TrustPoint05.IPSECVPN第二阶段:cryptoipsectransform-setESP-Tesp-3desesp-md5-hmaccryptoipsecsecurity-associationlifetimeseconds3600cryptoipsecsecurity-associationlifetimekilobytes4608000cryptodynamic-mapDYNMAP10settransform-setESP-TcryptomapVPN-MAP10ipsec-isakmpdynamicDYNMAPcryptomapVPN-MAPinterfaceoutside五、注意事项1.生成证书签名申请时，添加属性OU，ASA和checkpoint最好能够一致，若不一致需要在ASA添加：tunnel-groupOU-NAME2.CryptoMAP的序号和dynamic-map的序号需要一致，如：cryptodynamic-mapDYNMAP10settransform-setESP-TcryptomapVPN-MAP10ipsec-isakmpdynamicDYNMAP