CheckPoint-ASA动态IP地址证书认证方式建立IPSECVPN测试
报告
软件系统测试报告下载sgs报告如何下载关于路面塌陷情况报告535n,sgs报告怎么下载竣工报告下载
2013年3月25日一、测试环境介绍1.测试设备CiscoASA5505:IOS8.25CheckPointUTM-A3070微软CA服务器、测试笔记本、Cisco3750交换机2.测试拓扑二、证书申请1.查看ASA、Checkpoint、CA服务器时间是否同步:2.生成证书签名请求(1)申请证书,Configuration>DeviceManagement>CertificateManagement>IdentityCertificates,点击Add:(2)点击“NEW”,生成密钥对:输入密钥对的名字,Size选择2048,点击GenerateNow生成密钥对:(3)定义CSR的属性值,点击Select:Attribute选择属性,Value添加对应的信息,点击“Add”进行添加,添加完成点击“OK”:其中OU和CN必须添加(4)点击“Advanced”设置FQDN,FQDN必须和CN值相同:修改完后,点击“OK”(5)点击“AddCertificate”添加证书:点击“Broese”选择密钥对保存的位置及文件:点击OK,生成文件CSR文件CSR1.TXT:-----BEGINCERTIFICATEREQUEST-----MIIBsTCCARoCAQAwPDESMBAGA1UECxMJa2VycnkuZWFzMQ4wDAYDVQQDEwVjaXNjbzEWMBQGCSqGSIb3DQEJAhYHYXNhNTUwNTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtZ4iqv91oE6Zx4aAUSAwdb1T81le+f57jrcLLxMT/ZXkIorG6mPf9OlH+lFdwGcjMC1/AlzLiD34Iwp1I1I+Bs4nFGXHyg946A7DQW8LzMNAuItao3x04WPRKTV/3Zd1UhRkaTnsxerPpZN/nwQ2lYrAoqq1edqkvFU3irDlNYECAwEAAaA1MDMGCSqGSIb3DQEJDjEmMCQwDgYDVR0PAQH/BAQDAgWgMBIGA1UdEQQLMAmCB2FzYTU1MDUwDQYJKoZIhvcNAQEFBQADgYEAszCL47S+CmDbaIIl/5kEnycwUUsJU6tS6dGUAC5ZB9Lxp9WCKlEu9LB/HuvsV/WIfu9gKU71ojNOLMjfCSm7zl0zqCO4uUD+k//Y2MzoUlFPzL7kR/wYDbEVbrnaojhreg4Mzqnm9uIcPCLmFgfN11tiYBr02Wy8tXnwexaxSxw=-----ENDCERTIFICATEREQUEST-----3.在微软证书服务器申请证书:(1)申请微软服务器根证书(2)根据CSR文件申请ASA身份证书三、证书安装1.安装根证书:Configuration>DeviceManagement>CertificateManagement>CACertificates,点击Add:用记事本打开根证书文件,复制粘贴,进行根证书的安装:2.安装身份证书Configuration>DeviceManagement>CertificateManagement>IdentityCertificates,点击Install:使用记事本打开通过CSR申请的身份证书,点击“Pastethecertificatedatainbase-64format”将文件复制黏贴,点击InstallCertificate进行证书的安装:证书安装完毕后,进行ASAIPSECVPN的配置。四、CiscoASA防火墙配置1.接口:interfaceEthernet0/0noshutswitchportaccessvlan2interfaceEthernet0/1noshutswitchportaccessvlan1interfaceVlan1nameifinsidesecurity-level100ipaddress192.168.1.254255.255.255.0interfaceVlan2nameifoutsidesecurity-level0ipaddress192.168.10.254255.255.255.02.NAT:access-listNONATextendedpermitip192.168.1.0255.255.255.0192.168.100.0255.255.255.0global(outside)1interfacenat(inside)0access-listNONATnat(inside)1192.168.1.0255.255.255.03.路由:routeoutside0.0.0.00.0.0.0192.168.10.114.IPSECVPN第一阶段:cryptoisakmppolicy1authenticationrsasigencryption3deshashshagroup2lifetime28800cryptoisakmpenableoutsidetunnel-groupcheckpoint.comtypeipsec-l2ltunnel-groupcheckpoint.comipsec-attributespeer-id-validatecerttrust-pointASDM_TrustPoint05.IPSECVPN第二阶段:cryptoipsectransform-setESP-Tesp-3desesp-md5-hmaccryptoipsecsecurity-associationlifetimeseconds3600cryptoipsecsecurity-associationlifetimekilobytes4608000cryptodynamic-mapDYNMAP10settransform-setESP-TcryptomapVPN-MAP10ipsec-isakmpdynamicDYNMAPcryptomapVPN-MAPinterfaceoutside五、注意事项1.生成证书签名申请时,添加属性OU,ASA和checkpoint最好能够一致,若不一致需要在ASA添加:tunnel-groupOU-NAME2.CryptoMAP的序号和dynamic-map的序号需要一致,如:cryptodynamic-mapDYNMAP10settransform-setESP-TcryptomapVPN-MAP10ipsec-isakmpdynamicDYNMAP
浙公网安备 33021202002483