2006-07-15
cqliuke
Re: vpn between checkpoint and cisco pix

I have just configured Checkpoint NGX R61 with Pix 506E IOS712

VPN interconnection between a Pix 506E and two Checkpoint NGX boxes (original)

I got a Pix 506E firewall from a friend, found a 128M memory module at the computer market and added it, and upgraded the IOS to IOS712. Because there is not enough Flash space, ASDM cannot be used, but it still feels quite good to work with. I also installed two Checkpoint NGX R61 machines and, after finishing the basic configuration, set up a VPN. The Checkpoint configuration process is hard to write up, so I mainly paste the Pix 506E configuration process.

Below is the configuration process, done by checking the help while operating. If I pasted the finished configuration directly, it would not be convenient for reading and learning!!

The environment is as follows:
PIX 506E:E1:10.10.10.1/24,E0:210.21.xx.19/255.255.252.0
Checkpoint1 eth1:192.168.10.252 eth0:211.155.xx.115/255.255.255.192
Checkpoint2 eth1:192.168.0.10 eth0:211.155.xx.67/255.255.255.192


Start of configuration
pix1(config)# isakmp ?

configure mode commands/options:
am-disable Disable inbound aggressive mode connections
client Set client configuration policy (DEPRECATED - see 'help
isakmp')
disconnect-notify Enable disconnect notification to peers
enable Enable ISAKMP on the specified interface
identity Set identity type (address, hostname or key-id)
ipsec-over-tcp Enable and configure IPSec over TCP
keepalive Set keepalive interval (DEPRECATED - see 'help isakmp')
key Set pre-shared key for remote peer (DEPRECATED - see 'help
isakmp')
nat-traversal Enable and configure nat-traversal
peer Set xauth and config mode exemption for the specified peer
(DEPRECATED - see 'help isakmp')
policy Set ISAKMP policy suite
reload-wait Wait for voluntary termination of existing connections
before reboot

pix1(config)# isakmp enable ?

configure mode commands/options:
Current available interface(s):
inside Name of interface Ethernet1
outside Name of interface Ethernet0

pix1(config)# isakmp enable outside

pix1(config)# isakmp policy ?

configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
pix1(config)# isakmp policy 10 ?

configure mode commands/options:
authentication Set authentication method (pre-share or rsa-sig or dsa-sig)
encryption Set encryption algorithm (des, 3des, aes-128, aes-192, or
aes-256)
group Set Diffie-Hellman group (1,2,5 or 7)
hash Set hash algorithm (md5 or sha)
lifetime Set ISAKMP SA lifetime (seconds)

pix1(config)# isakmp policy 10 authentication ?

configure mode commands/options:
dsa-sig set auth dsa-sig
pre-share set auth pre-share
rsa-sig set auth rsa-sig
pix1(config)# isakmp policy 10 authentication pre-share

pix1(config)# isakmp policy 10 encryption ?

configure mode commands/options:
3des 3des encryption
aes aes-128 encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption

pix1(config)# isakmp policy 10 encryption 3des
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
pix1(config)# isakmp policy 10 encryption aes
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
pix1(config)# isakmp policy 10 encryption des


pix1(config)# isakmp policy 10 group ?

configure mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
7 Diffie-Hellman group 7
pix1(config)# isakmp policy 10 group 2

pix1(config)# isakmp policy 10 hash ?

configure mode commands/options:
md5 set hash md5
sha set hash sha
pix1(config)# isakmp policy 10 hash md5

pix1(config)# isakmp policy 10 lifetime ?

configure mode commands/options:
<120-2147483647> Lifetime in seconds
none Disable rekey and allow an unlimited rekey period
pix1(config)# isakmp policy 10 lifetime 86400


pix1(config)# isakmp key netexpert address 211.155.xx.115 netmask 255.255.255.192

IKE phase 1
isakmp configuration in detail
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 211.155.xx.115 type ipsec-l2l
tunnel-group 211.155.xx.115 ipsec-attributes pre-shared-key *

IKE phase 2
pix1(config)# crypto ?

configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map

pix1(config)# crypto ipsec ?

configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
security-association Set security association lifetime
transform-set Define transform and settings

pix1(config)# crypto ipsec transform-set ?

configure mode commands/options:
WORD < 64 char Transform set tag
pix1(config)# crypto ipsec transform-set myset ?

configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication

pix1(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac

access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

pix1(config)# crypto map mymap 20 ?

configure mode commands/options:
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings

pix1(config)# crypto map mymap 20 match address ?

configure mode commands/options:
WORD Access-list name
pix1(config)# crypto map mymap 20 match address 101


pix1(config)# crypto map mymap 20 set ?

configure mode commands/options:
connection-type Specify connection-type for site-site connection based
on this entry
inheritance Specify inheritance(data or acl rule) to be used while
initiating a connection based on this entry
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
phase1-mode Specify mode(main or aggressive) to be used while
initiating a connection based on this entry
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
transform-set Specify list of transform sets in priority order
trustpoint Specify trustpoint that defines the certificate to be
used while initiating a connection based on this entry

pix1(config)# crypto map mymap 20 set peer 211.155.xx.115


pix1(config)# crypto map mymap 20 set transform-set ?

configure mode commands/options:
WORD Proposal tag
pix1(config)# crypto map mymap 20 set transform-set myset ?

configure mode commands/options:
WORD Proposal tag
<cr>
pix1(config)# crypto map mymap 20 set transform-set myset

pix1(config)# crypto map mymap interface outside
IKE phase 2 configuration in detail

1) Static VPN configuration method

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 211.155.xx.115
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp policy 10 encryption des


Note: both methods require an access-list to be configured
access-list nonat extended permit ip 172.29.131.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat

Results

pix1# show crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 211.155.xx.115
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 211.155.xx.67
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
pix1#

pix1# show crypto ipsec sa
interface: outside
Crypto map tag: mymap, seq num: 100, local addr: 210.21.xx.19

access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 211.155.xx.67

#pkts encaps: 1544, #pkts encrypt: 1544, #pkts digest: 1544
#pkts decaps: 1516, #pkts decrypt: 1516, #pkts verify: 1516
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1544, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 1, #recv errors: 0

local crypto endpt.: 210.21.xx.19, remote crypto endpt.: 211.155.xx.67

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 030C3E24

inbound esp sas:
spi: 0x0BDCF94A (199031114)
transform: esp-des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (3824882/27619)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x030C3E24 (51133988)
transform: esp-des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (3824886/27616)
IV size: 8 bytes
replay detection support: Y

Crypto map tag: mymap, seq num: 10, local addr: 210.21.xx.19

access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 211.155.xx.115

#pkts encaps: 1035, #pkts encrypt: 1035, #pkts digest: 1035
#pkts decaps: 918, #pkts decrypt: 918, #pkts verify: 918
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1035, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 210.21.xx.19, remote crypto endpt.: 211.155.xx.115

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 931CCC41

inbound esp sas:
spi: 0x895BAC62 (2304486498)
transform: esp-des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (3824946/27605)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x931CCC41 (2468138049)
transform: esp-des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (3824939/27605)
IV size: 8 bytes
replay detection support: Y

pix1#
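An added example, not from the post or from Cisco: a small Python audit that parses the isakmp policy and transform-set lines of the PIX configuration above and flags the DES / MD5 / DH group 2 choices the post fell back to because the 3DES/AES activation key was missing. The weak-algorithm lists are my assumption of a modern baseline, and the config text is constructed from the post.

```python
"""Audit a PIX/ASA IKE phase 1 / IPsec phase 2 config for weak algorithms."""
import re

# Constructed sample: the running-config fragment shown in the post.
PIX_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 211.155.xx.115
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
"""

# Assumption: a modern baseline; anything listed here should not protect new tunnels.
WEAK_ENC = {"des", "esp-des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac", "esp-none"}
WEAK_DH = {"1", "2", "5"}


def parse_config(text):
    """Return ({policy_id: {attribute: value}}, {transform_set: [transforms]})."""
    policies, tsets = {}, {}
    for line in text.splitlines():
        m = re.match(r"isakmp policy (\d+) (\w+) (\S+)", line)
        if m:
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            tsets[m.group(1)] = m.group(2).split()
    return policies, tsets


def audit(text):
    """Return a list of findings of the form 'where: problem', in config order."""
    policies, tsets = parse_config(text)
    findings = []
    for pid, attrs in sorted(policies.items()):
        if attrs.get("encryption") in WEAK_ENC:
            findings.append(f"isakmp policy {pid}: weak encryption {attrs['encryption']}")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {pid}: weak hash {attrs['hash']}")
        if attrs.get("group") in WEAK_DH:
            findings.append(f"isakmp policy {pid}: weak DH group {attrs['group']}")
    for name, transforms in sorted(tsets.items()):
        for t in transforms:
            if t in WEAK_ENC or t in WEAK_HASH:
                findings.append(f"transform-set {name}: weak transform {t}")
    return findings
```

Running audit(PIX_CONFIG) reports five findings for the post's tunnel (DES, MD5 and DH group 2 in phase 1; esp-des and esp-md5-hmac in phase 2); with a 3DES/AES-capable unit the same script returns nothing for an AES/SHA transform set.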