web-archive-net.com » NET » M » MAJORNETWORK.NET

Total: 263

  • Juniper SRX IPsec LAN-to-LAN VPN Part 1 – Majornetwork
    ...0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
    and there is traffic going between the sites:
        markku@testcomputer$ ping 10.30.1.24
        PING 10.30.1.24 (10.30.1.24) 56(84) bytes of data.
        64 bytes from 10.30.1.24: icmp_req=1 ttl=252 time=9.07 ms
        64 bytes from 10.30.1.24: icmp_req=2 ttl=252 time=9.42 ms
        64 bytes from 10.30.1.24: icmp_req=3 ttl=252 time=8.69 ms
    Note the proxy identities in the IPsec output above: 172.21.1.0/24 local and 10.30.1.0/24 remote. They were set automatically according to the security policies.
    Route-based VPN. Now let's modify the configuration to route-based VPN. VPN tunnel interface st0.1 is created:
        set interfaces st0 unit 1 description "VPN tunnel"
        set interfaces st0 unit 1 family inet
    The tunnel interface is bound to the VPN:
        set security ipsec vpn VPN-TEST bind-interface st0.1
    The IPsec SA identities are set manually because there is no VPN policy anymore:
        set security ipsec vpn VPN-TEST ike proxy-identity local 172.21.1.0/24
        set security ipsec vpn VPN-TEST ike proxy-identity remote 10.30.1.0/24
        set security ipsec vpn VPN-TEST ike proxy-identity service any
    A new security zone is created for the VPN (you could also use UNTRUST if wanted):
        set security zones security-zone VPN interfaces st0.1
    The old VPN policies are deleted:
        delete security policies from-zone TRUST to-zone UNTRUST policy TEST-OUT
        delete security policies from-zone UNTRUST to-zone TRUST policy TEST-IN
    Access is permitted from TRUST to VPN:
        set security policies from-zone TRUST to-zone VPN policy VPN-OUT match source-address NET-172.21.1.0/24
        set security policies from-zone TRUST to-zone VPN policy VPN-OUT match destination-address NET-10.30.1.0/24
        set security policies from-zone TRUST to-zone VPN policy VPN-OUT match application any
        set security policies from-zone TRUST to-zone VPN policy VPN-OUT then permit
    You can use whatever policies you like inbound and outbound. In this case there is no access inbound from the VPN tunnel. The static route is set up for the remote site:
        set routing-options static route 10.30.1.0/24 next-hop st0.1
    As the name implies, the routing decides which traffic will be encrypted, and the proxy identities will take care of assigning the correct IPsec SA in the VPN. Here are the status outputs:
        markku@srx210> show security ike security-associations
        Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
        6185178 UP     b03b9c7910e44843  d3f7a6485836c37f  Main  198.51.100.10

        markku@srx210> show security ipsec security-associations
          Total active tunnels: 1
          ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway

    Original URL path: https://majornetwork.net/2015/02/juniper-srx-ipsec-lan-to-lan-vpn-part-1/?replytocom=3049 (2016-04-25)

  • Juniper SRX Traffic Processing – Majornetwork
    lookup, Policy lookup, Reverse Static NAT, Source NAT (if no match for Reverse Static NAT), Services ALG, Session setup. Fast path processing: Screens, TCP, NAT, Services ALG, Per-packet filter, Per-packet shaper. Updated February 1, 2015 12:11. Tags: juniper, junos, srx. 1 Comment: Lijo, July 30, 2015 at 16:46: Thanks for the explanation, it helped.

    Original URL path: https://majornetwork.net/2015/02/juniper-srx-traffic-processing/?replytocom=2994 (2016-04-25)

  • syslog – Majornetwork
    usual method of collecting the logs. There are lots of different solutions to collect syslogs, ranging from general-purpose servers or virtual machines running some syslog daemon software

    Original URL path: https://majornetwork.net/tag/syslog/ (2016-04-25)

  • Setting Up a Syslog Server – Majornetwork
    /etc/apt/apt.conf.d/50unattended-upgrades if needed. For kernel upgrades you will need to reboot the server anyway at some point.
    Remove some unnecessary running stuff (somewhat hardening or otherwise cleaning the system):
        apt-get remove rpcbind nfs-common mpt-status
    I tend to replace Exim mail server with Postfix just because I don't know Exim at all but know at least something about Postfix. So I install postfix and it removes Exim automatically in the process. Enter the address of your (or your ISP's) SMTP relay in the Smarthost setting when asked if you want to send email out. I also edit /etc/postfix/main.cf to say inet_interfaces = loopback-only instead of all interfaces because I don't expect incoming SMTP connections. Again, practicing the habit of smallest intrusion surface. Restart postfix to get the change deployed.
    Finally we get in configuring the syslog server itself. rsyslog is already running automatically but we will edit it a bit to get it listening to syslog traffic. Edit /etc/rsyslog.conf and uncomment these lines (remove the # characters from the beginning of the lines):
        $ModLoad imudp
        $UDPServerRun 514
    In the RULES section add these:
        :HOSTNAME, !isequal, "syslog01" /var/log/remotelogs
        :HOSTNAME, !isequal, "syslog01" ~
    Note that syslog01 above is the name of this server itself, so replace it to match your server hostname. These configuration lines mean: when there is an incoming log message, check the hostname in the message and if it doesn't match syslog01 (it is basically coming from some other host with syslog protocol), then log the message to /var/log/remotelogs and stop processing further rules. This way only the syslog messages go to this additional log file and other system logs (the local logs) still go to the normal places as configured in the default rsyslog.conf. Restart rsyslog to get the new config deployed.
    Create a new file /etc/logrotate.d/remotelogs and enter this configuration in it:
        /var/log/remotelogs {
            rotate 185
            daily
            dateext
            missingok
            compress
            postrotate
                invoke-rc.d rsyslog rotate > /dev/null
            endscript
        }
    This configuration instructs logrotate (that runs daily) to take care of our remotelogs log file and keep 185 days' worth of logs. No need to restart logrotate for this change as the configuration files are read in each daily run. The older log files will be gzipped and the current date will be added to the filenames. That's about it on the server side. To see that rsyslog is listening to the syslog 514/UDP traffic in both IPv4 and IPv6:
        root@syslog01:~# netstat -ln | grep 514
        udp        0      0 0.0.0.0:514             0.0.0.0:*
        udp6       0      0 :::514                  :::*
    Then you can reconfigure your network devices to start sending syslogs to your new syslog server. Check /var/log/remotelogs for any incoming messages, for example with the tail -f /var/log/remotelogs command. If you have syslog implementation hints for other operating systems or distributions, feel free to comment.

    Original URL path: https://majornetwork.net/2014/12/setting-up-a-syslog-server/?replytocom=2809 (2016-04-25)

  • dhcp – Majornetwork
    returned to the matter some days ago. I realized something in Junos DHCP configurations: people are talking about old and new ways to configure DHCP server and client

    Original URL path: https://majornetwork.net/tag/dhcp/ (2016-04-25)
