web-archive-net.com » NET » M » MAJORNETWORK.NET

Total: 263

  • Juniper SRX IPsec LAN-to-LAN VPN Part 2 – Majornetwork
    … are changed. A new security zone is created for the VPN:
      set security zones security-zone VPN interfaces st0.1
      set security zones security-zone VPN interfaces st0.2
    The old VPN policies are deleted:
      delete security policies from-zone TRUST to-zone UNTRUST policy TEST-OUT
      delete security policies from-zone TRUST to-zone UNTRUST policy TEST-2-OUT
      delete security policies from-zone UNTRUST to-zone TRUST policy TEST-IN
      delete security policies from-zone UNTRUST to-zone TRUST policy TEST-2-IN
    Access is permitted from TRUST to VPN:
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT match source-address NET-172.21.1.0/24
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT match destination-address NET-10.30.1.0/24
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT match destination-address NET-10.30.2.0/24
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT match application any
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT then permit
    The static routes for the remote site, one route for each tunnel interface:
      set routing-options static route 10.30.1.0/24 next-hop st0.1
      set routing-options static route 10.30.2.0/24 next-hop st0.2
    To be sure what happened to the IPsec configuration, let's show it:
      markku@srx210# show security ipsec
      vpn VPN-TEST {
          bind-interface st0.1;
          df-bit clear;
          ike {
              gateway GATEWAY-TEST;
              proxy-identity {
                  local 172.21.1.0/24;
                  remote 10.30.1.0/24;
                  service any;
              }
              ipsec-policy VPN-POLICY-SHA256-AES256-DH14;
          }
          establish-tunnels immediately;
      }
      vpn VPN-TEST-2 {
          bind-interface st0.2;
          df-bit clear;
          ike {
              gateway GATEWAY-TEST;
              proxy-identity {
                  local 172.21.1.0/24;
                  remote 10.30.2.0/24;
                  service any;
              }
              ipsec-policy VPN-POLICY-SHA256-AES256-DH14;
          }
          establish-tunnels immediately;
      }
    There they are: two VPN tunnels, one for both IPsec SAs. Status of the VPN tunnels:
      markku@srx210> show security ike security-associations
      Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
      6185192 UP     3150639546069bb2  c37a561409da1705  Main  198.51.100.10

      markku@srx210> show security ipsec security-associations
        Total active tunnels: 2
        ID      Algorithm               SPI       Life:sec/kb  Mon  lsys  Port  Gateway
        <131073 ESP:aes-cbc-256/sha256  3b01fb83  3323/ unlim  -    root  500   198.51.100.10
        >131073 ESP:aes-cbc-256/sha256  bbb9810c  3323/ unlim  -    root  500   198.51.100.10
        <131074 ESP:aes-cbc-256/sha256  26f45252  3323/ unlim  -    root  500   198.51.100.10
        >131074 ESP:aes-cbc-256/sha256  6bf73d54  3323/ unlim  -    root  500   198.51.100.10

      markku@srx210> show security ipsec security-associations detail
        ID: 131073 Virtual-system: root, VPN Name: VPN-TEST
        Local Gateway: 203.0.113.2, Remote Gateway: 198.51.100.10
        Local Identity: ipv4_subnet(any:0,[0..7]=172.21.1.0/24)
        Remote Identity: ipv4_subnet(any:0,[0..7]=10.30.1.0/24)
        Version: IKEv1
        DF-bit: clear
        Bind-interface: st0.1
        Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
        Last Tunnel Down Reason: SA config deactivated
        Direction: inbound, SPI: 3b01fb83, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3321 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2697 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
        Direction: outbound, SPI: bbb9810c, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3321 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2697 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64

        ID: 131074 Virtual-system: root, VPN Name: VPN-TEST-2
        Local Gateway: 203.0.113.2, Remote Gateway: 198.51.100.10
        Local Identity: ipv4_subnet(any:0,[0..7]=172.21.1.0/24)
        Remote Identity: ipv4_subnet(any:0,[0..7]=10.30.2.0/24)
        Version: IKEv1
        DF-bit: clear
        Bind-interface: st0.2
        Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
        Last Tunnel Down Reason: SA not initiated
        Direction: inbound, SPI: 26f45252, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3321 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2699 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
        Direction: outbound, SPI: 6bf73d54, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3321 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2699 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64

      markku@srx210> show route
      10.30.1.0/24       *[Static/5] 00:04:46
                          > via st0.1
      10.30.2.0/24       *[Static/5] 00:04:46
                          > via st0.2

      markku@srx210> show interfaces terse
      Interface  Admin  Link  Proto  Local  Remote
      st0.1      up     up    inet
      st0.2      up     up    inet
    As you can see, this method of configuring the VPN tunnel does not scale very conveniently, as you need separate VPN tunnels for each pair of source and destination networks in the LAN-to-LAN connection. For example, two networks in each site requires four VPNs to be configured for full reachability. Managing all those st0.x configurations requires additional work. To overcome this configurational burden related to route-based VPNs, Juniper added traffic selectors in Junos 12.1X46 for the branch SRX devices.
    Route-based VPN with Traffic Selectors
    The traffic selectors can be used instead of proxy-identity statements in the VPN configurations. With traffic selectors you get rid of the additional VPN tunnel interfaces. Let's replace our VPNs with the traffic selector configuration. First, delete the second tunnel interface: delete

    Original URL path: https://majornetwork.net/2015/02/juniper-srx-ipsec-lan-to-lan-vpn-part-2/ (2016-04-25)


  • Juniper SRX IPsec LAN-to-LAN VPN Part 1 – Majornetwork
    … (0 0), Type: dynamic, State: installed; Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits); Anti-replay service: counter-based enabled, Replay window size: 64. And there is traffic going between the sites:
      markku@testcomputer:~$ ping 10.30.1.24
      PING 10.30.1.24 (10.30.1.24) 56(84) bytes of data.
      64 bytes from 10.30.1.24: icmp_req=1 ttl=252 time=9.07 ms
      64 bytes from 10.30.1.24: icmp_req=2 ttl=252 time=9.42 ms
      64 bytes from 10.30.1.24: icmp_req=3 ttl=252 time=8.69 ms
    Note the proxy identities in the IPsec output above: 172.21.1.0/24 (local) and 10.30.1.0/24 (remote). They were set automatically according to the security policies.
    Route-based VPN
    Now let's modify the configuration to route-based VPN. VPN tunnel interface st0.1 is created:
      set interfaces st0 unit 1 description "VPN tunnel"
      set interfaces st0 unit 1 family inet
    The tunnel interface is bound to the VPN:
      set security ipsec vpn VPN-TEST bind-interface st0.1
    The IPsec SA identities are set manually because there is no VPN policy anymore:
      set security ipsec vpn VPN-TEST ike proxy-identity local 172.21.1.0/24
      set security ipsec vpn VPN-TEST ike proxy-identity remote 10.30.1.0/24
      set security ipsec vpn VPN-TEST ike proxy-identity service any
    A new security zone is created for the VPN (you could also use UNTRUST if wanted):
      set security zones security-zone VPN interfaces st0.1
    The old VPN policies are deleted:
      delete security policies from-zone TRUST to-zone UNTRUST policy TEST-OUT
      delete security policies from-zone UNTRUST to-zone TRUST policy TEST-IN
    Access is permitted from TRUST to VPN:
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT match source-address NET-172.21.1.0/24
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT match destination-address NET-10.30.1.0/24
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT match application any
      set security policies from-zone TRUST to-zone VPN policy VPN-OUT then permit
    You can use whatever policies you like inbound and outbound. In this case there is no access inbound from the VPN tunnel. The static route is set up for the remote site:
      set routing-options static route 10.30.1.0/24 next-hop st0.1
    As the name implies, the routing decides which traffic will be encrypted, and the proxy identities will take care of assigning the correct IPsec SA in the VPN. Here are the status outputs:
      markku@srx210> show security ike security-associations
      Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
      6185178 UP     b03b9c7910e44843  d3f7a6485836c37f  Main  198.51.100.10

      markku@srx210> show security ipsec security-associations
        Total active tunnels: 1
        ID  Algorithm  SPI  Life:sec/kb  Mon  lsys  Port

    Original URL path: https://majornetwork.net/2015/02/juniper-srx-ipsec-lan-to-lan-vpn-part-1/ (2016-04-25)

  • Juniper SRX Traffic Processing – Majornetwork
    … Zone lookup, Policy lookup, Reverse Static NAT, Source NAT (if no match for Reverse Static NAT), Services/ALG, Session setup. Fast-path processing: Screens, TCP, NAT, Services/ALG, Per-packet filter, Per-packet shaper.
    Updated February 1, 2015 12:11. Tags: juniper, junos, srx.
    1 Comment. Lijo, July 30, 2015 at 16:46: "Thanks for the explanation, it helped."
    About the author: Markku Leiniö, Senior Network Architect, Senior Technology Consultant and CCIE #26438 (Routing & Switching) in Finland.

    Original URL path: https://majornetwork.net/2015/02/juniper-srx-traffic-processing/ (2016-04-25)

  • Cygwin Vim vimrc Location – Majornetwork
    … the first lines of the output. Example:
      Markku@T540p ~ $ vi -V
      chdir(/etc)
      fchdir() to previous dir
      could not source "/etc/virc"
      chdir(/home/Markku)
      fchdir() to previous dir
      could not source "$HOME/.virc"
      chdir(/home/Markku/.vim)
      fchdir() to previous dir
      sourcing ".vim/vimrc"
      finished sourcing .vim/vimrc
      Press ENTER or type command to continue
    At least in my Cygwin installation, using the default vimrc template enables the arrow keys to work correctly.
    Updated January 18, 2015 14:55. Tags: cli, cygwin.

    Original URL path: https://majornetwork.net/2015/01/cygwin-vim-vimrc-location/ (2016-04-25)

  • Uncategorized – Majornetwork
    … mkdir .vim
      Markku@T540p … Read Post
    Look, New Look. Markku Leiniö, January 14, 2015, Uncategorized, Comments. As you can see, I changed the blog theme. I like this Frontier theme for its clarity; it's easy to see where everything is. Some customizations may still occur. Read Post

    Original URL path: https://majornetwork.net/category/uncategorized/ (2016-04-25)

  • Look, New Look – Majornetwork

    Original URL path: https://majornetwork.net/2015/01/look-new-look/ (2016-04-25)

  • Setting Up a Syslog Server – Majornetwork
    … in /etc/apt/apt.conf.d/50unattended-upgrades if needed. For kernel upgrades you will need to reboot the server anyway at some point. Remove some unnecessary running stuff (somewhat hardening or otherwise cleaning the system):
      apt-get remove rpcbind nfs-common mpt-status
    I tend to replace the Exim mail server with Postfix, just because I don't know Exim at all but know at least something about Postfix. So I install postfix, and it removes Exim automatically in the process. Enter the address of your (or your ISP's) SMTP relay in the Smarthost setting when asked if you want to send email out. I also edit /etc/postfix/main.cf to say inet_interfaces = loopback-only instead of all interfaces, because I don't expect incoming SMTP connections. Again practicing the habit of smallest intrusion surface. Restart postfix to get the change deployed.
    Finally we get to configuring the syslog server itself. rsyslog is already running automatically, but we will edit it a bit to get it listening to syslog traffic. Edit /etc/rsyslog.conf and uncomment these lines (remove the # characters from the beginning of the lines):
      $ModLoad imudp
      $UDPServerRun 514
    In the RULES section add these:
      :HOSTNAME, !isequal, "syslog01" /var/log/remotelogs
      :HOSTNAME, !isequal, "syslog01" ~
    Note that syslog01 above is the name of this server itself, so replace it to match your server hostname. These configuration lines mean: when there is an incoming log message, check the hostname in the message, and if it doesn't match syslog01 (it is basically coming from some other host with the syslog protocol), then log the message to /var/log/remotelogs and stop processing further rules. This way only the remote syslog messages go to this additional log file, and other system logs (the local logs) still go to the normal places as configured in the default rsyslog.conf. Restart rsyslog to get the new config deployed.
    Create a new file /etc/logrotate.d/remotelogs and enter this configuration in it:
      /var/log/remotelogs {
          rotate 185
          daily
          dateext
          missingok
          compress
          postrotate
              invoke-rc.d rsyslog rotate > /dev/null
          endscript
      }
    This configuration instructs logrotate (which runs daily) to take care of our remotelogs log file and keep 185 days' worth of logs. No need to restart logrotate for this change, as the configuration files are read in each daily run. The older log files will be gzipped and the current date will be added to the filenames. That's about it on the server side. To see that rsyslog is listening to the syslog 514/UDP traffic in both IPv4 and IPv6:
      root@syslog01:~# netstat -ln | grep 514
      udp        0      0 0.0.0.0:514             0.0.0.0:*
      udp6       0      0 :::514                  :::*
    Then you can reconfigure your network devices to start sending syslogs to your new syslog server. Check /var/log/remotelogs for any incoming messages, for example with the tail -f /var/log/remotelogs command. If you have syslog implementation hints for other operating systems or distributions, feel free to

    Original URL path: https://majornetwork.net/2014/12/setting-up-a-syslog-server/ (2016-04-25)

  • Juniper SRX Old and New DHCP, with Problems – Majornetwork
    … route was missing right away. The DHCP client still had all the necessary information:
      admin@srx100> show dhcp client binding detail
      Client Interface: fe-0/0/0.0
        Hardware Address:           88:e0:f3:xx:xx:xx
        State:                      BOUND(LOCAL_CLIENT_STATE_BOUND)
        Lease Expires:              2014-11-30 18:37:40 EET
        Lease Expires in:           14330 seconds
        Lease Start:                2014-11-30 14:37:40 EET
        Server Identifier:          193.229.28.26
        Client IP Address:          88.xx.xx.xx
        Update Server:              Yes
        DHCP options:
          Name: dhcp-lease-time, Value: 4 hours
          Name: server-identifier, Value: 193.229.28.26
          Name: router, Value: 88.yy.yy.yy
          Name: name-server, Value: 212.54.0.3, 193.229.0.42
          Name: subnet-mask, Value: 255.255.240.0
          Name: domain-name, Value: elisa.laajakaista.fi
    I then restarted DHCP:
      admin@srx100> restart dhcp-service gracefully
      Dynamic Host Configuration Protocol process started, pid 1583

      admin@srx100> show log messages
      Nov 30 14:43:51  srx100 init: dhcp-service (PID 1563) exited with status=0 Normal Exit
      Nov 30 14:43:51  srx100 init: dhcp-service (PID 1583) started
      Nov 30 14:43:51  srx100 init: l2cpd-service (PID 1585) started
      Nov 30 14:43:51  srx100 init: can not access /usr/sbin/hostname-cached: No such file or directory
      Nov 30 14:43:51  srx100 init: hostname-caching-process (PID 0) started
      Nov 30 14:43:51  srx100 init: security-intelligence (PID 1587) started
      Nov 30 14:43:51  srx100 init: can not access /usr/sbin/ipmid: No such file or directory
      Nov 30 14:43:51  srx100 init: ipmi (PID 0) started
      Nov 30 14:43:52  srx100 init: security-intelligence (PID 1587) exited with status=0 Normal Exit
      Nov 30 14:43:52  srx100 init: security-intelligence (PID 1589) started
      Nov 30 14:43:53  srx100 init: l2cpd-service (PID 1585) exited with status=0 Normal Exit
      Nov 30 14:43:53  srx100 init: l2cpd-service (PID 1590) started
      Nov 30 14:43:57  srx100 init: security-intelligence (PID 1589) exited with status=0 Normal Exit
      Nov 30 14:43:57  srx100 init: security-intelligence (PID 1593) started
      Nov 30 14:43:59  srx100 init: l2cpd-service (PID 1590) exited with status=0 Normal Exit
      Nov 30 14:43:59  srx100 init: l2cpd-service (PID 1594) started

      admin@srx100> show route 0.0.0.0
      inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
      + = Active Route, - = Last Active, * = Both
      0.0.0.0/0          *[Access-internal/12] 00:00:12
                          > to 88.115.160.1 via fe-0/0/0.0
    However, when committing a configuration change, the default route was not disappearing anymore:
      admin@srx100> show log messages | last 10
      Nov 30 15:10:12  srx100 init: dhcp-service (PID 1643) exited with status=1
      Nov 30 15:10:12  srx100 init: dhcp-service (PID 1671) started

      admin@srx100> show route 0.0.0.0
      inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
      + = Active

    Original URL path: https://majornetwork.net/2014/11/juniper-srx-old-and-new-dhcp-with-problems/ (2016-04-25)
