Saturday, November 22, 2014

Panorama, Templates, and Python Scripting

It has been quite some time since my last post. I have been super busy on different customer engagements as of late and it's cutting into my posts!

I am a fan of the saying, "Centralize what you can, and only distribute what you must." The Panorama appliance from Palo Alto Networks does a great job of accomplishing this when deployed in environments with many geographically distributed locations. I recently utilized this appliance to deploy over 250 firewalls in about 2 weeks for a customer and found that it made my job a lot easier from a configuration perspective, but also made the security administrator's job much easier moving forward.

If you know anything about Panorama, you will know that Device Groups cover Policy and Objects information, while Templates cover Network and Device information (overview). For this particular deployment, there was one Device Group for the majority of the locations due to policies being standardized by the organization. Templates were a different story because IP addressing and other device-specific information will obviously vary from site to site. Palo Alto has a KB article that shows how to clone entire templates, which is what I utilized when originally deploying the firewalls. However, there isn't a very clear way to make changes to specific settings within all templates once the firewalls are deployed... For example, let's say I need to add the same syslog server profile to every firewall. Do I really have to enter the information into each template???

Maybe there is a better way to do this that I don't know about (UPDATE: there are now Template Stacks FYI), but I was able to utilize Python, Jinja2, and a csv file containing the template names for each location. I wanted to share what I did because I believe it will help many other admins out there that run into issues with deployment. Please note that I am in no way an expert at Python. I've merely utilized the automation tools that I've learned from previous endeavors and colleagues and applied them to this specific use case.

Step 1:

Using your favorite Linux flavor, install Python and Jinja2. Create a directory somewhere on the machine for the files you will be creating.

Step 2:

Create a csv file called "device_data.csv" with a column heading (i.e. location). The corresponding values should be equal to the template names in Panorama.
location
California
Texas
New York
Florida
Germany
Hong Kong
Beijing

Step 3:

Create a jinja2 file called "panorama_conf_template.j2" with the configuration parameters and include your variable (i.e. location).
set template {{ location }} config shared log-settings syslog syslog-profile server syslog-1 transport UDP port 514 format BSD server 1.1.1.1 facility LOG_USER

Step 4:

Create your python script called "make_config.py" so that upon execution it will use the information from your jinja and csv files to create your config.

#!/usr/bin/env python3

# Import the necessary modules
import csv
import os
from jinja2 import Template


##################################################
# Begin: User defined variables
##################################################
# Path to configs (current directory if left empty)
conf_path = ""
# File name of your csv file
csv_filename = "device_data.csv"
# File name of your Jinja2 template file
template_filename = "panorama_conf_template.j2"

##################################################
# End: User defined variables
##################################################

# Read the Jinja2 template once; it is the same for every row
with open(template_filename) as t_fh:
    template = Template(t_fh.read())

# Per-location files, kept in CSV order so the combined config matches the csv
conf_files = []

# Read device_data.csv from the current directory
# csv.DictReader reads the first row as a header row and stores the column headings as keys
with open(csv_filename, newline="") as csv_fh:
    device_data = csv.DictReader(csv_fh)

    # Loop through the device_data csv so we can perform actions for each row
    for row in device_data:
        # row maps each column header to the contents of that "cell"
        # (key : value pair), e.g. row["location"] is the value of the
        # location column for the current row.
        data = row

        # Create a filename for the template configuration based on the location in the CSV
        conffilename = os.path.join(conf_path, row["location"] + ".txt")
        conf_files.append(conffilename)

        # Write the conf file with the template and data from the current row.
        # Jinja2 performs the "search and replace" of {{ location }}; it also strips
        # the template's trailing newline, so add one back to keep one command per line.
        with open(conffilename, "w") as fout:
            fout.write(template.render(data) + "\n")

        # Print to STDOUT if you want to see each rendered command
        # print(template.render(data))

# Combine the per-location files into a single config file
with open("config_script.conf", "w") as outfile:
    for f in conf_files:
        with open(f) as infile:
            outfile.write(infile.read())

# Delete the per-location .txt files as they are not needed once they are combined into the config file
for f in conf_files:
    os.remove(f)

print("Good bye!")

Result:

Executing the script will result in the creation of the "config_script.conf" file which contains the following configuration data that can be entered (copy/paste) via SSH in Panorama:

set template California config shared log-settings syslog syslog-profile server syslog-1 transport UDP port 514 format BSD server 1.1.1.1 facility LOG_USER
set template Texas config shared log-settings syslog syslog-profile server syslog-1 transport UDP port 514 format BSD server 1.1.1.1 facility LOG_USER
set template New York config shared log-settings syslog syslog-profile server syslog-1 transport UDP port 514 format BSD server 1.1.1.1 facility LOG_USER
set template Florida config shared log-settings syslog syslog-profile server syslog-1 transport UDP port 514 format BSD server 1.1.1.1 facility LOG_USER
set template Germany config shared log-settings syslog syslog-profile server syslog-1 transport UDP port 514 format BSD server 1.1.1.1 facility LOG_USER
set template Hong Kong config shared log-settings syslog syslog-profile server syslog-1 transport UDP port 514 format BSD server 1.1.1.1 facility LOG_USER
set template Beijing config shared log-settings syslog syslog-profile server syslog-1 transport UDP port 514 format BSD server 1.1.1.1 facility LOG_USER
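
As an added example (not the code from the original post), here is a variant of the same CSV-plus-template workflow that keeps everything in memory and fails loudly when a column is missing or blank, which Jinja2 does not do by default (an undefined variable renders as an empty string, giving "set template  config ...", unless the Template is built with undefined=jinja2.StrictUndefined). So that it runs without Jinja2 installed, it substitutes the {{ name }} tags with a small regex; the csv text, the extra syslog_server column and the 10.9.9.9 address are constructed sample input.

```python
import csv
import io
import re

# Constructed sample input in the same shape as the post's device_data.csv
# and panorama_conf_template.j2, extended with a second column so each
# location can carry its own syslog server.
DEVICE_DATA_CSV = """location,syslog_server
California,1.1.1.1
Texas,1.1.1.1
Germany,10.9.9.9
"""

TEMPLATE_J2 = (
    "set template {{ location }} config shared log-settings syslog "
    "syslog-profile server syslog-1 transport UDP port 514 format BSD "
    "server {{ syslog_server }} facility LOG_USER"
)

# Matches a {{ name }} tag; this is the subset of Jinja2 syntax the post uses.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def placeholders(template):
    """Return the set of variable names referenced by {{ name }} tags."""
    return set(PLACEHOLDER.findall(template))


def render_row(template, row):
    """Substitute the {{ name }} tags from one CSV row.

    A missing or blank cell raises instead of silently producing a
    command with an empty template name.
    """
    def sub(match):
        key = match.group(1)
        value = row.get(key)
        if value is None or not value.strip():
            raise KeyError("row %r has no value for %r" % (dict(row), key))
        return value.strip()
    return PLACEHOLDER.sub(sub, template)


def build_config(csv_text, template):
    """Render the template once per CSV row and return the combined config.

    Everything stays in memory: no per-location .txt files are written,
    so nothing unrelated in the working directory can end up in the output,
    and the command order is guaranteed to follow the csv.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = placeholders(template) - set(reader.fieldnames or [])
    if missing:
        raise ValueError("csv is missing column(s): %s" % ", ".join(sorted(missing)))
    lines = [render_row(template, row) for row in reader]
    return "\n".join(lines) + "\n"


def write_config(csv_path, template_path, out_path="config_script.conf"):
    """File-based wrapper matching the post's make_config.py workflow."""
    with open(csv_path, newline="") as c, open(template_path) as t:
        config = build_config(c.read(), t.read())
    with open(out_path, "w") as out:
        out.write(config)
    return out_path


if __name__ == "__main__":
    print(build_config(DEVICE_DATA_CSV, TEMPLATE_J2), end="")
```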

Hopefully this is helpful to other engineers that want to save some time. This could be applied to really any configuration data that you are trying to automate.

Thursday, May 15, 2014

Juniper L2VPN over MPLS over GRE over IPSec

I am starting to learn more and more about different scenarios where customers have multiple sites, and need to ensure that the same broadcast domain is available over a layer 3 connection (sometimes referred to as layer 2 being "stretched") to each location. A prime example of this would be a highly virtualized organization that has multiple datacenters across multiple, geographically dispersed locations. Certain features (i.e. VMotion) require a layer 2 connection in order to function. This obviously presents a problem. Below is an example of what I did with one customer to overcome this exact issue by following this blog post. It wasn't very clear, so I thought I would post a configuration from my lab along with explanations. I thought this was a cool option because it is all done within the same default virtual router (I have seen other examples of L2VPN over MPLS, where there are multiple VRs configured). In short, there are obviously many different ways to accomplish this task.

The configuration is based on the topology below:


SRX1:

First, we have to create two firewall filters that we will later apply to the interfaces used in this configuration. These are required to change the interfaces on the SRX from secure context (flow-based forwarding) to router context (packet-based forwarding), so that the MPLS and CCC traffic bypasses the flow module in the SRX itself. A full explanation can be found here:
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then accept
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then accept

Layer 2 interface configuration:
set interfaces ge-0/0/0 mtu 1614
set interfaces ge-0/0/0 encapsulation ethernet-ccc
set interfaces ge-0/0/0 unit 0 family ccc filter input CCC-PACKET-MODE

Layer 3 interface configuration:
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/30

GRE tunnel interface configuration:
set interfaces gr-0/0/0 unit 0 tunnel source 10.2.2.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.2.2
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.9/30
set interfaces gr-0/0/0 unit 0 family mpls filter input MPLS-PACKET-MODE

Loopback interface configuration:
set interfaces lo0 unit 0 family inet address 192.168.0.1/30

IPSec tunnel interface configuration:
set interfaces st0 unit 0 family inet address 10.2.2.1/30

Protocols configuration:
set protocols mpls interface gr-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.2 interface ge-0/0/0.0 virtual-circuit-id 100000
set protocols l2circuit neighbor 192.168.0.2 interface ge-0/0/0.0 encapsulation-type ethernet

IPSec VPN configuration:
set security ike policy 1 mode main
set security ike policy 1 proposal-set standard
set security ike policy 1 pre-shared-key ascii-text Juniper1
set security ike gateway 1 ike-policy 1
set security ike gateway 1 address 10.0.0.2
set security ike gateway 1 external-interface ge-0/0/1.0
set security ipsec policy 1 proposal-set standard
set security ipsec vpn 1 bind-interface st0.0
set security ipsec vpn 1 ike gateway 1
set security ipsec vpn 1 ike ipsec-policy 1
set security ipsec vpn 1 establish-tunnels immediately

For simplicity's sake, I put all interfaces except for my WAN interface in the TRUST zone:
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces lo0.0
set security zones security-zone TRUST interfaces gr-0/0/0.0
set security zones security-zone TRUST interfaces st0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/1.0

Security policy configuration:
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match application any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST then permit
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match application any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST then permit
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit

SRX2:

Firewall Filters:
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then accept
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then accept

Layer 2 interface configuration:
set interfaces ge-0/0/0 mtu 1614
set interfaces ge-0/0/0 encapsulation ethernet-ccc
set interfaces ge-0/0/0 unit 0 family ccc filter input CCC-PACKET-MODE

Layer 3 interface configuration:
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.2/30

GRE tunnel interface configuration:
set interfaces gr-0/0/0 unit 0 tunnel source 10.2.2.2
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.2.1
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.10/30
set interfaces gr-0/0/0 unit 0 family mpls filter input MPLS-PACKET-MODE

Loopback interface configuration:
set interfaces lo0 unit 0 family inet address 192.168.0.2/30

IPSec tunnel interface configuration:
set interfaces st0 unit 0 family inet address 10.2.2.2/30

Protocols configuration:
set protocols mpls interface gr-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.1 interface ge-0/0/0.0 virtual-circuit-id 100000
set protocols l2circuit neighbor 192.168.0.1 interface ge-0/0/0.0 encapsulation-type ethernet

IPSec VPN configuration:
set security ike policy 1 mode main
set security ike policy 1 proposal-set standard
set security ike policy 1 pre-shared-key ascii-text Juniper1
set security ike gateway 1 ike-policy 1
set security ike gateway 1 address 10.0.0.1
set security ike gateway 1 external-interface ge-0/0/1.0
set security ipsec policy 1 proposal-set standard
set security ipsec vpn 1 bind-interface st0.0
set security ipsec vpn 1 ike gateway 1
set security ipsec vpn 1 ike ipsec-policy 1
set security ipsec vpn 1 establish-tunnels immediately

For simplicity's sake, I put all interfaces except for my WAN interface in the TRUST zone:
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces lo0.0
set security zones security-zone TRUST interfaces gr-0/0/0.0
set security zones security-zone TRUST interfaces st0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/1.0

Security policy configuration:
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match application any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST then permit
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match application any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST then permit
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit

Monday, March 31, 2014

Juniper BGP Over IPSec Multipoint

In my lab, I wanted to utilize a dynamic routing protocol for my hub and spoke VPN topology. I decided to try it with BGP. The requirements were to utilize only one tunnel interface on the hub device for all IPSec tunnels, as well as deny all traffic between spoke sites. The configuration below is based on the following topology:



SRX 1 (Hub Device):

Interface configuration (please note that the tunnel interface is configured as multipoint, which allows for the termination of multiple IPSec tunnels to a single logical interface.):
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.1.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            multipoint;
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.1.2;
    }
    router-id 1.1.1.1;
    autonomous-system 65001;
}

BGP configuration:
protocols {
    bgp {
        group 1 {
            type external;
            neighbor 192.168.1.3 {
                hold-time 30;
                export 1;
                peer-as 65003;
                local-as 65001;
            }
            neighbor 192.168.1.4 {
                hold-time 30;
                export 1;
                peer-as 65004;
                local-as 65001;
            }
        }
    }
}

Routing policy configuration:
policy-options {
    policy-statement 1 {
        term 1 {
            from {
                route-filter 10.1.1.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from {
                route-filter 192.168.1.0/24 exact;
            }
            then accept;
        }
        term 3 {
            then reject;
        }
    }

}

VPN configuration:
security {
    ike {
        policy 1-3 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$rV4KWXVwgUjq7-jqmfn6revW7-"; ## SECRET-DATA
        }
        policy 1-4 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$ZCDH.QF/0BEP5BEcyW8ZUjHP5"; ## SECRET-DATA
        }
        gateway 3 {
            ike-policy 1-3;
            address 172.16.3.1;
            external-interface ge-0/0/1.0;
        }
        gateway 4 {
            ike-policy 1-4;
            address 172.16.4.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 1-3 {
            proposal-set standard;
        }
        policy 1-4 {
            proposal-set standard;
        }
        vpn 1-3 {
            bind-interface st0.0;
            ike {
                gateway 3;
                ipsec-policy 1-3;
            }
            establish-tunnels immediately;
        }
        vpn 1-4 {
            bind-interface st0.0;
            ike {
                gateway 4;
                ipsec-policy 1-4;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration (please note that for my lab testing, I am allowing almost everything. In a production environment it is required to enable the necessary services and protocols at the zone level in order for things to function properly (i.e. BGP, IKE, etc.)):
zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration (please note that there is a policy which denies traffic from spoke to spoke):
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy deny-intra-spoke-traffic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

SRX 3 (Spoke Device):

Interface configuration:
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.3.3.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.3.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 3.3.3.3/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            family inet {
                address 192.168.1.3/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.3.2;
    }
    router-id 3.3.3.3;
    autonomous-system 65003;
}

BGP configuration:
protocols {
    bgp {
        group 1 {
            type external;
            neighbor 192.168.1.1 {
                hold-time 30;
                export 1;
                peer-as 65001;
                local-as 65003;
            }
        }
    }
}

Routing policy configuration:
policy-options {
    policy-statement 1 {
        term 1 {
            from {
                route-filter 10.3.3.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from {
                route-filter 192.168.1.0/24 exact;
            }
            then accept;
        }
        term 3 {
            then reject;
        }
    }

}

VPN configuration:
security {
    ike {
        policy 3-1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA
        }
        gateway 3-1 {
            ike-policy 3-1;
            address 172.16.1.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 3-1 {
            proposal-set standard;
        }
        vpn 3-1 {
            bind-interface st0.0;
            ike {
                gateway 3-1;
                ipsec-policy 3-1;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration:
zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration:
policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

SRX 4 (Spoke Device):

Interface configuration:
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.4.4.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.4.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 4.4.4.4/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            family inet {
                address 192.168.1.4/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.4.2;
    }
    router-id 4.4.4.4;
    autonomous-system 65004;
}

BGP configuration:
protocols {
    bgp {
        group 1 {
            type external;
            neighbor 192.168.1.1 {
                hold-time 30;
                export 1;
                peer-as 65001;
                local-as 65004;
            }
        }
    }
}

Routing policy configuration:
policy-options {
    policy-statement 1 {
        term 1 {
            from {
                route-filter 10.4.4.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from {
                route-filter 192.168.1.0/24 exact;
            }
            then accept;
        }
        term 3 {
            then reject;
        }
    }

}

VPN configuration:
security {
    ike {
        policy 4-1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA
        }
        gateway 4-1 {
            ike-policy 4-1;
            address 172.16.1.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 4-1 {
            proposal-set standard;
        }
        vpn 4-1 {
            bind-interface st0.0;
            ike {
                gateway 4-1;
                ipsec-policy 4-1;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration:
zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration:
policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Verification:

Here are some commands that can be run from operational mode for verification purposes:
show security ike security-associations
show security ipsec security-associations
show bgp neighbor
show bgp summary
show route

Tuesday, March 4, 2014

MAG-CM060 SSO with a Self-Signed Certificate

I am posting this because although Juniper Networks does provide very detailed instructions on how to configure SSO with a valid certificate issued from a certificate authority, a customer recently wanted me to configure SSO without a valid certificate. Here is how I did it:

  1. From operational mode in the MAG-CM060, enter the following commands (note that a 1024-bit RSA key is below today's accepted minimum; use size 2048 or larger where the platform accepts it):
    1. request security pki generate-key-pair certificate-id MY-CERT size 1024 type rsa
    2. request security pki local-certificate generate-self-signed certificate-id MY-CERT domain-name domain.com email test@domain.com ip-address 10.1.1.10 subject CN=10.1.1.10,O=Test
  2. From configuration mode in the MAG-CM060, enter the following commands (FTP and plain HTTP are cleartext and are only needed here to retrieve the certificate; remove them again once the certificate has been copied off the box):
    1. set system services ftp
    2. set system services web-management http port 80 interface em0.0
    3. set system services web-management https port 443 interface em0.0 pki-local-certificate MY-CERT
    4. commit
  3. Using your favorite FTP program, connect to the MAG-CM060 and copy the certificate you created, which is located in /var/db/certs/common/local/MY-CERT.cert, to a location of your choice on your computer.
  4. From within the administrator GUI of the MAG Service Module (i.e. MAG-SM60), perform the following steps. This upload is what makes the self-signed approach work: the Service Module is handed the exact certificate the chassis manager presents, so it can validate the chassis connection without a CA.
    1. Navigate to Authentication->Auth. Servers->Chassis Auth Server
    2. Select Choose File under Upload Certificate, and upload the certificate you copied off of the MAG-CM060.
    3. Click Save
  5. Lastly, ensure that the date/time settings are the same on both the MAG-CM060 and the Service Module, since the certificate's validity period is checked against the local clock:
    1. From operational mode on the MAG-CM060, enter the following command:
      1. set date...
    2. From the Dashboard in the GUI of the Service Module:
      1. Click Edit next to System Date & Time
Enjoy!

Tuesday, January 7, 2014

Juniper OSPF Over IPSec Multipoint

In my lab, I wanted to utilize a dynamic routing protocol for my hub and spoke VPN topology. I decided to first try it with OSPF (BGP configuration here). The requirements were to utilize only one tunnel interface on the hub device for all IPSec tunnels, as well as deny all traffic between spoke sites. Below is the configuration, and it is based on the topology below:



SRX 1 (Hub Device):

Interface configuration (note that st0.0 is configured as multipoint, which allows multiple IPSec tunnels to terminate on a single logical interface; the spokes' st0.0 addresses all sit in the same 192.168.1.0/24 subnet as the hub's):
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.1.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            multipoint;
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.1.2;
    }
}

OSPF configuration:
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0 {
                passive;
            }
            interface st0.0;
        }
    }
}

VPN configuration (proposal-set standard negotiates DH group 2 with 3DES or AES-128 and SHA-1, which is fine for a lab; for production define explicit ike and ipsec proposals with current algorithms and a larger DH group. Also note that the $9$ pre-shared keys below are Junos-obfuscated, not encrypted, so a configuration dump must be treated as containing the keys in the clear):
security {
    ike {
        policy 1-3 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$rV4KWXVwgUjq7-jqmfn6revW7-"; ## SECRET-DATA
        }
        policy 1-4 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$ZCDH.QF/0BEP5BEcyW8ZUjHP5"; ## SECRET-DATA
        }
        gateway 3 {
            ike-policy 1-3;
            address 172.16.3.1;
            external-interface ge-0/0/1.0;
        }
        gateway 4 {
            ike-policy 1-4;
            address 172.16.4.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 1-3 {
            proposal-set standard;
        }
        policy 1-4 {
            proposal-set standard;
        }
        vpn 1-3 {
            bind-interface st0.0;
            ike {
                gateway 3;
                ipsec-policy 1-3;
            }
            establish-tunnels immediately;
        }
        vpn 1-4 {
            bind-interface st0.0;
            ike {
                gateway 4;
                ipsec-policy 1-4;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration (note that for lab testing almost everything is allowed into each zone. In production, enable only the services and protocols the device actually needs to accept on that zone, e.g. ike under system-services on the untrust zone as done here, and ospf under protocols on the vpn zone, rather than all):
zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration (note the vpn-to-vpn policy deny-intra-spoke-traffic: both spoke LANs are reached through st0.0, which sits in zone vpn, so spoke-to-spoke traffic passing through the hub is intra-zone traffic and this policy is what denies it):
policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy deny-intra-spoke-traffic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
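To make that policy behaviour concrete, here is an added Python model of how the hub classifies a flow into zones and walks the policies above. It is example code written for this post, not a Juniper tool or the author's script, and it simplifies the SRX: each address's zone is taken from the interface its prefix is routed through (the spoke LANs are reached over st0.0 because OSPF learns them across the tunnels), the policies for a zone pair are evaluated first match wins, and an unmatched flow falls to the SRX default policy, which is deny-all. The route and zone tables are constructed from the topology in this post.

```python
import ipaddress

# Routes on the hub, constructed from the lab topology in this post:
# destination prefix -> logical interface the traffic leaves through.
# The spoke LANs are reached over st0.0 because OSPF runs across the tunnels.
HUB_ROUTES = {
    "10.1.1.0/24": "ge-0/0/0.0",     # hub LAN (directly connected)
    "10.3.3.0/24": "st0.0",          # spoke 3 LAN, learned via OSPF
    "10.4.4.0/24": "st0.0",          # spoke 4 LAN, learned via OSPF
    "192.168.1.0/24": "st0.0",       # tunnel subnet on the multipoint st0.0
    "172.16.1.0/30": "ge-0/0/1.0",   # untrust link
    "0.0.0.0/0": "ge-0/0/1.0",       # default route toward 172.16.1.2
}

# Interface -> security zone, as in the hub's zone configuration.
HUB_ZONES = {
    "ge-0/0/0.0": "trust",
    "lo0.0": "trust",
    "ge-0/0/1.0": "untrust",
    "st0.0": "vpn",
}

# Hub policies as configured above: (from-zone, to-zone) -> ordered list of
# (policy name, source-address, destination-address, action).
HUB_POLICIES = {
    ("trust", "trust"):   [("default-permit", "any", "any", "permit")],
    ("trust", "untrust"): [("default-permit", "any", "any", "permit")],
    ("untrust", "trust"): [("default-deny", "any", "any", "deny")],
    ("vpn", "vpn"):       [("deny-intra-spoke-traffic", "any", "any", "deny")],
    ("vpn", "trust"):     [("default-permit", "any", "any", "permit")],
    ("trust", "vpn"):     [("default-permit", "any", "any", "permit")],
}


def egress_interface(ip, routes=HUB_ROUTES):
    """Longest-prefix-match lookup: the interface used to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifl in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifl)
    return best[1] if best else None


def zone_of(ip, routes=HUB_ROUTES, zones=HUB_ZONES):
    """Zone of the interface an address is routed through.

    For the destination this is what the SRX does. For the source it is a
    reverse-route approximation of the ingress interface's zone, which holds
    here because routing in this lab is symmetric (an assumption of the model).
    """
    return zones.get(egress_interface(ip, routes))


def _address_matches(spec, ip):
    """'any' or a prefix string, as in a policy's match block."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(src_ip, dst_ip, policies=HUB_POLICIES, routes=HUB_ROUTES, zones=HUB_ZONES):
    """Return (from_zone, to_zone, policy_name, action) for a flow.

    Policies for the zone pair are searched top to bottom, first match wins.
    If nothing matches (including a zone pair with no policies at all), the
    SRX default policy applies, which is deny-all, and policy_name is None.
    """
    from_zone = zone_of(src_ip, routes, zones)
    to_zone = zone_of(dst_ip, routes, zones)
    for name, src_spec, dst_spec, action in policies.get((from_zone, to_zone), []):
        if _address_matches(src_spec, src_ip) and _address_matches(dst_spec, dst_ip):
            return from_zone, to_zone, name, action
    return from_zone, to_zone, None, "deny"


if __name__ == "__main__":
    flows = [
        ("10.3.3.10", "10.4.4.10"),    # spoke 3 LAN -> spoke 4 LAN (via hub)
        ("10.3.3.10", "10.1.1.10"),    # spoke 3 LAN -> hub LAN
        ("10.1.1.10", "10.4.4.10"),    # hub LAN -> spoke 4 LAN
        ("203.0.113.5", "10.1.1.10"),  # Internet -> hub LAN
    ]
    for src, dst in flows:
        print(src, "->", dst, evaluate(src, dst))
```

Spoke 3 to spoke 4 lands on deny-intra-spoke-traffic while spoke 3 to the hub LAN is permitted. Evaluate the same spoke-to-spoke flow with the ("vpn", "vpn") entry removed and the result is still a deny, this time from the default policy; the explicit policy is still worth keeping because it states the intent in the config and can carry then { deny; log { session-init; } } so blocked spoke-to-spoke attempts show up in the logs.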

SRX 3 (Spoke Device):

Interface configuration:
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.3.3.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.3.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 3.3.3.3/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            family inet {
                address 192.168.1.3/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.3.2;
    }
}

OSPF configuration:
protocols {
    ospf {
        area 0.0.0.0 {
            interface st0.0;
            interface ge-0/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
}

VPN configuration:
security {
    ike {
        policy 3-1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA
        }
        gateway 3-1 {
            ike-policy 3-1;
            address 172.16.1.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 3-1 {
            proposal-set standard;
        }
        vpn 3-1 {
            bind-interface st0.0;
            ike {
                gateway 3-1;
                ipsec-policy 3-1;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration:
zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration:
policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

SRX 4 (Spoke Device):

Interface configuration:
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.4.4.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.4.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 4.4.4.4/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            family inet {
                address 192.168.1.4/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.4.2;
    }
}

OSPF configuration:
protocols {
    ospf {
        area 0.0.0.0 {
            interface st0.0;
            interface ge-0/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
}

VPN configuration:
security {
    ike {
        policy 4-1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA
        }
        gateway 4-1 {
            ike-policy 4-1;
            address 172.16.1.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 4-1 {
            proposal-set standard;
        }
        vpn 4-1 {
            bind-interface st0.0;
            ike {
                gateway 4-1;
                ipsec-policy 4-1;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration:
zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration:
policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Verification:

Here are some commands that can be run from operational mode for verification purposes:
show security ike security-associations
show security ipsec security-associations
show ospf neighbor
show ospf route
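The commands above are what you run by hand. As an added example (not from the post and not a Juniper tool), here is a small Python checker that reduces their output to a per-spoke status, which becomes useful once the hub carries more than two tunnels. It parses the text of show security ipsec security-associations and show ospf neighbor and confirms that each expected spoke has both an inbound and an outbound SA and an OSPF neighbor in Full state on st0.0. The sample outputs are constructed in the layout Junos prints, not captured from a device, and the expected spokes are the ones configured in this post. The same SA check applies to the BGP version of this lab earlier on the page, with show bgp summary parsed in place of show ospf neighbor.

```python
import re

# Constructed sample output in the layout of "show security ipsec
# security-associations" on the hub. Spoke 4 deliberately has only an
# inbound SA so the checker has something to report.
IPSEC_SA_OUTPUT = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 5a2d7c11 3210/ unlim   -   root 500   172.16.3.1
  >131073 ESP:3des/sha1 8e41f0b3 3210/ unlim   -   root 500   172.16.3.1
  <131074 ESP:3des/sha1 c07d9a6e 1873/ unlim   -   root 500   172.16.4.1
"""

# Constructed sample output in the layout of "show ospf neighbor" on the hub.
# Spoke 4 is stuck in ExStart rather than Full.
OSPF_NEIGHBOR_OUTPUT = """\
Address          Interface              State     ID               Pri  Dead
192.168.1.3      st0.0                  Full      3.3.3.3          128    38
192.168.1.4      st0.0                  ExStart   4.4.4.4          128    35
10.1.1.2         ge-0/0/0.0             Full      10.1.1.2         128    32
"""

# Expected spokes, from the hub configuration in this post: IKE gateway
# address and OSPF router ID (the spoke's lo0 address).
EXPECTED_SPOKES = {
    "spoke-3": {"gateway": "172.16.3.1", "router_id": "3.3.3.3"},
    "spoke-4": {"gateway": "172.16.4.1", "router_id": "4.4.4.4"},
}

# '<' marks an inbound SA, '>' an outbound SA; the gateway address ends the line.
SA_LINE = re.compile(r"^\s*([<>])(\d+)\s+ESP:\S+\s+[0-9a-f]+\s+.*?(\d+(?:\.\d+){3})\s*$")
# address, interface, state, router ID, priority, dead timer
NEIGHBOR_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+(?:\.\d+){3})\s+\d+\s+\d+\s*$")


def parse_ipsec_sas(text):
    """Map gateway address -> set of SA directions seen ('<' inbound, '>' outbound)."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sas.setdefault(m.group(3), set()).add(m.group(1))
    return sas


def parse_ospf_neighbors(text):
    """Map OSPF router ID -> (interface, state)."""
    neighbors = {}
    for line in text.splitlines():
        m = NEIGHBOR_LINE.match(line)
        if m:
            neighbors[m.group(4)] = (m.group(2), m.group(3))
    return neighbors


def check_spokes(expected=EXPECTED_SPOKES, ipsec_text=IPSEC_SA_OUTPUT,
                 ospf_text=OSPF_NEIGHBOR_OUTPUT, tunnel_ifl="st0.0"):
    """Per spoke, a list of problems found; an empty list means the spoke is healthy."""
    sas = parse_ipsec_sas(ipsec_text)
    neighbors = parse_ospf_neighbors(ospf_text)
    report = {}
    for name, spoke in expected.items():
        problems = []
        directions = sas.get(spoke["gateway"], set())
        if "<" not in directions:
            problems.append("no inbound IPsec SA")
        if ">" not in directions:
            problems.append("no outbound IPsec SA")
        nbr = neighbors.get(spoke["router_id"])
        if nbr is None:
            problems.append("no OSPF neighbor")
        else:
            ifl, state = nbr
            if ifl != tunnel_ifl:
                problems.append(f"OSPF neighbor on {ifl}, expected {tunnel_ifl}")
            if state != "Full":
                problems.append(f"OSPF neighbor state {state}, expected Full")
        report[name] = problems
    return report


if __name__ == "__main__":
    for spoke, problems in check_spokes().items():
        print(spoke, "OK" if not problems else "; ".join(problems))
```

With the constructed output, spoke-3 comes back clean and spoke-4 is flagged for the missing outbound SA and the ExStart neighbor. A one-directional SA or a neighbor that never reaches Full is the usual symptom of a zone that does not admit ike or ospf (see the zone note above), so those two conditions are worth checking before anything else.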