Monday, October 21, 2013

Juniper SRX Dual WAN with NHTB Full Mesh VPN and OSPF


This post describes a lab built with Juniper SRX firewalls, each with two WAN links simulating different ISPs, on which we configure two NHTB full-mesh VPNs, one per WAN link, to obtain high availability, plus dynamic OSPF routing inside the tunnel links.

Most of the configuration is done with NSM: the VPNs are created with VPN Manager and OSPF is configured there. Other settings are not covered here because they are assumed to be loaded before the SRXs are added to NSM. The step by step includes screenshots of the NSM GUI followed by the command lines of the resulting configuration, ready to copy and paste into the firewalls.


Some definitions before we begin:

WAN
ISP
Juniper SRX
Juniper NSM
VPN
NHTB (Juniper PDF)
OSPF
Martian Packets
Junos Martian Routes (Purpose)


The following diagram is an example of a full-mesh VPN with NHTB, where we can see that the same tunnel interface has n peers associated with it.


The following diagram is the one we will use for our lab.




Prior configuration for the SRXs; the strictly necessary parts are in orange:

SRX100

set system host-name SRX100.1
set interfaces ge-0/0/0 description WAN1
set interfaces ge-0/0/0 unit 0 family inet address 10.202.0.10/24
set interfaces ge-0/0/1 description WAN2
set interfaces ge-0/0/1 unit 0 family inet address 10.203.0.10/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 description P2P
set interfaces fe-0/0/7 unit 0 family inet dhcp
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 201.1.2.63/32 next-hop 10.202.0.1
set routing-options static route 200.1.2.63/32 next-hop 10.203.0.1
set routing-options static route 202.1.2.10/32 next-hop 10.202.0.1
set routing-options static route 10.201.0.10/32 next-hop 10.203.0.1
set routing-options static route 10.100.30.77/32 next-hop 10.5.40.204
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit
set security policies policy-rematch
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone P2P host-inbound-traffic system-services all
set security zones security-zone P2P host-inbound-traffic protocols all
set security zones security-zone P2P interfaces fe-0/0/7.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

SRX210

set system host-name SRX210.2
set interfaces ge-0/0/0 unit 0 family inet address 202.1.2.10/24
set interfaces ge-0/0/1 description "BrokenPort :("
set interfaces ge-0/0/1 disable
set interfaces ge-0/0/1 unit 0
set interfaces ge-0/0/2 unit 0 family inet address 10.201.0.10/24
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 description P2P
set interfaces ge-0/0/7 unit 0 family inet dhcp
set interfaces vlan unit 0 family inet address 192.168.2.1/24
set routing-options static route 10.202.0.10/32 next-hop 202.1.2.2
set routing-options static route 10.203.0.10/32 next-hop 10.201.0.1
set routing-options static route 201.1.2.63/32 next-hop 202.1.2.2
set routing-options static route 200.1.2.63/32 next-hop 10.201.0.1
set routing-options static route 10.100.30.77/32 next-hop 10.5.40.204
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit
set security policies policy-rematch
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone P2P host-inbound-traffic system-services all
set security zones security-zone P2P host-inbound-traffic protocols all
set security zones security-zone P2P interfaces ge-0/0/7.0
set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

SRX240

set system host-name SRX240.3
set interfaces ge-0/0/0 description WAN1
set interfaces ge-0/0/0 unit 0 family inet address 201.1.2.63/24
set interfaces ge-0/0/1 description WAN2
set interfaces ge-0/0/1 unit 0 family inet address 200.1.2.63/24
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 description vlan-201
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-201
set interfaces ge-0/0/6 description vlan-202
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-202
set interfaces ge-0/0/7 description vlan-203
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-203
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/14 description Trunk-Router
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/14 unit 0 family ethernet-switching native-vlan-id 100
set interfaces ge-0/0/15 description Net-Company
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces vlan unit 0 family inet address 192.168.3.1/24
set interfaces vlan unit 1 description "P2P Zone - vlan-Switch"
set interfaces vlan unit 1 family inet address 10.5.40.251/24
set routing-options static route 10.202.0.10/32 next-hop 201.1.2.2
set routing-options static route 202.1.2.10/32 next-hop 201.1.2.2
set routing-options static route 10.203.0.10/32 next-hop 200.1.2.2
set routing-options static route 10.201.0.10/32 next-hop 200.1.2.2
set routing-options static route 10.100.30.77/32 next-hop 10.5.40.204
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone P2P policy trust-to-P2P match source-address any
set security policies from-zone trust to-zone P2P policy trust-to-P2P match destination-address any
set security policies from-zone trust to-zone P2P policy trust-to-P2P match application any
set security policies from-zone trust to-zone P2P policy trust-to-P2P then permit
set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit
set security policies policy-rematch
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone P2P host-inbound-traffic system-services all
set security zones security-zone P2P host-inbound-traffic protocols all
set security zones security-zone P2P interfaces vlan.1
set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set vlans vlan-201 vlan-id 201
set vlans vlan-202 vlan-id 202
set vlans vlan-203 vlan-id 203
set vlans vlan-Switch vlan-id 100
set vlans vlan-Switch l3-interface vlan.1
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0




Adding devices to NSM

The first step in NSM is to add the devices, so that the VPN can then be created with VPN Manager.

Procedure:

Log in to NSM



Under Configure go to Devices and click the + button



Choose the option: Device Is Not Reachable.

Note: This option lets us add remote devices whose IP we do not know, or whose IP may change. The main advantage of this connection type is that the firewall, in our case, is always the one that initiates the connection to NSM.
In our example NSM sits on a private network, but NSM's services could also be published on the Internet.


Fill in the hardware model and software version as appropriate:

Note: The commands show version and show chassis hardware show the Junos version and the device model.


Fill in Admin User, Admin Password and One-Time Password, then click Show Device Commands:


Select and copy the commands to paste into the SRX



On the SRX console type load set terminal and paste the commands from above.



Finally, the devices added to NSM must be imported: select the device, right-click, Import.

Note: Repeat all these steps with the remaining devices.



Creating the loopback interface for the OSPF router ID

Procedure:

Double-click the SRX100 and go to the Configurations tab:
Interfaces -> Interface List -> + button -> lo0 loopback interface


In the new window go to Unit


+ button


In the new window, under unit, enter 0 (zero) and go to Family -> Inet


Click Enable Feature and go to Address


+ button


Under Name enter the router ID IP: 1.1.1.1/32



Click Ok



Configuring OSPF, Area 0 and router-id

Procedure:

In the Configurations tab -> Protocols -> OSPF -> Area -> + button


Go to Interface -> click the + button

Under Name type: vlan.0


Go to Passive and check Enable Feature


Click Ok

In the Configurations tab go to Routing Options

Under router id enter the loopback interface IP: 1.1.1.1


Click Ok


Note: If we want to advertise to our neighbors that certain routes we are not directly connected to are reachable through us, we need to create a policy and export it in the OSPF configuration.

Procedure:

In the Configurations tab -> Policy Statement -> + button


Under Name enter a name: export-policy


Go to Term -> + button

Assign a name: term1


In the same window go to From -> Route Filter -> + button


Under Address enter a network: 10.0.4.0/24


In the same window go to Exact and select Exact


Click Ok

Go to Then and select accept


Click Ok


To export the policy we created:
Go to the Configurations tab -> Protocols -> OSPF -> Export



Select the policy we created and click the Add button


Click Ok



Using VPN Manager

Procedure:

In NSM go to VPN Manager and click Create new IKE VPN



Give the VPN a name and select Route Based:

Note: In the screenshot the VPN name contains spaces, but to avoid errors it is recommended not to use spaces, since NSM will later push this name into the device configurations.

Click OK

Click Device under Route Based Configurations and under Primary Zone select VPN:


Click OK

Click the + button in the open window.

Select the devices that will participate in the full-mesh VPN:


Click OK

Double-click the devices we added:


Click OK

In the new window configure the IP and mask:

Note: For the full-mesh VPN over WAN1 we use the network 10.10.10.0/24 and assign an IP to each device's interface accordingly; for example, the SRX100 gets 10.10.10.1, the SRX210 gets 10.10.10.2, and so on.


SRX100:
SRX210:
SRX240:

Click OK

Click Routes and then double-click each Source Device to associate the OSPF area:

Note: In our case we use a single OSPF area for everything.


Click OK

Click Topology and select all the Mains to achieve the mesh:


Click OK


Click OK

Click Gateway Parameters, go to the Security tab and enter our Preshared Key:



Click OK


Click AutoKey IKE Parameters and select Replay Protection, VPN Monitor, Rekey and Optimized:


Click OK

Click AutoConnect VPN Parameters and then click the Import button:



Click Ok and then click the Save button.

We will now enable Dead Peer Detection and then change the MTU of the tunnel interfaces.

Click Device Configuration under Overrides

Expand the SRX100 options and select Gateway:


Double-click the first IKE Gateway

Select Dead Peer Detection and check Enable Feature:


Repeat this step with the second IKE Gateway and then with the two remaining devices.

To change the MTU of the tunnel interface, select st0 and then double-click the unit:


Go to Unit and double-click 0


Navigate through Family, Inet and change the MTU to 1514:



Click the Ok button and then Save


For the VPN over WAN2, repeat all the steps and, when you reach the termination points, switch to the WAN2 interfaces






Extra configuration required on the SRXs:

The tunnel interfaces must be set to type p2mp with Dynamic Neighbors.

Go to Configure -> Devices and double-click the SRX100

Then go to the Configuration tab -> Protocols -> OSPF -> Area -> 0.0.0.0


Double-click the tunnel interface:


Under Interface Type select p2mp and Dynamic Neighbors:



Prevent alternate routes. Override the routes (towards the OSPF peers)

Create static routes to our peers to prevent OSPF flapping.

Go to Routing Options -> Static -> Routes

Click the + button


In our lab there are 3 firewalls in the equation, so 4 routes must be added on each firewall: 2 routes to the 2 peers of the VPN over WAN1 and 2 routes to the 2 peers of the VPN over WAN2:

SRX100:
10.10.10.2/32 next-hop 10.10.10.2 -> st0.0 to SRX210
10.10.10.3/32 next-hop 10.10.10.3 -> st0.0 to SRX240
20.20.20.2/32 next-hop 20.20.20.2 -> st0.1 to SRX210
20.20.20.3/32 next-hop 20.20.20.3 -> st0.1 to SRX240

We show the example for IP 10.10.10.2:


Under Next Hop click the + button and enter the IP 10.10.10.2


Finally, repeat the steps to add the remaining routes to the SRX100 and then to the other firewalls.

Note: For the other SRXs the static routes are as follows:

SRX210:

10.10.10.1/32 next-hop 10.10.10.1 -> st0.0 to SRX100
10.10.10.3/32 next-hop 10.10.10.3 -> st0.0 to SRX240
20.20.20.1/32 next-hop 20.20.20.1 -> st0.1 to SRX100
20.20.20.3/32 next-hop 20.20.20.3 -> st0.1 to SRX240

SRX240:

10.10.10.1/32 next-hop 10.10.10.1 -> st0.0 to SRX100
10.10.10.2/32 next-hop 10.10.10.2 -> st0.0 to SRX210
20.20.20.1/32 next-hop 20.20.20.1 -> st0.1 to SRX100
20.20.20.2/32 next-hop 20.20.20.2 -> st0.1 to SRX210

In NSM run an Update of the devices to push the configuration changes.



Below are the commands for the configuration made with NSM:

SRX100

Tunnel interface configuration:

set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet mtu 1514
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.3 ipsec-vpn vpn58-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.2 ipsec-vpn vpn60-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet address 10.10.10.1/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet mtu 1514
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.3 ipsec-vpn vpn58-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.2 ipsec-vpn vpn60-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet address 20.20.20.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set interfaces vlan unit 0 family inet address 192.168.1.1/24

OSPF:

set routing-options router-id 1.1.1.1

set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors

set protocols ospf export export-policy
set policy-options policy-statement export-policy term term1 from route-filter 10.0.4.0/24 exact
set policy-options policy-statement export-policy term term1 then accept

Static routes:

set routing-options static route 10.10.10.2/32 next-hop 10.10.10.2
set routing-options static route 10.10.10.3/32 next-hop 10.10.10.3
set routing-options static route 20.20.20.2/32 next-hop 20.20.20.2
set routing-options static route 20.20.20.3/32 next-hop 20.20.20.3

Binding the tunnel interfaces to the VPN zone:

set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN interfaces st0.1

Firewall policies:

set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit

Phase 1 WAN1:

set security ike policy ike60-VPN_FullMesh_WAN1 mode main
set security ike policy ike60-VPN_FullMesh_WAN1 proposal-set compatible
set security ike policy ike60-VPN_FullMesh_WAN1 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn60-VPN_FullMesh_WAN1 ike-policy ike60-VPN_FullMesh_WAN1
set security ike gateway vpn60-VPN_FullMesh_WAN1 address 202.1.2.10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn60-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn60-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn60-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0
set security ike gateway vpn58-VPN_FullMesh_WAN1 ike-policy ike60-VPN_FullMesh_WAN1
set security ike gateway vpn58-VPN_FullMesh_WAN1 address 201.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn58-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn58-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn58-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0

Phase 1 WAN2:

set security ike policy ike60-VPN_FullMesh_WAN2 mode main
set security ike policy ike60-VPN_FullMesh_WAN2 proposal-set compatible
set security ike policy ike60-VPN_FullMesh_WAN2 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn60-VPN_FullMesh_WAN2 ike-policy ike60-VPN_FullMesh_WAN2
set security ike gateway vpn60-VPN_FullMesh_WAN2 address 10.201.0.10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn60-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn60-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn60-VPN_FullMesh_WAN2 external-interface ge-0/0/1.0
set security ike gateway vpn58-VPN_FullMesh_WAN2 ike-policy ike60-VPN_FullMesh_WAN2
set security ike gateway vpn58-VPN_FullMesh_WAN2 address 200.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn58-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn58-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn58-VPN_FullMesh_WAN2 external-interface ge-0/0/1.0

Phase 2 WAN1:

set security ipsec policy ipsec60-VPN_FullMesh_WAN1 proposal-set compatible
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike gateway vpn60-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity local 10.202.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity remote 202.1.2.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike ipsec-policy ipsec60-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 establish-tunnels immediately
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike gateway vpn58-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity local 10.202.0.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity remote 201.1.2.63/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike ipsec-policy ipsec60-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 establish-tunnels immediately

Phase 2 WAN2:

set security ipsec policy ipsec60-VPN_FullMesh_WAN2 proposal-set compatible
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike gateway vpn60-VPN_FullMesh_WAN2
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity local 10.203.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity remote 10.201.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike ipsec-policy ipsec60-VPN_FullMesh_WAN2
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 establish-tunnels immediately
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike gateway vpn58-VPN_FullMesh_WAN2
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity local 10.203.0.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity remote 200.1.2.63/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike ipsec-policy ipsec60-VPN_FullMesh_WAN2
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 establish-tunnels immediately
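As an added check, not part of the original post or of the NSM output, the following Python script audits a Junos "set" configuration for the consistency rules this lab depends on: every NHTB next-hop-tunnel peer has its /32 static route (the anti-flapping routes from the "Prevent alternate routes" step), the referenced ipsec-vpn binds to the same st0 unit, that unit is OSPF p2mp with dynamic-neighbors and sits in zone VPN, every IKE gateway has dead-peer-detection and every IPsec VPN has vpn-monitor. It only understands the statement forms shown on this page, and the sample is constructed from the SRX100 WAN2 fragment with two deliberate omissions so the audit has something to report.

```python
"""Audit a Junos 'set' config for the NHTB full-mesh pattern described on this page.

Per st0 unit: every next-hop-tunnel peer needs a /32 static route pointing at
itself (so OSPF does not flap), its ipsec-vpn must bind to that same unit, the
unit must be OSPF p2mp with dynamic-neighbors and must sit in the VPN zone.
Per IKE gateway: dead-peer-detection must be set. Per IPsec VPN: vpn-monitor.
"""
from collections import defaultdict


def parse_set_config(text):
    """Return each 'set ...' statement as a token list, with the 'set' keyword dropped."""
    return [line.strip().split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def audit_nhtb(text):
    """Return a list of human-readable findings; an empty list means the config is consistent."""
    nhtb = defaultdict(dict)            # "st0.N" -> {peer_ip: ipsec_vpn_name}
    static, vpn_zone = set(), set()     # (prefix, next-hop) pairs; interfaces placed in zone VPN
    bind, monitor, all_vpn = {}, set(), set()
    dpd, all_gw = set(), set()
    p2mp, dyn = set(), set()
    for t in parse_set_config(text):
        if t[:2] == ["interfaces", "st0"] and "next-hop-tunnel" in t:
            i = t.index("next-hop-tunnel")        # ... next-hop-tunnel <ip> ipsec-vpn <name>
            nhtb[f"st0.{t[3]}"][t[i + 1]] = t[i + 3]
        elif t[:3] == ["routing-options", "static", "route"] and t[4:5] == ["next-hop"]:
            static.add((t[3], t[5]))
        elif t[:3] == ["security", "ipsec", "vpn"]:
            all_vpn.add(t[3])
            if t[4:5] == ["bind-interface"]:
                bind[t[3]] = t[5]
            elif t[4:5] == ["vpn-monitor"]:
                monitor.add(t[3])
        elif t[:3] == ["security", "ike", "gateway"]:
            all_gw.add(t[3])
            if t[4:5] == ["dead-peer-detection"]:
                dpd.add(t[3])
        elif t[:2] == ["protocols", "ospf"] and "interface" in t:
            ifname = t[t.index("interface") + 1]
            if t[-2:] == ["interface-type", "p2mp"]:
                p2mp.add(ifname)
            if "dynamic-neighbors" in t:
                dyn.add(ifname)
        elif t[:4] == ["security", "zones", "security-zone", "VPN"] and t[4:5] == ["interfaces"]:
            vpn_zone.add(t[5])

    findings = []
    for unit, peers in sorted(nhtb.items()):
        if unit not in p2mp or unit not in dyn:
            findings.append(f"{unit}: OSPF interface is not p2mp with dynamic-neighbors")
        if unit not in vpn_zone:
            findings.append(f"{unit}: not bound to security zone VPN")
        for peer, vpn in sorted(peers.items()):
            if (f"{peer}/32", peer) not in static:
                findings.append(f"{unit}: no /32 static route for NHTB peer {peer} (OSPF may flap)")
            if bind.get(vpn) != unit:
                findings.append(f"{unit}: ipsec-vpn {vpn} binds to {bind.get(vpn)} instead")
    for gw in sorted(all_gw - dpd):
        findings.append(f"ike gateway {gw}: dead-peer-detection not configured")
    for vpn in sorted(all_vpn - monitor):
        findings.append(f"ipsec vpn {vpn}: vpn-monitor not configured")
    return findings


# Constructed sample modelled on the SRX100 WAN2 half of this page's config; it deliberately
# omits the /32 route to 20.20.20.3 and the dead-peer-detection lines of one gateway.
SAMPLE = """\
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.3 ipsec-vpn vpn58-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.2 ipsec-vpn vpn60-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet address 20.20.20.1/24
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
set routing-options static route 20.20.20.2/32 next-hop 20.20.20.2
set security zones security-zone VPN interfaces st0.1
set security ike gateway vpn60-VPN_FullMesh_WAN2 address 10.201.0.10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn58-VPN_FullMesh_WAN2 address 200.1.2.63
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 vpn-monitor optimized
"""

if __name__ == "__main__":
    for finding in audit_nhtb(SAMPLE):
        print(finding)
```

Run it against a full "show configuration | display set" dump to check all three firewalls at once; a clean config returns no findings.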


SRX210


set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet mtu 1514
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.3 ipsec-vpn vpn58-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.1 ipsec-vpn vpn62-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet address 10.10.10.2/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet mtu 1514
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.3 ipsec-vpn vpn58-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.1 ipsec-vpn vpn62-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet address 20.20.20.2/24
set interfaces lo0 unit 0 family inet address 1.1.1.2/32
set interfaces vlan unit 0 family inet address 192.168.2.1/24

OSPF:

set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
set routing-options router-id 1.1.1.2

Static routes:

set routing-options static route 10.10.10.1/32 next-hop 10.10.10.1
set routing-options static route 10.10.10.3/32 next-hop 10.10.10.3
set routing-options static route 20.20.20.1/32 next-hop 20.20.20.1
set routing-options static route 20.20.20.3/32 next-hop 20.20.20.3

Binding the tunnel interfaces to the VPN zone:

set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN interfaces st0.1


Firewall policies:

set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit


Phase 1 WAN1:

set security ike policy ike58-VPN_FullMesh_WAN1 mode main
set security ike policy ike58-VPN_FullMesh_WAN1 proposal-set compatible
set security ike policy ike58-VPN_FullMesh_WAN1 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn58-VPN_FullMesh_WAN1 ike-policy ike58-VPN_FullMesh_WAN1
set security ike gateway vpn58-VPN_FullMesh_WAN1 address 201.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn58-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn58-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn58-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0
set security ike gateway vpn62-VPN_FullMesh_WAN1 ike-policy ike58-VPN_FullMesh_WAN1
set security ike gateway vpn62-VPN_FullMesh_WAN1 address 10.202.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn62-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn62-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn62-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0



Phase 1 WAN2:


set security ike policy ike58-VPN_FullMesh_WAN2 mode main
set security ike policy ike58-VPN_FullMesh_WAN2 proposal-set compatible
set security ike policy ike58-VPN_FullMesh_WAN2 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn58-VPN_FullMesh_WAN2 ike-policy ike58-VPN_FullMesh_WAN2
set security ike gateway vpn58-VPN_FullMesh_WAN2 address 200.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn58-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn58-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn58-VPN_FullMesh_WAN2 external-interface ge-0/0/2.0
set security ike gateway vpn62-VPN_FullMesh_WAN2 ike-policy ike58-VPN_FullMesh_WAN2
set security ike gateway vpn62-VPN_FullMesh_WAN2 address 10.203.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn62-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn62-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn62-VPN_FullMesh_WAN2 external-interface ge-0/0/2.0


Phase 2 WAN1:

set security ipsec policy ipsec58-VPN_FullMesh_WAN1 proposal-set compatible
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike gateway vpn58-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity local 202.1.2.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity remote 201.1.2.63/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike ipsec-policy ipsec58-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 establish-tunnels immediately
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike gateway vpn62-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity local 202.1.2.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity remote 10.202.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike ipsec-policy ipsec58-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 establish-tunnels immediately


Phase 2 WAN2:


set security ipsec policy ipsec58-VPN_FullMesh_WAN2 proposal-set compatible
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike gateway vpn58-VPN_FullMesh_WAN2
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity local 10.201.0.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity remote 200.1.2.63/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike ipsec-policy ipsec58-VPN_FullMesh_WAN2
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 establish-tunnels immediately
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike gateway vpn62-VPN_FullMesh_WAN2
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity local 10.201.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity remote 10.203.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike ipsec-policy ipsec58-VPN_FullMesh_WAN2
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 establish-tunnels immediately



SRX240



set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet mtu 1514
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.2 ipsec-vpn vpn60-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.1 ipsec-vpn vpn62-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet address 10.10.10.3/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet mtu 1514
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.2 ipsec-vpn vpn60-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.1 ipsec-vpn vpn62-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet address 20.20.20.3/24
set interfaces lo0 unit 0 family inet address 1.1.1.3/32
set interfaces vlan unit 0 family inet address 192.168.3.1/24

OSPF:

set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
set routing-options router-id 1.1.1.3


Static routes:

set routing-options static route 10.10.10.1/32 next-hop 10.10.10.1
set routing-options static route 10.10.10.2/32 next-hop 10.10.10.2
set routing-options static route 20.20.20.1/32 next-hop 20.20.20.1
set routing-options static route 20.20.20.2/32 next-hop 20.20.20.2

Binding the tunnel interfaces to the VPN zone:

set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN interfaces st0.1


Firewall policies:

set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit


Phase 1 WAN1:

set security ike policy ike62-VPN_FullMesh_WAN1 mode main
set security ike policy ike62-VPN_FullMesh_WAN1 proposal-set compatible
set security ike policy ike62-VPN_FullMesh_WAN1 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn62-VPN_FullMesh_WAN1 ike-policy ike62-VPN_FullMesh_WAN1
set security ike gateway vpn62-VPN_FullMesh_WAN1 address 10.202.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection interval 60
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn62-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn62-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn62-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0
set security ike gateway vpn60-VPN_FullMesh_WAN1 ike-policy ike62-VPN_FullMesh_WAN1
set security ike gateway vpn60-VPN_FullMesh_WAN1 address 202.1.2.10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn60-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn60-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn60-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0

Phase 1 WAN2:

set security ike policy ike62-VPN_FullMesh_WAN2 mode main
set security ike policy ike62-VPN_FullMesh_WAN2 proposal-set compatible
set security ike policy ike62-VPN_FullMesh_WAN2 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn62-VPN_FullMesh_WAN2 ike-policy ike62-VPN_FullMesh_WAN2
set security ike gateway vpn62-VPN_FullMesh_WAN2 address 10.203.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn62-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn62-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn62-VPN_FullMesh_WAN2 external-interface ge-0/0/1.0
set security ike gateway vpn60-VPN_FullMesh_WAN2 ike-policy ike62-VPN_FullMesh_WAN2
set security ike gateway vpn60-VPN_FullMesh_WAN2 address 10.201.0.10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn60-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn60-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn60-VPN_FullMesh_WAN2 external-interface ge-0/0/1.0


Phase 2 WAN1:

set security ipsec policy ipsec62-VPN_FullMesh_WAN1 proposal-set compatible
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike gateway vpn62-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity local 201.1.2.63/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity remote 10.202.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike ipsec-policy ipsec62-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 establish-tunnels immediately
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike gateway vpn60-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity local 201.1.2.63/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity remote 202.1.2.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike ipsec-policy ipsec62-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 establish-tunnels immediately

Phase 2 WAN2:


set security ipsec policy ipsec62-VPN_FullMesh_WAN2 proposal-set compatible
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike gateway vpn62-VPN_FullMesh_WAN2
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity local 200.1.2.63/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity remote 10.203.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike ipsec-policy ipsec62-VPN_FullMesh_WAN2
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 establish-tunnels immediately
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike gateway vpn60-VPN_FullMesh_WAN2
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity local 200.1.2.63/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity remote 10.201.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike ipsec-policy ipsec62-VPN_FullMesh_WAN2
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 establish-tunnels immediately



Note: To prevent an internal OSPF route from being installed in the routing table, martian routes must be added; see KB26772.
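The three per-device sections above have to agree with each other line by line: every next-hop-tunnel entry must name an ipsec vpn bound to the same st0 unit, and every proxy-identity pair must be mirrored on the peer, or phase 2 silently never completes for that pair. The following script is an added example (Python, not part of the original post and not Juniper or NSM code) that checks both conditions over "set ..." lines. SAMPLE_OK is a constructed subset of the SRX210 and SRX240 WAN1 sections; SAMPLE_BAD is the same with one remote proxy-identity changed to a made-up address (201.1.2.64) to show the detector firing.

```python
"""Consistency check for an NHTB full-mesh configuration like the one above.

Added example: not part of the original post and not Juniper/NSM code. It
reads "set ..." lines for several devices and reports the two mistakes that
most often leave a route-based mesh half-up:
  * a next-hop-tunnel entry that names an ipsec vpn which does not exist on
    that device or is bound to a different st0 unit;
  * a proxy-identity (local, remote) pair that is not mirrored on any peer
    device (peer local == our remote and peer remote == our local).
"""
import re
from collections import defaultdict

# Constructed subset of the SRX210 / SRX240 WAN1 sections from the post.
SAMPLE_OK = {
    "SRX210": """
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.3 ipsec-vpn vpn58-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity local 202.1.2.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity remote 201.1.2.63/32
""",
    "SRX240": """
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.2 ipsec-vpn vpn60-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity local 201.1.2.63/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity remote 202.1.2.10/32
""",
}
# Same config with one remote proxy-identity mistyped (201.1.2.64 is made up).
SAMPLE_BAD = dict(SAMPLE_OK)
SAMPLE_BAD["SRX210"] = SAMPLE_OK["SRX210"].replace("remote 201.1.2.63/32", "remote 201.1.2.64/32")

RE_NHT = re.compile(r"^set interfaces (st\d+) unit (\d+) family inet next-hop-tunnel (\S+) ipsec-vpn (\S+)$")
RE_BIND = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)$")
RE_PID = re.compile(r"^set security ipsec vpn (\S+) ike proxy-identity (local|remote) (\S+)$")


def parse(device_lines):
    """Map device -> {"vpns": {name: {bind, local, remote}}, "nht": [(unit, nexthop, vpn)]}."""
    cfg = {}
    for dev, text in device_lines.items():
        vpns, nht = defaultdict(dict), []
        for line in text.splitlines():
            line = line.strip()
            if m := RE_NHT.match(line):
                nht.append((f"{m[1]}.{m[2]}", m[3], m[4]))
            elif m := RE_BIND.match(line):
                vpns[m[1]]["bind"] = m[2]
            elif m := RE_PID.match(line):
                vpns[m[1]][m[2]] = m[3]
        cfg[dev] = {"vpns": dict(vpns), "nht": nht}
    return cfg


def check_config(device_lines):
    """Return a list of findings (strings); an empty list means consistent."""
    cfg = parse(device_lines)
    findings = []
    # Index every (local, remote) proxy-identity so the mirror pair can be looked up.
    by_pid = {}
    for dev, d in cfg.items():
        for name, v in d["vpns"].items():
            if "local" in v and "remote" in v:
                by_pid[(v["local"], v["remote"])] = (dev, name)
    for dev, d in cfg.items():
        vpns = d["vpns"]
        for unit, nexthop, vpn in d["nht"]:
            if vpn not in vpns:
                findings.append(f"{dev}: next-hop-tunnel {nexthop} references unknown vpn {vpn}")
            elif vpns[vpn].get("bind") != unit:
                findings.append(f"{dev}: next-hop-tunnel {nexthop} is on {unit} but {vpn} "
                                f"is bound to {vpns[vpn].get('bind')}")
        for name, v in vpns.items():
            local, remote = v.get("local"), v.get("remote")
            if local is None or remote is None:
                findings.append(f"{dev}: {name} has an incomplete proxy-identity")
            elif (remote, local) not in by_pid:
                findings.append(f"{dev}: {name} proxy-identity {local} -> {remote} "
                                f"has no mirror on any peer")
    return findings


if __name__ == "__main__":
    print("ok sample:", check_config(SAMPLE_OK) or "consistent")
    for finding in check_config(SAMPLE_BAD):
        print("bad sample:", finding)
```

To run it against real devices, paste the output of "show configuration | display set" from each SRX into the dictionary under the device name; the checker only looks at the next-hop-tunnel, bind-interface and proxy-identity lines and ignores everything else.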


I hope you liked it; feel free to leave a comment. Regards!
Hernan

Wednesday, September 25, 2013

FreeNAS WebUI An Error Occurred - Workaround FreeBSD nginx django


FreeNAS is a great FreeBSD-based solution that I have been testing these days, and both the results and the performance are excellent. So far I have run into only one problem: the console shows the following error: ValueError: bad marshal data. This error is reported by the django service.

This error appeared after applying some tunings to sysctl and loader.conf, and the workaround I found is the following:


  1. Stop the nginx and django services:

    /usr/local/etc/rc.d/nginx stop && /usr/local/etc/rc.d/django stop
  2. Mount / read-write:

    mount -u /
  3. Delete or rename the .pyc files:

    find / -name "*.pyc" -exec sh -c 'mv "$0" "${0%.pyc}.bkp"' {} \;
  4. Start the services again so that the .pyc files are regenerated.
    Note: The .pyc files are created by nginx; if the files are created correctly, django will not report any error. If it reports some other error, it will most likely say which .py file has the problem, and that file is most likely corrupt. In that case, repeat steps 1 and 3, copy the .py file in question over scp from another clean FreeNAS installation, and then continue with the following steps.

    /usr/local/etc/rc.d/nginx start && /usr/local/etc/rc.d/django start
  5. If everything goes well, stop nginx and django:

    /usr/local/etc/rc.d/nginx stop && /usr/local/etc/rc.d/django stop
  6. Remount / with the original permissions from fstab:

    mount -a
  7. Start the services again:

    /usr/local/etc/rc.d/nginx start && /usr/local/etc/rc.d/django start
  8. Test that the web interface works.
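The rename in step 3 and the corrupt-source case in the note to step 4 can be handled in one place. The script below is an added example (Python, not part of the original post and not FreeNAS code): instead of the find(1) over the whole filesystem it takes the directory to clean as a parameter, renames each .pyc to .bkp exactly like the mv in step 3, reports .pyc files whose .py source is missing (those cannot be regenerated by restarting django, which is the situation where the note says the .py must be copied from a clean installation), and provides restore_pyc() to undo the rename if regeneration does not help. The directory tree built by demo() is constructed in a temporary directory; the "freenasUI" name in it is only a placeholder.

```python
"""Quarantine stale .pyc files, as in steps 3 and 4 of the workaround above.

Added example: not part of the original post and not FreeNAS code. It handles
the Python 2 layout (foo.pyc beside foo.py), which is what the find(1) pattern
in step 3 matches, and also the Python 3 __pycache__ layout.
"""
import os
import tempfile
from pathlib import Path


def quarantine_pyc(root):
    """Rename *.pyc under root to *.bkp; return (renamed, orphaned) lists of Paths."""
    renamed, orphaned = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".pyc"):
                continue
            pyc = Path(dirpath) / name
            if pyc.parent.name == "__pycache__":
                # __pycache__/foo.cpython-XY.pyc -> ../foo.py
                src = pyc.parent.parent / (name.split(".", 1)[0] + ".py")
            else:
                src = pyc.with_suffix(".py")
            if not src.is_file():
                orphaned.append(pyc)          # cannot be regenerated: source is gone
            bkp = pyc.with_suffix(".bkp")
            pyc.rename(bkp)                   # same rename as the mv in step 3
            renamed.append(bkp)
    return renamed, orphaned


def restore_pyc(root):
    """Undo quarantine_pyc: rename every *.bkp under root back to *.pyc; return the count."""
    count = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".bkp"):
                bkp = Path(dirpath) / name
                bkp.rename(bkp.with_suffix(".pyc"))
                count += 1
    return count


def demo():
    """Constructed tree: one .pyc with its source present, one orphan. Returns a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "freenasUI" / "system"   # placeholder directory name
        app.mkdir(parents=True)
        (app / "views.py").write_text("# source present\n")
        (app / "views.pyc").write_bytes(b"\x00")     # stale bytecode, regenerable
        (app / "ghost.pyc").write_bytes(b"\x00")     # bytecode with no ghost.py
        renamed, orphaned = quarantine_pyc(tmp)
        after_quarantine = sorted(p.name for p in app.iterdir())
        restored = restore_pyc(tmp)
        after_restore = sorted(p.name for p in app.iterdir())
    return {
        "renamed": len(renamed),
        "orphaned": [p.name for p in orphaned],
        "after_quarantine": after_quarantine,
        "restored": restored,
        "after_restore": after_restore,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run quarantine_pyc() with the root mounted read-write (step 2) and the services stopped (step 1); an orphan in its report is the file to fetch from a clean installation before restarting django.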

Regards!

PS: Later I will create another entry showing how to configure and tune FreeNAS with RAIDZ + iSCSI on a 10GbE NIC.

Wednesday, September 4, 2013

Cryptographic devices in routers and firewalls. More performance for a VPN.

It is no news that many routers and firewalls use cryptographic modules to encrypt and decrypt VPN data; what these modules buy is lower CPU usage and higher throughput on the tunnel connection.

What I set out to do is find out which devices I could buy to improve the VPN performance of my firewall; luckily for me, I found that several cryptographic modules are compatible with my pfSense firewall.

pfSense is a FreeBSD-based firewall, as is m0n0wall (pfSense, incidentally, is a fork of m0n0wall). Another FreeBSD-based firewall is Juniper's SRX line, which I also like; its OS, Junos, is also based on FreeBSD.

Thanks to the power of FreeBSD, the following cryptographic modules have native support as of today:

At the following link we can find some 19 products with native FreeBSD support as of today: http://www.freebsd.org/relnotes/CURRENT/hardware/support.html


The following chart is a benchmark done by the pfSense people comparing the results with and without a cryptographic module, where cryptodev is the cryptography framework:


For my part, all that remains is to try to get hold of one of these cryptographic modules and run my own benchmarks with pfSense and/or Junos Olive.


Regards

Hernan

Friday, August 2, 2013

CentOS 6 PXE Server with DHCP Server on pfSense

For a long time I had wanted to set up a PXE server at home to be able to install operating systems over the network and have a System Rescue available without having to burn a CD or use a USB stick. I already had PXE in mind; all that was left was to configure my CentOS box with a tftp server, mount the Linux .iso images I wanted to install over the network and, finally, add the PXE boot options to the DHCP server on my pfSense firewall.
The motivation for setting up PXE came from wanting to revive an old server that I would use for video surveillance with Motion (incidentally, I will later write another entry explaining how to install Motion with two Pico 2000 cards and more than one camera).
Then a last challenge came up: my old server does not ship with firmware to boot from the network, so for this one in particular I had to create a network boot disk with the appropriate driver for the server's NIC.

Note: Although all the steps to configure CentOS and get a PXE server running are included, this guide assumes you have Linux knowledge.

In this guide we will see:

  • How to configure a PXE server on CentOS
  • How to create the PXE boot menu
  • How to configure network boot on the pfSense DHCP server
  • How to create a gPXE network boot disk with ROM-o-matic (optional)



What we will need for the deployment:

  • CentOS 6 installed for the PXE server
  • pfSense
  • The 32- and 64-bit CentOS .iso images
  • The SystemRescueCD .iso image
  • A desktop, notebook, server or virtual machine for testing
  • A 1.44 MB floppy disk (optional)



Steps:

Install Apache, the tftp server and the syslinux package on CentOS:

# yum install -y httpd tftp-server syslinux

Add Apache to the runlevels and start the service:

# chkconfig httpd on
# service httpd start

Create the following directories in the root of the filesystem:

# mkdir -p /tftpboot/pxelinux.cfg

Copy the following files to the directory just created:

# cp /usr/share/syslinux/{pxelinux.0,menu.c32,memdisk,mboot.c32,chain.c32} /tftpboot/

Create the menu for the PXE boot:

# vim /tftpboot/pxelinux.cfg/default

The following is an example default file; labels 1-7 are the options that will appear in the PXE menu. In this guide I will give the steps needed to make labels 1, 2 and 5 work:

default menu.c32
prompt 0
timeout 300
ONTIMEOUT 7

MENU TITLE ########## PXE Boot Menu ##########
label 1
   menu label ^1) Install CentOS 6 i386
   kernel centos/6/i386/vmlinuz
   append initrd=centos/6/i386/initrd.img method=http://172.16.1.142/pxe/centos/6/i386 devfs=nomount

label 2
   menu label ^2) Install CentOS 6 x86_64
   kernel centos/6/x86_64/vmlinuz
   append initrd=centos/6/x86_64/initrd.img method=http://172.16.1.142/pxe/centos/6/x86_64 devfs=nomount

label 3
   menu label ^3) Install Fedora 16 x86_64
   kernel fedora/16/x86_64/vmlinuz
   append initrd=fedora/16/x86_64/initrd.img repo=http://172.16.1.142/pxe/fedora/16/x86_64 xdriver=vesa nomodeset

label 4
   menu label ^4) Install Fedora 19 x86_64
   kernel fedora/19/x86_64/vmlinuz
   append initrd=fedora/19/x86_64/initrd.img repo=http://172.16.1.142/pxe/fedora/19/x86_64

label 5
   menu label ^5) SystemRescueCD 3.7.1
   kernel SystemRescueCD/3.7.1/isolinux/rescue32
   append initrd=SystemRescueCD/3.7.1/isolinux/initram.igz netboot=tftp://172.16.1.142/SystemRescueCD/3.7.1/sysrcd.dat

label 6
   menu label ^6) Windows 7 PE (x64)
   KERNEL Boot/startrom.0

label 7
   menu label ^7) Boot from local drive
   localboot 0


The tftp server configuration file must be modified so that it serves our tftpboot directory, and since the tftp service runs on demand, the service it depends on, xinetd, has to be restarted afterwards:

# vim /etc/xinetd.d/tftp

Modify the following variables:

server_args = -s /tftpboot
disable = no

Restart xinetd:

# service xinetd restart

As you will have noticed, the installation method for CentOS is over http, so the installer will look for the packages at the URL of our server. To make that work we create some directories inside Apache's document root and finally mount the .iso images there:

# mkdir -p /var/www/html/pxe/centos/6/{i386,x86_64}

We create some directories in the tftpboot root to keep the distributions organized:

# mkdir -p /tftpboot/centos/6/{i386,x86_64}
# mkdir -p /tftpboot/SystemRescueCD/3.7.1


We add the following entries at the end of fstab so that the packages for the CentOS installations are always available.

# vim /etc/fstab

/<Path>/CentOS-6.4-i386-minimal.iso   /var/www/html/pxe/centos/6/i386       udf,iso9660    ro,loop        0 0
/<Path>/CentOS-6.4-x86_64-minimal.iso   /var/www/html/pxe/centos/6/x86_64       udf,iso9660    ro,loop        0 0
/<Path>/systemrescuecd-x86-3.7.1.iso       /tftpboot/SystemRescueCD/3.7.1      udf,iso9660    ro,loop        0 0

Mount the fstab changes:

# mount -a

Copy the kernel and the initial RAM disk to the directories created earlier; these are the files PXE will load over tftp after loading the menu.

# cp /var/www/html/pxe/centos/6/i386/isolinux/{vmlinuz,initrd.img} /tftpboot/centos/6/i386/
# cp /var/www/html/pxe/centos/6/x86_64/isolinux/{vmlinuz,initrd.img} /tftpboot/centos/6/x86_64/

If the Linux firewall is active, modify iptables so that it accepts tftp and http connections:

# vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
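Every kernel and initrd path in the default file above is resolved by pxelinux relative to the directory given to the tftp server with -s /tftpboot, so a menu entry whose files were not copied into /tftpboot shows up fine in the menu and then fails to boot. The script below is an added example (Python, not part of the original post and not syslinux code) that renders the same default-file syntax used in the guide and checks a menu against a tftp root for missing kernel and initrd files. demo() builds a constructed tftp tree in a temporary directory with only the i386 files present, so the x86_64 entry is flagged.

```python
"""Render and sanity-check a pxelinux.cfg/default like the one above.

Added example: not part of the original post and not syslinux code.
render_menu() emits the default-file syntax used in the guide (menu.c32,
label / menu label / kernel / append, localboot 0); check_menu() reads a
default file back and verifies that every kernel and initrd path it names
is a file under the tftp root.
"""
import re
import tempfile
from pathlib import Path

RE_INITRD = re.compile(r"\binitrd=(\S+)")


def render_menu(entries, timeout=300, default_label=None):
    """entries: dicts with label, title and either kernel (+ optional append) or localboot."""
    lines = ["default menu.c32", "prompt 0", f"timeout {timeout}"]
    if default_label is not None:
        lines.append(f"ONTIMEOUT {default_label}")
    lines += ["", "MENU TITLE ########## PXE Boot Menu ##########"]
    for e in entries:
        lines += [f"label {e['label']}", f"   menu label ^{e['label']}) {e['title']}"]
        if e.get("localboot"):
            lines.append("   localboot 0")  # type 0 = boot from the first local disk
        else:
            lines.append(f"   kernel {e['kernel']}")
            if e.get("append"):
                lines.append(f"   append {e['append']}")
        lines.append("")
    return "\n".join(lines)


def check_menu(text, tftp_root):
    """Return [(label, path)] for every kernel/initrd reference missing under tftp_root."""
    root = Path(tftp_root)
    missing, label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("label "):
            label = line.split(None, 1)[1]
        elif low.startswith("kernel "):
            path = line.split(None, 1)[1]
            if not (root / path).is_file():
                missing.append((label, path))
        elif low.startswith("append "):
            m = RE_INITRD.search(line)
            if m and not (root / m.group(1)).is_file():
                missing.append((label, m.group(1)))
    return missing


def demo():
    """Menu with two CentOS entries and local boot; only the i386 files exist (constructed)."""
    entries = [
        {"label": "1", "title": "Install CentOS 6 i386",
         "kernel": "centos/6/i386/vmlinuz",
         "append": "initrd=centos/6/i386/initrd.img method=http://172.16.1.142/pxe/centos/6/i386"},
        {"label": "2", "title": "Install CentOS 6 x86_64",
         "kernel": "centos/6/x86_64/vmlinuz",
         "append": "initrd=centos/6/x86_64/initrd.img method=http://172.16.1.142/pxe/centos/6/x86_64"},
        {"label": "7", "title": "Boot from local drive", "localboot": True},
    ]
    text = render_menu(entries, default_label="7")
    with tempfile.TemporaryDirectory() as tmp:
        i386 = Path(tmp) / "centos" / "6" / "i386"
        i386.mkdir(parents=True)
        (i386 / "vmlinuz").write_bytes(b"\x00")      # stand-ins for the copied files
        (i386 / "initrd.img").write_bytes(b"\x00")
        missing = check_menu(text, tmp)
    return text, missing


if __name__ == "__main__":
    menu, problems = demo()
    print(menu)
    for label, path in problems:
        print(f"label {label}: missing {path}")
```

On the real server, call check_menu() with the contents of /tftpboot/pxelinux.cfg/default and "/tftpboot" as the root after the cp and mount -a steps; an empty list means every entry has its files in place.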

pfSense configuration:

To configure DHCP, go to Services, DHCP Server:


Then click Advanced next to Enable network booting to show more options.


Tick Enables network booting; in Enter the IP of next-server put the IP of the CentOS box running PXE, and in the file name put: /pxelinux.0



Creating a gPXE network boot disk with ROM-o-matic:

When the time came to test PXE on my server I realized it had no option to boot from the network, so I had to look for a solution and found the rom-o-matic website, an open project for network booting. The site is quite intuitive, so all I had to do was identify the NIC model; for that I ran the lspci command.


# lspci | grep -i ethernet
00:04.0 Ethernet controller: Intel Corporation 82557/8/9/0/1 Ethernet Pro 100 (rev 08)

On the rom-o-matic website, select the link for the latest production release and then follow steps 1, 2 and 4.
With the file downloaded, run the following to copy the image to a floppy:

# cat gpxe-1.0.1-eepro100.bin > /dev/fd0


Some screenshots of the PXE boot and the PXE menu:

Regards!

Hernan