Packetbin.com

Juniper SRX - route based vpn with multiple proxy ids

SUMMARY:
This article explains how to use multiple traffic selectors on a route-based VPN. A traffic selector (also known as a proxy ID in IKEv1), is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA.

Note: Support for multiple traffic selectors on a route-based VPN was introduced in Junos OS Release 12.1X46; see the Junos OS 12.1X46 Release Notes.

PROBLEM OR GOAL:
If you want to establish a VPN to two or more remote private networks, you must dedicate a VPN to each such network. In versions prior to Junos OS Release 12.1X46, you had to create a separate st0 interface for each remote private network in a route-based VPN, and, for a policy-based VPN, a separate security policy with a tunnel binding naming each remote private network as the destination. The effort to configure each new IPsec VPN in Junos OS Release 12.1X46 and earlier therefore grew significantly with every additional VPN. This article describes an alternative that avoids this situation.

SOLUTION:

Topology:

Local SRX: 2.2.2.2

Local Networks:
10.1.0.0/16
10.2.0.0/16

VPN Peer: 3.3.3.3

Remote Networks:
192.168.1.0/24
192.168.2.0/24

Define multiple subnets using a single route-based VPN:

interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.0.0/16;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 10.2.0.0/16;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 172.27.199.0/24 next-hop 172.27.201.3;
        route 3.3.3.0/24 next-hop 2.2.2.1;
        route 192.168.1.0/24 next-hop st0.0;
        route 192.168.2.0/24 next-hop st0.0;
    }
}
security {
    ike {
        policy p1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$yureMXVwgUjq7-jqmfn6rev"; ## SECRET-DATA
        }
        gateway g1 {
            ike-policy p1;
            address 3.3.3.3;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        policy p1 {
            proposal-set standard;
        }
        vpn v1 {
            bind-interface st0.0;
            ike {
                gateway g1;
                ipsec-policy p1;
            }
            traffic-selector t1 {
                local-ip 10.1.0.0/16;
                remote-ip 192.168.1.0/24;
            }
            traffic-selector t2 {
                local-ip 10.2.0.0/16;
                remote-ip 192.168.2.0/24;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.0;
                fe-0/0/2.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Verify each traffic selector:

[edit]
root@100-5# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
8262 UP 708f2fb601773e78 43cde54a81b6fd58 Main 3.3.3.3

[edit]
root@100-5# run show security ipsec sa
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<268173314 ESP:3des/sha1 fa00cf7f 3476/ unlim - root 500 3.3.3.3

268173314 ESP:3des/sha1 726f8591 3476/ unlim - root 500 3.3.3.3
<268173313 ESP:3des/sha1 69385788 3501/ unlim - root 500 3.3.3.3
268173313 ESP:3des/sha1 4897cca3 3501/ unlim - root 500 3.3.3.3

***** two SAs (one inbound, one outbound) for each traffic selector *****

root@100-5# run show security ipsec security-associations detail
ID: 268173314 Virtual-system: root, VPN Name: v1
Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
Traffic Selector Name: t1 <<<<<<<<<<<<<<<<<<<< corresponding traffic selector
Local Identity: ipv4(10.1.0.0-10.1.255.255)
Remote Identity: ipv4(192.168.1.0-192.168.1.255)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.0

Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
Last Tunnel Down Reason: SA not initiated
Direction: inbound, SPI: fa00cf7f, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3469 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2905 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 726f8591, AUX-SPI: 0
                          , VPN Monitoring: -
Hard lifetime: Expires in 3469 seconds
Lifesize Remaining:  Unlimited
Soft lifetime: Expires in 2905 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

ID: 268173313 Virtual-system: root, VPN Name: v1
Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
Traffic Selector Name: t2 <<<<<<<<<<<<<<<<<<<< corresponding traffic selector
Local Identity: ipv4(10.2.0.0-10.2.255.255)
Remote Identity: ipv4(192.168.2.0-192.168.2.255)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.0

Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
Last Tunnel Down Reason: SA not initiated
Direction: inbound, SPI: 69385788, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3494 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2892 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 4897cca3, AUX-SPI: 0
                          , VPN Monitoring: -
Hard lifetime: Expires in 3494 seconds
Lifesize Remaining:  Unlimited
Soft lifetime: Expires in 2892 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
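As an added example (not part of the original article), the following Python script cross-checks the negotiated SAs against the configured traffic selectors and shows which SA a given flow would use. It parses the Local/Remote Identity lines of a constructed excerpt in the shape of the detail output above; note that a flow between a local network and the "wrong" remote network (for example 10.1.0.0/16 to 192.168.2.0/24) matches no selector and therefore has no SA to carry it.

```python
import ipaddress
import re

# Traffic selectors as configured under 'security ipsec vpn v1' above.
CONFIGURED = {
    "t1": ("10.1.0.0/16", "192.168.1.0/24"),
    "t2": ("10.2.0.0/16", "192.168.2.0/24"),
}

# Constructed excerpt in the shape of 'show security ipsec security-associations detail'.
SA_DETAIL = """\
Traffic Selector Name: t1
Local Identity: ipv4(10.1.0.0-10.1.255.255)
Remote Identity: ipv4(192.168.1.0-192.168.1.255)
Traffic Selector Name: t2
Local Identity: ipv4(10.2.0.0-10.2.255.255)
Remote Identity: ipv4(192.168.2.0-192.168.2.255)
"""

def identity_to_network(text):
    """Turn 'ipv4(first-last)' into the one CIDR prefix covering it (ValueError if not one prefix)."""
    first, last = re.fullmatch(r"ipv4\((\S+)-(\S+)\)", text.strip()).groups()
    (net,) = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return net

def parse_sa_detail(output):
    """Return {selector name: (local network, remote network)} per negotiated SA."""
    sas, name = {}, None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key == "Traffic Selector Name":
            name = value.strip()
        elif key in ("Local Identity", "Remote Identity") and name:
            sas.setdefault(name, {})[key.split()[0]] = identity_to_network(value)
    return {n: (v["Local"], v["Remote"]) for n, v in sas.items()}

def check_selectors(configured, output):
    """Names of configured selectors whose negotiated identities are missing or differ."""
    negotiated = parse_sa_detail(output)
    return [name for name, (loc, rem) in configured.items()
            if negotiated.get(name) != (ipaddress.ip_network(loc), ipaddress.ip_network(rem))]

def select_sa(configured, src, dst):
    """Name the selector (hence the IPsec SA) a src->dst flow uses, or None if none carries it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (loc, rem) in configured.items():
        if src in ipaddress.ip_network(loc) and dst in ipaddress.ip_network(rem):
            return name
    return None
```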

Check Point - Gaia - Reset Admin Password

There are two primary methods for resetting the admin password. Both methods require a reboot of the device, and therefore downtime if the device is not part of a cluster.

Method 1: Use emergendisk
This method requires a second device of the same chassis model as the one that needs the password reset, running Gaia, plus a USB disk.

  1. Insert a USB drive into the device that you do have access to.
  2. Run the command 'emergendisk' to create the USB recovery disk.
  3. After completion, plug the USB disk into the device that requires the password reset and reboot it.
  4. During reboot, a "Press any key" prompt will appear on screen. Press any key to enter the emergendisk menu.
  5. Select the option labelled 'Reset Admin Password'. This is usually the second option.
  6. You should see the following message once the reset is complete. On some devices you may not see it, or you may see an error message instead; wait 1-2 minutes after boot to ensure the script has finished.

    Admin password successfully reset
    Please remove disk or any other media and press enter to restart

  7. Remove the USB drive and reboot. The username/password should now be admin/admin. If not, follow Method 2.

Method 2: Use a live CD or live USB disk
This method requires a live CD or live USB disk, such as Ubuntu, to boot from.

  1. Boot from the live CD or USB disk.
  2. On some distros (Ubuntu, for example), the system automatically mounts the Check Point partitions; in Ubuntu they appear under /media/ubuntu/. Run the following against each mount point to find the one that holds the Gaia configuration database, and note it down, since it is needed in the next steps.
    ls -lh /media/ubuntu/<UUID>/config/db/initial_db
    If the partitions are not mounted, locate the correct partition and mount it somewhere yourself, for example:
    sudo mount /dev/sda1 /mnt/checkpoint

  3. Once you have located the correct partition, run the following to change the working root to Check Point's root:

    sudo chroot <mount-point>
    Example: sudo chroot /media/Ubuntu/2cbbf000-blah

  4. Open the sqlite database:

    sqlite3 /config/db/initial_db

  5. Locate the current admin password hash by running the following. The last row returned holds the current password hash.

    SELECT * from revisions WHERE binding="passwd:admin:passwd";

  6. Run the following to change the password to 'admin'. Replace '<old-pw-hash>' with the last hash from step 5.

    UPDATE revisions SET value="$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY." WHERE binding="passwd:admin:passwd" AND VALUE='<old-pw-hash>';

  7. Exit sqlite3:

    .exit

  8. Reboot the device and log in with admin/admin. Make sure to change the password via clish once logged in.


Check Point - cpview - View live statistics of device

The following command lets you view CPU statistics, memory usage, hard drive usage, throughput, etc. in real time on a firewall or management server.

This command was added in R77; older versions do not have it.

cpview

To start the cpviewd process:

cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"

To stop the cpviewd process:

cpwd_admin stop -name CPVIEWD

Check Point - Determining if Aggressive Aging is Active

fw ctl pstat

Notes:
* Aggressive aging causes idle connections to time out much sooner (for instance, 60 seconds instead of 60 minutes).
* A device may enter Aggressive Aging when running low on memory. The following log may be seen when this happens:

Number:              111111
Date:                1Jan2014
Time:                01:00:00
Origin:              CPDEVICE
Type:                Log
Action:
Information:         Memory consumption: <#>% - <#>MB out of <#>MB
                     Capacity notification: Memory consumption has exceeded 80%
                     Aggressive aging status: Active
                     Connections table capacity: <#>% - <#> out of <#>

Attack Information:  Connections table's denial of service prevention mechanism
Product:             IPS Software Blade
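As an added example (not from the original article or from Check Point), the following Python snippet parses a record in the layout shown above, with the multi-line Information field, and flags it when aggressive aging is reported active or memory consumption is above a threshold; the numbers in the constructed sample are made up for the example.

```python
import re

# Constructed sample record in the layout of the capacity-notification log above.
SAMPLE_LOG = """\
Number:              111111
Date:                1Jan2014
Time:                01:00:00
Origin:              CPDEVICE
Type:                Log
Action:
Information:         Memory consumption: 84% - 3360MB out of 4000MB
                     Capacity notification: Memory consumption has exceeded 80%
                     Aggressive aging status: Active
                     Connections table capacity: 91% - 22750 out of 25000
Attack Information:  Connections table's denial of service prevention mechanism
Product:             IPS Software Blade
"""

def parse_record(text):
    """Parse one 'Key: value' record; indented lines continue the previous key."""
    fields, key = {}, None
    for raw in text.splitlines():
        if raw[:1].isspace() and key:
            fields[key].append(raw.strip())
        elif ":" in raw:
            key, _, value = raw.partition(":")
            key = key.strip()
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def aggressive_aging_status(record):
    """Return (active, memory_pct, conn_table_pct) from the Information field; None where absent."""
    info = "\n".join(record.get("Information", []))
    m_status = re.search(r"Aggressive aging status:\s*(\w+)", info)
    m_mem = re.search(r"Memory consumption:\s*(\d+)%", info)
    m_conn = re.search(r"Connections table capacity:\s*(\d+)%", info)
    return (
        m_status.group(1).lower() == "active" if m_status else None,
        int(m_mem.group(1)) if m_mem else None,
        int(m_conn.group(1)) if m_conn else None,
    )

def should_alert(text, mem_threshold=80):
    """True when the record reports aggressive aging active or memory above the threshold."""
    active, mem, _ = aggressive_aging_status(parse_record(text))
    return bool(active) or (mem is not None and mem > mem_threshold)
```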
