Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony

Book – Juniper SRX Series
https://blog.michaelfmcnamara.com/2013/07/book-juniper-srx-series/
Tue, 30 Jul 2013 15:16:56 +0000

A few weeks ago I started reading a new book published by O’Reilly Media entitled Juniper SRX Series by Brad Woodberg and Rob Cameron. I’ve been reading up on the Juniper SRX in preparation to sit for the JNCIS-SEC exam, having passed the JNCIA-Junos exam a few weeks back.

I’ve deployed the Juniper SRX 650 and the Juniper SRX 210H in a typical corporate branch office tunnel architecture utilizing route-based VPN tunnels with OSPF and Point to Multi-Point interfaces along with virtual router instances. Since that deployment I’ve really come to enjoy using the Junos CLI interface.

While there are a few grammatical errors (who am I to criticize), the book contains a large number of example configurations and actually shows the reader how to implement each feature and/or option, as opposed to just defining it.

In the spirit of full disclosure, I received an electronic copy of the book, Juniper SRX Series, from Juniper free of charge.

Study Material

If you are looking to take the JNCIA-Junos or the JNCIS-SEC exam, you can find the study guides from Juniper here:

https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

You’ll need to create an account with Juniper in order to access the study material.

I’m personally reviewing both the study material provided by Juniper along with the book, Juniper SRX Series, to validate my understanding of each feature and option.

Cheers!

Juniper SRX VPN Branch Office
https://blog.michaelfmcnamara.com/2012/02/juniper-srx-vpn-branch-office/
Tue, 28 Feb 2012 22:31:12 +0000

We recently started replacing our aging Avaya VPN Routers (formerly Nortel Contivity) with Juniper SRX series gateways. We chose a Juniper SRX 650 to replace our Avaya VPN Router 1750, and the Juniper SRX 210H to replace the Avaya VPN Router 1010 and 1050 models. While it was fairly easy to get both route-based and policy-based tunnels set up, we had an interesting time trying to route all traffic at the branch back to the main office (as opposed to routing it directly to the Internet from the branch Juniper SRX 210H) so it could be policed by our corporate firewalls and content filtering solutions. We were able to accomplish this through the use of VRFs, and I’m going to outline how we did it (just in case anyone else is trying to follow in our footsteps, or better yet can improve on the configuration).

Configure the Juniper SRX 210 Branch Office

Log in to the serial console of the Juniper SRX gateway with the username “root” (the password should be blank). We’ll start the configuration by loading the factory defaults and then setting some basic system information. We’ll also add a user called “admin” for future use.

root@% cli
root> configure
Entering configuration mode
[edit]
load factory-default
set system host-name vpn-srx210h-gw
set system domain-name vpn.acme.org
set system time-zone America/New_York
set system root-authentication plain-text-password
set system login user admin full-name Administrator
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication plain-text-password

Let’s set the SNMP information, including a reference to the routing instance “centralized-internet”. This allows SNMP polls against this VRF from the specific management workstations listed below.

set snmp description "Juniper SRX 210H"
set snmp location "Local Branch Office (Somewhere, USA)"
set snmp contact "Technology Team"
set snmp community readonlystring authorization read-only
set snmp community readonlystring routing-instance centralized-internet clients 10.1.20.50/32
set snmp community readonlystring routing-instance centralized-internet clients 10.2.20.50/32
set snmp community readwritestring authorization read-write
set snmp routing-instance-access
commit

Let’s start by configuring the WAN (public) and LAN (private) IP addresses. The interface ge-0/0/0 is the public interface, which connects to the Internet Service Provider. The interface vlan.0 is the private interface, which is made up of the physical interfaces ge-0/0/1 through ge-0/0/7. We’ll also delete the factory default address of 192.168.1.1.

set interfaces ge-0/0/0 unit 0 family inet address 1.51.88.10/30
set routing-options static route 0.0.0.0/0 next-hop 1.51.88.9
set interfaces vlan unit 0 family inet address 10.1.200.1/24
delete interfaces vlan unit 0 family inet address 192.168.1.1/24

Let’s enable the web management GUI on the public interface and set the TCP port to 10443 as opposed to the default of 443.

set system services web-management https interface ge-0/0/0.0
set system services web-management https port 10443

Let’s enable the system services we want to allow in the untrust zone.

set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services https

Let’s repeat those commands for the specific public interface.

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

Let’s build the VPN tunnel interface to the Juniper SRX 650. We’ll need to assign an IP address to this interface since we’re setting up a point-to-multipoint network with route-based VPN tunnels.

set interfaces st0 unit 0 family inet address 10.1.255.120/24
set interfaces st0 unit 0 family inet mtu 1500

Let’s finish up setting up the security zones and adding the VPN interfaces.

set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all

Let’s not forget to allow the remote management via the web interface. (added 10/18/2011)

set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set system services web-management http interface st0.0
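As an added check (example code, not from the post and not a Junos or Juniper tool), the following parses set-style statements like the ones above and flags management-plane exposure: web management bound to an interface in an Internet-facing zone, cleartext HTTP, zones opened with system-services all, and a read-write SNMP community with no client restriction. Treating the zone named untrust as Internet-facing is an assumption taken from this post's layout.

```python
# Constructed excerpt of the branch SRX 210 'set' statements from this post
# (the audit function is added example code, not a Junos or Juniper tool).
BRANCH_CONFIG = """
set system services web-management https interface ge-0/0/0.0
set system services web-management https port 10443
set system services web-management http interface st0.0
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set snmp community readonlystring authorization read-only
set snmp community readonlystring routing-instance centralized-internet clients 10.1.20.50/32
set snmp community readwritestring authorization read-write
"""

# The same management plane hardened (constructed): https only, bound to the
# LAN, the trust zone opened for https alone, read-write community restricted.
HARDENED_CONFIG = """
set system services web-management https interface vlan.0
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services https
set snmp community readwritestring authorization read-write
set snmp community readwritestring clients 10.1.20.50/32
"""

def audit_management_exposure(config, internet_zones=("untrust",)):
    """Return sorted findings about management-plane exposure in set-style config.
    internet_zones names the zones assumed to face the Internet (untrust here)."""
    stmts = [l.split()[1:] for l in config.strip().splitlines() if l.startswith("set ")]
    zone_of, services, web_ifaces, snmp = {}, {}, [], {}
    for w in stmts:                              # first pass: collect facts
        if w[:3] == ["security", "zones", "security-zone"]:
            if w[4] == "interfaces":
                zone_of[w[5]] = w[3]
            elif w[4:6] == ["host-inbound-traffic", "system-services"]:
                services.setdefault(w[3], set()).add(w[6])
        elif w[:3] == ["system", "services", "web-management"] and w[4] == "interface":
            web_ifaces.append((w[3], w[5]))      # (http|https, interface)
        elif w[:2] == ["snmp", "community"]:
            entry = snmp.setdefault(w[2], {"auth": "read-only", "clients": False})
            if "authorization" in w:
                entry["auth"] = w[w.index("authorization") + 1]
            entry["clients"] |= "clients" in w
    findings = []                                # second pass: judge them
    for proto, iface in web_ifaces:
        zone = zone_of.get(iface, "unassigned")
        if zone in internet_zones:
            findings.append(f"web-management {proto} on {iface} is reachable from Internet-facing zone {zone}")
        if proto == "http":
            findings.append(f"web-management http on {iface} is cleartext; use https only")
    for zone, svcs in services.items():
        if "all" in svcs:
            findings.append(f"zone {zone} allows system-services all; list only the services needed")
    for name, entry in snmp.items():
        if entry["auth"] == "read-write" and not entry["clients"]:
            findings.append(f"snmp community {name} is read-write with no clients restriction")
    return sorted(findings)
```

Running the audit over BRANCH_CONFIG yields five findings, while HARDENED_CONFIG yields none; the post's choice of HTTPS on a non-default port (10443) still leaves the management GUI reachable from the public interface.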

Let’s set up the IKE policy and pre-shared key for the VPN tunnels. Please make sure to replace the pre-shared key and IP addresses below with the values specific to your installation (not the example ones). I use the acronym PDC for Primary Data Center, since we have both a primary and an alternate/standby data center.

set security ike policy PDC-IKE mode main
set security ike policy PDC-IKE proposal-set standard
set security ike policy PDC-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"
set security ike gateway PDC-GW ike-policy PDC-IKE
set security ike gateway PDC-GW address 2.1.1.25
set security ike gateway PDC-GW external-interface ge-0/0/0.0

set security ipsec policy ACME-VPN proposal-set standard
set security ipsec policy ACME-VPN perfect-forward-secrecy keys group2

set security ipsec vpn PDC-VPN ike gateway PDC-GW
set security ipsec vpn PDC-VPN ike ipsec-policy ACME-VPN
set security ipsec vpn PDC-VPN bind-interface st0.0
set security ipsec vpn PDC-VPN establish-tunnels immediately

The Juniper SRX still acts as a firewall so we need to create policies to allow the traffic to flow. I’ll set everything wide open for this example.

edit security policies from-zone trust to-zone vpn
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

edit security policies from-zone vpn to-zone trust
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

edit security policies from-zone vpn to-zone vpn
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

We’ll create a rib-group so that the interface (directly connected) routes from inet.0 are also imported into the centralized-internet routing table; without this, the new routing instance would know nothing about the local LAN and tunnel subnets.

set routing-options interface-routes rib-group inet centralized
set routing-options rib-groups centralized import-rib inet.0
set routing-options rib-groups centralized import-rib centralized-internet.inet.0

We’ll create a virtual routing instance setting the next-hop to interface st0.0

set routing-instances centralized-internet instance-type virtual-router
set routing-instances centralized-internet interface st0.0
set routing-instances centralized-internet routing-options static route 0.0.0.0/0 next-hop st0.0

This filter directs all traffic to the centralized-internet routing table. The first term gives us an exception; it isn’t used today, but it can be used for testing and troubleshooting by changing the IP address to that of a valid LAN client. Traffic matching term 1 is accepted and routed by the default routing instance, which sends it directly out to the Internet as opposed to routing it over the VPN tunnel back to the main office. Note that term 1 as written matches on destination-address; to exempt a LAN client by its own address, match on source-address instead.

set firewall filter centralized-internet-filter term 1 from destination-address 10.1.200.254/32
set firewall filter centralized-internet-filter term 1 then accept
set firewall filter centralized-internet-filter term 2 then routing-instance centralized-internet

We’ll apply the filter we created above to traffic ingressing the interface vlan.0.

set interfaces vlan unit 0 family inet filter input centralized-internet-filter
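To see how the filter, the rib-group and the two routing tables interact, here is an added Python model (example code, not Junos and not from the post) that uses the post's own addresses; the table contents are a constructed simplification, and the share_interface_routes switch shows what the rib-group contributes.

```python
import ipaddress

# Model of the branch SRX 210 routing described in the post (added example
# code, not Junos): interface routes, the two routing tables joined by the
# rib-group, and the input filter on vlan.0. Table contents are constructed.
# Routes Junos derives from the configured interface addresses.
INTERFACE_ROUTES = {
    "1.51.88.8/30": "direct via ge-0/0/0.0",
    "10.1.200.0/24": "direct via vlan.0",
    "10.1.255.0/24": "direct via st0.0",
}

def build_tables(share_interface_routes=True):
    """Return {table: {prefix: next_hop}}. share_interface_routes models
    'rib-groups centralized import-rib inet.0 centralized-internet.inet.0':
    with it the connected routes sit in both tables, without it the VRF
    holds nothing but its default route."""
    inet0 = dict(INTERFACE_ROUTES)
    inet0["0.0.0.0/0"] = "1.51.88.9 via ge-0/0/0.0"          # ISP default route
    vrf = {"0.0.0.0/0": "st0.0 (VPN tunnel to the main office)"}
    if share_interface_routes:
        vrf.update(INTERFACE_ROUTES)
    return {"inet.0": inet0, "centralized-internet.inet.0": vrf}

def longest_match(table, dst):
    """Longest-prefix lookup; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None

# centralized-internet-filter as configured in the post: term 1 is the
# exception hook (accept -> normal lookup in inet.0); term 2 catches all
# remaining traffic and hands it to the centralized-internet table.
FILTER = [
    {"destination-address": "10.1.200.254/32", "then": "accept"},
    {"then": "routing-instance centralized-internet"},
]

def apply_filter(src, dst, terms=FILTER):
    """Evaluate terms in order (first match wins) and return the table to
    look up in, or None for the implicit discard at the end of a Junos filter."""
    for term in terms:
        matched = all(
            ipaddress.ip_address(value) in ipaddress.ip_network(term[key])
            for key, value in (("source-address", src), ("destination-address", dst))
            if key in term)
        if matched and term["then"] == "accept":
            return "inet.0"
        if matched:
            return term["then"].split()[1] + ".inet.0"
    return None

def route(src, dst, share_interface_routes=True):
    """Table chosen by the filter and the route found for a packet entering vlan.0."""
    table = apply_filter(src, dst)
    if table is None:
        return None
    return table, longest_match(build_tables(share_interface_routes)[table], dst)
```

With share_interface_routes=False the VRF has only its default route, so even a packet for a locally connected prefix would be handed to st0.0; the rib-group is what keeps connected destinations local while everything else goes down the tunnel.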

Let’s configure a DHCP relay instance to forward DHCP requests to a centralized server (10.1.1.40).

set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp description "Branch DHCP Relay"
set forwarding-options helpers bootp server 10.1.1.40 routing-instance centralized-internet
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp interface vlan.0

Let’s configure the TCP-MSS value so we don’t have any MTU issues tunneling over IPsec.

set security flow tcp-mss ipsec-vpn mss 1350

Let’s configure the debug options so we can troubleshoot any IKE/IPSEC issues.

set security ike traceoptions file size 1m
set security ike traceoptions flag policy-manager
set security ike traceoptions flag ike
set security ike traceoptions flag routing-socket

We need to disable IDP to prevent unwanted error messages from filling the log.

set system processes idp-policy disable

Now we need to commit and save all the changes we’ve made above.

commit

If you have issues committing the changes, with errors such as:

root# commit
[edit system]
'autoinstallation'
incompatible with 'forwarding-options helpers bootp'
[edit forwarding-options helpers]
'bootp'
incompatible with 'system autoinstallation'
error: commit failed: (statements constraint check failed)

Just issue the following command and re-issue the commit.

root# delete system autoinstallation

If you are connected to the public Internet you can sync the date/time via NTP over the public interface.

root# set date ntp 173.9.142.98

Configure the Juniper SRX 650 Main Office

Now we need to configure the Juniper SRX 650 which is the main office side of the tunnel.

Let’s create an IKE policy for this specific connection. Please remember to substitute your own pre-shared key and IP addresses for the ones I use in the example below.

set security ike policy TESTLAB-IKE mode main
set security ike policy TESTLAB-IKE proposal-set standard
set security ike policy TESTLAB-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"

Let’s create a gateway and tie it together with our IKE policy. Let’s set the public IP address of the branch office VPN site.

set security ike gateway TESTLAB-GW ike-policy TESTLAB-IKE
set security ike gateway TESTLAB-GW address 1.51.88.10
set security ike gateway TESTLAB-GW external-interface ge-0/0/0.0

Let’s create a VPN policy and tie all the policies together binding it to st0.10 which is a multipoint interface on the main office side.

set security ipsec vpn TESTLAB-VPN ike gateway TESTLAB-GW
set security ipsec vpn TESTLAB-VPN ike ipsec-policy ACME-VPN
set security ipsec vpn TESTLAB-VPN bind-interface st0.10
set security ipsec vpn TESTLAB-VPN establish-tunnels immediately

Since we’re not yet doing OSPF we need to create a static route in the appropriate routing instance.

set routing-instances routing-table-lan routing-options static route 10.1.200.0/24 next-hop 10.1.220.10

I’m omitting a few steps on the Juniper SRX 650 to implement the Multipoint VPN feature but it’s well documented (as most of this is) in the Juniper documentation.


Cheers!

DHCP/BOOTP Relay with Juniper SRX Gateways
https://blog.michaelfmcnamara.com/2010/09/dhcpbootp-relay-with-juniper-srx-gateways/
Sun, 12 Sep 2010 21:00:19 +0000

I’ve recently started deploying the Juniper SRX series gateways, placing an SRX 210 at branch office locations with an SRX 650 at the main office locations. We utilize a central DHCP/DNS/IPAM solution, so we prefer to relay all DHCP/BOOTP requests to one of our centralized DHCP/DNS servers as opposed to utilizing the DHCP server functionality built into the SRX itself.

I had to spend more than a few minutes trying to get the DHCP relay working on the SRX 210. The configuration was pretty straightforward; the trick in the end was the “vpn” statement (see below), which allows the DHCP/BOOTP packets to be relayed across a VPN tunnel. Please note that the DHCP server at 10.1.1.1 is accessible via the VPN tunnel.

forwarding-options {
 helpers {
  bootp {
   relay-agent-option;
   description "Branch DHCP Relay";
   server 10.1.1.1;
   maximum-hop-count 10;
   minimum-wait-time 1;
   vpn;
   interface {
    vlan.0;
   }
  }
 }
}

The next big step will be deploying OSPF between all the SRX gateways.

Cheers!

Juniper SRX JUNOS Software Upgrade 10.1R1.8
https://blog.michaelfmcnamara.com/2010/04/juniper-srx-junos-software-upgrade-10-1r1-8/
Tue, 20 Apr 2010 23:00:24 +0000

We recently purchased two Juniper SRX 650s to replace our aging Nortel VPN Routers (formerly Contivity Extranet Switches). We finally have both gateways/routers/firewalls racked and connected to the network, and we started working our way through the JUNOS configuration and command line interface. The SRX 650s we received from our reseller came with 10.0R8, so we decided to upgrade them to 10.1R1.8 based on some feedback we had received from Juniper concerning the slow response of the Web GUI while evaluating the SRX platform a few months ago.

You can find the release notes for JUNOS 10.1 on the Juniper website.

We started by placing the software (junos-srxsme-10.1R1.8-domestic.tgz) on an internal web server (10.1.20.1).

The upgrade itself took at least 5 minutes and the reboot took at least another 5 minutes; you definitely need to be patient when upgrading the SRX. It took a really long time compared to anything else I’ve upgraded in the past.

root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
/var/tmp/incoming-package.1145                        1500 kB 1500 kBps
Package contains junos-10.1R1.8.tgz ; renaming ...
NOTICE: Validating configuration against junos-10.1R1.8.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 631.0MB (1292236 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 157.75MB, 10096 blks, 20224 inodes.
super-block backups (for fsck -b #) at:
32, 323104, 646176, 969248
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 317928 free (24 frags, 39738 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Using junos-10.1R1.8-domestic from /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic
Copying package ...
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/etc/voip/musiconhold.conf: No such file or directory
Verified manifest signed by PackageProduction_10_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 84,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)
Link Layer Discovery Protocol: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic' ...
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
JUNOS 10.1R1.8 will become active at next reboot
Saving package file in /var/sw/pkg/junos-10.1R1.8 ...
cp: /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic is a directory (not copied).
Saving state for rollback ...
Rebooting ...
shutdown: [pid 1888]
Shutdown NOW!

*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY

I hope to post some additional information as we move forward with the Juniper SRX platform.

Cheers!
