Saturday, August 22, 2015

EASY - DYNAMIC SSL VPN on SRX210


Juniper Networks branch SRX series firewalls (the models listed below) support Dynamic VPN out of the box. Despite the "SSL VPN" label, only the client download and the user login happen over HTTPS; the tunnel itself is IKE/IPsec (IKEv1 aggressive mode with XAuth), as the configuration further down shows.

While this is a licensed feature, every device ships with two FREE concurrent-user licenses, which is PERFECT for SOHO or branch-office remote access.

The devices that support this are:
·      SRX100
·      SRX110
·      SRX210
·      SRX220
·      SRX240
·      SRX550
·      SRX650




Check the release notes for your exact JUNOS version, but the devices above support Dynamic VPN from JUNOS 10.0 onward, and the two bundled licenses show up under show system license:

user@srx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         0            2           0    permanent

I'll post both the JUNOS default Hierarchy and the Set Based JUNOS output in this 

user@srx> show configuration groups DYNVPN | display set
set groups DYNVPN security ike policy ike-dyn-vpn-policy mode aggressive
set groups DYNVPN security ike policy ike-dyn-vpn-policy proposal-set standard
set groups DYNVPN security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$su2oZjT3n60OLx7dYgJGD"
set groups DYNVPN security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set groups DYNVPN security ike gateway dyn-vpn-local-gw external-interface fe-0/0/2.0
set groups DYNVPN security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set groups DYNVPN security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set groups DYNVPN security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set groups DYNVPN security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set groups DYNVPN security dynamic-vpn access-profile dyn-vpn-access-profile
set groups DYNVPN security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
set groups DYNVPN security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set groups DYNVPN security dynamic-vpn clients all ipsec-vpn dyn-vpn
set groups DYNVPN security dynamic-vpn clients all user client1
set groups DYNVPN security dynamic-vpn clients all user client2
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match source-address any
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match destination-address any
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ping
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ssh
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ike
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-https
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set groups DYNVPN access profile dyn-vpn-access-profile client client1 firewall-user password "$9$Q3/AuQFA0OByrs2gaDi.P5Qz3"
set groups DYNVPN access profile dyn-vpn-access-profile client client2 firewall-user password "$9$4Ia3/.P39CAIRNdVsoJDik.mf"
set groups DYNVPN access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set groups DYNVPN access address-assignment pool dyn-vpn-address-pool family inet network 192.168.14.0/30
set groups DYNVPN access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set groups DYNVPN access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

user@srx> show configuration groups
DYNVPN {
    security {
        ike {
            policy ike-dyn-vpn-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$sFikT3nLx7dYgJGD"; ## SECRET-DATA
            }
            gateway dyn-vpn-local-gw {
                ike-policy ike-dyn-vpn-policy;
                dynamic {
                    hostname dynvpn;
                    connections-limit 2;
                    ike-user-type group-ike-id;
                }
                external-interface fe-0/0/2.0;
                xauth access-profile dyn-vpn-access-profile;
            }
        }
        ipsec {
            policy ipsec-dyn-vpn-policy {
                proposal-set standard;
            }
            vpn dyn-vpn {
                ike {
                    gateway dyn-vpn-local-gw;
                    ipsec-policy ipsec-dyn-vpn-policy;
                }
            }
        }
        dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        192.168.20.0/24;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        client1;
                        client2;
                    }
                }
            }
        }
        policies {
            from-zone untrust to-zone lab {
                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-ping junos-ssh junos-ike junos-https ];
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile dyn-vpn-access-profile {
            client client1 {
                firewall-user {
                    password "$9$U8jkmTyrs2gaDi.P5Qz3"; ## SECRET-DATA
                }
            }
            client client2 {
                firewall-user {
                    password "$9$49CAIVsoJDik.mf"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 192.168.14.0/30;
                    xauth-attributes {
                        primary-dns 4.2.2.2/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile dyn-vpn-access-profile;
            }
        }
    }
}
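The group above covers IKE, IPsec, the access profile and the tunnel policy, but not the two things that let the SRX itself accept IKE and the Dynamic VPN HTTPS portal on the outside interface, and its tunnel policy is any-to-any. What follows is an added example (my configuration, not the author's) of the remaining statements a practitioner would put in the same DYNVPN group, followed by the operational commands to verify a connected user. It assumes the same external interface (fe-0/0/2.0), zones (untrust and lab) and client pool (192.168.14.0/30) as the post; the address-book names dynvpn-pool and lab-net are invented here.

```junos
# Added example, not from the original post. Assumes fe-0/0/2.0 is the public
# interface in zone untrust and 192.168.20.0/24 sits in zone lab, as above.
# The address names dynvpn-pool and lab-net are my own.

# 1. Let the SRX accept IKE and the Dynamic VPN HTTPS portal on the external
#    interface only (not on every interface in the zone). Keeping these inside
#    the DYNVPN group means deactivating the group also stops the listeners.
set groups DYNVPN security zones security-zone untrust interfaces fe-0/0/2.0 host-inbound-traffic system-services ike
set groups DYNVPN security zones security-zone untrust interfaces fe-0/0/2.0 host-inbound-traffic system-services https
set groups DYNVPN system services web-management https interface fe-0/0/2.0
# Only needed if no certificate is configured for web-management yet.
set groups DYNVPN system services web-management https system-generated-certificate

# 2. Name the client pool and the protected network so the tunnel policy is
#    not "any to any" (zone-attached address-book form).
set groups DYNVPN security zones security-zone untrust address-book address dynvpn-pool 192.168.14.0/30
set groups DYNVPN security zones security-zone lab address-book address lab-net 192.168.20.0/24

# 3. Tunnel policy: only from an assigned pool address, only to the lab
#    network, only the applications remote users need, and logged.
#    junos-ike is left out: IKE terminates on the SRX (host-inbound), it is
#    never forwarded through the tunnel.
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match source-address dynvpn-pool
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match destination-address lab-net
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ping
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ssh
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-https
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy then log session-init
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy then log session-close

# 4. After a client connects, verify phase 1, phase 2 and the XAuth user:
#    user@srx> show security ike security-associations
#    user@srx> show security ipsec security-associations
#    user@srx> show security dynamic-vpn users
```

Two caveats on the secrets in the dump above. Junos $9$ strings are reversible obfuscation, not hashes, so a pasted configuration exposes the pre-shared key and both XAuth passwords; rotate anything that has been published. And IKEv1 aggressive mode with a group IKE ID, which Dynamic VPN requires, sends the responder's authentication hash unencrypted, so anyone who can reach the gateway can capture it and brute-force a weak PSK offline: use a long random PSK, rely on the per-user XAuth credentials for identity, and keep connections-limit at the number of users you actually have.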

Now in Pulse Secure (previously known as JUNOS Pulse) add a connection pointing at the SRX's external address, enter one of the usernames and passwords from the access profile, and hit Connect. Once connected you have an IPsec tunnel to the SRX.

A quick $ ifconfig utun1 on my Mac shows:

utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.168.14.1 --> 192.168.14.1 netmask 0xffffffff

OR

You can also point your web browser at https://<external IP>/dynamic-vpn and log in there; the portal installs or launches the Pulse client for you, but the standalone Pulse Secure client is very easy to use.




Now that the tunnel is up, traffic from your pool address to the protected 192.168.20.0/24 network goes through it, subject to the untrust-to-lab security policy (here ping, SSH and HTTPS); everything else still leaves your machine directly because of the 0.0.0.0/0 remote-exception.

You will notice I used a group configuration to place the DYNVPN settings into. I did this so I can turn it on when I need it and leave it off when I don’t. I don’t want to expose the web interface to the public Internet when I am not using it.

By placing the configuration into a group I can just enable it with
#set apply-groups DYNVPN
#commit

and disable by
#deactivate apply-groups DYNVPN
#commit


The point of this post is that the SRX not only protects your SOHO, branch office or campus exceptionally well, but also provides additional features such as Dynamic VPN, UTM, AV and IPS.






Friday, June 26, 2015

Pushing CLI Configlets with JUNOS SPACE

CLI (Command Line Interface) Configlets are an exceptional little tool for managing enterprise-wide changes that are the same across multiple platforms.

For example pushing the same login message/banner to all of your devices with a few clicks.

If you only have one device it may not be such a big deal, but if you have hundreds or thousands of switches, routers or security devices then doing it by hand is time consuming.
                         ....Ain't nobody got time for that!!!!...

If you've worked in the CLI on network devices you start to notice that large chunks of the configuration are the same on every platform. There may be some deltas between your EX devices and your SRX devices, but CLI Configlets help there as well by letting you set a device family. When you categorize by family you can pick and choose which groups of devices to push the configlet to.

OK, enough about how cool configlets are; let's get into the Space GUI and make some!

1.  Open your favorite browser and point it at space https://[space-ip]/mainui

2.  Enter your login credentials. The default user is super with password juniper123; change it before anyone else can reach the box.


3.  You should now be at the main dashboard


4.  Navigate to CLI Configlets > Configlets


5.  Click the green (+) icon and then fill in the information for your configlet. It is pretty straightforward and user friendly. Unless you are updating physical or logical interfaces with this configlet, choose /device for the context.




6.  Click Next and then click the green (+) icon to add a configlet. Again, this is pretty self-explanatory. My context is device; I give it a parameter name, description etc. and then click the Add button to add it. Then you should see something similar to:



7.  Click the Create button and you wind up with your very own CLI Configlet! It takes you back to the configlet screen and you will see the entry with Name, Domain, Category etc. To modify, view or even clone that specific configlet, highlight it and then right-click it. A menu pops up where you can do all that self-explanatory fun stuff. We are going to skip that to cut down on the length of this post. The REAL purpose of this is to PUSH the configlet to the network device! So let's do that!

First, let's make an observation. When I log into the device now it has a PRE-configlet message that I put there manually:

                                 $ ssh space@192.168.1.140
                                 BEFORE THE CONFIGLET!
                                 Password:
                                 --- JUNOS 13.2X50-D19.2 built 2014-05-20 02:56:07 UTC
                                 {master:0}

                                 space@ex2200-1>

8.  So now let's select the device, an ex2200, under the Devices section. Highlight and right-click the ex2200, then navigate to Device Operations > Apply CLI Configlet



9.  Now locate our DEMO configlet and highlight it. The device we selected should appear in the device field below. Click Next and you should see a preview of the configlet we created a few steps ago.





10.  Next you can click Apply. You can also validate the configlet first, but let's go ahead and apply this puppy!



11.  BAM! As you can see, the CLI configlet was applied successfully. Now let's log in over SSH just to verify:


                                 $ ssh space@192.168.1.140
                                 THIS IS THE DEMO MESSAGE. WHEN WE PUSH THIS USING SPACE IT WILL AUTO MAGICALLY SHOW UP ON THE SWITCH!
                                 SEVERAL CARRIAGE RETURN LINE FEEDS
                                 Password:
                                 --- JUNOS 13.2X50-D19.2 built 2014-05-20 02:56:07 UTC
                                 {master:0}

                                 space@ex2200-1>

12.  Now you know how to create and apply a CLI configlet, not just to one device but to your entire enterprise if needed.

NOW THAT'S POWERFUL! Not to mention efficient!

Imagine having to log into 100 or 1000 devices and do that by hand. Sure, you could script it, but you would be the only one who really knew how to run it. Now that it is a CLI configlet, you have empowered your entire team to make minor changes to it and push it to the network.

The login message was pretty basic. Think of it in terms of large firewall policies, policers, SNMP client updates, NTP or DNS updates. With a couple of clicks you can update your entire network!
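The walkthrough shows the GUI clicks but never the configlet text itself. As an added example (mine, not the post's DEMO configlet), here is what the body of a login-banner configlet looks like in Junos hierarchy form, with a Space parameter for the text so the team can change the wording without editing the configlet. The parameter name $banner is my choice; Space substitutes $name references with the parameter values when it applies the configlet, and the device context is /device as in step 5.

```junos
# Added example, not from the original post. Configlet body in Junos
# hierarchy form; $banner is an assumed parameter name that Space fills in
# at apply time. Junos expands \n inside the message string, which is how
# you get the blank lines before the Password: prompt.
system {
    login {
        message "$banner";
    }
}

# What the switch receives when $banner is
#   THIS IS THE DEMO MESSAGE.\n\n\nSEVERAL CARRIAGE RETURN LINE FEEDS\n
# (constructed value, matching the login shown in step 11):
#
# system {
#     login {
#         message "THIS IS THE DEMO MESSAGE.\n\n\nSEVERAL CARRIAGE RETURN LINE FEEDS\n";
#     }
# }
#
# Verify on the device after the push, without logging out and back in:
#   space@ex2200-1> show configuration system login message
```

Because the configlet only touches system login message, applying it merges with the existing configuration and replaces just the old "BEFORE THE CONFIGLET!" text; nothing else on the switch changes, which is exactly what you want from a banner push across hundreds of devices.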

I hope this provides some insight into the power and maturity of JUNOS Space and how you can use this utility to improve your network.

For more information go to: https://www.juniper.net/documentation/en_US/junos-space13.1/platform/information-products/pathway-pages/junos-space-cli-configlets-pwp.html