Showing posts with label Juniper. Show all posts

Tuesday, September 1, 2015

JunOS Space Radius Authentication with Free Radius Server TekRADIUS

TekRADIUS is a RADIUS server for Windows with a built-in DHCP server. It is tested on Microsoft Windows XP, Vista, Windows 7/8/10 and Windows Server 2003/2008/2012. TekRADIUS complies with RFC 2865 and RFC 2866, and also supports the TCP (RFC 6613) and TLS (RFC 6614, RadSec) transports. There are two editions: TekRADIUS (first edition; supports Microsoft SQL Server) and TekRADIUS LT (second edition; supports SQLite). It runs as a Windows Service and comes with a Win32 management interface. More features are listed on their website.

There are some previous usage posts in my blog:


Those configurations have been proven to work well with Check Point, Juniper and Cisco devices. Recently our Juniper NSM was upgraded to the Junos Space platform. There were some challenges setting up TekRADIUS to work with Junos Space. Here are all the steps I did, and so far it works.

1. Download and Install TekRADIUS

You can get the installation file from the download page. The current version is 4.9.9. You can use the LT version, which is the SQLite version. Installation is quite straightforward, and configuration is simple as well.

2. TekRADIUS Configuration

TekRADIUS is configured from its console window. Go through all the tabs and fill in the necessary information; your RADIUS server should be ready in about 10 minutes. In my lab configuration, there are some groups defined in the TekRADIUS Groups tab. The admin group uses Active Directory authentication, and its members automatically land in enable mode with privilege level 15 on Cisco devices. All administrators defined in the Users tab are nested in those groups.
Defined Groups

For users in the admin-read group, the difference from the admin group is that they do not enter enable mode automatically; you have to type the enable password on the Cisco device. The admin-read group returns no cisco-avpair attribute in its Success-Reply packets.

Radius Client Configuration

Radius Server Configuration

Cisco Attribute

3. JunOS Space Configuration

3.1 Authentication Server Configuration


Authentication Server

3.2 Define a Remote Profile 'admin'


Remote Profile - admin

3.3 Configure the Junos Space Attribute in TekRADIUS

Authorization data returned by the RADIUS server is carried as vendor-specific attributes (VSAs). Therefore, you need to add the Junos Space VSA (Juniper-Junosspace-Profiles) to the Juniper dictionary in the RADIUS server (Vendor Juniper in the Dictionary Editor). Users or groups in the RADIUS server database are then configured to return this VSA, and its value must match the name of a remote profile created on the Junos Space server.

3.3.1 Create a new VSA under Vendor Juniper's attribute list
new vsa - Juniper-Junosspace-Profiles
3.3.2 Assign this new VSA attribute into the group admin
New Success-reply Attribute
Assign this attribute the value 'admin', which matches the Junos Space remote profile name created in step 3.2. Once authentication succeeds, this value is returned to Junos Space, which uses it for authorization, so the name must match the remote profile exactly.

4. Verify

You should be able to log in with your AD account name and AD password.

4.1 from TekRADIUS server

Here is the log from the TekRADIUS server.

01/09/2015 8:50:18 PM - Active Directory Authentication commencing for user 'yanjohn'
01/09/2015 8:50:18 PM - Check items control - Start (Group : admin).
01/09/2015 8:50:18 PM - Check items control - Stop (Group : admin).
01/09/2015 8:50:18 PM - Windows authentication successfull for user 'yanjohn'
01/09/2015 8:50:18 PM - Fetching Success-Reply items - Start.
01/09/2015 8:50:18 PM - Fetching Success-Reply items - Stop.
01/09/2015 8:50:18 PM - Generating Reply Packet - Start.
01/09/2015 8:50:18 PM - Generating Reply Packet - Stop.

RadAuth reply to  : 10.94.200.18:59944 - 01/09/2015 8:50:18 PM
Size              : 82
Identifier        : 24
Attributes        : 

Juniper-Junosspace-Profiles = admin
cisco-avpair = shell:priv-lvl=15
Service-Type = 7
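The reply shown in the TekRADIUS log above, rebuilt and then verified the way the RADIUS client (here Junos Space) has to verify it before trusting the profile name. This is an added example written for this page, not code from the original post, from TekRADIUS or from Juniper. It assumes the FreeRADIUS dictionary numbering for the Juniper VSA (vendor 2636, Juniper-Junosspace-Profiles = type 11; check this against your own dictionary) and uses a constructed shared secret and Request Authenticator.

```python
"""Added example (not from the post or TekRADIUS): build, verify and decode a RADIUS
Access-Accept carrying the Junos Space and Cisco VSAs shown in the TekRADIUS log.
Standard library only: RFC 2865 Response Authenticator, RFC 2869 Message-Authenticator."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6            # RFC 2865; value 7 = NAS-Prompt
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869: HMAC-MD5 over the packet
VENDOR_CISCO = 9                 # cisco-avpair is Cisco VSA type 1
VENDOR_JUNIPER = 2636            # Juniper-Junosspace-Profiles assumed to be VSA type 11
VSA_NAMES = {(VENDOR_CISCO, 1): "cisco-avpair",
             (VENDOR_JUNIPER, 11): "Juniper-Junosspace-Profiles"}


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute; Length covers its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vsa_type, value):
    """Encode a Vendor-Specific (26) attribute wrapping one vendor TLV."""
    inner = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def junos_space_reply_attributes(profile, priv_lvl):
    """The Success-Reply items of the admin group: remote profile, Cisco enable level, NAS-Prompt."""
    return (vsa(VENDOR_JUNIPER, 11, profile.encode())
            + vsa(VENDOR_CISCO, 1, f"shell:priv-lvl={priv_lvl}".encode())
            + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", 7)))


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Server side. Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed);
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + secret)."""
    zeroed_ma = attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs) + len(zeroed_ma))
    ma = hmac.new(secret, header + request_authenticator + attrs + zeroed_ma, hashlib.md5).digest()
    body = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, ma)
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def verify_and_decode(packet, request_authenticator, secret):
    """Client side (what Junos Space must do before trusting the profile name): check both
    authenticators against the Access-Request's authenticator, then decode the attributes."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("unexpected code or length")
    header, response_authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, response_authenticator):
        raise ValueError("bad Response Authenticator (wrong secret or tampered packet)")
    decoded, offset, ma_seen = {}, 0, False
    while offset < len(body):
        attr_type, attr_len = body[offset], body[offset + 1]
        if attr_len < 2 or offset + attr_len > len(body):
            raise ValueError("bad attribute length")
        value = body[offset + 2:offset + attr_len]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = body[:offset + 2] + b"\x00" * 16 + body[offset + attr_len:]
            ma = hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(ma, value):
                raise ValueError("bad Message-Authenticator")
            ma_seen = True
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vsa_type, vsa_len = value[4], value[5]
            name = VSA_NAMES.get((vendor_id, vsa_type), f"Vendor-{vendor_id}-{vsa_type}")
            decoded[name] = value[6:4 + vsa_len].decode()
        elif attr_type == ATTR_SERVICE_TYPE:
            decoded["Service-Type"] = struct.unpack("!I", value)[0]
        else:
            decoded[f"Attr-{attr_type}"] = value
        offset += attr_len
    if not ma_seen:  # the plain-MD5 Response Authenticator alone is too weak to rely on
        raise ValueError("Message-Authenticator missing")
    return decoded


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed lab values, not from the post
    REQUEST_AUTH = bytes(range(16))        # in reality taken from the Access-Request
    reply = build_access_accept(24, REQUEST_AUTH, SECRET, junos_space_reply_attributes("admin", 15))
    print(len(reply), verify_and_decode(reply, REQUEST_AUTH, SECRET))
```

With the three attributes plus a Message-Authenticator the packet comes out at 82 bytes. The Response Authenticator is only an MD5 over the packet and the shared secret, which is why the decoder also insists on the HMAC-based Message-Authenticator and refuses replies without it; if either check fails, the returned profile name must not be used for authorization. This is still UDP with a static secret, so in production prefer the RadSec (TLS) transport that TekRADIUS supports.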


4.2 from JunOS Space Audit Logging

Audit Log





Wednesday, August 12, 2015

Configure SRX 240 cluster Step by Step

1. Understanding SRX240 Default Configuration



The following defaults apply to an SRX240 in its factory-default configuration:

Default configuration for Security Zone, Security Policy and NAT Rule:






2. Cluster Network Diagram in this LAB

If your devices were used before, it is best to reset them to the factory-default configuration. Here are four different ways to do it:

a. request services fips zeroize
b. request system zeroize
c. Delete the whole configuration in configuration mode (answer yes at the prompt to wipe it):
[email protected]# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) no

You will need to set a root password before you can commit the emptied configuration.
d. load factory-default

3.  Set root password

By default, the root user has no password, and a commit fails until one is set.

set system root-authentication plain-text-password

4. Delete some default configurations on Node0

Keep in mind that you need to delete these configurations on both nodes, node0 and node1.

delete system name-server
delete system services dhcp

delete vlans

delete interfaces vlan

delete interfaces ge-0/0/0 unit 0

delete interfaces ge-0/0/1 unit 0
delete interfaces ge-0/0/2 unit 0
delete interfaces ge-0/0/3 unit 0
delete interfaces ge-0/0/4 unit 0
delete interfaces ge-0/0/5 unit 0
delete interfaces ge-0/0/6 unit 0
delete interfaces ge-0/0/7 unit 0
delete interfaces ge-0/0/8 unit 0
delete interfaces ge-0/0/9 unit 0
delete interfaces ge-0/0/10 unit 0
delete interfaces ge-0/0/11 unit 0
delete interfaces ge-0/0/12 unit 0
delete interfaces ge-0/0/13 unit 0
delete interfaces ge-0/0/14 unit 0
delete interfaces ge-0/0/15 unit 0
delete security

commit


5. Enable Cluster on node 0 and reboot

root> set chassis cluster cluster-id 2 node 0 reboot

6. Basic configuration based on the topology

Note that host-inbound-traffic system-services all and the bidirectional allow_any policies below are lab shortcuts. In production, allow only the system services each zone actually needs and write explicit policies; the master-only fxp0 address must be configured under both node groups so it follows the primary node on failover.

set groups node0 system host-name fw-a
set groups node0 interfaces fxp0 unit 0 family inet address 10.9.12.9/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.9.12.8/24 master-only
set groups node1 system host-name fw-b
set groups node1 interfaces fxp0 unit 0 family inet address 10.9.12.10/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.9.12.8/24 master-only
set apply-groups "${node}"
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set security zones security-zone Zone1
set security zones security-zone Zone2
set security zones security-zone Zone1 host-inbound-traffic system-services all
set security zones security-zone Zone2 host-inbound-traffic system-services all
set interfaces reth0 unit 0 family inet address 10.9.132.18/24
set security zones security-zone Zone1 interfaces reth0.0
set interfaces reth1 unit 0 family inet address 10.9.136.18/24
set security zones security-zone Zone2 interfaces reth1.0


set system backup-router 10.9.12.1 destination 10.0.0.0/8
set routing-options static route 0.0.0.0/0 next-hop 10.9.12.1

set security policies from-zone Zone1 to-zone Zone2 policy allow_any match source-address any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any match destination-address any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any match application any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any then permit
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match source-address any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match destination-address any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match application any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any then permit

7. Enable Cluster on node 1 and reboot

After cabling the control link (ge-0/0/1 on both nodes) and the fabric link (ge-0/0/2 on both nodes, configured above as fab0 and fab1) between the two nodes, we can enable the cluster on node1.

Before enabling the cluster on node1, the same default configuration has to be deleted on it:

delete system name-server
delete system services dhcp

delete vlans
delete interfaces vlan

delete interfaces ge-0/0/0 unit 0
delete interfaces ge-0/0/1 unit 0
delete interfaces ge-0/0/2 unit 0
delete interfaces ge-0/0/3 unit 0
delete interfaces ge-0/0/4 unit 0
delete interfaces ge-0/0/5 unit 0
delete interfaces ge-0/0/6 unit 0
delete interfaces ge-0/0/7 unit 0
delete interfaces ge-0/0/8 unit 0
delete interfaces ge-0/0/9 unit 0
delete interfaces ge-0/0/10 unit 0
delete interfaces ge-0/0/11 unit 0
delete interfaces ge-0/0/12 unit 0
delete interfaces ge-0/0/13 unit 0
delete interfaces ge-0/0/14 unit 0
delete interfaces ge-0/0/15 unit 0
delete security

commit

After the commit, enable the chassis cluster on node1 with the same cluster-id that node0 uses (the cluster-id must be identical on both nodes, otherwise they never form a cluster):

set chassis cluster cluster-id 2 node 1 reboot

Note: if you run multiple Juniper clusters in the same Ethernet environment, each cluster must have a unique cluster-id. The reth MAC addresses are derived from the cluster-id, so two clusters with the same ID on one segment produce MAC address conflicts on the switch ports and the firewalls will not handle traffic properly in that zone. In the following example, cluster-id is set to 5 to avoid a conflict. The cluster-id range is 1-15 (cluster-id 0 disables clustering).

[email protected]> set chassis cluster cluster-id 5 node 0 reboot
Successfully enabled chassis cluster. Going to reboot now.

{primary:node0}[edit]
[email protected]> show chassis cluster status
Cluster ID: 5
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   0           primary        no       no
    node1                   0           secondary      no       no

Verification:

You can check the cluster status with the following commands.
show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics
show chassis cluster control-plane statistics
show chassis cluster data-plane statistics
show chassis cluster status redundancy-group 1
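An added example, written for this page rather than taken from the original post or from Juniper, that lints the set commands from steps 5 to 7 for the slips that are easy to make when typing them: a different cluster-id on each node, the master-only fxp0 address configured under only one node group, a reth with both members on the same node, or a fab link on the wrong node. It assumes the SRX240 numbering in which node1's ports appear as ge-5/0/x, and the sample configuration embedded in it is constructed from the one above with two such slips introduced on purpose.

```python
"""Added example (not from the post or Juniper): lint the 'set' commands of an SRX
chassis-cluster configuration for slips that are easy to make in steps 5 to 7 above."""
import re
from collections import defaultdict

SRX240_NODE1_FPC = 5  # on an SRX240 cluster node1's ports show up as ge-5/0/x (node0: ge-0/0/x)
IFACE_RE = re.compile(r"^(?:ge|xe|fe)-(\d+)/(\d+)/(\d+)$")


def node_of(iface, node1_fpc=SRX240_NODE1_FPC):
    """0 or 1 for the cluster node that owns a physical port; None if it is not one."""
    m = IFACE_RE.match(iface)
    return None if m is None else (1 if int(m.group(1)) >= node1_fpc else 0)


def lint_cluster_config(lines, node1_fpc=SRX240_NODE1_FPC):
    """Return a list of findings; an empty list means every check passed."""
    findings, apply_groups = [], False
    cluster_ids = {}                  # node -> id from 'set chassis cluster cluster-id N node M reboot'
    master_only = defaultdict(set)    # node group -> master-only fxp0 addresses
    reth_members = defaultdict(dict)  # reth -> {node: member port}
    reth_rg, fab_members, rg_nodes = {}, {}, defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if (m := re.match(r"set chassis cluster cluster-id (\d+) node ([01]) reboot$", line)):
            cluster_ids[int(m.group(2))] = int(m.group(1))
        elif (m := re.match(r"set groups node([01]) interfaces fxp0 unit 0 family inet address (\S+) master-only$", line)):
            master_only[int(m.group(1))].add(m.group(2))
        elif line == 'set apply-groups "${node}"':
            apply_groups = True
        elif (m := re.match(r"set chassis cluster redundancy-group (\d+) node ([01]) priority \d+$", line)):
            rg_nodes[int(m.group(1))].add(int(m.group(2)))
        elif (m := re.match(r"set interfaces fab([01]) fabric-options member-interfaces (\S+)$", line)):
            fab_members[int(m.group(1))] = m.group(2)
        elif (m := re.match(r"set interfaces (\S+) gigether-options redundant-parent (reth\d+)$", line)):
            port, reth = m.group(1), m.group(2)
            node = node_of(port, node1_fpc)
            if node in reth_members[reth]:
                findings.append(f"{reth}: two members on node{node} ({reth_members[reth][node]}, {port})")
            else:
                reth_members[reth][node] = port
        elif (m := re.match(r"set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$", line)):
            reth_rg[m.group(1)] = int(m.group(2))

    if len(set(cluster_ids.values())) > 1:
        findings.append(f"cluster-id differs between nodes: {cluster_ids}")
    for node, cid in cluster_ids.items():
        if not 1 <= cid <= 15:
            findings.append(f"node{node}: cluster-id {cid} is outside 1-15 (0 disables clustering)")
    if not apply_groups:
        findings.append('missing: set apply-groups "${node}"')
    if master_only[0] != master_only[1]:
        findings.append(f"master-only fxp0 address must be identical under both node groups: "
                        f"node0={sorted(master_only[0])} node1={sorted(master_only[1])}")
    for fab in (0, 1):
        port = fab_members.get(fab)
        if port is None:
            findings.append(f"fab{fab}: no member interface")
        elif node_of(port, node1_fpc) != fab:
            findings.append(f"fab{fab}: member {port} is not a node{fab} port")
    for reth in sorted(set(reth_members) | set(reth_rg)):
        for node in (0, 1):
            if node not in reth_members[reth]:
                findings.append(f"{reth}: no member port on node{node}")
        rg = reth_rg.get(reth)
        if rg is None or rg == 0:
            findings.append(f"{reth}: must be in a data redundancy-group (1 or higher), not RG 0")
        elif rg_nodes[rg] != {0, 1}:
            findings.append(f"{reth}: redundancy-group {rg} lacks a priority for both nodes")
    return findings


# Constructed input based on the step-6 configuration, with two slips introduced on purpose:
# the second master-only line names node0 again, and node1 is enabled with a different cluster-id.
SLIPPED = """
set chassis cluster cluster-id 2 node 0 reboot
set chassis cluster cluster-id 1 node 1 reboot
set groups node0 interfaces fxp0 unit 0 family inet address 10.9.12.8/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet address 10.9.12.8/24 master-only
set apply-groups "${node}"
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
""".strip().splitlines()
FIXED = [l.replace("cluster-id 1 node 1", "cluster-id 2 node 1") for l in SLIPPED]
FIXED[3] = "set groups node1 interfaces fxp0 unit 0 family inet address 10.9.12.8/24 master-only"

if __name__ == "__main__":
    for label, cfg in (("slipped", SLIPPED), ("fixed", FIXED)):
        print(label, lint_cluster_config(cfg) or "OK")
```

Run it against `show configuration | display set` output (plus the two cluster-id commands you typed) before the reboots; on other SRX models the node1 FPC offset differs, so pass the right node1_fpc for the platform.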





Thursday, June 18, 2015

Pulse Secure (formerly Juniper Pulse) - UAC Configuration Summary

Juniper Networks' network access control solution, Unified Access Control (UAC), together with the Junos Pulse product line, has been sold as a whole package to Siris Capital and renamed Pulse Secure, which now operates independently. The deal was reported at about $250 million, based on Jeffrey Burt's post at eWeek.

This affects the following two products in our environment:
a. IC4500


b. MAG6611




As a customer of the UAC/MAG solutions for many years, there are some significant support changes we have to be aware of, quoted from their transition website:

Pulse Secure is currently operating under a Transition Services Agreement (TSA) with Juniper Networks that will end on July 31, 2015. All support requests should go through Pulse Secure as of August 1, 2015. If you contact Juniper Networks after that date, you will be redirected to Pulse Secure support.
This includes support for already deployed products, products purchased during the transition period, and products purchased from Pulse Secure after the TSA ends. If a customer has purchased any support contract prior to July 31 through Juniper Networks and its partner network—or through Pulse Secure and its partner network—Pulse Secure will honor these terms throughout the life of the contract.

To keep a record of some of my daily work, this post summarizes a few basic configuration steps for the IC4500 UAC appliance. More posts on this topic from this blog:


1. Upgrade

Find the latest recommended version on the Juniper website. Right now it is 5.2R1.0.



There are two options: upload a local file, or use a staged package. Either one should work as long as the download completed correctly.

2. Create a new role Test1 for new testing users

Most of the configuration is done through the wizard and you should be able to use the default settings.
The Pulse Secure logo now appears in the system if you go into the UI options; on version 5.0 it was the Juniper Networks logo.


3. Create a new realm Test1

After creating roles, you need to create realms to hold those roles and resources. Roles are usually associated with resources; the resource configuration is done in step 4.
3.1 Authentication
Choose the proper authentication server from Administrators, Cert_Auth, Guest Authentication and System_Local. This decides how users in your realm are authenticated. The popular options are local, LDAP, RADIUS, AD and certificate.



3.2 Role Mapping
This screenshot shows certificate authentication in use: the rule checks whether the certificate carries the altName.UPNuid attribute. If UAC finds a match on this attribute, it assigns the role Test1 created in step 2.

4. Create Resources for Test1 Role

This page associates your network resources with the role defined in step 2. In this example, one RDP and one ICMP resource have been configured for role Test1. One resource can belong to multiple roles.

5. Choose proper Authentication Realm on Signing In page

The Sign-In page is what users see. You can have multiple sign-in pages for different user groups based on your company's needs.

On this rdp page, two realms are assigned: rdp and Test1. This allows users mapped to roles in realm Test1 to log in on this page and use the resources defined in step 4.

After the above 5 steps, users in realm 'Test1' can log into the sign-in page 'rdp'. Once logged in, they are assigned the role 'Test1' and have RDP and ICMP access to the server 10.9.2.9.

References:

a. Juniper UAC Appliance IC4500 Step by Step Configuration (Part 1)
b. Juniper UAC Appliance IC4500 Step by Step Configuration (Part 2)

Wednesday, May 27, 2015

Industry's Fastest Firewall - Juniper SRX5800 Delivers Two Terabits Throughput

Juniper SRX5800 delivers two terabits per second of throughput:


On Apr 15, 2015, Juniper announced: Industry's Fastest Firewall - SRX5800 delivers two terabits per second of throughput




The first of its kind, the SRX data center firewall delivers the highest known performance on a single chassis with as low as 7 microseconds latency and 2 Tbps* performance — perfect for environments where security must operate at the speed of the network.





SRX5800 2 Tbps Test by Ixia - live demo:






Reference: http://www.juniper.net/us/en/dm/bettersecurity/



Tuesday, May 12, 2015

Installation of Junos Space Security Director and Managing Juniper Firewall

Previous Background Posts for JunOS Space


Junos Space Security Director (previously known as Security Design) is an application on the Junos Space platform that manages Juniper Networks SRX Series Services Gateways.

It helps administrators quickly manage all phases of the security policy life cycle for the stateful firewall, security intelligence (leveraging threat feeds from the Spotlight Secure cloud for protection against Web application attacks, command-and-control traffic and botnets, plus local data feeds), unified threat management (UTM), intrusion prevention system (IPS), AppFW, VPN, and Network Address Translation (NAT).

Junos Space is Juniper's comprehensive network management solution that simplifies and automates management of Juniper's switching, routing, and security devices. It includes:

Sunday, May 10, 2015

Juniper vSRX Firewall (Firefly Perimeter) installation in ESXi and Managed by JunOS Space

For how to install the Junos Space Virtual Appliance on ESXi 5.5, please check my previous post:

Juniper Firefly Perimeter, also called vSRX, is a virtual firewall from Juniper's SRX product line. It provides security and networking services at the perimeter of virtualized private or public cloud environments. It runs as a virtual machine on a standard x86 server and delivers security and networking features similar to those of the branch SRX Series appliances. The vSRX is a complete, integrated virtual security solution, including the core firewall, robust networking, advanced security services at Layers 4-7, and automated lifecycle management for enterprises and service providers alike. It can also be managed by the Junos Space Network Management Platform with the Security Director application.

The following instructions show how it is installed into an ESXi 5.5 virtual lab environment and how it is integrated with the Junos Space Network Management Platform.


To install Junos Space, Security Director, and Log Collector:
1. Download the Junos Space Network Management Platform image from https://www.juniper.net/support/downloads/?p=space#sw.
2. Install Junos Space using the instructions at http://www.juniper.net/documentation/en_US/junos-space16.1/platform/information-products/topic-collections/release-notes/jd0e56.html.
3. Install Junos Space Security Director as per the instructions at https://www.juniper.net/documentation/en_US/junos-space16.2/information-products/topic-collections/release-notes/js-relnotes-security-design/index.html.
4. Install Log Collector as per the instructions at https://www.juniper.net/documentation/en_US/junos-space16.2/information-products/topic-collections/release-notes/js-relnotes-security-design/index.html.

1. Topology

A PC with IP address 192.168.2.20 uses a browser to reach Junos Space (192.168.2.72, the Web GUI address on eth0:0).
Junos Space uses its device management interface eth3 (172.17.3.70) to manage the vSRX through the vSRX's ge-0/0/1.


Saturday, May 9, 2015

Install JUNOS Space Virtual Appliance at ESXi 5.5

Juniper NSM (Network and Security Manager) reaches end of support for the NS-SM-A appliance line on Nov 29, 2015, with the remaining NSM products following, as shown in Juniper's end-of-life table:

Product                               EOL Announced  Last Order  Last Date to Convert Warranty  Same Day Support Discontinued  Next Day Support Discontinued  End of Support
NSMXpress, NSM 3000                   01/30/2015     07/31/2015  07/31/2016                     07/31/2017                     07/31/2019                     07/31/2020
NS-SM-A2-CM, NS-SM-A2-HA              05/13/2014     10/31/2014  10/31/2015                     10/31/2016                     10/31/2018                     10/31/2019
NS-SM-A-BSE, NS-SM-A-CM, NS-SM-A-HA   06/01/2010     11/29/2010  11/29/2011                     11/29/2012                     11/29/2014                     11/29/2015

Junos Space is the next comprehensive network management solution that simplifies and automates management of Juniper’s switching, routing, and security devices. Junos Space Network Management Platform works with other management applications to deliver comprehensive management of Juniper devices including:
  • Edge Services Director
  • Security Director
  • Services Activation Director
  • Network Director
  • Service Now
  • Service Insight
  • Content Director
  • Virtual Director
In this post, detailed steps with screenshots give an easy guide to installing a Junos Space Virtual Appliance into VMware ESXi 5.5.

1. Download space-14.1R2.9.ova 

Download the OVA file from the Juniper website with your account. Remember to choose the image for the virtual appliance.

2. In ESXi 5.5, Deploy OVA Template -> Choose downloaded ova file





3. Start Juniper JunOS Space in ESXi 5.5 and Complete basic configuration

3.1 User IDs

After you log into Junos Space for the first time with the default account, you will be asked to change the admin password right away.

There are three different user IDs on Junos Space:

  • admin user for CLI login  (default password: abc123)
  • super user for WebUI (default password: juniper123)
  • Maintenance user for maintenance operations. The password is set by the admin user during the initial configuration (that is, there is no default password).




3.2 Network Interfaces

By default, the Junos Space Virtual Appliance has four network interfaces:
  • eth0 - SSH and, if eth3 is not configured, device management (node IP). Note that the Secure Shell daemon (sshd) listens on all IP addresses.
    • eth0:0 - GUI interface with an instance of JBoss running (GUI). The web GUI is only reachable on this VIP, which must be in the same subnet as eth0.
  • eth1 - Not supported before Junos Space Network Management Platform Release 14.1R1. From 14.1R1 onwards you can configure eth1 as an administrative interface.
  • eth2 - Not supported.
  • eth3 - Device management when managed devices are on a subnet not reachable via eth0. All device management traffic, outbound (discovery) and inbound (post-discovery), including syslog and DMI, should use eth3, or eth0 if eth3 is not configured.

Configure Eth0:

Configure Eth3 for Device Management  and configure eth0.0 for Web GUI:

Configuration Summary:
Eth0: 192.168.2.70  Gateway: 192.168.2.1  DNS: 8.8.8.8
Eth3: 172.17.3.70
Eth0.0 : 192.168.2.72
Note: Eth0.0 IP Address has to be in same network as Eth0.

3.3 Apply Settings

The following five screenshots show the system configuration process:


3.4 Web GUI 


3.5 SSH Session

SSH works on all interfaces. The following output is from an SSH session on the eth0 interface:



Last login: Tue Aug 18 15:55:47 2015

Welcome to the Junos Space network settings utility.

Initializing, please wait

Junos Space Settings Menu

1> Change Password
2> Change Network Settings
3> Change Time Options
4> Retrieve Logs
5> Security
6> Expand VM Drive Size
7> (Debug) run shell

A> Apply changes
Q> Quit
R> Redraw Menu

Choice [1-7,AQR]: 7

[sudo] password for admin: 
[[email protected] ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:92:00:10  
          inet addr:192.168.2.70  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe92:10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13408 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20862 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2127342 (2.0 MiB)  TX bytes:18231701 (17.3 MiB)

eth0:0    Link encap:Ethernet  HWaddr 00:50:56:92:00:10  
          inet addr:192.168.2.72  Bcast:192.168.2.255  Mask:255.255.255.0       
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:50:56:92:00:11  
          inet6 addr: fe80::250:56ff:fe92:11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1134 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:87488 (85.4 KiB)  TX bytes:758 (758.0 b)

eth2      Link encap:Ethernet  HWaddr 00:50:56:92:00:12  
          inet6 addr: fe80::250:56ff:fe92:12/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:85012 (83.0 KiB)  TX bytes:758 (758.0 b)

eth3      Link encap:Ethernet  HWaddr 00:50:56:92:00:13  
          inet6 addr: fe80::250:56ff:fe92:13/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1071 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:83708 (81.7 KiB)  TX bytes:758 (758.0 b)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3085894 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3085894 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2317104090 (2.1 GiB)  TX bytes:2317104090 (2.1 GiB)

4. Log into Web UI

Before you see the Junos Space login window, you may see a progress bar showing the startup progress:


The Web GUI only works on the eth0:0 address, 192.168.2.72, not on 192.168.2.70, although both are on the same network. The default username and password are 'super' and 'juniper123'; change them at first login.



Reference:

1. Deploying a Junos Space Virtual Appliance
2. Junos Space Virtual Appliance
3. Junos ® Space Virtual Appliance Deployment and Configuration Guide








Monday, January 19, 2015

Configuration DHCP Relay in routing instance on Juniper SRX Devices

I had DHCP relay configured on SRX240H cluster devices; it was quite a straightforward experience, and Juniper KB15755 covered all the points when I first configured it. It worked fine on Junos versions from 11.x to 12.1X44-D40.2 in a cluster environment where the related interfaces were in different routing instances.

The basic topology is as follows: the DHCP server 10.9.1.50 is in routing instance vr_i on interface reth2.0. Three DHCP client networks are in two other routing instances, vr_t and vr_def.
The global DHCP relay configuration looked like this:
forwarding-options {
    helpers {
        traceoptions {
            file helplog;
            level all;
            flag bootp;
        }
        bootp {
            relay-agent-option;
            description DHCP-Relay-to-DHCP-server-10.9.1.50;
            server 10.9.1.50 routing-instance vr_i;
            maximum-hop-count 10;
            minimum-wait-time 300;
            client-response-ttl 20;
            interface {
                reth2.0;
                reth10.90;
                reth10.94;
                reth7.24;
            }
        }
    }
}
Although according to KB25925 DHCP is not supported on J Series and SRX Series devices in a chassis cluster before Junos 12.1X46, the above configuration did work in my cluster environment. Also, no firewall rules were needed to allow traffic between the different zones and the DHCP server 10.9.1.50, which KB15755 said were required.

The problem came up when I upgraded from the SRX240H to the SRX1400 platform: DHCP relay stopped working completely.

KB28642 ([SRX] Example: Configuring DHCP relay server on SRX where relay agent interface and DHCP server interfaces are in different routing-instances) explains why, and KB28641 ([SRX] Configuring the JDHCP relay agent in a custom routing instance) provides the additional setup needed for this feature on the server side.

All steps are listed below:

1. Forwarding-options configuration in every DHCP client routing instance

In my environment, three reth interfaces serve DHCP clients: reth7.24, reth10.90 and reth10.94. reth7.24 is in routing instance vr_t; both reth10.90 and reth10.94 are in routing instance vr_def.

vr_t {
    instance-type virtual-router;
    interface reth7.24;
    routing-options {
        instance-import from_all_to_vr_t;
    }
    forwarding-options {
        dhcp-relay {
            server-group {
                DHCPSVR {
                    10.9.1.50;
                }
            }
            active-server-group DHCPSVR;
            group relay-in-vr {
                interface reth7.24;
            }
        }
    }
}
vr_def {
    instance-type virtual-router;
    interface reth10.90;
    interface reth10.94;
    routing-options {
        instance-import from_all_to_vr_def;
    }
    forwarding-options {
        dhcp-relay {
            server-group {            
                DHCPSVR {
                    10.9.1.50;
                }
            }
            active-server-group DHCPSVR;
            group relay-in-vr {
                interface reth10.90;
                interface reth10.94;
            }
        }
    }
}

2. Forwarding-options configuration in the DHCP server routing instance

DHCP server 10.9.1.50 is in routing instance vr_i.
vr_i{
    instance-type virtual-router;
    interface reth2.0;
    routing-options {
        instance-import [ from_all_to_vr_i ];
    }
    forwarding-options {
        dhcp-relay {
            server-group {
                dummy-config;
            }
        }
    }
}

3. Make sure each client routing instance (vr_t and vr_def) has routes to vr_i, and that vr_i has routes back to vr_t and vr_def.

That is what the instance-import statements in the configuration above are for. The policy-statement configuration lives under policy-options:

policy-statement from_all_to_vr_t {
    term term5 {
        from instance vr_i;
        then accept;
    }
}
policy-statement from_all_to_vr_def {
    term term5 {
        from instance vr_i;
        then accept;
    }
}
policy-statement from_all_to_vr_i {
    term term4 {
        from instance vr_t;
        then accept;
    }
    term term5 {
        from instance vr_def;
        then accept;
    }
}

4. No security policy is needed, but both bootp and dhcp have to be allowed in host-inbound-traffic on every DHCP client interface. On the server-side interface, bootp is needed.

interfaces {
    reth2.0 {
        host-inbound-traffic {
            system-services {
                bootp;
            }
        }
    }
}
interfaces {
    reth10.90 {
        host-inbound-traffic {
            system-services {
                bootp;
                dhcp;
            }
        }
    }
}
interfaces {
    reth10.94{
        host-inbound-traffic {
            system-services {
                bootp;
                dhcp;
            }
        }
    }
}
interfaces {
    reth7.24 {
        host-inbound-traffic {
            system-services {
                bootp;
                dhcp;
            }
        }
    }
}



Friday, January 16, 2015

Using PKI Build Route-Based IPSec VPN between Juniper SRX

There was a task to change the IPsec authentication method from pre-shared key to PKI certificate-based. It was done on SRX240H and SRX1400 firewalls. This post records the steps and the troubleshooting of the errors I met during the configuration.

1. On both firewalls, generate a public/private key pair:

{primary:node0}[email protected]> request security pki generate-key-pair certificate-id PRO size 2048   
node0:
--------------------------------------------------------------------------
Generated key pair PRO, key size 2048 bits

2. Generate a certificate request from the key pair (clearing any stale requests first)


[email protected]> clear security pki certificate-request ?
Possible completions:
  all                  Clear all certificate requests
  certificate-id       Certificate identifier
{primary:node1}
[email protected]> clear security pki certificate-request all      
{primary:node1}
[email protected]>request security pki generate-certificate-request certificate-id PRO subject "CN=fw-test1.51sec.org,OU=IT,O=John Yan Firm Inc.,L=Toronto,ST=ON,C=CA" email [email protected] filename ms-cert-req                                   
node1:
--------------------------------------------------------------------------
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Fingerprint:
18:fc:10:eb:f8:8f:b9:08:25:64:02:9c:c0:12:56:74:3b:fb:f5:3d (sha1)
5b:8e:40:5c:68:21:51:ea:bf:42:f9:d4:c7:2c:2d:15 (md5)



3. Submit Cert Request to the CA and Retrieve Certs