Hatena::Diary

えこ日記

2011-12-18

Route-based VPN configuration between two SRX devices

| 21:43

This is a note of the configuration for setting up a route-based VPN between two SRX100s. Both SRXs were the following model and release.

root@SRX-1> show version
Hostname: SRX-1
Model: srx100b
JUNOS Software Release [11.2R1.10]

Network diagram

[image: network diagram, SRX-1 (fe-0/0/0 1.1.1.1/24, LAN 172.16.10.0/24 on fe-0/0/1) connected to SRX-2 (fe-0/0/0 2.2.2.1/24, LAN 172.16.20.0/24 on fe-0/0/1)]

SRX-1 configuration


# Step 0: Base Config

set system host-name SRX-1
delete system services dhcp

delete interfaces vlan unit 0 family inet address 192.168.1.1/24

set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.1/24

delete interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces fe-0/0/1 unit 0 family ethernet-switching
set interfaces fe-0/0/1 unit 0 family inet address 172.16.10.254/24
set security zones security-zone trust interfaces fe-0/0/1.0

delete interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/2 unit 0 family inet address 192.168.253.101/24
set security zones security-zone trust interfaces fe-0/0/2.0

# Step 1:  Build the secure tunnel interface

set interfaces st0 unit 0 family inet
set security zones security-zone VPN-ZONE interfaces st0.0

# Step 2: Create the route(s) for the remote networks going across the tunnel

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
set routing-options static route 172.16.20.0/24 next-hop st0.0

# Step 3: Set up the IKE Proposal

set security ike proposal PHASE-1 authentication-method pre-shared-keys
set security ike proposal PHASE-1 dh-group group2
set security ike proposal PHASE-1 authentication-algorithm sha-256
set security ike proposal PHASE-1 encryption-algorithm aes-256-cbc

# Step 4: Set up IKE Policy and define the remote VPN Gateway

set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals PHASE-1
set security ike policy IKE-POLICY pre-shared-key ascii-text PRE-SHARED-KEY
set security ike gateway IKE-GATEWAY address 2.2.2.1
set security ike gateway IKE-GATEWAY external-interface fe-0/0/0.0
set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY

# Step 5:  Set up IPSEC Policy

set security ipsec proposal PHASE-2 protocol esp
set security ipsec proposal PHASE-2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal PHASE-2 encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY proposals PHASE-2
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2

# Step 6: Build the VPN and Join Everything Together

set security ipsec vpn VPN ike gateway IKE-GATEWAY
set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN establish-tunnels immediately
set security ipsec vpn VPN bind-interface st0.0

# Step 7: Security Policy

set security zones security-zone trust address-book address LOCAL-NET 172.16.10.0/24
set security zones security-zone VPN-ZONE address-book address REMOTE-NET 172.16.20.0/24

set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match source-address LOCAL-NET
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match destination-address REMOTE-NET
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match application any
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit then permit

set security policies from-zone VPN-ZONE to-zone trust policy InboundVPN_Permit match source-address REMOTE-NET
set security policies from-zone VPN-ZONE to-zone trust policy InboundVPN_Permit match destination-address LOCAL-NET
set security policies from-zone VPN-ZONE to-zone trust policy InboundVPN_Permit match application any
set security policies from-zone VPN-ZONE to-zone trust policy InboundVPN_Permit then permit

SRX-2 configuration


# Step 0: Base Config

set system host-name SRX-2
delete system services dhcp

delete interfaces vlan unit 0 family inet address 192.168.1.1/24

set interfaces fe-0/0/0 unit 0 family inet address 2.2.2.1/24

delete interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces fe-0/0/1 unit 0 family ethernet-switching
set interfaces fe-0/0/1 unit 0 family inet address 172.16.20.254/24
set security zones security-zone trust interfaces fe-0/0/1.0

delete interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/2 unit 0 family inet address 192.168.253.102/24
set security zones security-zone trust interfaces fe-0/0/2.0

# Step 1:  Build the secure tunnel interface

set interfaces st0 unit 0 family inet
set security zones security-zone VPN-ZONE interfaces st0.0

# Step 2: Create the route(s) for the remote networks going across the tunnel

set routing-options static route 0.0.0.0/0 next-hop 2.2.2.2
set routing-options static route 172.16.10.0/24 next-hop st0.0

# Step 3: Set up the IKE Proposal

set security ike proposal PHASE-1 authentication-method pre-shared-keys
set security ike proposal PHASE-1 dh-group group2
set security ike proposal PHASE-1 authentication-algorithm sha-256
set security ike proposal PHASE-1 encryption-algorithm aes-256-cbc

# Step 4: Set up IKE Policy and define the remote VPN Gateway

set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals PHASE-1
set security ike policy IKE-POLICY pre-shared-key ascii-text PRE-SHARED-KEY
set security ike gateway IKE-GATEWAY address 1.1.1.1
set security ike gateway IKE-GATEWAY external-interface fe-0/0/0.0
set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY

# Step 5:  Set up IPSEC Policy

set security ipsec proposal PHASE-2 protocol esp
set security ipsec proposal PHASE-2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal PHASE-2 encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY proposals PHASE-2
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2

# Step 6: Build the VPN and Join Everything Together

set security ipsec vpn VPN ike gateway IKE-GATEWAY
set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN establish-tunnels immediately
set security ipsec vpn VPN bind-interface st0.0

# Step 7: Security Policy

set security zones security-zone trust address-book address LOCAL-NET 172.16.20.0/24
set security zones security-zone VPN-ZONE address-book address REMOTE-NET 172.16.10.0/24

set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match source-address LOCAL-NET
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match destination-address REMOTE-NET
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match application any
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit then permit

set security policies from-zone VPN-ZONE to-zone trust policy InboundVPN_Permit match source-address REMOTE-NET
set security policies from-zone VPN-ZONE to-zone trust policy InboundVPN_Permit match destination-address LOCAL-NET
set security policies from-zone VPN-ZONE to-zone trust policy InboundVPN_Permit match application any
set security policies from-zone VPN-ZONE to-zone trust policy InboundVPN_Permit then permit
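The two configurations have to mirror each other exactly, and the mistake that most often keeps such a tunnel down is a one-character slip such as `bind-interface st0.02` where the tunnel unit is `st0.0`. The script below is an added example and not part of the original post: it parses `set`-style statements from both devices (constructed here to mirror the post, with that typo kept in one copy of the SRX-1 side) and reports the mismatches that would stop the tunnel, plus the weak choices a reviewer would flag. The check functions, the `A`/`B` labels and the 20-character pre-shared-key threshold are the example's own assumptions, not Junos behaviour.

```python
"""Consistency check for a pair of Junos 'set'-style site-to-site VPN configs.
Added example, not from the original post; the configs are constructed."""
import ipaddress

# Lines identical on both SRX100s in the post (proposals, policy, gateway, VPN object).
COMMON = """\
set interfaces st0 unit 0 family inet
set security ike proposal PHASE-1 authentication-method pre-shared-keys
set security ike proposal PHASE-1 dh-group group2
set security ike proposal PHASE-1 authentication-algorithm sha-256
set security ike proposal PHASE-1 encryption-algorithm aes-256-cbc
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals PHASE-1
set security ike policy IKE-POLICY pre-shared-key ascii-text PRE-SHARED-KEY
set security ike gateway IKE-GATEWAY external-interface fe-0/0/0.0
set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
set security ipsec proposal PHASE-2 protocol esp
set security ipsec proposal PHASE-2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal PHASE-2 encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY proposals PHASE-2
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec vpn VPN ike gateway IKE-GATEWAY
set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY
"""

def side(local_wan, peer_wan, remote_net, bind="st0.0"):
    """Device-specific lines: WAN address, peer address, route to the far LAN, st0 binding."""
    return COMMON + f"""\
set interfaces fe-0/0/0 unit 0 family inet address {local_wan}/24
set routing-options static route {remote_net} next-hop st0.0
set security ike gateway IKE-GATEWAY address {peer_wan}
set security ipsec vpn VPN bind-interface {bind}
"""

SRX1_BAD = side("1.1.1.1", "2.2.2.1", "172.16.20.0/24", bind="st0.02")  # the typo as posted
SRX1 = side("1.1.1.1", "2.2.2.1", "172.16.20.0/24")
SRX2 = side("2.2.2.1", "1.1.1.1", "172.16.10.0/24")

def parse(cfg):
    """Token lists of every 'set' statement, leading 'set' dropped."""
    return [ln.split()[1:] for ln in cfg.splitlines() if ln.startswith("set ")]

def find(stmts, *prefix):
    """Values that follow a token prefix, e.g. find(s, 'security', 'ike', 'gateway', 'G', 'address')."""
    n = len(prefix)
    return [" ".join(s[n:]) for s in stmts if tuple(s[:n]) == prefix]

def facts(stmts):
    """The settings both ends must agree on, pulled from one device's statements."""
    vpn = find(stmts, "security", "ipsec", "vpn")[0].split()[0]
    gw = find(stmts, "security", "ipsec", "vpn", vpn, "ike", "gateway")[0]
    pol = find(stmts, "security", "ike", "gateway", gw, "ike-policy")[0]
    ifd, unit = find(stmts, "security", "ike", "gateway", gw, "external-interface")[0].split(".")
    local = find(stmts, "interfaces", ifd, "unit", unit, "family", "inet", "address")
    return {
        "peer": find(stmts, "security", "ike", "gateway", gw, "address")[0],
        "local": str(ipaddress.ip_interface(local[0]).ip) if local else None,
        "psk": find(stmts, "security", "ike", "policy", pol, "pre-shared-key", "ascii-text")[0],
        # proposals are compared by attributes, so the two ends may name them differently
        "ike": {(s[4], " ".join(s[5:])) for s in stmts if s[:3] == ["security", "ike", "proposal"]},
        "ipsec": {(s[4], " ".join(s[5:])) for s in stmts if s[:3] == ["security", "ipsec", "proposal"]},
        "dh": {s[5] for s in stmts if s[:3] == ["security", "ike", "proposal"] and s[4] == "dh-group"}
              | {s[6] for s in stmts if s[:3] == ["security", "ipsec", "policy"]
                 and s[4:6] == ["perfect-forward-secrecy", "keys"]},
        "bind": find(stmts, "security", "ipsec", "vpn", vpn, "bind-interface")[0],
        "st0": {"st0." + s[3] for s in stmts if s[:3] == ["interfaces", "st0", "unit"]},
        "next_hops": {s[5] for s in stmts
                      if s[:3] == ["routing-options", "static", "route"] and s[4] == "next-hop"},
    }

def check_pair(cfg_a, cfg_b):
    """'ERROR ...' findings stop the tunnel; 'WARN ...' findings are weak choices."""
    a, b = facts(parse(cfg_a)), facts(parse(cfg_b))
    out = []
    for tag, me, other in (("A", a, b), ("B", b, a)):
        if me["peer"] != other["local"]:
            out.append(f"ERROR {tag}: gateway address {me['peer']} is not the peer's external address {other['local']}")
        if me["bind"] not in me["st0"]:
            out.append(f"ERROR {tag}: bind-interface {me['bind']} is not a configured st0 unit {sorted(me['st0'])}")
        if me["bind"] not in me["next_hops"]:
            out.append(f"ERROR {tag}: no static route has next-hop {me['bind']}, so no traffic enters the tunnel")
        weak = me["dh"] & {"group1", "group2"}
        if weak:
            out.append(f"WARN {tag}: {sorted(weak)} are 768/1024-bit MODP groups; prefer group14 or stronger")
    if a["psk"] != b["psk"]:
        out.append("ERROR: pre-shared keys differ")
    elif a["psk"] == "PRE-SHARED-KEY" or len(a["psk"]) < 20:  # example's own threshold
        out.append("WARN: pre-shared key is a placeholder or short; use a long random secret")
    if a["ike"] != b["ike"]:
        out.append(f"ERROR: IKE proposals differ: {sorted(a['ike'] ^ b['ike'])}")
    if a["ipsec"] != b["ipsec"]:
        out.append(f"ERROR: IPsec proposals differ: {sorted(a['ipsec'] ^ b['ipsec'])}")
    return out

if __name__ == "__main__":
    for label, cfg in (("as posted (bind-interface st0.02)", SRX1_BAD), ("corrected", SRX1)):
        print(f"--- SRX-1 {label} vs SRX-2")
        print("\n".join(check_pair(cfg, SRX2)) or "no findings")
```

On the devices themselves, confirm Phase 1 and Phase 2 with `show security ike security-associations` and `show security ipsec security-associations`. Two caveats the post does not spell out: the zone that contains fe-0/0/0 (untrust in the SRX100 factory default) must accept IKE, so add `set security zones security-zone untrust host-inbound-traffic system-services ike` if that zone does not already allow it; and `PRE-SHARED-KEY` is a placeholder to be replaced by a long random secret that is identical on both ends. `group2` (1024-bit MODP) was the usual choice in 2011 but is weak today; `group14` or stronger is the better option where both ends support it.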

References

2011-12-05

JUNOS update procedure

| 22:28

To update JUNOS, use the "request system software add ..." command. Upload the target JUNOS package to an FTP server beforehand and pass its URL to the command. Record the version before the update with "show version". Before installing, verify the package's checksum against the value Juniper publishes (sha1sum or md5sum on the FTP host, or "file checksum sha1 <path>" on the device if you copy the package to /var/tmp first), and keep in mind that FTP carries the credentials and the package in cleartext, so the FTP server belongs on a trusted management segment.

root> show version
Model: srx100b
JUNOS Software Release [10.4R3.4]

Run the update. With the "reboot" option the device reboots automatically once the installation finishes (the update does not take effect until a reboot).

root> request system software add no-copy ftp://anonymous:password@192.168.253.26/junos-srxsme-11.2R1.10-domestic.tgz reboot

Check the "show version" output to confirm that the JUNOS version has been updated.

root> show version 
Model: srx100b
JUNOS Software Release [11.2R1.10]

2011-12-04

Resetting an M / MX / SRX to factory state

| 11:58

To reset an M / MX / SRX series device to its initial state, use "request system zeroize". Running it deletes everything under /config and reboots, returning the device configuration to factory defaults. It also removes log files and the SSH host keys, so save anything you still need first; where the platform supports it, the "media" option additionally scrubs the storage media rather than only deleting the files.

root@SRX> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 0 done

syncing disks... All buffers synced.
Uptime: 13h28m29s
Rebooting...
cpu_reset: Stopping other CPUs


U-Boot 1.1.6-JNPR-2.0 (Build time: Nov 17 2010 - 07:04:52)

SRX_100_LOWMEM board revision major:0, minor:0, serial #: xxxxxxxxxxxx
OCTEON CN5020-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM:  512 MB
Starting Memory POST...
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
(boot output truncated)

2011-11-28

Command comparison between SRX (JUNOS) and SSG / NetScreen (ScreenOS)

| 22:02

There is a KB article that compares the commands of the SRX, which runs JUNOS, with those of the SSG / NetScreen, which run ScreenOS, so I am linking it here.

While at it, here is also the KB article that collects links for getting started with the SRX.

2011-11-21

Silencing the new-mail sound for low-priority accounts in Thunderbird

| 08:52

Out of the box, Thunderbird lets you set one new-mail sound for the whole application, but not a different sound per account. With the Mailbox Alert add-on, however, the sound and the notification message can be customized for each account.

[image: Mailbox Alert settings screenshot]

However, when configuring a sound in Mailbox Alert, leaving the sound field empty seems to fall back to the system default sound. So I prepared a one-second silent .wav file. For any account whose new-mail sound should be silent, simply point it at this silent .wav file.

2011-11-20

Cisco ASA 8.4(1) / ASDM 6.4(1) do not work with Java 7

| 12:11

I tried to connect to a Cisco ASA from ASDM, but with Java 7 the following error occurred: ASDM started, but it could not connect to the ASA. With Java 6 it connected without any problem.

Using JRE version 1.7.0_01 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\eco
----------------------------------------------------
c:   clear console window
f:   finalize objects on finalization queue
g:   garbage collect
h:   display this help message
m:   print memory usage
q:   hide console
s:   dump system properties
----------------------------------------------------
Application Logging Started at Sun Nov 13 00:50:51 KST 2011
---------------------------------------------
Local Launcher Version = 1.5.50
Local Launcher Version Display = 1.5(50)
Cannot read profile file C:\Documents and Settings\eco\.asdm\data\deviceinfo.conf.
OK button clicked
Exception in thread "AWT-EventQueue-0" java.lang.ClassCastException: sun.security.ssl.X509TrustManagerImpl cannot be cast to com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager
	at com.sun.deploy.security.X509ExtendedDeployTrustManager.<init>(Unknown Source)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.lang.reflect.Constructor.newInstance(Unknown Source)
	at java.lang.Class.newInstance0(Unknown Source)
	at java.lang.Class.newInstance(Unknown Source)
	at com.cisco.launcher.w.a(Unknown Source)
	at com.cisco.launcher.s.actionPerformed(Unknown Source)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.AbstractButton.doClick(Unknown Source)
	at javax.swing.plaf.basic.BasicRootPaneUI$Actions.actionPerformed(Unknown Source)
	at javax.swing.SwingUtilities.notifyAction(Unknown Source)
	at javax.swing.JComponent.processKeyBinding(Unknown Source)
	at javax.swing.KeyboardManager.fireBinding(Unknown Source)
	at javax.swing.KeyboardManager.fireKeyboardAction(Unknown Source)
	at javax.swing.JComponent.processKeyBindingsForAllComponents(Unknown Source)
	at javax.swing.JComponent.processKeyBindings(Unknown Source)
	at javax.swing.JComponent.processKeyEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.KeyboardFocusManager.redispatchEvent(Unknown Source)
	at java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent(Unknown Source)
	at java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent(Unknown Source)
	at java.awt.DefaultKeyboardFocusManager.typeAheadAssertions(Unknown Source)
	at java.awt.DefaultKeyboardFocusManager.dispatchEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Window.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
	at java.awt.EventQueue.access$000(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
	at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)

2011-11-13

The Pocket WiFi GP02 can be used while charging

| 00:16

[image: photo of the Pocket WiFi GP02]

Unlike earlier models, eMobile's Pocket WiFi GP02 can be used while it is charging. The following is an excerpt from the "Battery" section of the FAQ page.

Q33: Can the functions be used while charging? A: All functions are available.
Q34: Is the GP02 charged while connected to a PC over USB? A: Yes, it charges. However, depending on the specification (power output) of the PC's USB port, it may not charge.

2011-11-11

Using several private keys

| 22:20

When you connect to several hosts over SSH, you end up needing to use different private keys for different hosts. This can be arranged by defining entries like the following in ~/.ssh/config.

Host host-a
    HostName        host-a.local
    IdentityFile    ~/.ssh/id_rsa.host-a
    User            user-a
Host host-b
    HostName        host-b.local
    IdentityFile    ~/.ssh/id_rsa.host-b
    User            user-b
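As an added example, not from the original post, here is a small Python reader for this file format. It resolves which IdentityFile, HostName and User ssh would pick for a given host (the first value seen wins, walking the Host blocks in file order), and it lists the Host blocks that name a key but do not set IdentitiesOnly yes. Without IdentitiesOnly, ssh also offers every key the agent holds, which hands the server a list of your public keys and can exhaust the server's MaxAuthTries before the intended key is tried. The sample config is constructed, and the helper names are the example's own.

```python
"""Resolve the effective ssh_config options per host and flag Host blocks whose
IdentityFile is not pinned with IdentitiesOnly. Added example, not from the
original post; the config text below is constructed."""
import fnmatch

SAMPLE_CONFIG = """\
# constructed sample; mirrors the post with one extra option on host-a
Host host-a
    HostName        host-a.local
    IdentityFile    ~/.ssh/id_rsa.host-a
    User            user-a
    IdentitiesOnly  yes
Host host-b
    HostName        host-b.local
    IdentityFile    ~/.ssh/id_rsa.host-b
    User            user-b
Host *
    IdentityFile    ~/.ssh/id_rsa
"""


def parse_ssh_config(text):
    """Blocks as (patterns, options) in file order; options before the first
    'Host' line belong to an implicit 'Host *' block. 'Match' blocks are not handled."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first occurrence within a block wins
    if opts:
        blocks.append((patterns, opts))
    return blocks


def resolve(blocks, host):
    """Effective options: ssh keeps the first value seen for each keyword while
    scanning blocks in file order, so specific Host blocks must precede 'Host *'."""
    eff = {}
    for patterns, opts in blocks:
        pos = [p for p in patterns if not p.startswith("!")]
        neg = [p[1:] for p in patterns if p.startswith("!")]
        if (any(fnmatch.fnmatchcase(host, p) for p in pos)
                and not any(fnmatch.fnmatchcase(host, p) for p in neg)):
            for k, v in opts.items():
                eff.setdefault(k, v)
    return eff


def hosts_without_identitiesonly(blocks):
    """Aliases whose effective config names an IdentityFile but lacks IdentitiesOnly yes:
    ssh will still offer the agent's keys and the default keys to that server as well."""
    aliases = [p for patterns, _ in blocks for p in patterns
               if not p.startswith("!") and not any(c in p for c in "*?")]
    return [h for h in aliases
            if "identityfile" in resolve(blocks, h)
            and resolve(blocks, h).get("identitiesonly", "no").lower() != "yes"]


if __name__ == "__main__":
    blocks = parse_ssh_config(SAMPLE_CONFIG)
    for h in ("host-a", "host-b", "other.example"):
        print(h, resolve(blocks, h))
    print("missing IdentitiesOnly:", hosts_without_identitiesonly(blocks))
```

Run it against your own file with `parse_ssh_config(open("~/.ssh/config").read())` after expanding the path; any alias it reports is one where adding `IdentitiesOnly yes` under the Host block makes ssh present only the key you configured.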

2011-11-08

Time tracking in Trac

| 23:59

TimingAndEstimationPlugin adds time and effort tracking to Trac. These are my notes from installing the plugin on Trac 0.12. The Trac project directory is assumed to be /var/trac/project.

Installation

Fetch the source code from SVN, then build an egg with setup.py.

$ svn export http://trac-hacks.org/svn/timingandestimationplugin/branches/trac0.12
$ cd trac0.12
$ python setup.py bdist_egg

The egg that bdist_egg writes to dist/ has to be somewhere Trac can load it, for example copied into /var/trac/project/plugins (the original notes do not show that step). Then add the following line to the [components] section of /var/trac/project/conf/trac.ini.

timingandestimationplugin.* = enabled

Run trac-admin to upgrade the project.

$ trac-admin /var/trac/project upgrade

Finally, restart Apache.

$ sudo /etc/init.d/httpd restart

2011-11-07

Coloring text in the Trac Wiki

| 00:54

ColorMacro adds wiki syntax for coloring text in the Trac Wiki. These are my installation notes for Trac 0.12 with the project directory at /var/trac/project.

Installation

Copy the downloaded source file (ColorMacro.py) into /var/trac/project/plugins and restart Apache.

$ sudo /etc/init.d/httpd restart

With that, text can be colored using the syntax below, as shown on the ColorMacro page.

[[Color(red,This has a red background)]]
[[Color(blue, green,This has a blue background and green text)]]
[[Color(none,#bb0000,I'm using a hex color)]]