2011-12-18
Route-based VPN between two SRX devices
Juniper |
Here is the configuration for a route-based VPN between two SRX100s, recorded for reference. Both SRXs were running the release below.
root@SRX-1> show version
Hostname: SRX-1
Model: srx100b
JUNOS Software Release [11.2R1.10]
Network diagram (image not reproduced): 172.16.10.0/24 -- fe-0/0/1 SRX-1 fe-0/0/0 (1.1.1.1) -- Internet -- (2.2.2.1) fe-0/0/0 SRX-2 fe-0/0/1 -- 172.16.20.0/24, with st0.0 as the tunnel interface on each side and fe-0/0/2 (192.168.253.0/24) used for management.
SRX-1 configuration
# Step 0: Base Config
set system host-name SRX-1
delete system services dhcp
delete interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.1/24
delete interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces fe-0/0/1 unit 0 family ethernet-switching
set interfaces fe-0/0/1 unit 0 family inet address 172.16.10.254/24
set security zones security-zone trust interfaces fe-0/0/1.0
delete interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/2 unit 0 family inet address 192.168.253.101/24
set security zones security-zone trust interfaces fe-0/0/2.0
# Step 1: Build the secure tunnel interface
set interfaces st0 unit 0 family inet
set security zones security-zone VPN-ZONE interfaces st0.0
# Step 2: Create the route(s) for the remote networks going across the tunnel
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
set routing-options static route 172.16.20.0/24 next-hop st0.0
# Step 3: Set up the IKE Proposal
set security ike proposal PHASE-1 authentication-method pre-shared-keys
set security ike proposal PHASE-1 dh-group group2
set security ike proposal PHASE-1 authentication-algorithm sha-256
set security ike proposal PHASE-1 encryption-algorithm aes-256-cbc
# Step 4: Set up IKE Policy and define the remote VPN Gateway
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals PHASE-1
set security ike policy IKE-POLICY pre-shared-key ascii-text PRE-SHARED-KEY
set security ike gateway IKE-GATEWAY address 2.2.2.1
set security ike gateway IKE-GATEWAY external-interface fe-0/0/0.0
set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
# Step 5: Set up IPSEC Policy
set security ipsec proposal PHASE-2 protocol esp
set security ipsec proposal PHASE-2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal PHASE-2 encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY proposals PHASE-2
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
# Step 6: Build the VPN and Join Everything Together
set security ipsec vpn VPN ike gateway IKE-GATEWAY
set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN establish-tunnels immediately
set security ipsec vpn VPN bind-interface st0.0
# Step 7: Security Policy
set security zones security-zone trust address-book address LOCAL-NET 172.16.10.0/24
set security zones security-zone VPN-ZONE address-book address REMOTE-NET 172.16.20.0/24
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match source-address LOCAL-NET
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match destination-address REMOTE-NET
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match application any
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit then permit
set security policies from-zone VPN-ZONE to-zone trust policy OutboundVPN_Permit match source-address REMOTE-NET
set security policies from-zone VPN-ZONE to-zone trust policy OutboundVPN_Permit match destination-address LOCAL-NET
set security policies from-zone VPN-ZONE to-zone trust policy OutboundVPN_Permit match application any
set security policies from-zone VPN-ZONE to-zone trust policy OutboundVPN_Permit then permit
SRX-2 configuration
# Step 0: Base Config
set system host-name SRX-2
delete system services dhcp
delete interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces fe-0/0/0 unit 0 family inet address 2.2.2.1/24
delete interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces fe-0/0/1 unit 0 family ethernet-switching
set interfaces fe-0/0/1 unit 0 family inet address 172.16.20.254/24
set security zones security-zone trust interfaces fe-0/0/1.0
delete interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/2 unit 0 family inet address 192.168.253.102/24
set security zones security-zone trust interfaces fe-0/0/2.0
# Step 1: Build the secure tunnel interface
set interfaces st0 unit 0 family inet
set security zones security-zone VPN-ZONE interfaces st0.0
# Step 2: Create the route(s) for the remote networks going across the tunnel
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.2
set routing-options static route 172.16.10.0/24 next-hop st0.0
# Step 3: Set up the IKE Proposal
set security ike proposal PHASE-1 authentication-method pre-shared-keys
set security ike proposal PHASE-1 dh-group group2
set security ike proposal PHASE-1 authentication-algorithm sha-256
set security ike proposal PHASE-1 encryption-algorithm aes-256-cbc
# Step 4: Set up IKE Policy and define the remote VPN Gateway
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals PHASE-1
set security ike policy IKE-POLICY pre-shared-key ascii-text PRE-SHARED-KEY
set security ike gateway IKE-GATEWAY address 1.1.1.1
set security ike gateway IKE-GATEWAY external-interface fe-0/0/0.0
set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
# Step 5: Set up IPSEC Policy
set security ipsec proposal PHASE-2 protocol esp
set security ipsec proposal PHASE-2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal PHASE-2 encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY proposals PHASE-2
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
# Step 6: Build the VPN and Join Everything Together
set security ipsec vpn VPN ike gateway IKE-GATEWAY
set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN establish-tunnels immediately
set security ipsec vpn VPN bind-interface st0.0
# Step 7: Security Policy
set security zones security-zone trust address-book address LOCAL-NET 172.16.20.0/24
set security zones security-zone VPN-ZONE address-book address REMOTE-NET 172.16.10.0/24
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match source-address LOCAL-NET
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match destination-address REMOTE-NET
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit match application any
set security policies from-zone trust to-zone VPN-ZONE policy OutboundVPN_Permit then permit
set security policies from-zone VPN-ZONE to-zone trust policy OutboundVPN_Permit match source-address REMOTE-NET
set security policies from-zone VPN-ZONE to-zone trust policy OutboundVPN_Permit match destination-address LOCAL-NET
set security policies from-zone VPN-ZONE to-zone trust policy OutboundVPN_Permit match application any
set security policies from-zone VPN-ZONE to-zone trust policy OutboundVPN_Permit then permit

A few points worth checking before committing. The two sides are mirror images: the IKE gateway address on each SRX must be the other SRX's fe-0/0/0 address, the tunnel route must point at the st0 unit that is bound to the VPN and placed in VPN-ZONE, and the IKE/IPsec proposals and pre-shared key must match exactly. Replace PRE-SHARED-KEY with a long random secret, the same on both ends. IKE must be permitted as a host-inbound system service in the zone that holds fe-0/0/0.0; the SRX100 factory-default untrust zone allows only dhcp and tftp, so if Phase 1 never comes up, add `set security zones security-zone untrust host-inbound-traffic system-services ike`. Policy names are scoped to a zone pair, so reusing OutboundVPN_Permit for the VPN-ZONE to trust direction is legal, though a distinct name would read better. dh-group group2 (1024-bit MODP) was the usual choice at the time; prefer group14 or larger when both ends support it. Verify the tunnel with `show security ike security-associations` and `show security ipsec security-associations`, and confirm traffic is flowing with `show security ipsec statistics`.
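The two configurations above differ only in which addresses are local and which are remote, which is exactly where hand-mirrored configs go wrong (a stray `st0.02` in place of `st0.0`, a gateway pointing at the wrong side, a route for the wrong subnet). The following Python is an added example, not code from the original post: it renders both sides from one description with the post's addresses and algorithm choices, then cross-checks the two `set` lists. The names Site, render and check_pair are chosen here, and the factory-default cleanup `delete` commands from the post are left out.

```python
"""Added example, not from the original post: render both halves of the
SRX<->SRX route-based VPN from one description and cross-check the two
`set` lists before pasting them into the CLI.  Site, render and check_pair
are names chosen here; the addresses are those used in the post."""
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    wan_if: str     # interface that terminates IKE, e.g. fe-0/0/0
    wan_addr: str   # its address with prefix length
    wan_gw: str     # upstream next hop for the default route
    lan_if: str     # interface in zone trust
    lan_addr: str   # its address with prefix length

def render(local, remote, psk, st_unit=0):
    """Junos `set` commands for `local` (the factory-default cleanup `delete` lines are omitted)."""
    st = f"st0.{st_unit}"
    peer_ip = remote.wan_addr.split("/")[0]
    local_net = str(ipaddress.ip_interface(local.lan_addr).network)
    remote_net = str(ipaddress.ip_interface(remote.lan_addr).network)
    lines = [
        f"set interfaces {local.wan_if} unit 0 family inet address {local.wan_addr}",
        f"set interfaces {local.lan_if} unit 0 family inet address {local.lan_addr}",
        f"set security zones security-zone trust interfaces {local.lan_if}.0",
        f"set interfaces st0 unit {st_unit} family inet",
        f"set security zones security-zone VPN-ZONE interfaces {st}",
        f"set routing-options static route 0.0.0.0/0 next-hop {local.wan_gw}",
        f"set routing-options static route {remote_net} next-hop {st}",
        "set security ike proposal PHASE-1 authentication-method pre-shared-keys",
        "set security ike proposal PHASE-1 dh-group group2",
        "set security ike proposal PHASE-1 authentication-algorithm sha-256",
        "set security ike proposal PHASE-1 encryption-algorithm aes-256-cbc",
        "set security ike policy IKE-POLICY mode main",
        "set security ike policy IKE-POLICY proposals PHASE-1",
        f"set security ike policy IKE-POLICY pre-shared-key ascii-text {psk}",
        f"set security ike gateway IKE-GATEWAY address {peer_ip}",
        f"set security ike gateway IKE-GATEWAY external-interface {local.wan_if}.0",
        "set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY",
        "set security ipsec proposal PHASE-2 protocol esp",
        "set security ipsec proposal PHASE-2 authentication-algorithm hmac-sha-256-128",
        "set security ipsec proposal PHASE-2 encryption-algorithm aes-256-cbc",
        "set security ipsec policy IPSEC-POLICY proposals PHASE-2",
        "set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2",
        "set security ipsec vpn VPN ike gateway IKE-GATEWAY",
        "set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY",
        "set security ipsec vpn VPN establish-tunnels immediately",
        f"set security ipsec vpn VPN bind-interface {st}",
        f"set security zones security-zone trust address-book address LOCAL-NET {local_net}",
        f"set security zones security-zone VPN-ZONE address-book address REMOTE-NET {remote_net}",
    ]
    for frm, to, src, dst in (("trust", "VPN-ZONE", "LOCAL-NET", "REMOTE-NET"),
                              ("VPN-ZONE", "trust", "REMOTE-NET", "LOCAL-NET")):
        p = f"set security policies from-zone {frm} to-zone {to} policy VPN-Permit"
        lines += [f"{p} match source-address {src}", f"{p} match destination-address {dst}",
                  f"{p} match application any", f"{p} then permit"]
    return lines

def _grep(lines, pattern):
    # First capture group of every line matching `pattern`.
    return [m.group(1) for line in lines if (m := re.search(pattern, line))]

def _iface_addr(lines, ifdot):
    # Address configured on a logical interface such as fe-0/0/0.0, or None.
    ifname, unit = ifdot.rsplit(".", 1)
    hit = _grep(lines, rf"^set interfaces {re.escape(ifname)} unit {unit} family inet address (\S+)$")
    return hit[0] if hit else None

def check_pair(a, b):
    """Cross-check two rendered sides; returns the list of problems (empty means consistent)."""
    shared = ("set security ike proposal", "set security ike policy",
              "set security ipsec proposal", "set security ipsec policy")
    problems = []
    if {l for l in a if l.startswith(shared)} != {l for l in b if l.startswith(shared)}:
        problems.append("IKE/IPsec proposals, policies or pre-shared key differ between the sides")
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        # bind-interface must name an st0 unit that exists and has been placed in a zone.
        units = {f"st0.{u}" for u in _grep(me, r"^set interfaces st0 unit (\d+) family inet$")}
        zoned = set(_grep(me, r"security-zone \S+ interfaces (st0\.\d+)$"))
        for st in _grep(me, r"bind-interface (\S+)$"):
            if st not in units or st not in zoned:
                problems.append(f"{tag}: bind-interface {st} is not a configured, zoned st0 unit")
        # The IKE gateway address must be the address on the peer's external interface.
        ext = _grep(peer, r"external-interface (\S+)$")
        peer_ip = (_iface_addr(peer, ext[0]) or "").split("/")[0] if ext else ""
        for gw in _grep(me, r"ike gateway \S+ address (\S+)$"):
            if gw != peer_ip:
                problems.append(f"{tag}: IKE gateway {gw} is not the peer's external address")
        # Every route pointed into the tunnel must be a network in the peer's trust zone.
        peer_nets = {str(ipaddress.ip_interface(ad).network)
                     for i in _grep(peer, r"security-zone trust interfaces (\S+)$")
                     if (ad := _iface_addr(peer, i))}
        for dest in _grep(me, r"static route (\S+) next-hop st0\.\d+$"):
            if dest not in peer_nets:
                problems.append(f"{tag}: tunnel route {dest} is not a network behind the peer")
    return problems

SRX1 = Site("fe-0/0/0", "1.1.1.1/24", "1.1.1.2", "fe-0/0/1", "172.16.10.254/24")
SRX2 = Site("fe-0/0/0", "2.2.2.1/24", "2.2.2.2", "fe-0/0/1", "172.16.20.254/24")

if __name__ == "__main__":
    a, b = render(SRX1, SRX2, "PRE-SHARED-KEY"), render(SRX2, SRX1, "PRE-SHARED-KEY")
    print("\n".join(a))
    print("problems:", check_pair(a, b))
```

Running it prints the SRX-1 side and an empty problem list; editing one rendered list by hand (for instance changing `bind-interface st0.0` to `st0.02`, or pointing the IKE gateway at the peer's upstream router instead of its fe-0/0/0 address) makes check_pair report the mismatch before anything reaches the device.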
References
- ROUTE-BASED IPSEC VPN BETWEEN SRX SERIES OR J SERIES AND SSG SERIES DEVICES - IPsec VPN Interoperability Configurations and Junos OS Troubleshooting Basics
- SRX Getting Started - Configure Chassis Cluster (High Availability) on a SRX100 device
- Troubleshooting a Site to Site VPN on a SRX Series Gateway
2011-12-05
JUNOS upgrade procedure
Juniper |
To upgrade JUNOS, use the `request system software add ...` command. Upload the target JUNOS package to an FTP server beforehand and pass its URL to the command. First record the current version with `show version`.
root> show version
Model: srx100b
JUNOS Software Release [10.4R3.4]
Run the upgrade. With the `reboot` option the device reboots automatically once installation finishes (the new release does not take effect until the device reboots), and `no-copy` installs the package without keeping a copy of it on the device. FTP carries the package in the clear and provides no integrity check of its own, so compare the file's checksum with the value Juniper publishes for the release before installing it.
root> request system software add no-copy ftp://anonymous:password@192.168.253.26/junos-srxsme-11.2R1.10-domestic.tgz reboot
After the reboot, check the `show version` output to confirm that JUNOS has been upgraded.
root> show version
Model: srx100b
JUNOS Software Release [11.2R1.10]
2011-12-04
Resetting M / MX / SRX devices to factory state
Juniper |
To reset an M / MX / SRX series device to its factory state, use `request system zeroize`. The command erases all user data on the device, including the configuration under /config and the log files, and then reboots, leaving the device with its initial configuration. Note the warning in the output: the device may not boot into a usable state without a configuration, so have console access and the initial configuration ready. Newer Junos releases also accept `request system zeroize media`, which additionally scrubs the storage media and is the form to use before a device leaves your control; check `request system zeroize ?` to see whether your release offers it.
root@SRX> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0
Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 0 done

syncing disks... All buffers synced.
Uptime: 13h28m29s
Rebooting...
cpu_reset: Stopping other CPUs

U-Boot 1.1.6-JNPR-2.0 (Build time: Nov 17 2010 - 07:04:52)

SRX_100_LOWMEM board revision major:0, minor:0, serial #: xxxxxxxxxxxx
OCTEON CN5020-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM:  512 MB
Starting Memory POST...
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
...
2011-11-28
Command comparison between SRX (JUNOS) and SSG / NetScreen (ScreenOS)
Juniper |
There is a Juniper KB that compares the commands of the SRX (running JUNOS) with those of the SSG / NetScreen (running ScreenOS), so I am linking it here.
While at it, I am also linking the KB that collects the SRX getting-started articles.
2011-11-21
Silencing the new-mail sound for low-priority accounts in Thunderbird
Misc |
Thunderbird lets you set one new-mail sound globally, but not a different sound per account. With the Mailbox Alert plugin, however, the sound and the message shown when mail arrives can be customized per account.
One catch: when configuring the sound in Mailbox Alert, leaving the sound file blank seems to fall back to the system default sound. So I prepared a one-second silent .wav file; assign that silent .wav to any account whose new-mail sound you want muted.
2011-11-20
Cisco ASA 8.4(1) / ASDM 6.4(1) do not work with Java 7
Cisco |
When I tried to connect to a Cisco ASA from ASDM under Java 7, ASDM launched but failed to connect to the ASA with the error below. With Java 6 it connected without any problem. The trace shows why: the ASDM launcher instantiates, via reflection, an internal trust-manager class from the Java deployment library, which casts the JRE's trust manager to com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager; Java 7 moved that implementation to the sun.security.ssl package, so the cast fails with a ClassCastException.
Using JRE version 1.7.0_01 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\eco
----------------------------------------------------
c:   clear console window
f:   finalize objects on finalization queue
g:   garbage collect
h:   display this help message
m:   print memory usage
q:   hide console
s:   dump system properties
----------------------------------------------------
Application Logging Started at Sun Nov 13 00:50:51 KST 2011
---------------------------------------------
Local Launcher Version = 1.5.50
Local Launcher Version Display = 1.5(50)
Cannot read profile file C:\Documents and Settings\eco\.asdm\data\deviceinfo.conf.
OK button clicked
Exception in thread "AWT-EventQueue-0" java.lang.ClassCastException: sun.security.ssl.X509TrustManagerImpl cannot be cast to com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager
	at com.sun.deploy.security.X509ExtendedDeployTrustManager.<init>(Unknown Source)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.lang.reflect.Constructor.newInstance(Unknown Source)
	at java.lang.Class.newInstance0(Unknown Source)
	at java.lang.Class.newInstance(Unknown Source)
	at com.cisco.launcher.w.a(Unknown Source)
	at com.cisco.launcher.s.actionPerformed(Unknown Source)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.AbstractButton.doClick(Unknown Source)
	at javax.swing.plaf.basic.BasicRootPaneUI$Actions.actionPerformed(Unknown Source)
	at javax.swing.SwingUtilities.notifyAction(Unknown Source)
	at javax.swing.JComponent.processKeyBinding(Unknown Source)
	at javax.swing.KeyboardManager.fireBinding(Unknown Source)
	at javax.swing.KeyboardManager.fireKeyboardAction(Unknown Source)
	at javax.swing.JComponent.processKeyBindingsForAllComponents(Unknown Source)
	at javax.swing.JComponent.processKeyBindings(Unknown Source)
	at javax.swing.JComponent.processKeyEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.KeyboardFocusManager.redispatchEvent(Unknown Source)
	at java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent(Unknown Source)
	at java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent(Unknown Source)
	at java.awt.DefaultKeyboardFocusManager.typeAheadAssertions(Unknown Source)
	at java.awt.DefaultKeyboardFocusManager.dispatchEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Window.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
	at java.awt.EventQueue.access$000(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
	at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)
2011-11-13
The Pocket WiFi GP02 can be used while charging
Misc |
Unlike earlier models, EMOBILE's Pocket WiFi GP02 can be used while it is charging. The following is an excerpt from the "Battery" section of the FAQ page.
| No. | Question | Answer |
| --- | --- | --- |
| 33 | Can the device be used while charging? | All functions are available. |
| 34 | Does the GP02 charge while connected to a PC over USB? | Yes. However, depending on the specification (power output) of the PC's USB port, it may not charge. |
2011-11-11
Using several private keys with SSH
Linux |
When you connect to several hosts over SSH you often need a different private key for each. Per-host entries in ~/.ssh/config handle this, as in the following example.
Host host-a
    HostName host-a.local
    IdentityFile ~/.ssh/id_rsa.host-a
    User user-a
Host host-b
    HostName host-b.local
    IdentityFile ~/.ssh/id_rsa.host-b
    User user-b
Keep in mind that ssh uses the first value it finds for each option, so specific Host entries must come before any catch-all `Host *` block, and that IdentityFile directives accumulate across all matching blocks. Without `IdentitiesOnly yes` ssh will also offer every key loaded in the agent, which both reveals which public keys you hold to each server and can trigger "Too many authentication failures" before the right key is tried.
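The matching rules behind such a file (first value wins, `Host` patterns are wildcards, a `!` pattern excludes a block, IdentityFile entries accumulate) are easy to get wrong once the file grows. The following Python is an added example, not code from the original post: it resolves what ssh would use for a given host from a config text. The config text is constructed for this example, with invented host names and key paths; parse, resolve and offered_keys are names chosen here, and Match and Include directives are not handled.

```python
"""Added example, not from the original post: resolve what OpenSSH would
use for a host from ~/.ssh/config-style text.  It follows the rules that
matter once several keys are in play: the first value obtained for an option
wins, `Host` patterns are shell-style wildcards (a `!` pattern excludes the
block), and IdentityFile directives accumulate across matching blocks, which
is why `IdentitiesOnly yes` is worth setting.  The config text is constructed
for this example; host names and key paths are invented.  Match blocks,
Include and the `Key=Value` spelling are not handled."""
import fnmatch

SAMPLE_CONFIG = """\
# constructed sample, modelled on the post's per-host entries
Host host-a
    HostName host-a.local
    IdentityFile ~/.ssh/id_rsa.host-a
    User user-a
Host host-b
    HostName host-b.local
    IdentityFile ~/.ssh/id_rsa.host-b
    User user-b
Host *.example.com
    User deploy
Host !bastion *
    ProxyJump bastion
Host *
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519
"""


def parse(text):
    """Split ssh_config text into (patterns, {option: [values]}) blocks in file order.
    Options before the first Host line belong to an implicit `Host *` block."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *vals = line.split()
        key = key.lower()
        if key == "host":
            current = (vals, {})
            blocks.append(current)
            continue
        if current is None:
            current = (["*"], {})
            blocks.append(current)
        current[1].setdefault(key, []).extend(vals)
    return blocks


def _matches(patterns, host):
    """ssh_config Host semantics: a negated pattern that matches excludes the block
    outright; otherwise any positive pattern must match (case-insensitively)."""
    h = host.lower()
    if any(fnmatch.fnmatchcase(h, p[1:].lower()) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(h, p.lower()) for p in patterns if not p.startswith("!"))


def resolve(text, host):
    """Effective options for `host`.  The first obtained value wins, except that
    IdentityFile collects every file from every matching block, in order."""
    result = {}
    for patterns, opts in parse(text):
        if not _matches(patterns, host):
            continue
        for key, vals in opts.items():
            if key == "identityfile":
                result.setdefault(key, []).extend(vals)
            else:
                result.setdefault(key, vals[0])
    result.setdefault("hostname", host)
    return result


def offered_keys(text, host):
    """Identities ssh would try: with IdentitiesOnly yes only the configured files;
    otherwise those files plus everything the agent holds (marked '<agent>' here)."""
    r = resolve(text, host)
    files = r.get("identityfile", [])
    if r.get("identitiesonly", "no").lower() == "yes":
        return files
    return files + ["<agent>"]


if __name__ == "__main__":
    for h in ("host-a", "web1.example.com", "bastion"):
        print(h, resolve(SAMPLE_CONFIG, h), offered_keys(SAMPLE_CONFIG, h))
```

For host-a this yields the host-specific key followed by the catch-all id_ed25519, and nothing from the agent because `Host *` sets IdentitiesOnly; removing that line makes offered_keys report the agent's identities as well, which is the behaviour the prose above warns about.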
2011-11-08
Time tracking in Trac
Linux |
TimingAndEstimationPlugin adds time tracking (effort management) to Trac. This is a record of installing the plugin on Trac 0.12, assuming the Trac project directory is /var/trac/project.
Installation
Export the source from SVN, then build an egg with setup.py.
$ svn export http://trac-hacks.org/svn/timingandestimationplugin/branches/trac0.12
$ cd trac0.12
$ python setup.py bdist_egg
Copy the egg file produced under dist/ into /var/trac/project/plugins, then add the following line to the [components] section of /var/trac/project/conf/trac.ini.
timingandestimationplugin.* = enabled
Run trac-admin to upgrade the project.
$ trac-admin /var/trac/project upgrade
Finally, restart Apache.
$ sudo /etc/init.d/httpd restart
2011-11-07
Coloring text in the Trac wiki
Linux |
ColorMacro adds wiki syntax for coloring text in Trac's wiki. Here is the installation record for Trac 0.12, again with the project directory at /var/trac/project.
Installation
Copy the downloaded source file (ColorMacro.py) into /var/trac/project/plugins and restart Apache.
$ sudo /etc/init.d/httpd restart
As described on the ColorMacro page, text can now be colored with syntax like the following.
[[Color(red,This has a red background)]]
[[Color(blue, green,This has a blue background and green text)]]
[[Color(none,#bb0000,I'm using a hex color)]]