IPSec Tunnel on SRX

In this lab, we configure a simple IPSec tunnel in main mode (which requires a fixed IP address at both ends) between two firewalls: SRX1 for the OAM network and SRX2 for the CORP network.

Below are parameters for the IPSec tunnel.

Phase 1:

  • Authentication method: Pre-shared Key
  • dh-group: group2
  • Authentication algorithm: md5
  • encryption algorithm: 3des-cbc
  • lifetime: 86400

Phase 2:

  • ESP protocol
  • Authentication algorithm: hmac-md5-96
  • Encryption algorithm: 3des-cbc
  • Lifetime: 3600

The firewall policy allows the two CORP subnets (VLAN 200 and 201) to access a pre-defined set of applications on VLAN 100 in the OAM network. The OAM network can access the Internet, except for FTP.

Topology

[Figure: IPSec Tunnel topology diagram]

Configuration

Base config (interface, routing)

interfaces {                            
    protect: ge-0/0/0 {
        description "MGMT Interface - DO NOT DELETE";
        unit 0 {
            family inet {
                address 10.210.14.135/27;
            }
        }
    }
    ge-0/0/3 {
        description "Link to Internet Router";
        vlan-tagging;
        unit 1 {
            vlan-id 1;
            family inet {
                address 123.1.1.2/30;
            }
        }
    }
    ge-0/0/4 {
        description "Link to OAM Virtual Router";
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                /* Limitation of running Junos on VM. 
                 * Reduce MTU to match the other end
                 */
                mtu 1496;
                address 10.10.100.1/24;
            }
        }
    }                                   
    lo0 {
        unit 1 {
            family inet {
                address 192.168.1.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "IPSec Tunnel to SRX2 CORP Firewall";
            family inet {
                address 10.10.1.1/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 123.1.1.1;
    }
}
protocols {
    ospf {
        traceoptions {
            file ospf;
            flag error;
            flag event;
            flag hello;
        }
        area 0.0.0.0 {
            interface st0.0;
            interface ge-0/0/4.100 {    
                interface-type p2p;
            }
        }
    }
    lldp {
        interface all;
    }
}

IPSec configuration

lab@SRX1# show security 
ike {
    proposal phase1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    policy phase1-policy {
        mode main;
        proposals phase1;
        pre-shared-key ascii-text "$9$zyG8F9t0BEcyKCtLNbwJZF369Cu1RSeMX"; ## SECRET-DATA
    }
    gateway phase1-gateway {
        ike-policy phase1-policy;
        address 123.1.2.2;
        dead-peer-detection {
            interval 20;
            threshold 5;
        }
        external-interface ge-0/0/3.1;
    }
}
ipsec {
    proposal phase2 {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy phase2-policy {
        perfect-forward-secrecy {
            keys group2;                
        }
        proposals phase2;
    }
    vpn to-remote-SRX {
        bind-interface st0.0;
        ike {
            gateway phase1-gateway;
            ipsec-policy phase2-policy;
        }
        establish-tunnels immediately;
    }
}

Security Policy configuration

[edit]
lab@SRX1# show applications 
application Custom-Defined {
    protocol udp;
    source-port 50000;
    destination-port 50001;
}
application-set OAM-Apps {
    application Custom-Defined;
    application junos-telnet;
    application junos-ping;
}

[edit]
lab@SRX1# show security | find policies 

policies {
    /* Sample policy to deny FTP from OAM to Internet */
    from-zone OAM to-zone Untrust {
        policy deny-ftp {
            match {
                source-address any;
                destination-address any;
                application junos-ftp;
            }
            then {
                reject;
            }
        }
        policy allow-all {
            match {
                source-address [ OAM_VL100 OAM_VL101 ];
                destination-address any;
                application any;
            }
            then {
                permit;                 
            }
        }
    }
    from-zone CORP to-zone OAM {
        policy CORP-to-OAM {
            match {
                source-address [ CORP_VL200 CORP_VL201 ];
                /* This sample policy only allow CORP to access VLAN100 in OAM */
                destination-address OAM_VL100;
                application OAM-Apps;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}
zones {
    protect: functional-zone management {
        interfaces {
            ge-0/0/0.0;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
        }
    }
    security-zone OAM {                 
        address-book {
            address OAM_VL101 10.10.101.0/24;
            address OAM_VL100 10.10.100.0/24;
        }
        interfaces {
            ge-0/0/4.100 {
                host-inbound-traffic {
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
    security-zone Untrust {
        address-book {
            address SRX2 123.1.2.0/30;
            address internet-host 88.88.88.88/32;
        }
        interfaces {
            ge-0/0/3.1;
        }
    }
    security-zone CORP {
        address-book {
            address CORP_VL200 10.10.200.0/24;
            address CORP_VL201 10.10.201.0/24;
        }
        interfaces {
            st0.0 {
                host-inbound-traffic {
                    system-services {   
                        ike;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
}
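The policies above are evaluated per zone pair from top to bottom, and the first match decides: deny-ftp sits before allow-all, so FTP from OAM to Untrust is rejected while everything else from the two OAM subnets is permitted, and CORP hosts only reach VLAN 100 with the applications in OAM-Apps; anything not matched hits the implicit default deny. The following Python model of that evaluation is an added example, not part of the original lab or of Junos; it copies the address book, applications and policies from the configuration above, and the port definitions of the predefined junos-telnet, junos-ftp and junos-ping applications are simplified assumptions (junos-ping is modelled as any ICMP rather than echo-request only).

```python
import ipaddress
from dataclasses import dataclass

# Address-book entries copied from the zone configuration on this page.
ADDRESS_BOOK = {
    "OAM_VL100": "10.10.100.0/24",
    "OAM_VL101": "10.10.101.0/24",
    "CORP_VL200": "10.10.200.0/24",
    "CORP_VL201": "10.10.201.0/24",
    "any": "0.0.0.0/0",
}

# Applications as (protocol, source-port range, destination-port range).
# Custom-Defined is from the page; the junos-* entries are simplified
# assumptions about the predefined Junos applications.
APPLICATIONS = {
    "Custom-Defined": ("udp", (50000, 50000), (50001, 50001)),
    "junos-telnet": ("tcp", (0, 65535), (23, 23)),
    "junos-ftp": ("tcp", (0, 65535), (21, 21)),
    "junos-ping": ("icmp", (0, 65535), (0, 65535)),
}
APPLICATION_SETS = {"OAM-Apps": ["Custom-Defined", "junos-telnet", "junos-ping"]}


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    sources: list
    destinations: list
    applications: list
    action: str


# Policies in the order they appear on the page; order matters because the
# first matching policy within a zone pair wins.
POLICIES = [
    Policy("deny-ftp", "OAM", "Untrust", ["any"], ["any"], ["junos-ftp"], "reject"),
    Policy("allow-all", "OAM", "Untrust", ["OAM_VL100", "OAM_VL101"], ["any"], ["any"], "permit"),
    Policy("CORP-to-OAM", "CORP", "OAM", ["CORP_VL200", "CORP_VL201"], ["OAM_VL100"], ["OAM-Apps"], "permit"),
]


def _expand_apps(names):
    for n in names:
        if n in APPLICATION_SETS:
            yield from APPLICATION_SETS[n]
        else:
            yield n


def _addr_match(names, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in names)


def _app_match(names, proto, sport, dport):
    for app in _expand_apps(names):
        if app == "any":
            return True
        p, (slo, shi), (dlo, dhi) = APPLICATIONS[app]
        if p == proto and slo <= sport <= shi and dlo <= dport <= dhi:
            return True
    return False


def evaluate(from_zone, to_zone, src, dst, proto, sport, dport):
    """Return (policy name, action) of the first matching policy for a flow,
    or the implicit default deny when no policy matches."""
    for pol in POLICIES:
        if (pol.from_zone, pol.to_zone) != (from_zone, to_zone):
            continue
        if (_addr_match(pol.sources, src) and _addr_match(pol.destinations, dst)
                and _app_match(pol.applications, proto, sport, dport)):
            return pol.name, pol.action
    return "default-deny", "deny"
```

The telnet session that appears later in the flow table (10.10.200.10:56606 to 10.10.100.10:23 over st0.0) evaluates to CORP-to-OAM/permit, the same flow towards 10.10.101.10 falls through to the default deny, and FTP from VLAN 100 to the Internet hits deny-ftp before allow-all can permit it.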

Verification

lab@SRX1> show interfaces st0 terse 
Interface               Admin Link Proto    Local                 Remote
st0                     up    up  
st0.0                   up    up   inet     10.10.1.1/30    

lab@SRX1> show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
3501187 UP     b1dc0e544d88f7bb  d1a0f576f6215442  Main           123.1.2.2       

lab@SRX1> show security ipsec security-associations 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  131073 ESP:3des/md5  a88a5f9e 3184/ unlim   -   root 500   123.1.2.2       

lab@SRX1> show security ipsec security-associations index 131073 
  ID: 131073 Virtual-system: root, VPN Name: to-remote-SRX
  Local Gateway: 123.1.1.2, Remote Gateway: 123.1.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 4, Fail#: 0, Def-Del#: 0 Flag: 600a29 
  Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: cb8e80ee, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3162 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2524 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a88a5f9e, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3162 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2524 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
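The per-SA detail above is where you confirm that what was actually negotiated is what the phase2 proposal intended: ESP, hmac-md5-96, 3des-cbc, a 3600-second lifetime, anti-replay enabled and both directions installed. The parser and check below are an added example, not part of the lab or of Junos; they take the output shown above, embedded verbatim as the sample, and compare it against the page's proposal values. The same check is where a stronger baseline would be enforced, since MD5 and 3DES are legacy algorithms that a current deployment would replace.

```python
import re

# Sample input: the "show security ipsec security-associations index 131073"
# output shown on this page.
SAMPLE = """\
  ID: 131073 Virtual-system: root, VPN Name: to-remote-SRX
  Local Gateway: 123.1.1.2, Remote Gateway: 123.1.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 4, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: cb8e80ee, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3162 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2524 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a88a5f9e, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3162 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2524 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
"""

# Values the page's "phase2" proposal is meant to negotiate.
EXPECTED = {"protocol": "ESP", "auth": "hmac-md5-96", "enc": "3des-cbc",
            "lifetime": 3600}


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None


def parse_sa(text):
    """Parse one tunnel's detail output into a dict with one entry per direction."""
    head, *dirs = re.split(r"\n\s*Direction: ", text)
    sa = {
        "vpn": _field(r"VPN Name: (\S+)", head),
        "local_gw": _field(r"Local Gateway: ([\d.]+)", head),
        "remote_gw": _field(r"Remote Gateway: ([\d.]+)", head),
        "version": _field(r"Version: (\S+)", head),
        "down_reason": _field(r"Tunnel Down Reason: (.+)", head),
        "directions": [],
    }
    for d in dirs:
        sa["directions"].append({
            "direction": _field(r"^(inbound|outbound)", d),
            "spi": _field(r"SPI: ([0-9a-f]+)", d),          # first SPI, not AUX-SPI
            "hard": int(_field(r"Hard lifetime: Expires in (\d+) seconds", d)),
            "soft": int(_field(r"Soft lifetime: Expires in (\d+) seconds", d)),
            "state": _field(r"State: (\S+)", d),
            "protocol": _field(r"Protocol: (\S+),", d),
            "auth": _field(r"Authentication: (\S+),", d),
            "enc": _field(r"Encryption: (\S+)", d),
            "replay": _field(r"Anti-replay service: (.+?), Replay", d),
            "window": int(_field(r"Replay window size: (\d+)", d)),
        })
    return sa


def check_sa(sa, expected=EXPECTED):
    """Compare the negotiated SA with the intended proposal; return findings
    (an empty list means the tunnel looks as configured)."""
    findings = []
    if len(sa["directions"]) != 2:
        findings.append(f"expected inbound and outbound SAs, found {len(sa['directions'])}")
    for d in sa["directions"]:
        tag = f"{sa['vpn']}/{d['direction']}"
        for key in ("protocol", "auth", "enc"):
            if d[key] != expected[key]:
                findings.append(f"{tag}: {key} is {d[key]}, proposal says {expected[key]}")
        if d["hard"] > expected["lifetime"]:
            findings.append(f"{tag}: hard lifetime {d['hard']}s exceeds configured {expected['lifetime']}s")
        if d["soft"] >= d["hard"]:
            findings.append(f"{tag}: soft lifetime leaves no rekey margin")
        if d["state"] != "installed":
            findings.append(f"{tag}: state is {d['state']}")
        if "enabled" not in d["replay"]:
            findings.append(f"{tag}: anti-replay is {d['replay']}")
    return findings
```

On the sample above, check_sa returns no findings; "Tunnel Down Reason: Lifetime expired" is the last reason the previous SA went away (here a normal expiry followed by rekey, Nego#: 4 with Fail#: 0), so it is parsed and reported but not treated as an error.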

Test by accessing Telnet from CORP to VLAN 100:

lab@SRX1> clear security ipsec statistics    

lab@VR> telnet 10.10.100.10 routing-instance CORP 
Trying 10.10.100.10...
Connected to 10.10.100.10.
Escape character is '^]'.

VR (ttyp1)

login: lab
Password:

lab@SRX1> show security ipsec statistics     
ESP Statistics:
  Encrypted bytes:              584
  Decrypted bytes:              344
  Encrypted packets:              5
  Decrypted packets:              6
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0


lab@SRX1> show security flow session 
Session ID: 14, Policy name: N/A, Timeout: N/A, Valid
  In: 123.1.2.2/52110 --> 123.1.1.2/33006;esp, If: ge-0/0/3.1, Pkts: 0, Bytes: 0

Session ID: 15, Policy name: N/A, Timeout: N/A, Valid
  In: 123.1.2.2/0 --> 123.1.1.2/0;esp, If: ge-0/0/3.1, Pkts: 0, Bytes: 0

Session ID: 17, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 10.10.1.2/1 --> 224.0.0.5/1;ospf, If: st0.0, Pkts: 933, Bytes: 75116
  Out: 224.0.0.5/1 --> 10.10.1.2/1;ospf, If: .local..0, Pkts: 0, Bytes: 0

Session ID: 32, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.210.14.130/49727 --> 10.210.14.135/23;tcp, If: ge-0/0/0.0, Pkts: 4432, Bytes: 233490
  Out: 10.210.14.135/23 --> 10.210.14.130/49727;tcp, If: .local..0, Pkts: 2400, Bytes: 294899

Session ID: 127, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 10.10.100.10/1 --> 224.0.0.5/1;ospf, If: ge-0/0/4.100, Pkts: 359, Bytes: 24536
  Out: 224.0.0.5/1 --> 10.10.100.10/1;ospf, If: .local..0, Pkts: 0, Bytes: 0

Session ID: 150, Policy name: CORP-to-OAM/6, Timeout: 1764, Valid
  In: 10.10.200.10/56606 --> 10.10.100.10/23;tcp, If: st0.0, Pkts: 50, Bytes: 2779
  Out: 10.10.100.10/23 --> 10.10.200.10/56606;tcp, If: ge-0/0/4.100, Pkts: 36, Bytes: 2191

Session ID: 152, Policy name: self-traffic-policy/1, Timeout: 52, Valid
  In: 123.1.1.2/500 --> 123.1.2.2/500;udp, If: .local..0, Pkts: 3, Bytes: 336
  Out: 123.1.2.2/500 --> 123.1.1.2/500;udp, If: ge-0/0/3.1, Pkts: 3, Bytes: 336
Total sessions: 7

Junos QoS Simple Configuration

Topology

Where Junos3 is a Juniper device, and R1 and R2 are Cisco routers.

Configuration

Classification

lab@Junos3# show firewall family inet      
filter classify-traffic {
    term sip {
        from {
            protocol [ tcp udp ];
            port 5060;
        }
        then {
            forwarding-class voip;
            accept;
        }
    }
    term rtp {
        from {
            protocol udp;
            port 16384-32767;
        }
        then {
            forwarding-class voip;
            accept;
        }
    }
    term telnet {
        from {
            protocol tcp;
            port 23;
        }
        then {
            forwarding-class admin;
            accept;
        }
    }
    term ping {
        from {
            protocol icmp;
        }
        then {
            forwarding-class admin;
            accept;
        }                               
    }
    term accept-all {
        then accept;
    }
}

Queues and Scheduler Maps

lab@Junos3# show class-of-service       
forwarding-classes {
    queue 1 admin;
    queue 2 voip;
}

schedulers {
    best-effort-sched {
        transmit-rate percent 40;
        buffer-size percent 40;
        priority low;
    }
    admin-sched {
        transmit-rate percent 45;
        buffer-size percent 45;
        priority medium-low;
    }
    voip-sched {
        transmit-rate percent 10;
        buffer-size percent 10;
        priority high;
    }
    network-control-sched {
        transmit-rate percent 5;
        buffer-size percent 5;          
        priority medium-high;
    }
}

scheduler-maps {
    my-sched-map {
        forwarding-class best-effort scheduler best-effort-sched;
        forwarding-class admin scheduler admin-sched;
        forwarding-class voip scheduler voip-sched;
        forwarding-class network-control scheduler network-control-sched;
    }
}

interfaces {
    ge-0/0/1 {
        scheduler-map my-sched-map;
    }
    ge-1/0/1 {
        scheduler-map my-sched-map;
    }
}
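The filter and the class-of-service stanza above work together: the filter terms are tried in order and the first match assigns the forwarding class (so a UDP packet with port 5060 is voip via the sip term even though its other port may fall in the RTP range), the forwarding class selects the egress queue (queues 1 and 2 are defined here; best-effort on queue 0 and network-control on queue 3 are the Junos defaults), and the scheduler map gives each queue its share, which must add up to 100 percent. Because classification trusts port numbers, any host that sends to port 5060 lands in the high-priority queue, which is exactly what the verification below exploits with a plain telnet. The Python model below is an added example, not part of the lab or of Junos; it copies the terms, queues and scheduler percentages from the configuration above and uses constructed sample traffic.

```python
# Forwarding-class assignment copied from the page's "classify-traffic"
# filter. Terms are evaluated in order and the first match wins; a Junos
# "port" match covers either the source or the destination port.
FILTER_TERMS = [
    ("sip", {"protocol": {"tcp", "udp"}, "port": (5060, 5060)}, "voip"),
    ("rtp", {"protocol": {"udp"}, "port": (16384, 32767)}, "voip"),
    ("telnet", {"protocol": {"tcp"}, "port": (23, 23)}, "admin"),
    ("ping", {"protocol": {"icmp"}}, "admin"),
    ("accept-all", {}, None),   # no forwarding-class action: default class
]
DEFAULT_CLASS = "best-effort"

# Queue numbers: 1 and 2 from the page; 0 (best-effort) and 3
# (network-control) are the Junos defaults.
QUEUES = {"best-effort": 0, "admin": 1, "voip": 2, "network-control": 3}

# Schedulers and scheduler map from the page's class-of-service config.
SCHEDULERS = {
    "best-effort-sched": {"transmit": 40, "buffer": 40, "priority": "low"},
    "admin-sched": {"transmit": 45, "buffer": 45, "priority": "medium-low"},
    "voip-sched": {"transmit": 10, "buffer": 10, "priority": "high"},
    "network-control-sched": {"transmit": 5, "buffer": 5, "priority": "medium-high"},
}
SCHEDULER_MAP = {
    "best-effort": "best-effort-sched",
    "admin": "admin-sched",
    "voip": "voip-sched",
    "network-control": "network-control-sched",
}


def classify(proto, sport, dport):
    """Return (matching term, forwarding class) for one packet."""
    for name, match, fc in FILTER_TERMS:
        protos = match.get("protocol")
        if protos and proto not in protos:
            continue
        if "port" in match:
            lo, hi = match["port"]
            if not (lo <= sport <= hi or lo <= dport <= hi):
                continue
        return name, fc or DEFAULT_CLASS
    return None, DEFAULT_CLASS   # not reached: accept-all matches everything


def queue_counts(packets):
    """Count packets per egress queue, as 'show interfaces queue' would report."""
    counts = {q: 0 for q in QUEUES.values()}
    for proto, sport, dport in packets:
        _, fc = classify(proto, sport, dport)
        counts[QUEUES[fc]] += 1
    return counts


def validate_schedulers():
    """Pre-commit sanity checks: every forwarding class has a scheduler and
    the transmit-rate and buffer-size percentages each sum to 100."""
    problems = []
    for fc in QUEUES:
        if SCHEDULER_MAP.get(fc) not in SCHEDULERS:
            problems.append(f"forwarding class {fc} has no scheduler")
    for key in ("transmit", "buffer"):
        total = sum(s[key] for s in SCHEDULERS.values())
        if total != 100:
            problems.append(f"{key} percentages sum to {total}, not 100")
    return problems


# Constructed sample traffic mirroring the verification steps: three packets
# of a telnet to port 5060, a 51-packet telnet session, one RTP-range UDP
# packet and one HTTP packet.
SAMPLE_PACKETS = ([("tcp", 40001, 5060)] * 3 + [("tcp", 40002, 23)] * 51
                  + [("udp", 5000, 20000), ("tcp", 1234, 80)])
```

queue_counts(SAMPLE_PACKETS) gives 4 packets on queue 2 (voip), 51 on queue 1 (admin) and 1 on queue 0, matching the shape of the queue counters shown in the verification section; validate_schedulers() returns an empty list for the percentages above.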

SET CONFIG

lab@Junos3# show firewall family inet | display set 
set firewall family inet filter classify-traffic term sip from protocol tcp
set firewall family inet filter classify-traffic term sip from protocol udp
set firewall family inet filter classify-traffic term sip from port 5060
set firewall family inet filter classify-traffic term sip then forwarding-class voip
set firewall family inet filter classify-traffic term sip then accept
set firewall family inet filter classify-traffic term rtp from protocol udp
set firewall family inet filter classify-traffic term rtp from port 16384-32767
set firewall family inet filter classify-traffic term rtp then forwarding-class voip
set firewall family inet filter classify-traffic term rtp then accept
set firewall family inet filter classify-traffic term telnet from protocol tcp
set firewall family inet filter classify-traffic term telnet from port 23
set firewall family inet filter classify-traffic term telnet then forwarding-class admin
set firewall family inet filter classify-traffic term telnet then accept
set firewall family inet filter classify-traffic term ping from protocol icmp
set firewall family inet filter classify-traffic term ping then forwarding-class admin
set firewall family inet filter classify-traffic term ping then accept
set firewall family inet filter classify-traffic term accept-all then accept

lab@Junos3# show class-of-service | display set 
set class-of-service forwarding-classes queue 1 admin
set class-of-service forwarding-classes queue 2 voip
set class-of-service interfaces ge-0/0/1 scheduler-map my-sched-map
set class-of-service interfaces ge-1/0/1 scheduler-map my-sched-map
set class-of-service scheduler-maps my-sched-map forwarding-class best-effort scheduler best-effort-sched
set class-of-service scheduler-maps my-sched-map forwarding-class admin scheduler admin-sched
set class-of-service scheduler-maps my-sched-map forwarding-class voip scheduler voip-sched
set class-of-service scheduler-maps my-sched-map forwarding-class network-control scheduler network-control-sched
set class-of-service schedulers best-effort-sched transmit-rate percent 40
set class-of-service schedulers best-effort-sched buffer-size percent 40
set class-of-service schedulers best-effort-sched priority low
set class-of-service schedulers admin-sched transmit-rate percent 45
set class-of-service schedulers admin-sched buffer-size percent 45
set class-of-service schedulers admin-sched priority medium-low
set class-of-service schedulers voip-sched transmit-rate percent 10
set class-of-service schedulers voip-sched buffer-size percent 10
set class-of-service schedulers voip-sched priority high
set class-of-service schedulers network-control-sched transmit-rate percent 5
set class-of-service schedulers network-control-sched buffer-size percent 5
set class-of-service schedulers network-control-sched priority medium-high

VERIFICATION

Clear the interface queue statistics with the following command:

lab@Junos3> clear interfaces statistics all 

lab@Junos3> show interfaces queue ge-0/0/1     
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 508
  Description: DEVNET-R6-6509 GE1/21
Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
Queue: 0, Forwarding classes: best-effort 
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
...

Generate VoIP traffic from R2 to R1 with SIP signalling by telnetting to R1 on TCP port 5060, and confirm that the traffic is queued on the Junos3 outbound interface to R1:

R2#telnet 13.0.0.1 5060
Trying 13.0.0.1, 5060 ... 
% Connection refused by remote host

lab@Junos3> show interfaces queue ge-0/0/1 | find voip 
Queue: 2, Forwarding classes: voip 
  Queued:
    Packets              :                     3                     0 pps
    Bytes                :                   180                     0 bps
  Transmitted:
    Packets              :                     3                     0 pps
    Bytes                :                   180                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps

Generate admin traffic by telnetting from R2 to R1 on the normal Telnet port (TCP 23), and confirm the same:

R2#telnet 13.0.0.1     
Trying 13.0.0.1 ... Open

==================================================
Cisco Router R1
==================================================

lab@Junos3> show interfaces queue ge-0/0/1 | find admin 
Queue: 1, Forwarding classes: admin 
  Queued:
    Packets              :                    51                     0 pps
    Bytes                :                  3066                     0 bps
  Transmitted:
    Packets              :                    51                     0 pps
    Bytes                :                  3066                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps

For demonstration purposes, ICMP is classified into the admin class, so we can also generate a lot of admin traffic with extended pings from R2 to R1. In practice, ICMP should certainly not be part of admin traffic.

Note:

By default, J-series routers come with the stateful firewall enabled. To remove it entirely, delete the stateful firewall configuration and enable packet-based mode:

delete security
set security forwarding-options family mpls mode packet-based