I-BLOG » VPN

PPTP Pass-through through Juniper NS 5GT Firewall

rsivanandan — Fri, 16 Jul 2010 08:05:05 +0000

Got a question on this one in my comments page and hence thought of putting it together. Say there is a PPTP server residing on the trust side of your NS firewall (applicable to all/most of the NS firewalls running Screen OS). For simplicity, assuming that the device is in NAT mode and you want to allow connections coming from internet for PPTP VPN, follow the steps here;

First create a custom service to address the PPTP requirement (This is Microsoft windows specific);

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048

set service CustomPPTP + tcp src 0-65535 dst 1723-1723

The first line above creates a custom service named “CustomPPTP” with protocol number 47 (GRE) with source/destination port as 2048.

The second line adds to the same service for PPTP (port 1723 TCP).

Then the next step would be to NAT the internal PPTP server to publically accessible server using a public ip address. Here we’d use the same address assigned on the untrust interface (single public ip available scenario);

set vip multi-port

set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10

The first line above states that it is a multi-port VIP. Normally a VIP listens only on a single port, if a single ip address is used and you want to have multiple ports forwarded, multi-port VIP is needed.

The second line above sets a VIP for port 2048 for the internal server (PPTP Server) 10.1.1.10 (assuming the ip of the internal PPTP server to be this).

almost done; the only thing pending is a policy to allow traffic to pass through this condition;

set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit

The above policy allows any machine from untrust zone (internet) to connect to VIP address (trust zone) for the service “CustomPPTP”.

Just save the configuration and you should have it working just fine…

Juniper KB Link

MPLS and Loopback Address

rsivanandan — Sat, 21 Feb 2009 07:32:38 +0000

Our team just started working on technology involving MPLS and stuff, so we were talking about MPLS networks, then came a question as to why do we always see loopback addresses in examples and is it like a strict requirement? We couldn’t find a solid answer or answers, owing to the fact that we are a bunch of security experts just landed into this MPLS

So the question is, Is it a must to have Loopback addresses for MPLS to work? Well, I got the following from [Here]

"Loopback" IP address

Although not a strict requirement, it is advisable to configure routers participating in MPLS network with "loopback" IP addresses (not attached to any real network interface) to be used by LDP to establish sessions.

This serves 2 purposes:

As there is only one LDP session between any 2 routers, no matter how many links connect them, loopback IP address ensures that LDP session is not affected by interface state or address changes
Use of loopback address as LDP transport address ensures proper penultimate hop popping behaviour when multiple labels are attached to packet as in case of VPLS

Is there any other reason that you think should be there? Would appreciate if you could comment.

VPN to Juniper Firewall – using XP Client

rsivanandan — Sun, 08 Jun 2008 03:30:31 +0000

It is advisable to use the Netscreen-Remote that comes as the vpn client, however if one has to use XP client for connecting to a Juniper Firewall, here is how to do;

This example talks about L2TP over IPSEC { GO }

VPN between Cisco PIX and Juniper Netscreen Firewall

rsivanandan — Thu, 29 May 2008 13:26:27 +0000

Found out today that Cisco has a configuration guide for VPN between PIX firewall to a Juniper Netscreen Firewall

{Click to Go}

Juniper SSG-Cisco PIX VPN Configuration

rsivanandan — Tue, 18 Dec 2007 03:38:11 +0000

Its been quite some time I’m wanting to post such a configuration. I helped with one such question in Experts-Exchange and sought permission from the author to post the working configuration once the VPN was up and running. Below would be the configuration of working SSG-PIX VPN with the consent of the author. Obviously the public ip addresses are masked.

To give a background, SSG is at the main office, PIX being at remote office. The VPN is built between 10.10.12.0 network to 10.10.7.0 network in the following configuration;

SSG 140 Configuration:-

JUNIPER (MAIN OFFICE)--->
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "XYZ123"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "DMZ-WAN"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "DMZ-WAN" block 
unset zone "DMZ-WAN" tcp-rst 
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
set zone "Trust" screen winnuke
set zone "Trust" screen port-scan
set zone "Trust" screen ip-sweep
set zone "Trust" screen tear-drop
set zone "Trust" screen ping-death
set zone "Trust" screen ip-filter-src
set zone "Trust" screen land
set zone "Trust" screen syn-frag
set zone "Trust" screen tcp-no-flag
set zone "Trust" screen unknown-protocol
set zone "Trust" screen ip-bad-option
set zone "Trust" screen ip-record-route
set zone "Trust" screen ip-timestamp-opt
set zone "Trust" screen ip-security-opt
set zone "Trust" screen ip-loose-src-route
set zone "Trust" screen ip-strict-src-route
set zone "Trust" screen ip-stream-opt
set zone "Trust" screen icmp-fragment
set zone "Trust" screen icmp-large
set zone "Trust" screen syn-fin
set zone "Trust" screen fin-no-ack
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen syn-ack-ack-proxy
set zone "Trust" screen block-frag
set zone "Trust" screen limit-session destination-ip-based
set zone "Trust" screen component-block exe
set zone "Trust" screen icmp-id
set zone "Trust" screen ip-spoofing drop-no-rpf-route
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "DMZ-WAN"
set interface "tunnel.1" zone "Untrust"
set interface ethernet0/0 ip 10.10.7.2/24
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 10.10.9.1/24
set interface ethernet0/1 route
set interface ethernet0/2 ip X.Y.Z.98/27
set interface ethernet0/2 route
set interface ethernet0/3 ip 10.10.99.0/24
set interface ethernet0/3 route
set interface tunnel.1 ip unnumbered interface ethernet0/2
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
unset interface ethernet0/0 manage snmp
set interface ethernet0/0 manage mtrace
unset interface ethernet0/1 manage ping
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/2 manage mtrace
set interface vlan1 manage mtrace
set interface "ethernet0/2" mip X.Y.Z.106 host 10.10.7.106 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.109 host 10.10.7.200 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.100 host 10.10.7.100 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.101 host 10.10.7.206 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.103 host 10.10.7.103 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.108 host 10.10.7.208 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.121 host 10.10.7.121 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.115 host 10.10.7.115 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.125 host 10.10.7.122 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" webauth 
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain econium
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 66.153.50.66 src-interface ethernet0/2
set dns host dns2 64.80.0.162 src-interface ethernet0/2
set dns host dns3 64.80.32.128 src-interface ethernet0/2
set dns host schedule 06:28
set address "Trust" "10.10.7.0/24" 10.10.7.0 255.255.255.0
set address "Trust" "10.10.7.106/24" 10.10.7.106 255.255.255.0
set address "Trust" "10.10.7.117/24" 10.10.7.117 255.255.255.0
set address "Trust" "Office LAN" 10.10.0.0 255.255.0.0
set address "Trust" "Trust_LAN" 10.10.7.0 255.255.255.0
set address "Untrust" "10.10.12.0/24" 10.10.12.0 255.255.255.0
set address "Untrust" "X.Y.Z.117/30" X.Y.Z.117 255.255.255.252
set address "Untrust" "W-Remote" 10.10.12.0 255.255.255.0
set address "DMZ-WAN" "Wireless" 10.10.99.0 255.255.255.0 "Wireless"
set ike gateway "W-Remote GW" address A.B.C.42 Main outgoing-interface "ethernet0/2" preshare "myxlplyt" proposal "pre-g2-3des-sha"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "W-Remote VPN" gateway "W-Remote GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha" 
set vpn "W-Remote VPN" id 1 bind interface tunnel.1
set url protocol websense
exit
set anti-spam profile ns-profile
 set sbl default-server enable
 set default action tag subject "*** [SPAM] ***"
exit
set vpn "W-Remote VPN" proxy-id local-ip 10.10.7.0/24 remote-ip 10.10.12.0/24 "ANY" 
set policy id 34 from "Trust" to "Untrust"  "10.10.7.0/24" "10.10.12.0/24" "ANY" permit log 
set policy id 34
set log session-init
exit
set policy id 33 from "Untrust" to "Trust"  "10.10.12.0/24" "10.10.7.0/24" "ANY" permit log 
set policy id 33
set log session-init
exit
set policy id 21 from "Untrust" to "Trust"  "Any" "MIP(X.Y.Z.106)" "ANY" permit log 
set policy id 21
exit
set policy id 1 name "Internet Access" from "Trust" to "Untrust"  "Office LAN" "Any" "HTTP" nat src permit log url-filter 
set policy id 1
set log session-init
exit
set policy id 2 from "Trust" to "Untrust"  "Office LAN" "Any" "HTTPS" nat src permit log 
set policy id 2
exit
set policy id 5 from "Trust" to "DMZ"  "Office LAN" "Any" "ANY" nat src permit log 
set policy id 5
exit
set policy id 6 name "Deny All - DMZ" from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log 
set policy id 6
exit
set policy id 7 from "Trust" to "Untrust"  "Office LAN" "Any" "DNS" nat src permit 
set policy id 7
exit
set policy id 8 from "Trust" to "Untrust"  "Office LAN" "Any" "FTP" nat src permit 
set policy id 8
exit
set policy id 9 from "Trust" to "Untrust"  "Office LAN" "Any" "POP3" nat src permit 
set policy id 9
exit
set policy id 10 from "Trust" to "Untrust"  "Office LAN" "Any" "SMTP" nat src permit log 
set policy id 10
exit
set policy id 11 name "Wireless Access" from "DMZ-WAN" to "Untrust"  "Wireless" "Any" "DNS" nat src permit log 
set policy id 11
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "PING"
set service "POP3"
set service "SMTP"
set service "VNC"
exit
set policy id 13 name "VNC" from "Trust" to "Untrust"  "Office LAN" "Any" "VNC" nat src permit log 
set policy id 13
exit
set policy id 14 name "Ping" from "Trust" to "Untrust"  "Office LAN" "Any" "PING" nat src permit log 
set policy id 14
exit
set policy id 31 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log 
set policy id 31
exit
set policy id 32 from "Trust" to "Untrust"  "Office LAN" "Any" "ANY" nat src permit log 
set policy id 32
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.10.12.0/24 interface tunnel.1 preference 20
set route 0.0.0.0/0 interface ethernet0/2 gateway X.Y.Z.97 preference 20 metric 10
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

PIX Configuration:-

CISCO PIX (REMOTE OFFICE) -->
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ABCDE encrypted
passwd abcde encrypted
hostname W-Remote
domain-name pix
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list nonat permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list cap permit ip host 10.10.12.112 host 10.10.7.117
access-list cap permit ip host 10.10.7.117 host 10.10.12.112
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging history errors
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.42 255.255.255.248
ip address inside 10.10.12.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.12.0 255.255.255.255 inside
pdm location 10.10.7.0 255.255.255.0 outside
pdm location 10.10.12.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.12.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 A.B.C.42 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map pie 1 ipsec-isakmp
crypto map pie 1 match address 101
crypto map pie 1 set peer X.Y.Z.98
crypto map pie 1 set transform-set ESP-3DES-SHA
crypto map pie interface outside
isakmp enable outside
isakmp key ******** address X.Y.Z.98 netmask 255.255.255.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
telnet 10.10.12.0 255.255.255.0 inside
telnet 10.10.7.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
: end

Split-Tunneling in PIX – How To ?

rsivanandan — Sat, 04 Aug 2007 18:25:48 +0000

There have been so many questions about how to configure split-tunneling on PIX. So right to the point;

Internal Network :: 10.0.4.0/24

VPN Pool :: 10.1.4.0/24

Config goes here;

access-list nonat permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.00

access-list split permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0

nat(inside) 0 access-list nonat

vpngroup split-tunnel split

Now it goes into respective configuration section of nat and vpngroup configuration sections. Question is why 2 access-list ? ‘nonat’ and ‘split’

Cisco recommends it to be that way and otherwise found running into problems at times.

Site-To-Site VPN on Netscreen/Juniper Firewalls

rsivanandan — Sun, 29 Jul 2007 12:23:58 +0000

One of the amazing functionality of Juniper firewalls are the CLI easiness of creating and maintaining configurations, one such impressive example is VPN Configuration;

Say, we have 2 working Juniper firewalls and if we want to configure site to site vpn tunnels, then it would be as simple as 3 commands. Lets see how difficult it is;

First create a tunnel Interface :

set interface tunnel.1 zone

set interface tunnel.1 ip unnumbered interface

Create VPN parameters:

set ike address outgoing-interface preshare “Key” proposal

set vpn gateway sec-level compatible

set vpn bind interface

Create a route to send the traffic over VPN:

set route / interface tunnel.1

Example:

SiteA-Network———-Firewall-1————————-Firewall-2————SiteB-Network

Firewall-1 [ethernet0/1 - outside interface in zone 'untrust' , 1.1.1.1/30]

Firewall-2 [ethernet0/1 - outside interface in zone 'untrust', 2.2.2.2/30]

Firewall-1 [Internal Network is 20.20.20.0/24]

Firewall-2 [ Internal Network is 10.10.10.0/24]

So the configuration would look like this;

###################################################################

set interface tunnel.1 zone untrust

set interface tunnel.1 ip unnumbered interface ethernet0/1

set ike “ToSiteB” address 2.2.2.2 main outgoing-interface ethernet0/1 preshare PASSWORD proposal pre-g2-3des-sha

set vpn “TOSITEB-VPN” gateway “ToSiteB” sec-level compatible

set vpn “TOSITEB-VPN” bind interface tunnel.1

set route 10.10.10.0/24 interface tunnel.1

###################################################################

Split-Tunneling Good or Bad ?

rsivanandan — Thu, 19 Jul 2007 16:23:46 +0000

In the VPN configuration this seems to be a host discussion; so here we go

There are 2 options of internet traffic for the VPN users;

Split-Tunneling enabled :: This means all the corporate traffic goes through the vpn tunnel and all the internet (local browsing etc) goes through the user’s local internet connection which improves the browsing speed/experience for the end user.
Split-Tunneling disabled :: This means all the corporate traffic and local user traffic to internet traverse over the vpn tunnel and the internet traffic first goes to the vpn end-point and then exits to internet

Now, point 1 seems to be interesting to some security professionals for the reason that, while connected through VPN there is no local interaction and thus no ” security risk “. The argument being while connected to the corporate through VPN, the public internet is secluded and thus there is more security in terms of somebody/something from internet gets to the corporate!

Well, let me see; the way I see it – First of all it makes the internet browsing poor for the end user who is probably browsing more but still is *ON* VPN just for mail checking in the late evening (If that is happening ). Now security-wise, does it mean by just disabling the split-tunneling, an administrator can be assured that the user won’t harm the corporate ? I don’t think so;

How About users’ machine infected with a Virus/Trojan/Some Crap, whether you have enabled split-tunneling or not, this is going to enter corporate ???? YES.

So what security are we talking about ?

The best approach would be to have Network Access/Admission Control which is integrated with an AntiVirus/AntiSpyware/IPS and Firewall module.

Now is there something obvious I’m not seeing here? May be somebody can shed some light and I would really appreciate that!

Technorati Tags: VPN, Split-Tunneling, Security

Windows VPN Split-Tunnel

rsivanandan — Wed, 12 Jul 2006 16:46:20 +0000

To allow split-tunnel feature while connected through Windows VPN, you can enable or disable to have all the internet traffic go through VPN. Security measures is your choice.

How to do it ?

MTU settings for VPN

rsivanandan — Sun, 09 Jul 2006 08:58:08 +0000

I thought I will put this info on this here, so that everytime I answer a question, don’t have to type it all and just link to here;

Basically one of the biggest problems encountered with ExchangeServer and Outlook client when they are connected over a IPSec VPN, it doesn’t work very well. As a solution, this is what I’ve always suggested and proved to be of use too.

1. When you connect through VPN, first find out what is the best MTU size for you to talk to your corporate. How you can do this is simple; Connect to VPN and then,

ping -l 1400 -f

what we are doing here is to set the mtu to 1400 and also set ‘don’t fragment’. So if it is possible to send the packet without fragmenting then it would go through otherwise you’ll get a reply saying ‘don’t fragment bit set and so cannot proceed’. You are in-effect finding the Path MTU.

Then slow start reducing the 1400 to 1350, 1300 etc and see when you can ping without any problems and that should be your MTU.

2. Also make sure you add the servername to ip resolution in your hosts file.

That should take care of your problem in most of the scenarios. Now how to change the MTU size on the network adaptor?

The MTU for Windows 2000/XP/2003 network interfaces can be configured here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Interface GUID}\MTU