Juniper SRX DHCP configuration – Dynamic and Static Binding

Make your SRX as a DHCP Server for your local network

Commit the following configuration to make your SRX act as a DHCP server.

set system services dhcp pool 10.102.100.0/24 address-range low 10.102.100.100
set system services dhcp pool 10.102.100.0/24 address-range high 10.102.100.200
set system services dhcp pool 10.102.100.0/24 default-lease-time 3600
set system services dhcp pool 10.102.100.0/24 domain-name lab-network.net
set system services dhcp pool 10.102.100.0/24 router 10.102.100.1

address-range low     : First IP address in your DHCP pool
address-range high    : Last IP address in your DHCP pool
default-lease-time    : Lease duration in seconds (3600 in this example)
domain-name           : Local domain name handed to DHCP clients
router                : Gateway IP for your local network

Now you have to enable dhcp under the host-inbound-traffic rules for the interface in your SRX’s private network zone:

set security zones security-zone PRIVATE_NETWORK interfaces reth1.0 host-inbound-traffic system-services dhcp

Run show system services dhcp binding to see your current DHCP bindings.

If you need to bind an IP address statically to a particular host, use a static binding keyed on the host’s MAC address:

set system services dhcp static-binding 00:xx:xx:xx:xx:x fixed-address 10.102.100.xxx

IPSec VPN between Amazon VPC and Juniper SRX

In this article I would like to share my experience in configuring a secure IPSec VPN tunnel between Juniper SRX firewalls and Amazon VPC.

Here is the diagram of my lab cluster.

Phase 1 : Configure AWS VPC – VPN


Create Customer Gateway

You should have a static public IP address assigned to your on-premises gateway. It can’t be behind NAT (Network Address Translation).

You can use either static or dynamic routing. In this scenario, to keep the SRX side simple, I set up static routing; I’m not interested in running BGP on my firewalls for dynamic routing.

Create Virtual Private Gateway

Now create a Virtual Private Gateway; this is what terminates your IPsec connections (in and out) on the AWS end. Make sure to attach the Virtual Private Gateway to the VPC to which you’re trying to set up the VPN connection.

Configure VPN Connections

Create a VPN connection, making sure to select the Customer Gateway and Virtual Private Gateway you created in the previous steps. Here you can also select static routing and enter the private IP subnets of your on-premises network. Once you create the VPN connection, AWS automatically generates the configuration to be committed on the remote end. You can download the configuration file to your local machine [ Vendor : Juniper Networks, Platform : J-series Routers ].

Just verify VPN connections, Virtual Private Gateway and Customer Gateway. Make sure it’s attached to the VPC to which you’re trying to configure VPN connection.

Verify the tunnel details [ VPC > VPN Connections > Select VPN Connection > Tunnel Details ]; here you can see two tunnels, currently in Down status. They will come up once you commit the configuration on the SRX end.

Phase 2 : Configure Juniper SRX – IPSec VPN Connection

Verify Interfaces and Zones

As you can see in my lab diagram, I have two Juniper SRX units configured as a chassis cluster, two internal security zones and one Public zone. Note down your public interface; in my case it’s reth2.0.

Draft and commit SRX Rules

Hope you’ve already downloaded the configuration to be committed on SRX Devices. If you have not done this, please go to VPC > VPN Connections > Select VPN Connection and click Download Configuration. [ Vendor : Juniper Networks, Platform : J-series Routers ].

As you can see from the downloaded configuration, you need to configure two IPSec tunnels (AWS provides two endpoints for redundancy). Here is the SRX config I’ve used.

First IPSec Tunnel

#IKE Proposal
set security ike proposal ike-prop-vpn-to-aws-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-to-aws-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-to-aws-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-to-aws-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-to-aws-1 dh-group group2

#IKE Policy (pre-shared key comes from the downloaded AWS configuration)
set security ike policy ike-pol-vpn-to-aws-1 mode main
set security ike policy ike-pol-vpn-to-aws-1 proposals ike-prop-vpn-to-aws-1
set security ike policy ike-pol-vpn-to-aws-1 pre-shared-key ascii-text xxxxxx

#IKE Gateway (x.x.x.x is the AWS tunnel endpoint from the downloaded configuration)
set security ike gateway gw-vpn-to-aws-1 ike-policy ike-pol-vpn-to-aws-1
set security ike gateway gw-vpn-to-aws-1 external-interface reth2.0
set security ike gateway gw-vpn-to-aws-1 address x.x.x.x

#IPSec Proposal
set security ipsec proposal ipsec-prop-vpn-to-aws-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-to-aws-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-to-aws-1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-to-aws-1 lifetime-seconds 3600

#IPSec Policy
set security ipsec policy ipsec-pol-vpn-to-aws-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-to-aws-1 proposals ipsec-prop-vpn-to-aws-1

#IPSec VPN
set security ipsec vpn vpn-to-aws-1 bind-interface st0.1
set security ipsec vpn vpn-to-aws-1 ike gateway gw-vpn-to-aws-1
set security ipsec vpn vpn-to-aws-1 ike ipsec-policy ipsec-pol-vpn-to-aws-1
set security ipsec vpn vpn-to-aws-1 df-bit clear

#IPSec VPN Monitoring and DPD
set security ike gateway gw-vpn-to-aws-1 dead-peer-detection
set security ipsec vpn vpn-to-aws-1 vpn-monitor source-interface st0.1
set security ipsec vpn vpn-to-aws-1 vpn-monitor destination-ip 169.254.45.225

#Tunnel Interface and Security Zone Configuration
set interfaces st0.1 family inet address 169.254.45.226/30
set interfaces st0.1 family inet mtu 1436
set security zones security-zone AWS_VPC interfaces st0.1

Second IPSec Tunnel

#IKE Proposal
set security ike proposal ike-prop-vpn-to-aws-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-to-aws-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-to-aws-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-to-aws-2 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-to-aws-2 dh-group group2

#IKE Policy (pre-shared key comes from the downloaded AWS configuration)
set security ike policy ike-pol-vpn-to-aws-2 mode main
set security ike policy ike-pol-vpn-to-aws-2 proposals ike-prop-vpn-to-aws-2
set security ike policy ike-pol-vpn-to-aws-2 pre-shared-key ascii-text xxxx

#IKE Gateway (x.x.x.x is the second AWS tunnel endpoint from the downloaded configuration)
set security ike gateway gw-vpn-to-aws-2 ike-policy ike-pol-vpn-to-aws-2
set security ike gateway gw-vpn-to-aws-2 external-interface reth2.0
set security ike gateway gw-vpn-to-aws-2 address x.x.x.x

#IPSec Proposal
set security ipsec proposal ipsec-prop-vpn-to-aws-2 protocol esp
set security ipsec proposal ipsec-prop-vpn-to-aws-2 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-to-aws-2 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-to-aws-2 lifetime-seconds 3600

#IPSec Policy
set security ipsec policy ipsec-pol-vpn-to-aws-2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-to-aws-2 proposals ipsec-prop-vpn-to-aws-2

#IPSec VPN
set security ipsec vpn vpn-to-aws-2 bind-interface st0.2
set security ipsec vpn vpn-to-aws-2 ike gateway gw-vpn-to-aws-2
set security ipsec vpn vpn-to-aws-2 ike ipsec-policy ipsec-pol-vpn-to-aws-2
set security ipsec vpn vpn-to-aws-2 df-bit clear

#IPSec VPN Monitoring and DPD
set security ike gateway gw-vpn-to-aws-2 dead-peer-detection
set security ipsec vpn vpn-to-aws-2 vpn-monitor source-interface st0.2
set security ipsec vpn vpn-to-aws-2 vpn-monitor destination-ip 169.254.44.161

#Tunnel Interface and Security Zone Configuration
set interfaces st0.2 family inet address 169.254.44.162/30
set interfaces st0.2 family inet mtu 1436
set security zones security-zone AWS_VPC interfaces st0.2

Additional Configuration

#Enable host Inbound Traffic – IKE
set security zones security-zone Public host-inbound-traffic system-services ike

#Configure TCP Maximum Segmentation Size
set security flow tcp-mss ipsec-vpn mss 1387

#Static Routes
set routing-options static route 172.31.0.0/16 next-hop st0.1
set routing-options static route 172.31.0.0/16 next-hop st0.2 preference 10

#To enable IKE error logging – Troubleshooting IKE connectivity
set security ike traceoptions file kmd
set security ike traceoptions file size 1024768
set security ike traceoptions file files 10
set security ike traceoptions flag all

Note : Enable traceoptions only while debugging VPN connections (flag all is very verbose) and deactivate them afterwards.

At this point your VPN tunnel should be up. Verify IPSec tunnels from SRX and AWS Console.

Verify IPSec Tunnels

On the Juniper SRX:

show security ike security-associations   : shows active IKE security associations
show security ipsec security-associations : shows active IPsec security associations
show log kmd                              : shows the VPN logs (the traceoptions file configured above)

In the AWS console: Services > VPC > VPN Connections > select the VPN connection > click Tunnel Details. You will see UP when the connection is working.

Phase 3 : Firewall Rules and Static Routing

Now that the IPSec tunnels are up, you need to update the static routing details in AWS and write security policies on both ends to allow data traffic through the IPSec tunnels.

Update Routing Table

VPC > Routing Table > select the routing table associated with your VPC
Edit Routes : add your remote (on-premises) networks
Edit Route Propagation : enable route propagation for your Virtual Private Gateway


Update / Create Security Group rules
Create an inbound rule to allow traffic from 10.102.20.0/24 and make sure to associate this security group with the VMs in the VPC.


Add SRX Security policies

# Address book entries
set security zones security-zone internal-1 address-book address 10_102_20_0_24 10.102.20.0/24
set security zones security-zone AWS_VPC address-book address 172_31_0_0_16 172.31.0.0/16

# Security Policies
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC match source-address 10_102_20_0_24
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC match destination-address 172_31_0_0_16
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC match application any
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC then permit

set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ match source-address 172_31_0_0_16
set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ match destination-address 10_102_20_0_24
set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ match application any
set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ then permit

Now you should be able to communicate securely between the AWS VPC and the on-premises cluster through the IPSec tunnels.

SRX Rules can be downloaded from here  : https://gist.github.com/dijeesh/3e1f5526ca06846a715142b82fdf53c0

Please let me know if you have any questions 🙂

XenServer 6 to 7 upgrade

XenServer 7 (aka “Dundee”) has been released, and it’s a major release with Xen 4.6.1, a CentOS 7 dom0 and a new partitioning scheme. You can upgrade all XenServer 6.x versions directly to 7. Plan the upgrade process carefully: the changes in the partition scheme make the upgrade a little confusing and complicated.

Applying XenServer Patches

For better performance and security it’s recommended to install all patches released for XenServer. In this article I would like to share the steps for applying patches on a single XenServer host and on a XenServer pool.

This article contains the list of recommended patches for your XenServer version.

Single XenServer Host

If you’re running XenServer on a single hardware node, the following steps can be used to install patches.

1. Download the hotfix from the Citrix Downloads Portal

2. Unzip the hotfix

    unzip patchxxx.zip

3. Get the host UUID by running

    xe host-list

4. Upload the hotfix (the command prints the UUID of the uploaded patch)

    xe patch-upload file-name=<patchxxx.xsupdate>

5. Apply the patch

    xe patch-apply uuid=<patch UUID from step 4> host-uuid=<host UUID from step 3>

XenServer Pool

If you’re running a XenServer pool with shared storage, maintenance on one hardware node will not affect the running VMs: you can migrate the VMs to other hardware nodes while you reboot a XenServer host to apply patches.

In this case, download the patches to your pool master and apply them to the entire pool using the patch-pool-apply command. Then evacuate and reboot the hosts, starting from the pool master.

Steps for Installing patches in XenServer pool are as follows.

1. Take a pool database backup

    xe pool-dump-database file-name=pool-database-backup_DATE

2. Disable pool HA

    xe pool-ha-disable

3. Eject all CD drives mounted to the VMs

    xe vm-cd-eject --multiple

4. Download the hotfixes to /root/hotfix/ on the pool master

5. Apply the hotfixes (see below)

6. Reboot hosts / restart the toolstack according to the guidance given while applying each patch.

Applying patches

You can either run xe patch-pool-apply manually from the pool master or use the following script to upload and apply patches.

Script usage:

1. Download the script and save it as /root/hotfix/apply-hotfix.sh
2. Make the script executable: chmod +x /root/hotfix/apply-hotfix.sh
3. Apply the patches: ./apply-hotfix.sh <patch.xsupdate>

This will upload and apply patches on all pool members. Once finished, you may evacuate and reboot pool members starting from the pool master or restart tool-stack as instructed while applying the patch.
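As an added example (my own sketch, not the author’s downloadable script), here is a minimal apply-hotfix.sh that does what the steps above describe: upload the .xsupdate on the pool master, read back the patch UUID that xe patch-upload prints, and apply it pool-wide with xe patch-pool-apply. It assumes it runs on the pool master and that the XE variable can be pointed at a stand-in xe command for testing.

```shell
#!/bin/sh
# apply-hotfix.sh : upload a XenServer hotfix and apply it to the whole pool.
# Added example, not the author's script. Run on the pool master.
# Usage: ./apply-hotfix.sh <patch.xsupdate>
set -eu

# Path to the xe CLI; overridable so the logic can be exercised without a host.
XE="${XE:-xe}"

# xe patch-upload prints the new patch UUID. Keep only a well-formed UUID so
# a warning or banner line is never mistaken for one.
extract_uuid() {
    printf '%s\n' "$1" \
        | grep -Eo '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' \
        | head -n 1
}

# Accept only an existing .xsupdate file (the unzipped hotfix, not the .zip).
check_patch_file() {
    case "$1" in
        *.xsupdate) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Upload once on the master (the patch is then visible pool-wide) and apply
# it to every pool member. Prints the patch UUID on stdout on success.
apply_hotfix() {
    patch_file="$1"
    if ! check_patch_file "$patch_file"; then
        echo "not an existing .xsupdate file: $patch_file" >&2
        return 1
    fi
    upload_out="$("$XE" patch-upload file-name="$patch_file")"
    uuid="$(extract_uuid "$upload_out")"
    if [ -z "$uuid" ]; then
        echo "could not find a patch UUID in: $upload_out" >&2
        return 1
    fi
    echo "uploaded $patch_file as patch $uuid" >&2
    # xe prints the post-apply guidance (reboot / toolstack restart); keep it visible.
    "$XE" patch-pool-apply uuid="$uuid" >&2
    echo "$uuid"
}

# Only act when a patch file is given (the script can be sourced for testing).
if [ "${1:-}" != "" ]; then
    apply_hotfix "$1"
fi
```

The post-apply guidance printed by xe is what decides whether each host needs an evacuate-and-reboot or only a toolstack restart, so the script leaves it on screen rather than acting on it.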

Happy Upgrade 🙂

Getting started with LXC Containers

LXC (Linux Containers) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel. In this article I will provide 10 simple steps for getting started with LXC containers on a CentOS based system.