Monday, 3 November 2014
vpn juniper part 3
Verifying the VPN status

Verifying the IKE Phase 1 Status   | show security ike security-associations
                                   | show security ike security-associations index (number) detail
Verifying the IPsec Phase 2 Status | show security ipsec security-associations
                                   | show security ipsec security-associations index (number) detail
                                   | show security ipsec statistics index (number)
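As an added example, not from the original post, the following Python reads the two tables those commands print and turns them into a per-peer verdict: phase 1 must be UP, and phase 2 must have both an inbound (`<`) and an outbound (`>`) SA with lifetime left, otherwise the matching `index (number) detail` command from the table above is suggested. The output text is constructed sample data laid out the way Junos prints these tables; the index numbers, cookies, SPIs and lifetimes are made up, and the peer list would come from the gateways configured in part 2.

```python
from collections import defaultdict

# Constructed sample output of 'show security ike security-associations'
# (same column layout as Junos; index numbers and cookies are made up).
IKE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1859019 UP     7d9a6a14c6a7e78f  62a8e9a7c2c94a3b  Main           2.2.2.2
1859020 DOWN   1a2b3c4d5e6f7081  0000000000000000  Main           3.3.3.3
"""

# Constructed sample output of 'show security ipsec security-associations'.
# '<' marks the inbound SA, '>' the outbound SA; 'Life:sec/kb' is "seconds/ kilobytes".
IPSEC_OUTPUT = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 c4f2a1b9 2913/ unlim - root 500 2.2.2.2
  >131073 ESP:aes-cbc-128/sha1 9e0d77c3 2913/ unlim - root 500 2.2.2.2
  <131074 ESP:aes-cbc-128/sha1 0a1b2c3d 180/ unlim - root 500 3.3.3.3
"""


def parse_ike(text):
    """Map remote address -> (SA index, state) from the phase 1 table."""
    sas = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 6 and tok[0].isdigit():
            sas[tok[5]] = (int(tok[0]), tok[1])
    return sas


def parse_ipsec(text):
    """Map gateway -> {'<' or '>': (SA id, remaining seconds)} from the phase 2 table."""
    tunnels = defaultdict(dict)
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0][0] in "<>" and tok[0][1:].isdigit():
            tunnels[tok[-1]][tok[0][0]] = (int(tok[0][1:]), int(tok[3].rstrip("/")))
    return tunnels


def tunnel_health(ike_text, ipsec_text, expected_peers, min_life=300):
    """Return {peer: [problems]}; an empty list means phase 1 is UP and both
    phase 2 SAs exist with more than min_life seconds left."""
    ike, ipsec = parse_ike(ike_text), parse_ipsec(ipsec_text)
    report = {}
    for peer in expected_peers:
        problems = []
        index, state = ike.get(peer, (None, "missing"))
        if state != "UP":
            hint = f" (show security ike security-associations index {index} detail)" if index else ""
            problems.append(f"IKE SA {state}{hint}")
        sas = ipsec.get(peer, {})
        for arrow, label in (("<", "inbound"), (">", "outbound")):
            if arrow not in sas:
                problems.append(f"no {label} IPsec SA")
            elif sas[arrow][1] < min_life:
                problems.append(f"{label} SA {sas[arrow][0]} expires in {sas[arrow][1]}s")
        report[peer] = problems
    return report


if __name__ == "__main__":
    for peer, problems in tunnel_health(IKE_OUTPUT, IPSEC_OUTPUT, ["2.2.2.2", "3.3.3.3"]).items():
        print(peer, "OK" if not problems else "; ".join(problems))
```

Run against the sample data, 2.2.2.2 comes back clean and 3.3.3.3 is reported with its phase 1 down, a lone inbound SA close to expiry and no outbound SA, which is the pattern of a peer that stopped answering rekeys.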
VPN JUNIPER PART 2
Taking a Juniper example as reference.
VPN Juniper
Policy-Based VPN
Requirements

Configuring Interface, Static Route, Security Zone, and Address Book Information
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security address-book book1 address sunnyvale 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address chicago 192.168.168.0/24
set security address-book book2 attach zone untrust

Configuring IKE
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ike gateway gw-chicago ike-policy ike-phase1-policy
set security ike gateway gw-chicago address 2.2.2.2

Configuring IPsec
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy

Configuring Security Policies
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address sunnyvale
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address sunnyvale
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
insert security policies from-zone trust to-zone untrust policy vpn-tr-untr before policy permit-any
Route-Based VPN
Requirements

Configuring Interface, Static Route, Security Zone, and Address Book Information
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet address 10.11.11.10/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone vpn-chicago interfaces st0.0
set security address-book book1 address sunnyvale 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address chicago 192.168.168.0/24
set security address-book book2 attach zone untrust

Configuring IKE
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ike gateway gw-chicago ike-policy ike-phase1-policy
set security ike gateway gw-chicago address 2.2.2.2

Configuring IPsec
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-chicago bind-interface st0.0

Configuring Security Policies
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match source-address sunnyvale
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match destination-address chicago
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match application any
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi then permit
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match source-address chicago
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match destination-address sunnyvale
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match application any
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr then permit
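The two configurations above differ in how traffic reaches the tunnel. The policy-based one needs a security policy that ends in `permit tunnel ipsec-vpn`, and that policy must be evaluated before any broader permit in the same zone pair, which is what the closing `insert ... before policy permit-any` guarantees. The route-based one needs the `bind-interface st0.0`, a static route whose next hop is `st0.0`, and a zone that contains `st0.0`. Both need the zone holding the external interface to admit IKE. The Python below is an added example, not Juniper tooling, that reads `set`/`insert` statements and checks exactly those relationships; it also flags `dh-group group2` (1024-bit MODP) and `sha1` in the IKE proposal as legacy choices. The sample statements are taken from the page's own configurations; in POLICY_BASED the any/any policy is entered first so the shadowing check has something to catch.

```python
from collections import defaultdict

# Sample statements taken from the page.  In POLICY_BASED the any/any policy is entered
# first, so the tunnel policy is shadowed until the 'insert ... before' in REORDER is applied.
POLICY_BASED = """\
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
"""
REORDER = "insert security policies from-zone trust to-zone untrust policy vpn-tr-untr before policy permit-any\n"
ROUTE_BASED = """\
set routing-options static route 192.168.168.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone vpn-chicago interfaces st0.0
set security ike proposal ike-phase1-proposal dh-group group2
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago bind-interface st0.0
"""
# Still accepted by Junos but worth flagging: group2 is 1024-bit MODP, SHA-1 and MD5 are deprecated.
LEGACY = {"dh-group": {"group1", "group2"}, "authentication-algorithm": {"md5", "sha1"}}

def parse(text):
    """One tuple of tokens per 'set' or 'insert' statement."""
    return [tuple(l.split()) for l in text.splitlines() if l.split()[:1] in (["set"], ["insert"])]

def after(stmts, *prefix):
    """Trailing tokens of every 'set' statement that begins with prefix."""
    n = len(prefix)
    return [s[n + 1:] for s in stmts if s[0] == "set" and s[1:n + 1] == prefix]

def zone_of(stmts, ifname):
    """Security zone the interface belongs to, or None."""
    for rest in after(stmts, "security", "zones", "security-zone"):
        if rest[1:3] == ("interfaces", ifname):
            return rest[0]
    return None

def ike_allowed(stmts, zone):
    """True if the zone admits IKE (or all system services) on its interfaces."""
    svc = after(stmts, "security", "zones", "security-zone", zone, "host-inbound-traffic", "system-services")
    return any(rest[0] in ("ike", "all") for rest in svc)

def policy_order(stmts, fz, tz):
    """Evaluation order for a zone pair: order of first 'set', adjusted by 'insert ... before'."""
    order = []
    for s in stmts:
        if s[1:7] != ("security", "policies", "from-zone", fz, "to-zone", tz):
            continue
        name = s[8]
        if s[0] == "set" and name not in order:
            order.append(name)
        elif s[0] == "insert" and s[9:11] == ("before", "policy"):
            order.remove(name)
            order.insert(order.index(s[11]), name)
    return order

def any_any(stmts, fz, tz, pol):
    """True if the policy matches any source and any destination address."""
    m = after(stmts, "security", "policies", "from-zone", fz, "to-zone", tz, "policy", pol, "match")
    return ("source-address", "any") in m and ("destination-address", "any") in m

def lint(text):
    """Findings for one configuration; an empty list means every check passed."""
    stmts, findings = parse(text), []
    for name, knob, value in after(stmts, "security", "ike", "proposal"):
        if value in LEGACY.get(knob, ()):
            findings.append(f"ike proposal {name}: {knob} {value} is a legacy choice")
    for gw, knob, value in after(stmts, "security", "ike", "gateway"):
        if knob == "external-interface" and not ike_allowed(stmts, zone_of(stmts, value)):
            findings.append(f"ike gateway {gw}: {value} is not in a zone that admits IKE")
    vpns, tunnel_policies = defaultdict(dict), defaultdict(list)
    for rest in after(stmts, "security", "ipsec", "vpn"):
        vpns[rest[0]][" ".join(rest[1:-1])] = rest[-1]
    for s in stmts:  # policies that steer traffic into a tunnel: vpn -> [(from-zone, to-zone, policy)]
        if s[0] == "set" and s[1:3] == ("security", "policies") and "ipsec-vpn" in s:
            tunnel_policies[s[s.index("ipsec-vpn") + 1]].append((s[4], s[6], s[8]))
    for vpn, attrs in vpns.items():
        st = attrs.get("bind-interface")
        if st:  # route-based: traffic must be routed into st0 and st0 must belong to a zone
            if not any(r[-1] == st for r in after(stmts, "routing-options", "static", "route")):
                findings.append(f"ipsec vpn {vpn}: no static route points at {st}")
            if zone_of(stmts, st) is None:
                findings.append(f"ipsec vpn {vpn}: {st} is not in any security zone")
        elif vpn not in tunnel_policies:  # policy-based: a policy must reference the vpn
            findings.append(f"ipsec vpn {vpn}: no policy uses 'permit tunnel ipsec-vpn {vpn}'")
    for vpn, refs in tunnel_policies.items():
        for fz, tz, pol in refs:
            order = policy_order(stmts, fz, tz)
            for earlier in order[:order.index(pol)]:
                if any_any(stmts, fz, tz, earlier):
                    findings.append(f"policy {pol} ({fz}->{tz}) is shadowed by any/any policy {earlier}")
    return findings
```

`lint(POLICY_BASED)` reports the two legacy algorithm choices plus the shadowed tunnel policy; appending `REORDER` removes the shadowing finding, which is the effect the page's final `insert` statement has on a device where `permit-any` already existed. `lint(ROUTE_BASED)` reports only the DH group, and deleting its static route line produces the "no static route points at st0.0" finding, the most common reason a route-based tunnel comes up but carries no traffic.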
Wednesday, 29 October 2014
Wednesday, 23 July 2014
VBSCRIPT: COPYING CONFIGURATIONS TO A TFTP SERVER
Automation to copy the configuration file of several Dell switches, in this case to a TFTP server, using a .vbs script and SecureCRT.
As reference material I took information from the following links:
http://foro.elhacker.net/scripting/tutorial_vbscript-t229032.0.html
http://loquehayenmedio.blogspot.com/search/label/VBScript
To run the script, I log in to a router with SecureCRT and open the script saved earlier.
Here is the file; it is edited in a text editor and saved with the .vbs extension:
In the script I explain the variables needed to run it; the links above cover the programming features.
*************************************************************************
#$language = "VBScript"
#$interface = "1.0"

Sub Main
    Const username = "USUARIO"              ' user account used to log in to the switch
    Const password = "CONTRASEÑA"           ' password for that user
    Const passenable = "CONT-ENABLE"        ' enable password, if one is required
    Const yes = "y"
    Const DEVICE_FILE_PATH = "E:\IP.TXT"                ' file with the IP addresses
    Const DEVICE_FILE_PATH2 = "E:\CONFIGURACION.TXT"    ' file with the names to save the configurations under

    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")    ' object for reading the IP file
    Dim fso2
    Set fso2 = CreateObject("Scripting.FileSystemObject")   ' object for reading the CONFIGURACION file
    Dim fil
    Set fil = fso.OpenTextFile(DEVICE_FILE_PATH)
    Dim fil2
    Set fil2 = fso2.OpenTextFile(DEVICE_FILE_PATH2)
    Dim ip          ' IP address of the switch being processed
    Dim ip2         ' name the configuration will be stored under on the TFTP server
    Dim line
    Dim line2
    Dim cnxnString  ' not used below; the telnet command is typed directly

    ' Both files are read in lockstep: line n of IP.TXT goes with line n of CONFIGURACION.TXT
    While Not fil.AtEndOfStream And Not fil2.AtEndOfStream
        line = fil.ReadLine
        line2 = fil2.ReadLine
        ip = Split(line, ";")(0)            ' the address is the text before the first ';'
        ip2 = Split(line2, ";")(0)          ' the file name is the text before the first ';'
        cnxnString = "TELNET " & ip & " 23"
        crt.Screen.Send "telnet " & ip & chr(13)    ' every CLI command is sent as text plus a carriage return
        crt.Screen.WaitForString "User:"
        crt.Screen.Send username
        crt.Screen.Send vbCr
        crt.Screen.WaitForString "Password:"
        crt.Screen.Send password
        crt.Screen.Send vbCr
        crt.Screen.WaitForString ">"
        crt.Screen.Send vbCr
        crt.Screen.Send "enable" & chr(13)
        crt.Screen.Send passenable
        crt.Screen.Send vbCr
        crt.Screen.Send "copy running-config startup-config" & chr(13)   ' command to send
        crt.Screen.WaitForString "(y/n)"    ' the prompt we expect back
        crt.Screen.Send yes                 ' the answer we give
        crt.Screen.Send vbCr                ' wait before sending the next command
        crt.Screen.Send "copy running-config backup-config" & chr(13)
        crt.Screen.WaitForString "(y/n)"
        crt.Screen.Send yes
        crt.Screen.Send vbCr
        crt.Screen.Send "copy running-config tftp://192.168.5.55/" & ip2 & chr(13)
        crt.Screen.WaitForString "(y/n)"
        crt.Screen.Send yes
        crt.Screen.Send vbCr
        crt.Screen.Send "q" & chr(13)
        crt.Screen.Send vbCr
        crt.Screen.WaitForString "closed by foreign host]"
    Wend

    fil.Close
    fil2.Close
End Sub
*****************************************************************************
IP.TXT
192.168.1.1;
192.168.2.1;
192.168.3.1;
****************************************************************************
CONFIGURACION.TXT
SWITCH1;
SWITCH2;
SWITCH3;
*****************************************************************************
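An added check, in Python and not part of the original post, for the two input files before a run. The script reads IP.TXT and CONFIGURACION.TXT in lockstep, one line from each per switch, and keeps the text before the first `;`, so a missing or extra line in either file shifts every backup onto the wrong name, and a repeated name makes one switch's backup overwrite another's on the TFTP server. The file contents embedded below are the page's own samples and the TFTP address is the one the script uses; `copy_commands` renders the exact `copy` line the script would send for each switch so the pairing can be reviewed.

```python
import ipaddress
import re

# The page's own sample files, embedded so the check runs offline.
IP_TXT = "192.168.1.1;\n192.168.2.1;\n192.168.3.1;\n"
CONFIGURACION_TXT = "SWITCH1;\nSWITCH2;\nSWITCH3;\n"
TFTP_SERVER = "192.168.5.55"  # address used by the script's copy command

# Names that are safe to embed in a tftp:// URL typed on the switch CLI.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def first_field(text):
    """Value before the first ';' on each non-blank line, as Split(line, ";")(0) does in the script."""
    return [line.split(";")[0].strip() for line in text.splitlines() if line.strip()]


def pair_targets(ip_text, name_text):
    """Return [(ip, backup_name), ...] or raise ValueError describing the first problem found."""
    ips, names = first_field(ip_text), first_field(name_text)
    if len(ips) != len(names):
        raise ValueError(f"{len(ips)} addresses but {len(names)} names: the files are read in lockstep")
    seen, targets = set(), []
    for ip, name in zip(ips, names):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if not SAFE_NAME.match(name):
            raise ValueError(f"unsafe backup name {name!r}")
        if name in seen:
            raise ValueError(f"duplicate backup name {name!r} would overwrite an earlier copy")
        seen.add(name)
        targets.append((ip, name))
    return targets


def copy_commands(targets, server=TFTP_SERVER):
    """The 'copy' command the script sends for each switch, for review before a run."""
    return [f"copy running-config tftp://{server}/{name}" for _, name in targets]


if __name__ == "__main__":
    for ip, cmd in zip([t[0] for t in pair_targets(IP_TXT, CONFIGURACION_TXT)],
                       copy_commands(pair_targets(IP_TXT, CONFIGURACION_TXT))):
        print(ip, "->", cmd)
```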
Thursday, 17 July 2014
Configuring SSH on the Dell 6248 switch
!System
Description "PowerConnect 6248, 3.3.11.2, VxWorks 6.5"
To enable the SSH service on the 6248 switches we must generate both RSA and DSA keys; both need to be present, otherwise the switch will not let us establish the connection.
Here is how we do it. First we try to enable the service:
console(config)#ip ssh server
SSH could not be enabled.
As you can see, it does not let us enable the service; to get past this we generate the keys like this:
console(config)#crypto key generate ?
dsa Generate DSA key pairs.
rsa Generate RSA key pairs.
console(config)#crypto key generate rsa
RSA key generation started, this may take a few minutes........
RSA key generation complete.
console(config)#crypto key generate dsa
DSA key generation started, this may take a few minutes..........................................
DSA key generation complete.
Once the keys are generated we can enable SSH protocol 2 and the service:
console(config)#ip ssh protocol 2
console(config)#ip ssh server
Once connected, we check that the service is active:
Connection Host       Address       Port
---------- ---------- ------------- -------
0          10.1.1.2   10.15.15.25   Telnet
1          10.1.1.2   10.15.15.25   SSH
Finally, as is only sensible, we disable the telnet service:
console(config)#ip telnet server disable
console(config)#
*** CONNECTION CLOSED BY ADMIN ***
Sorry, new remote sessions are disallowed by current switch configuration.
To check that the keys have been generated, use the following command:
console#show crypto key mypubkey
RSA key data:
ssh-rsa AAAAB3NzaC1yc2EAAA
DSA key data:
ssh-dss AAAAB3NzaC1kc3MAA
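An added example, in Python and not from the original post, that decodes the key blobs `show crypto key mypubkey` prints. Everything after `ssh-rsa` or `ssh-dss` is base64 of the SSH wire format (RFC 4251/4253): a length-prefixed type string followed by length-prefixed integers, e and n for RSA, p, q, g and y for DSA. That is why every RSA key starts with `AAAAB3NzaC1yc2E` and every DSA key with `AAAAB3NzaC1kc3M`, as in the truncated output above, and decoding the full blob lets you confirm the modulus size the switch generated. The two complete blobs below are built from made-up integers of realistic size and are not real keys; `prefix_type` is run on the page's own truncated strings. One caveat for the DSA key the 6248 insists on: ssh-dss keys are 1024-bit, and OpenSSH clients have refused them by default since version 7.0, so the RSA key is the one current clients will actually use.

```python
import base64
import struct


def _string(b):
    """SSH 'string': uint32 length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """SSH 'mpint': big-endian two's-complement integer with a uint32 length; a leading 0x00 is added when the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _string(b)


def encode_blob(key_type, *numbers):
    """Base64 body of a public key line, e.g. encode_blob('ssh-rsa', e, n)."""
    blob = _string(key_type.encode()) + b"".join(_mpint(n) for n in numbers)
    return base64.b64encode(blob).decode()


def decode_blob(b64):
    """Return (key type, [bit length of each integer field]) from a base64 key body."""
    raw, pos, fields = base64.b64decode(b64), 0, []
    while pos < len(raw):
        if pos + 4 > len(raw):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack(">I", raw[pos:pos + 4])
        pos += 4
        if pos + length > len(raw):
            raise ValueError("truncated key blob")
        fields.append(raw[pos:pos + length])
        pos += length
    return fields[0].decode(), [int.from_bytes(f, "big").bit_length() for f in fields[1:]]


def key_strength(b64):
    """(key type, modulus bits): n for ssh-rsa (fields e, n), p for ssh-dss (fields p, q, g, y)."""
    key_type, bits = decode_blob(b64)
    if key_type == "ssh-rsa" and len(bits) == 2:
        return key_type, bits[1]
    if key_type == "ssh-dss" and len(bits) == 4:
        return key_type, bits[0]
    raise ValueError(f"unexpected key layout: {key_type} with {len(bits)} integers")


def prefix_type(b64):
    """Key type from the first 16 base64 characters alone, which is all the truncated switch output shows."""
    raw = base64.b64decode(b64[:16])
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode()


# Constructed sample keys: the integers are placeholders with realistic sizes, not real key material.
SAMPLE_RSA = encode_blob("ssh-rsa", 65537, (1 << 2047) | 1)
SAMPLE_DSS = encode_blob("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)

if __name__ == "__main__":
    print(prefix_type("AAAAB3NzaC1yc2EAAA"), prefix_type("AAAAB3NzaC1kc3MAA"))
    print(key_strength(SAMPLE_RSA), key_strength(SAMPLE_DSS))
```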