Monday, November 3, 2014

VPN Juniper part 3

Checking the VPN status

Verifying the IKE Phase 1 status:
show security ike security-associations
show security ike security-associations index (number) detail

Verifying the IPsec Phase 2 status:
show security ipsec security-associations
show security ipsec security-associations index (number) detail
show security ipsec statistics index (number)
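
The commands above only show the state when read by hand. As an added example (not from the original post), here is a small Python parser that reads the output of the IKE and IPsec security-association commands and decides whether the tunnel to a given peer is fully up or which phase failed. The sample output is constructed to follow the column layout of these commands; 2.2.2.2 is the peer address used in the configuration post, while the second peer, cookies, SPIs and lifetimes are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real device); it follows the
# column layout of the two Junos commands listed above. 2.2.2.2 is the peer
# address used in the configuration post; 3.3.3.3, the cookies, SPIs and
# lifetimes are made up.
IKE_SA_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     0123456789abcdef  fedcba9876543210  Main
2       3.3.3.3         DOWN   0000000000000000  0000000000000000  Main
"""

IPSEC_SA_OUTPUT = """\
  total configured sa: 2
  ID    Gateway          Port  Algorithm        SPI      Life:sec/kb  Mon vsys
  <16384 2.2.2.2         500   ESP:aes-128/sha1 76d64d1d 3363/ unlim   -   0
  >16384 2.2.2.2         500   ESP:aes-128/sha1 a1024ee2 3363/ unlim   -   0
"""

@dataclass
class IkeSa:
    index: int
    remote: str
    state: str          # UP / DOWN

@dataclass
class IpsecSa:
    direction: str      # '<' inbound, '>' outbound
    sa_id: int
    gateway: str
    algorithm: str
    spi: str
    life_sec: int

def parse_ike_sas(text):
    """Rows of 'show security ike security-associations' (header skipped)."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():
            sas.append(IkeSa(int(parts[0]), parts[1], parts[2]))
    return sas

# <id gateway port algorithm spi life/
IPSEC_ROW = re.compile(r"^\s*([<>])(\d+)\s+(\S+)\s+\d+\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/")

def parse_ipsec_sas(text):
    """Rows of 'show security ipsec security-associations'; one row per direction."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            d, sa_id, gw, alg, spi, life = m.groups()
            sas.append(IpsecSa(d, int(sa_id), gw, alg, spi, int(life)))
    return sas

def tunnel_status(peer, ike_text=IKE_SA_OUTPUT, ipsec_text=IPSEC_SA_OUTPUT):
    """Decide which phase, if any, failed for the tunnel to `peer`."""
    ike = [s for s in parse_ike_sas(ike_text) if s.remote == peer]
    ipsec = [s for s in parse_ipsec_sas(ipsec_text) if s.gateway == peer]
    phase1_up = any(s.state == "UP" for s in ike)
    phase2_up = {s.direction for s in ipsec} == {"<", ">"}   # both directions needed
    if not ike:
        verdict = "no IKE SA: phase 1 never negotiated (peer address, PSK or IKE proposal)"
    elif not phase1_up:
        verdict = "phase 1 down"
    elif not phase2_up:
        verdict = "phase 1 up, phase 2 incomplete (IPsec proposal, PFS group or proxy-ID mismatch)"
    else:
        verdict = "tunnel up"
    return {"peer": peer, "phase1_up": phase1_up, "phase2_up": phase2_up,
            "min_life_sec": min((s.life_sec for s in ipsec), default=None),
            "verdict": verdict}

if __name__ == "__main__":
    for peer in ("2.2.2.2", "3.3.3.3", "4.4.4.4"):
        print(tunnel_status(peer))
```

A tunnel counts as up only when phase 1 is UP and both the inbound (`<`) and outbound (`>`) phase 2 SAs exist; a phase 1 that is UP with no phase 2 rows is the usual sign of a proposal or proxy-ID mismatch, which the `detail` variants of the commands help confirm.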

VPN JUNIPER PART 2

Using a Juniper example as reference.

VPN Juniper


Requirements: Policy-Based VPN

Configuring Interface, Static Route, Security Zone, and Address Book Information
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security address-book book1 address sunnyvale 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address chicago 192.168.168.0/24
set security address-book book2 attach zone untrust
Configuring IKE
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ike gateway gw-chicago ike-policy ike-phase1-policy
set security ike gateway gw-chicago address 2.2.2.2
Configuring IPsec
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy
Configuring Security Policies
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address sunnyvale
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address sunnyvale
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
insert security policies from-zone trust to-zone untrust policy vpn-tr-untr before policy permit-any
Requirements: Route-Based VPN

Configuring Interface, Static Route, Security Zone, and Address Book Information
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet address 10.11.11.10/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone vpn-chicago interfaces st0.0
set security address-book book1 address sunnyvale 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address chicago 192.168.168.0/24
set security address-book book2 attach zone untrust
Configuring IKE
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ike gateway gw-chicago ike-policy ike-phase1-policy
set security ike gateway gw-chicago address 2.2.2.2
Configuring IPsec
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-chicago bind-interface st0.0
Configuring Security Policies
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match source-address sunnyvale
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match destination-address chicago
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match application any
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi then permit
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match source-address chicago
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match destination-address sunnyvale
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match application any
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr then permit
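
As an added example (not from the Juniper document this post copies), the Python below reads a list of `set` commands and flags the omissions that most often leave one of these tunnels down: IKE not accepted inbound on the zone of the gateway's external interface, an st0 unit bound to the VPN but not placed in a zone or used by a route, a tunnel policy whose pair-policy does not point back at it, and an IPsec policy without perfect forward secrecy. The two embedded inputs are subsets of the commands listed above; the check logic and messages are this example's own.

```python
import re

# Subsets of the route-based and policy-based commands listed in the post.
ROUTE_BASED = """\
set routing-options static route 192.168.168.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone vpn-chicago interfaces st0.0
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago bind-interface st0.0
""".splitlines()

POLICY_BASED = """\
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
""".splitlines()

def _find(lines, pattern):
    """Capture groups of every line that fully matches the regex pattern."""
    rx = re.compile(pattern)
    return [m.groups() for m in map(rx.fullmatch, lines) if m]

def lint(lines):
    """Return a list of findings (empty when none of the checks fire)."""
    findings = []
    zone_of = {iface: zone for zone, iface in
               _find(lines, r"set security zones security-zone (\S+) interfaces (\S+)")}
    ike_zones = {z for z, _ in _find(
        lines, r"set security zones security-zone (\S+) host-inbound-traffic system-services (ike|all)")}

    # 1. IKE (UDP 500/4500) must be accepted on the zone holding the gateway's external interface
    for gw, iface in _find(lines, r"set security ike gateway (\S+) external-interface (\S+)"):
        zone = zone_of.get(iface)
        if zone is None:
            findings.append(f"gateway {gw}: {iface} is not in any security zone")
        elif zone not in ike_zones:
            findings.append(f"gateway {gw}: zone {zone} lacks host-inbound-traffic system-services ike")

    # 2. Route-based: the bound st0 unit needs a zone and a route pointing at it
    routed = {nh for _, nh in _find(lines, r"set routing-options static route (\S+) next-hop (\S+)")}
    for vpn, st in _find(lines, r"set security ipsec vpn (\S+) bind-interface (\S+)"):
        if st not in zone_of:
            findings.append(f"vpn {vpn}: {st} is not in any security zone")
        if st not in routed:
            findings.append(f"vpn {vpn}: no static route uses {st} as next-hop")

    # 3. Policy-based: each tunnel policy needs a pair-policy that points back with the same VPN
    tunnel = {}
    for pol, vpn in _find(lines, r"set security policies .* policy (\S+) then permit tunnel ipsec-vpn (\S+)"):
        tunnel.setdefault(pol, {})["vpn"] = vpn
    for pol, pair in _find(lines, r"set security policies .* policy (\S+) then permit tunnel pair-policy (\S+)"):
        tunnel.setdefault(pol, {})["pair"] = pair
    for pol, t in tunnel.items():
        pair = t.get("pair")
        if pair is None:
            findings.append(f"policy {pol}: tunnel policy has no pair-policy")
            continue
        other = tunnel.get(pair, {})
        if other.get("pair") != pol or other.get("vpn") != t.get("vpn"):
            findings.append(f"policy {pol}: pair-policy {pair} does not point back with the same ipsec-vpn")

    # 4. Phase 2 without PFS derives every rekey from the phase 1 DH result
    pfs = {p for (p,) in _find(lines, r"set security ipsec policy (\S+) perfect-forward-secrecy keys \S+")}
    for (p,) in _find(lines, r"set security ipsec policy (\S+) proposals \S+"):
        if p not in pfs:
            findings.append(f"ipsec policy {p}: no perfect-forward-secrecy keys group")
    return findings

if __name__ == "__main__":
    for name, cfg in (("route-based", ROUTE_BASED), ("policy-based", POLICY_BASED)):
        print(name, lint(cfg) or "OK")
```

Both configurations from the post pass as written; dropping the `host-inbound-traffic system-services ike` line, or one half of a pair-policy, produces a finding, which is the kind of check worth running on the candidate configuration before commit.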

Wednesday, July 23, 2014

VBSCRIPT: COPYING CONFIGURATIONS TO A TFTP SERVER





Automation to copy the configuration file of several Dell switches, in this case to a TFTP server, using a .vbs script and SecureCRT.
As reference material I took information from the following links:

http://foro.elhacker.net/scripting/tutorial_vbscript-t229032.0.html
http://loquehayenmedio.blogspot.com/search/label/VBScript

To run the script, I open a session to a router with SecureCRT and browse to the previously saved script.




Here is the file; it is edited in a text editor and saved with the .vbs extension:
Below I basically explain the variables needed to run the script; the links above contain the information on the language features.
*************************************************************************
#$language = "VBScript"
#$interface = "1.0"

Sub Main

    Const username = "USUARIO" ' User name used to connect to the switch
    Const password = "CONTRASEÑA" ' Valid password for USUARIO
    Const passenable = "CONT-ENABLE" ' Enable password, if required
    Const yes = "y"
    Const DEVICE_FILE_PATH = "E:\IP.TXT" ' File with the IP addresses
    Const DEVICE_FILE_PATH2 = "E:\CONFIGURACION.TXT" ' File with the names used to save the configurations

    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject") ' File system object used to open both files

    Dim fil
    Set fil = fso.OpenTextFile(DEVICE_FILE_PATH) ' Handle for the IP file

    Dim fil2
    Set fil2 = fso.OpenTextFile(DEVICE_FILE_PATH2) ' Handle for the configuration-name file

    Dim ip ' Variable holding the switch IP
    Dim ip2 ' Variable holding the file name (as it will be stored on the TFTP server)

    Dim line
    Dim line2

    ' Both files are read in step, one line per switch; stop when either one runs out
    While Not fil.AtEndOfStream And Not fil2.AtEndOfStream

        line = fil.ReadLine ' how the files are read
        line2 = fil2.ReadLine

        ip = Split(line, ";")(0) ' syntax to extract the IP
        ip2 = Split(line2, ";")(0) ' syntax to extract the file name

        crt.Screen.Send "telnet " & ip & Chr(13) ' format used to run CLI commands

        crt.Screen.WaitForString "User:"
        crt.Screen.Send username
        crt.Screen.Send vbCr

        crt.Screen.WaitForString "Password:"
        crt.Screen.Send password
        crt.Screen.Send vbCr

        crt.Screen.WaitForString ">"
        crt.Screen.Send vbCr

        crt.Screen.Send "enable" & Chr(13)
        crt.Screen.Send passenable
        crt.Screen.Send vbCr

        crt.Screen.Send "copy running-config startup-config" & Chr(13) ' command to send
        crt.Screen.WaitForString "(y/n)" ' prompt we expect to see
        crt.Screen.Send yes ' the answer we give
        crt.Screen.Send vbCr ' wait before sending the next command

        crt.Screen.Send "copy running-config backup-config" & Chr(13)
        crt.Screen.WaitForString "(y/n)"
        crt.Screen.Send yes
        crt.Screen.Send vbCr

        crt.Screen.Send "copy running-config tftp://192.168.5.55/" & ip2 & Chr(13)
        crt.Screen.WaitForString "(y/n)"
        crt.Screen.Send yes
        crt.Screen.Send vbCr

        crt.Screen.Send "q" & Chr(13)
        crt.Screen.Send vbCr

        crt.Screen.WaitForString "closed by foreign host]"

    Wend

    fil.Close
    fil2.Close

End Sub

*****************************************************************************
IP.TXT
192.168.1.1;
192.168.2.1;
192.168.3.1;

****************************************************************************
CONFIGURACION.TXT
SWITCH1;
SWITCH2;
SWITCH3;
*****************************************************************************
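
The script above reads one line from each file per switch and trusts both files blindly: if CONFIGURACION.TXT has fewer lines than IP.TXT the run aborts partway, and a bad address or file name is only discovered on the switch. As an added example (Python, not part of the original post and not something the .vbs does), here is a validator for the two inventory files that catches those cases before the backup run. The file contents are embedded inline as constructed samples with the same layout as IP.TXT and CONFIGURACION.TXT; the TFTP address is the one the script uses.

```python
import ipaddress
import re

# Constructed inventory contents in the layout the .vbs script expects.
IP_TXT = "192.168.1.1;\n192.168.2.1;\n192.168.3.1;\n"
CONFIG_TXT = "SWITCH1;\nSWITCH2;\nSWITCH3;\n"
TFTP_SERVER = "192.168.5.55"   # same server as in the script

# Backup file names must be plain tokens: no path separators, spaces or CLI metacharacters
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

def first_field(line):
    """Mimic the script's Split(line, ";")(0): the text before the first ';'."""
    return line.split(";")[0].strip()

def load_inventory(ip_text, name_text):
    """Pair each address with its backup file name; return (devices, errors)."""
    ips = [first_field(l) for l in ip_text.splitlines() if l.strip()]
    names = [first_field(l) for l in name_text.splitlines() if l.strip()]
    errors = []
    if len(ips) != len(names):
        errors.append(f"line count mismatch: {len(ips)} addresses vs {len(names)} file names")
    devices = []
    for n, (ip, name) in enumerate(zip(ips, names), start=1):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"line {n}: '{ip}' is not a valid IP address")
            continue
        if not NAME_RE.match(name):
            errors.append(f"line {n}: '{name}' is not a safe backup file name")
            continue
        devices.append((str(addr), name))
    # Two switches writing the same name would overwrite each other on the TFTP server
    if len({name for _, name in devices}) != len(devices):
        errors.append("duplicate backup file names")
    return devices, errors

def backup_command(name, server=TFTP_SERVER):
    """The copy command the script sends for one switch."""
    return f"copy running-config tftp://{server}/{name}"

if __name__ == "__main__":
    devices, errors = load_inventory(IP_TXT, CONFIG_TXT)
    for err in errors:
        print("ERROR:", err)
    for ip, name in devices:
        print(ip, "->", backup_command(name))
```

Running the validator first means the .vbs only ever iterates over a consistent, sanity-checked list; the `while` loop in the script still stops when either file ends, but it cannot tell you why.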

Thursday, July 17, 2014

SSH configuration on the Dell 6248 switch




!System Description "PowerConnect 6248, 3.3.11.2, VxWorks 6.5"

To enable the SSH service on the 6248 switches we must generate both RSA and DSA keys; yes, both have to be enabled, otherwise the switch does not let us establish the connection.
How do we do it? First we try to enable the service:

console(config)#ip ssh server   
SSH could not be enabled.

As can be seen, it does not let us enable the service; to get there we generate the keys as follows:

console(config)#crypto key generate ?
dsa                      Generate DSA key pairs.
rsa                      Generate RSA key pairs.


console(config)#crypto key generate rsa

RSA key generation started, this may take a few minutes........
RSA key generation complete.

console(config)#crypto key generate dsa
DSA key generation started, this may take a few minutes..........................................
DSA key generation complete.

Once the keys are generated we can enable the SSH service:

console(config)#ip ssh protocol 2
console(config)#ip ssh server 


Once connected, we check that the service is active:

Connection Host                     Address                  Port
---------- ------------------------ ------------------------ -----------
0          10.1.1.2                     10.15.15.25              Telnet    
1          10.1.1.2                     10.15.15.25              SSH   

To finish, and as would be expected, we disable the telnet service:

console(config)#ip telnet server disable
console(config)#
*** CONNECTION CLOSED BY ADMIN ***
Sorry, new remote sessions are disallowed by current switch configuration.


To verify that the keys have been generated we use the following command:

console#show crypto key mypubkey

 RSA key data:
               ssh-rsa AAAAB3NzaC1yc2EAAA

 DSA key data:
               ssh-dss AAAAB3NzaC1kc3MAA
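
The two blobs printed above are cut off right after the key-type field, which is the first element of the SSH public-key wire format (RFC 4253, section 6.6: a length-prefixed string naming the type, followed by the key's integers). As an added example, not from the post or from Dell, the Python below decodes that format: it recovers the key type from the truncated output shown above, and on a complete blob reports the key size so the generated RSA key can be checked against a 2048-bit minimum. Since the post does not include the full keys, the complete blobs are constructed here from made-up moduli.

```python
import base64
import struct

# Key-type prefixes exactly as printed by the switch in the post (truncated output)
RSA_PREFIX_FROM_POST = "AAAAB3NzaC1yc2EAAA"
DSA_PREFIX_FROM_POST = "AAAAB3NzaC1kc3MAA"

def _b64decode_lenient(b64):
    """Decode base64 that may be cut off mid-group (a lone trailing character is dropped)."""
    if len(b64) % 4 == 1:
        b64 = b64[:-1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))

def _take_string(data):
    """Read one RFC 4251 'string' (4-byte big-endian length + bytes); mpints use the same framing."""
    if len(data) < 4:
        raise ValueError("truncated key blob")
    n = struct.unpack(">I", data[:4])[0]
    if len(data) < 4 + n:
        raise ValueError("truncated key blob")
    return data[4:4 + n], data[4 + n:]

def key_type(b64):
    """The key type is the first string in the blob, so it survives even in the truncated output."""
    return _take_string(_b64decode_lenient(b64))[0].decode("ascii")

def decode_pubkey(b64):
    """Return (key type, size in bits) for a complete ssh-rsa or ssh-dss blob."""
    ktype, rest = _take_string(_b64decode_lenient(b64))
    ktype = ktype.decode("ascii")
    if ktype == "ssh-rsa":          # string "ssh-rsa", mpint e, mpint n
        _e, rest = _take_string(rest)
        n, _ = _take_string(rest)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-dss":        # string "ssh-dss", mpint p, q, g, y
        p, _ = _take_string(rest)
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError(f"unsupported key type {ktype!r}")
    return ktype, bits

def is_complete(b64):
    """True when the blob parses fully; False for truncated output like the post's."""
    try:
        decode_pubkey(b64)
        return True
    except ValueError:
        return False

def is_acceptable(ktype, bits):
    """RSA of at least 2048 bits; ssh-dss is fixed at a 1024-bit p and is legacy."""
    return ktype == "ssh-rsa" and bits >= 2048

def _mpint(x):
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # extra leading 0x00 when the high bit is set
    return struct.pack(">I", len(b)) + b

def make_rsa_blob(e, n):
    """Build a complete ssh-rsa blob; used here only to construct sample inputs."""
    name = b"ssh-rsa"
    return base64.b64encode(struct.pack(">I", len(name)) + name + _mpint(e) + _mpint(n)).decode("ascii")

# Constructed samples: the moduli are not real RSA keys, just integers of the chosen size.
SAMPLE_2048 = make_rsa_blob(65537, (1 << 2047) | 1)
SAMPLE_1024 = make_rsa_blob(65537, (1 << 1023) | 1)

if __name__ == "__main__":
    for label, blob in (("post rsa", RSA_PREFIX_FROM_POST), ("post dsa", DSA_PREFIX_FROM_POST),
                        ("sample 2048", SAMPLE_2048), ("sample 1024", SAMPLE_1024)):
        if is_complete(blob):
            kt, bits = decode_pubkey(blob)
            print(label, kt, bits, "OK" if is_acceptable(kt, bits) else "WEAK")
        else:
            print(label, key_type(blob), "(truncated output, size unknown)")
```

On a real switch the full `show crypto key mypubkey` output would be pasted in place of the samples; the 6248 needs the DSA key present to start SSH, as the post says, but the key that clients should pin is the RSA one, and its size is what this check reports.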