cred ca tot gatitul ramane de baza – NS 5200

Posted: June 4, 2009 in technical

Pentru ca networking-ul e vai mama lui…

Dynamic IKE Gateway Using FQDN – asa cum zice la ND52_Complete_Guide. Una bucata initiator cu IP-uri dinamice, dar certificate valide si FQDN stiut, si NetScreen 5200 cu Gateway static.

Gateway-ul definit cu Static IP/Hostname: test. (FQDN)

vpn1 vpn21

Iar cand rulez testul: 

## 2009-06-04 13:14:31 : IKE<157.10.1.1> ike packet, len 112, action 1

## 2009-06-04 13:14:31 : IKE<157.10.1.1> Catcher: received 84 bytes from socket.

## 2009-06-04 13:14:31 : IKE<157.10.1.1> ****** Recv packet if <ethernet2/2> of vsys <Root> ******

## 2009-06-04 13:14:31 : IKE<157.10.1.1> Catcher: get 84 bytes. src port 500

## 2009-06-04 13:14:31 : IKE<0.0.0.0        >   ISAKMP msg: len 84, nxp 1[SA], exch 2[MM], flag 00

## 2009-06-04 13:14:31 : IKE<157.10.1.1     > Recv : [SA]

## 2009-06-04 13:14:31 : IKE<157.10.1.1> Found peer entry (1s2sRNAT) from 157.10.1.1.

## 2009-06-04 13:14:31 : IKE<157.10.1.1> Peer Gateway 1s2sRNAT is disabled, packet discarded

## 2009-06-04 13:14:31 : IKE<157.10.1.1> Rejected an initial Phase 1 packet from an unrecognized peer gateway.

Si pe buna dreptate. Dar de ce e disabled? Daca in loc de FQDN pun un IP static, gateway-ul devine activ… Un indiciu e chiar in config-ul de mai jos: toate cele trei servere DNS sunt 0.0.0.0 (set dns host dns1/dns2/dns3), deci hostname-ul “test.” nu are cum sa fie rezolvat, iar un gateway definit prin hostname pare sa ramana dezactivat cat timp rezolvarea esueaza (de confirmat pe ScreenOS).

unset key protection enable

set hardware wdt-reset

set clock timezone 0

set vrouter trust-vr sharable

set vrouter “untrust-vr”

exit

set vrouter “trust-vr”

unset auto-route-export

exit

unset alg sip enable

unset alg mgcp enable

unset alg sccp enable

unset alg sunrpc enable

unset alg msrpc enable

unset alg sql enable

unset alg appleichat enable

unset alg appleichat re-assembly enable

unset alg p2p enable

unset alg h323 enable

unset alg sctp enable

set auth-server “Local” id 0

set auth-server “Local” server-name “Local”

set auth-server “Local” timeout 0

set auth default auth server “Local”

set auth radius accounting port 1646

set admin name “netscreen”

set admin password “nKVUM2rwMUzPcrkG5sWIHdCtqkAibn”

set admin auth web timeout 0

set admin auth server “Local”

set admin format dos

set zone “Trust” vrouter “trust-vr”

set zone “Untrust” vrouter “trust-vr”

set zone “DMZ” vrouter “trust-vr”

set zone “VLAN” vrouter “trust-vr”

set zone “Untrust-Tun” vrouter “trust-vr”

set zone “Trust” tcp-rst

set zone “Untrust” block

unset zone “Untrust” tcp-rst

unset zone “V1-Trust” tcp-rst

unset zone “V1-Untrust” tcp-rst

set zone “DMZ” tcp-rst

unset zone “V1-DMZ” tcp-rst

unset zone “VLAN” tcp-rst

set zone “Untrust” screen tear-drop

set zone “Untrust” screen syn-flood

set zone “Untrust” screen ping-death

set zone “Untrust” screen ip-filter-src

set zone “Untrust” screen land

set zone “V1-Untrust” screen tear-drop

set zone “V1-Untrust” screen syn-flood

set zone “V1-Untrust” screen ping-death

set zone “V1-Untrust” screen ip-filter-src

set zone “V1-Untrust” screen land

set interface “ethernet2/1” zone “Trust”

set interface “ethernet2/2” zone “Untrust”

set interface “tunnel.1” zone “Untrust”

unset interface vlan1 ip

set interface mgt ip 10.205.17.233/24

set interface ethernet2/1 ip 171.253.253.1/24

set interface “ethernet2/1” ipv6 mode “router”

set interface “ethernet2/1” ipv6 interface-id 0000000000000001

set interface “ethernet2/1” ipv6 ip 5171::/32

set interface “ethernet2/1” ipv6 enable

set interface ethernet2/1 route

set interface ethernet2/2 ip 170.2.0.1/24

set interface “ethernet2/2” ipv6 mode “router”

set interface “ethernet2/2” ipv6 interface-id 0000000000000001

set interface “ethernet2/2” ipv6 ip 2001::/32

set interface “ethernet2/2” ipv6 enable

set interface ethernet2/2 route

set interface tunnel.1 ip unnumbered interface ethernet2/2

set interface “tunnel.1” ipv6 mode “router”

set interface “tunnel.1” ipv6 enable

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

unset interface vlan1 bypass-ipv6-others-ipsec

set interface vlan1 bypass-icmpv6-ndp

set interface vlan1 bypass-icmpv6-mld

unset interface vlan1 bypass-icmpv6-mrd

unset interface vlan1 bypass-icmpv6-msp

set interface vlan1 bypass-icmpv6-snd

set interface ethernet2/1 ip manageable

set interface ethernet2/2 ip manageable

unset interface ethernet2/1 manage ssh

unset interface ethernet2/1 manage telnet

unset interface ethernet2/1 manage snmp

unset interface ethernet2/1 manage ssl

unset interface ethernet2/1 manage web

set interface ethernet2/2 manage ping

set interface ethernet2/1 ipv6 ra link-address

set interface ethernet2/2 ipv6 ra link-address

unset interface tunnel.1 ipv6 ra link-address

set interface ethernet2/1 ipv6 nd nud

set interface ethernet2/2 ipv6 nd nud

set interface tunnel.1 ipv6 nd nud

set interface tunnel.1 ipv6 nd dad-count 0

unset flow no-tcp-seq-check

unset flow tcp-syn-check

set flow tcp-syn-bit-check

set flow reverse-route clear-text prefer

set flow reverse-route tunnel always

set console timeout 0

set dbuf size 4096

set dbuf usb filesize 0

set pki authority default cert-status revocation-check none

set pki authority default scep ca-cgi “http://10.205.17.185/certsrv/mscep/mscep.dll”

set pki authority default scep ra-cgi “http://10.205.17.185/certsrv/mscep/mscep.dll”

set pki authority default scep ca-id “IxVPN-CA”

set pki authority default scep mode “auto”

set pki x509 default cert-path partial

set pki x509 dn name “ns5200.”

set dns host dns1 0.0.0.0

set dns host dns2 0.0.0.0

set dns host dns3 0.0.0.0

set address “Trust” “1_6_tr” 6101::/16

set address “Trust” “1_tr” 61.0.0.0 255.0.0.0

set address “Untrust” “1UN_RNAT” 158.10.1.0 255.255.255.0

set ike gateway “1s2sRNAT” address test. Main outgoing-interface “ethernet2/2” preshare “DQA5YPdeNmwBLSs4dIC9Og7JA4naYzYizg==” proposal “rsa-g14-aes256-sha-360”

set ike gateway “1s2sRNAT” cert my-cert-hash BC1D04E0E20D4D05F776E30C34830ED9844DC79C

set ike gateway “1s2sRNAT” cert peer-ca-hash 7B236EFB192B6B5360CA7ECDE252191495E9A36B

set ike respond-bad-spi 1

set vpn “1-s2s-rnat” gateway “1s2sRNAT” no-replay tunnel idletime 0 proposal “g5-esp-aes256-sha-300”

set policy id 14001 name “1-TUs2s-rnat” from “Untrust” to “Trust”  “1UN_RNAT” “1_tr” “ANY” tunnel vpn “1-s2s-rnat” id 0x1773 pair-policy 14002

set policy id 14001

exit

set policy id 14002 name “1-TUs2s-rnat” from “Trust” to “Untrust”  “1_tr” “1UN_RNAT” “ANY” tunnel vpn “1-s2s-rnat” id 0x1773 pair-policy 14001

set policy id 14002

exit

set vrouter “untrust-vr”

exit

set vrouter “trust-vr”

unset add-default-route

set route 158.0.0.0/8 interface tunnel.1

set route 157.0.0.0/8 interface ethernet2/2 gateway 170.2.0.2

set route 61.10.0.0/16 interface ethernet2/1 gateway 171.253.253.3

exit

set vrouter “untrust-vr”

exit

set vrouter “trust-vr”

exit

Comments
  1. vmp says:

    Well, does the name resolve?

  2. si eu says:

    Nu imi place cand scrii chestii tehnice :p
