
Juniper SRX Backup

We recently had an SRX 100 go down on site with no way to access it.
In the end we had to get the site manager to take it to another site and plug it into a console cable that was already attached to a server so we could reconfigure it.

We didn’t even have a backup config of the device (epic fail!)

After this debacle I sat down to learn a lot more about Junos auto recovery and made sure I backed up all the Juniper configs we had.
Cisco and HP configs were already being backed up with Spiceworks.

1. Rescue config
You want to make sure the Juniper has a copy of your config saved in a safe place. To do this, type:

request system configuration rescue save

2. Auto recovery
Auto recovery saves information on licenses, config and partitioning; more information is in Juniper's autorecovery documentation.
request system autorecovery state save

3. Backup partition
SRX class devices can be dual boot, so if the main partition has a problem it can boot off the second partition. You will want to ensure your two partitions are on relatively equal software versions so that the feature sets are the same. To copy the current partition to the backup, use:
request system snapshot slice alternate

Next week I will look at backing up the router config.
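The three commands above protect the box itself; the config backup the post promises for next week is the other half. Here is an added example (my script, not the post's or Juniper's) that pulls the set-style configuration over SSH and keeps a dated copy whenever it changes. It assumes key-based SSH to the device with a read-only login that can run "show configuration | display set"; the runner argument lets the SSH step be replaced by any callable that returns the config text, which is how it can be exercised without a device.

```python
"""Pull a Junos device's configuration over SSH and keep dated copies of it.

Added example, not part of the original post. Assumes key-based SSH access
with a read-only login that can run 'show configuration | display set'.
"""
import hashlib
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Optional

SHOW_CMD = "show configuration | display set | no-more"


def ssh_runner(host: str, command: str, user: str = "backup") -> str:
    """Run one CLI command on the device through OpenSSH and return its output."""
    # BatchMode: fail instead of hanging on a password prompt when run from cron
    proc = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", f"{user}@{host}", command],
        check=True, capture_output=True, text=True, timeout=60,
    )
    return proc.stdout


def normalize(config: str) -> str:
    """Drop blank lines and the '## Last commit:' header so identical configs hash alike."""
    keep = [ln for ln in config.splitlines()
            if ln.strip() and not ln.startswith("## Last commit:")]
    return "\n".join(keep) + "\n"


def config_digest(config: str) -> str:
    return hashlib.sha256(normalize(config).encode()).hexdigest()


def latest_backup(outdir: Path, host: str) -> Optional[Path]:
    # the UTC timestamp in the file name sorts chronologically
    files = sorted(outdir.glob(f"{host}-*.set"))
    return files[-1] if files else None


def backup_device(host: str, outdir: Path,
                  runner: Callable[[str, str], str] = ssh_runner,
                  now: Optional[datetime] = None) -> Optional[Path]:
    """Fetch the config and write a dated file only when it differs from the last copy.

    Returns the path written, or None when nothing changed.
    """
    outdir.mkdir(parents=True, exist_ok=True)
    config = runner(host, SHOW_CMD)
    if not any(ln.startswith("set ") for ln in config.splitlines()):
        raise RuntimeError(f"{host}: output does not look like a Junos set-style config")
    previous = latest_backup(outdir, host)
    if previous and config_digest(previous.read_text()) == config_digest(config):
        return None
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    path = outdir / f"{host}-{stamp}.set"
    path.write_text(config)
    return path


if __name__ == "__main__":
    # usage: backup_junos.py OUTDIR HOST [HOST ...]
    out = Path(sys.argv[1])
    for h in sys.argv[2:]:
        written = backup_device(h, out)
        print(f"{h}: {'saved ' + written.name if written else 'unchanged'}")
```

The set-style output is what you paste back into a replacement box with "load set", which is exactly what was missing in the story above. The files contain the $9$-obfuscated secrets (pre-shared keys, user passwords), so the backup directory needs the same access control as the device itself.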

Juniper SRX IPSEC MTU

We had an outage on one of our WAN links last week. (Un)luckily I had a spare ADSL link to the internet on the router whose link went down, with IPsec configured back to the head office. The only problem was that when we went to use IPsec over the spare link we had dropped connections left, right and centre.

I knew the problem was the MTU size, having seen the same issues before on other connections, but I wasn't sure whether it was on the ADSL PPP connection or on the IPsec connection that I had to set the MTU size.

Going to site and failing all traffic over to the backup connection, I was quickly able to work out that the ADSL PPP MTU was fine and IPsec was the only problem. Setting the MTU under the st0 interface did not seem to work. A bit of googling uncovered the issue: the IPsec MTU is set under security flow as a TCP MSS value and applies to all IPsec VPNs.


set security flow tcp-mss ipsec-vpn mss 1350

A value between 1300 and 1350 should work depending on what kind of encryption you have set.
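Why the number depends on the encryption: every TCP segment that enters the tunnel grows by an outer IP header, the ESP header, a cipher IV, padding up to the cipher block size, the ESP trailer and the integrity check value, and the result has to fit the MTU of the path the tunnel runs over. The following is an added example (mine, not from the post) that works the arithmetic through with the standard ESP tunnel-mode sizes from RFC 4303; it assumes IPv4 inside and out, a 20-byte TCP header, and optionally the 8-byte UDP header added by NAT traversal.

```python
"""Largest TCP MSS that keeps an ESP tunnel-mode packet within the path MTU.

Added example, not from the original post. Sizes are the standard ESP
tunnel-mode ones (RFC 4303); IPv4 inside and out, TCP header without
options, optional UDP encapsulation for NAT-T.
"""

OUTER_IP = 20       # tunnel-mode outer IPv4 header
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
INNER_IP_TCP = 40   # inner IPv4 (20) + TCP (20); the MSS excludes these
NAT_T_UDP = 8       # UDP header when NAT traversal encapsulation is active

# cipher -> (block size, IV length) in bytes
CIPHERS = {
    "des-cbc": (8, 8), "3des-cbc": (8, 8),
    "aes-128-cbc": (16, 16), "aes-256-cbc": (16, 16),
}
# integrity algorithm -> ICV length in bytes
ICV = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha-256-128": 16}


def esp_tunnel_mss(path_mtu: int, cipher: str, integrity: str, nat_t: bool = False) -> int:
    """Largest MSS whose full-size segment still fits path_mtu after ESP encapsulation."""
    block, iv = CIPHERS[cipher]
    fixed = OUTER_IP + ESP_HEADER + iv + ICV[integrity] + (NAT_T_UDP if nat_t else 0)
    encrypted_budget = path_mtu - fixed
    # inner IP + TCP + payload + padding + trailer is encrypted as a whole,
    # so it must be a multiple of the cipher block size
    largest_block_multiple = (encrypted_budget // block) * block
    return largest_block_multiple - ESP_TRAILER - INNER_IP_TCP


def encrypted_packet_size(mss: int, cipher: str, integrity: str, nat_t: bool = False) -> int:
    """Forward check: on-the-wire size of a full-MSS segment after ESP tunnel mode."""
    block, iv = CIPHERS[cipher]
    plaintext = INNER_IP_TCP + mss
    pad = (-(plaintext + ESP_TRAILER)) % block
    return (OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv
            + plaintext + pad + ESP_TRAILER + ICV[integrity])


if __name__ == "__main__":
    # 1500 = plain Ethernet, 1492 = typical PPPoE ADSL path
    for mtu in (1500, 1492):
        for cipher in ("des-cbc", "aes-128-cbc"):
            for nat_t in (False, True):
                mss = esp_tunnel_mss(mtu, cipher, "hmac-sha1-96", nat_t)
                print(f"MTU {mtu} {cipher:12} NAT-T={nat_t!s:5} -> mss {mss}")
```

On a 1500-byte path with DES-CBC and SHA-1 the ceiling is 1406, with AES-CBC it is 1398, and over a 1492-byte PPPoE path behind NAT with AES it drops to 1382. The 1300 to 1350 the post settled on therefore leaves headroom for PPPoE, NAT-T and TCP options, which is why it works without knowing the exact path.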

Juniper SRX IPSEC Part 2

Ok, so continuing on from my last post, this is the config on the second side of the VPN connection (my head office).

First we need to set up the st interface (VPN endpoint interface) on this box. I am using multipoint because I am terminating a number of VPNs at this interface.


set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.3.43.1/24

Then we need a zone for this interface.


set security zones security-zone IPSECVPN host-inbound-traffic system-services all
set security zones security-zone IPSECVPN host-inbound-traffic protocols all
set security zones security-zone IPSECVPN interfaces st0.0

Then we need to allow certain traffic for that zone:

set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match source-address any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match destination-address any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match application any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit then permit
set security policies from-zone IPSECVPN to-zone trust policy defaultPermit match source-address any
set security policies from-zone IPSECVPN to-zone trust policy defaultPermit match destination-address any
set security policies from-zone IPSECVPN to-zone trust policy defaultPermit match application any
set security policies from-zone IPSECVPN to-zone trust policy defaultPermit then permit

We also need to allow VPN traffic inbound on our external connection:


set security zones security-zone publicip host-inbound-traffic system-services ike

Now for the VPN part. First things first, we need IKE set up correctly, so we start with the proposal.


set security ike traceoptions flag routing-socket
set security ike proposal MTLGateway-PSK authentication-method pre-shared-keys
set security ike proposal MTLGateway-PSK dh-group group2
set security ike proposal MTLGateway-PSK authentication-algorithm sha1
set security ike proposal MTLGateway-PSK encryption-algorithm des-cbc
set security ike proposal MTLGateway-PSK lifetime-seconds 86400

Then the IKE policy, which references the proposal and holds the pre-shared key:


set security ike policy MTL-Gateway-PSK mode aggressive
set security ike policy MTL-Gateway-PSK proposals MTLGateway-PSK
set security ike policy MTL-Gateway-PSK pre-shared-key ascii-text mysecretkey # (same as the other side)

Then the gateway. Note here that we use "dynamic hostname"; this sets it up for a dynamic IP using pre-shared keys. Need to make sure the other side has the same hostname; more on this in another post.


set security ike gateway MTL-Gateway-PSK ike-policy MTL-Gateway-PSK
set security ike gateway MTL-Gateway-PSK dynamic hostname mtlgateway
set security ike gateway MTL-Gateway-PSK dead-peer-detection interval 60
set security ike gateway MTL-Gateway-PSK dead-peer-detection threshold 2
set security ike gateway MTL-Gateway-PSK external-interface vlan.0

Now for the IPsec guts. First the policy; I reused this with all my IPsec tunnels.


set security ipsec policy MTLGateway-VPN perfect-forward-secrecy keys group2
set security ipsec policy MTLGateway-VPN proposal-set standard

And now the final IPsec stuff:


set security ipsec vpn MTLGateway-VPN bind-interface st0.0
set security ipsec vpn MTLGateway-VPN vpn-monitor optimized
set security ipsec vpn MTLGateway-VPN vpn-monitor source-interface st0
set security ipsec vpn MTLGateway-VPN vpn-monitor destination-ip 10.3.43.2
set security ipsec vpn MTLGateway-VPN ike gateway MTL-Gateway-PSK
set security ipsec vpn MTLGateway-VPN ike proxy-identity local 10.3.45.0/24
set security ipsec vpn MTLGateway-VPN ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn MTLGateway-VPN ike proxy-identity service any
set security ipsec vpn MTLGateway-VPN ike ipsec-policy MTLGateway-VPN
set security ipsec vpn MTLGateway-VPN establish-tunnels immediately

Finally, routing! For the .1.0 subnet the next hop is the VPN endpoint of the remote box. Easy...


set routing-options static route 192.168.1.0/24 next-hop 10.3.43.2

Juniper SRX IPSEC

I have set up a couple of my Juniper SRX units with VPNs. I spent a day or two getting it to work, so I thought I would post my config to help others trying to make it work.

Once you get your head around it it's very easy and awesome. The power of the Junos CLI makes it easy to reuse config and adapt it for new environments. I love Junos.

My first setup was a test between two SRX210 boxes. One machine at our head office was set up with a public static IP; the other at my house has a dynamic IP via a PPP (ADSL) connection.

I used pre-shared keys because these are site-to-site VPNs and I don't have a certificate server set up.

Box 1 setup
1. First I set up my VPN interface with a private IP for the VPN network. The VPN endpoints all need their own IPs, so I gave that network the 10.3.43.0/24 subnet.

set interfaces st0 unit 0 family inet address 10.3.43.2/24

2. Then I put the VPN interface in a new zone so that I can regulate traffic to and from it via the powerful Junos security policies.

set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0

3. I then set up my IKE proposal.

set security ike proposal HeadOffice-PSK authentication-method pre-shared-keys
set security ike proposal HeadOffice-PSK dh-group group2
set security ike proposal HeadOffice-PSK authentication-algorithm sha1
set security ike proposal HeadOffice-PSK encryption-algorithm des-cbc
set security ike proposal HeadOffice-PSK lifetime-seconds 86400

4. I then set up my IKE policy, which references my proposal above.

set security ike policy HeadOffice-PSK mode aggressive
set security ike policy HeadOffice-PSK proposals HeadOffice-PSK
set security ike policy HeadOffice-PSK pre-shared-key ascii-text "$9$8Sz7b2ZGi.mTZUqf5QCA"

5. I then set up my IKE gateway, which references my IKE policy. This has dead peer detection active to pick up dead IKE connections. The local-identity cannot be more than 20 characters (a limitation); I initially had it set to a full TLD but this was too long. The local-identity is needed because this is a dynamic connection; if this endpoint were static we would configure it a little differently (which I will demonstrate in a later post).

set security ike gateway HeadOffice-VPNGW ike-policy HeadOffice-PSK
set security ike gateway HeadOffice-VPNGW address xx.xx.xx.xx
set security ike gateway HeadOffice-VPNGW dead-peer-detection interval 60
set security ike gateway HeadOffice-VPNGW dead-peer-detection threshold 2
set security ike gateway HeadOffice-VPNGW local-identity hostname myhostname
set security ike gateway HeadOffice-VPNGW external-interface pp0

6. Next I set up my IPsec policy.

set security ipsec policy HeadOffice-VPN perfect-forward-secrecy keys group2
set security ipsec policy HeadOffice-VPN proposal-set standard

7. Then the actual IPsec connection. There are a couple of things going on here. First I bind the VPN to the st0 interface. Then I turn on vpn-monitor, which checks the other side and re-initialises the connection if it drops out. Optimized is just an extra option for the monitor so it doesn't only rely on ICMP. Then I set up the proxy identity local and remote subnets, and tell it to establish the VPN.

set security ipsec vpn HeadOffice-VPN bind-interface st0.0
set security ipsec vpn HeadOffice-VPN vpn-monitor optimized
set security ipsec vpn HeadOffice-VPN vpn-monitor source-interface st0
set security ipsec vpn HeadOffice-VPN vpn-monitor destination-ip 10.3.43.1
set security ipsec vpn HeadOffice-VPN ike gateway HeadOffice-VPNGW
set security ipsec vpn HeadOffice-VPN ike proxy-identity local 192.168.x.x/24
set security ipsec vpn HeadOffice-VPN ike proxy-identity remote 10.3.x.x/24
set security ipsec vpn HeadOffice-VPN ike proxy-identity service any
set security ipsec vpn HeadOffice-VPN ike ipsec-policy HeadOffice-VPN
set security ipsec vpn HeadOffice-VPN establish-tunnels immediately

8. The only thing left to do is set up the routing; we need to tell the router to send the remote subnet via the other side's VPN interface.

set routing-options static route 10.3.x.0/24 next-hop 10.3.43.1

Next post I will be setting up the other side (box 2).
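Both of these IPsec posts (this one and Part 2 above) use des-cbc, DH group2, SHA-1 and aggressive mode, the proposal-side IKE settings of their day, together with zones that accept every system service and policies that permit any/any/any. Before reusing config like this it is worth running a backed-up set-file through a checker. The following is an added example (mine, not from the posts or from Juniper) that tokenises "display set" lines and flags those settings; the sample config at the bottom is constructed from the posts' own lines, and the severities are this script's own judgement.

```python
"""Audit a Junos 'display set' configuration for weak IKE/IPsec and zone settings.

Added example, not part of the original posts. Reads set-style lines and
reports settings a reviewer should question before trusting the tunnel.
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass

WEAK_CIPHERS = {"des-cbc", "3des-cbc"}   # 64-bit block ciphers
WEAK_DH = {"group1", "group2"}           # 768- and 1024-bit MODP groups
WEAK_HASH = {"md5", "sha1"}


@dataclass(frozen=True)
class Finding:
    severity: str   # high / medium / low
    subject: str
    message: str


def parse_set_lines(text):
    """Tokenise each 'set ...' line; shlex handles quoted keys and trailing '#' comments."""
    stmts = []
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        if toks and toks[0] == "set":
            stmts.append(toks[1:])
    return stmts


def audit(text):
    findings = []
    policies = defaultdict(set)   # (from-zone, to-zone, name) -> match/permit markers seen
    for t in parse_set_lines(text):
        if t[:3] == ["security", "ike", "proposal"] and len(t) >= 6:
            subj, knob, val = f"ike proposal {t[3]}", t[4], t[5]
            if knob == "encryption-algorithm" and val in WEAK_CIPHERS:
                findings.append(Finding("high", subj, f"{val}: 64-bit block cipher, use AES"))
            elif knob == "dh-group" and val in WEAK_DH:
                findings.append(Finding("medium", subj, f"{val}: small DH group, use group14 or larger"))
            elif knob == "authentication-algorithm" and val in WEAK_HASH:
                findings.append(Finding("low", subj, f"{val}: prefer sha-256"))
        elif t[:3] == ["security", "ike", "policy"] and len(t) >= 6:
            subj = f"ike policy {t[3]}"
            if t[4] == "mode" and t[5] == "aggressive":
                findings.append(Finding("medium", subj, "aggressive mode: identities and the PSK-based "
                                        "hash travel unencrypted; use main mode where the peer address is static"))
            elif t[4] == "pre-shared-key" and t[5] == "ascii-text" and len(t) >= 7:
                if t[6].startswith("$9$"):
                    findings.append(Finding("low", subj, "$9$ is reversible obfuscation, not encryption: "
                                            "treat this file as a secret"))
                else:
                    findings.append(Finding("high", subj, "pre-shared key stored in clear text"))
        elif "traceoptions" in t:
            findings.append(Finding("low", " ".join(t[:2]), "traceoptions left enabled: debug logging in production"))
        elif (t[:3] == ["security", "zones", "security-zone"] and len(t) >= 7
              and t[4] == "host-inbound-traffic" and t[6] == "all"):
            findings.append(Finding("medium", f"zone {t[3]}",
                                    f"host-inbound-traffic {t[5]} all: every {t[5]} accepted on this zone"))
        elif (t[:2] == ["security", "policies"] and len(t) >= 10
              and t[2] == "from-zone" and t[4] == "to-zone" and t[6] == "policy"):
            key = (t[3], t[5], t[7])
            if t[8] == "match" and len(t) >= 11 and t[10] == "any":
                policies[key].add(t[9])
            elif t[8] == "then" and t[9] == "permit":
                policies[key].add("permit")
    for (src, dst, name), marks in policies.items():
        if {"source-address", "destination-address", "application", "permit"} <= marks:
            findings.append(Finding("medium", f"policy {src}->{dst} {name}",
                                    "any/any/any permit: nothing restricts what crosses the tunnel"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.subject))


# constructed sample, assembled from the posts' own configuration lines
SAMPLE_CONFIG = """\
set security ike traceoptions flag routing-socket
set security ike proposal MTLGateway-PSK authentication-method pre-shared-keys
set security ike proposal MTLGateway-PSK dh-group group2
set security ike proposal MTLGateway-PSK authentication-algorithm sha1
set security ike proposal MTLGateway-PSK encryption-algorithm des-cbc
set security ike policy MTL-Gateway-PSK mode aggressive
set security ike policy MTL-Gateway-PSK pre-shared-key ascii-text mysecretkey # (same as the other side)
set security ike policy HeadOffice-PSK pre-shared-key ascii-text "$9$8Sz7b2ZGi.mTZUqf5QCA"
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match source-address any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match destination-address any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match application any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit then permit
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.subject}: {f.message}")
```

Aggressive mode was needed in the posts because the home end has a dynamic address and identifies itself by hostname; the checker flags it anyway so that the trade-off is a conscious one rather than a leftover. The zone and policy findings are the ones most worth acting on: a VPN zone that accepts all system services and an any/any/any permit make the remote site's LAN a full member of the head office network.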

Davis Weather Station

We needed to log all our weather data in a simple way that multiple users could access.

I decided to buy a Davis Vantage Vue unit because they are cheap and have a long track record with a strong community of users. I also got the Ethernet attachment for the display so I could plug it into our network.

At this point I was a bit stuck because most of the software was pretty-looking Windows stuff, and all I wanted was a table with the actual data rather than pretty graphics of trends and such. I also wanted it to be lightweight; putting a graphical app on a Windows server would be a last resort!

I then stumbled across weewx (http://www.weewx.com/), which is a simple lightweight server written in Python that interrogates Davis stations (and others), downloads the data from them and stores it in a database.


I installed an Ubuntu server, installed weewx and got it interrogating the station every minute and recording the data in a MySQL server I set up on the same machine. I then installed PHP and got the weewx web site working.

So now I have the weather station data being recorded every minute, but the front end (web via weewx) was still more of a trend interface than a raw data view.

After having a look at the MySQL tables I could see that the "archive" table holds the records I needed, so with a bit of PHP, JS and jQuery I came up with a couple of pages that do what I need nicely.

If you are interested you can download them from GitHub: https://github.com/mopo101/WeatherPHP

You will also need jQuery and jQuery UI (http://jquery.com/download/), and you need to edit the PHP files to put in your DB credentials. Also make sure you change weewx from SQLite, which it uses as standard, to MySQL.

The file date1.php will show you a calendar; you select your date and hit load, and an AJAX call will display the data in a table. You can also hit download, which gets the data from csv.php as a CSV file.

DISCLAIMER: these PHP files do not do any sanity checking and should not be placed on a public website. I am not liable for any damage these files may cause; use at your own risk.
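The sanity checking the disclaimer refers to is mostly about the one value a visitor controls, the selected date, which ends up inside the SQL that reads the archive table. Here is an added example (mine, in Python rather than the repository's PHP, and not code from WeatherPHP or weewx) of the same date-to-table and date-to-CSV lookup done safely: the date is parsed strictly before use and reaches the database only as a bind parameter. It assumes the weewx "archive" table is keyed by dateTime in Unix epoch seconds and has outTemp, outHumidity, barometer and windSpeed columns; the rows are constructed and loaded into an in-memory SQLite database so the example runs offline, and day boundaries are taken in UTC (a real site would use its own zone).

```python
"""One day of weewx archive rows with a validated date and a parameterized query.

Added example, not the post's PHP. Assumes an 'archive' table keyed by
dateTime (epoch seconds) with outTemp, outHumidity, barometer, windSpeed.
"""
import csv
import io
import sqlite3
from datetime import date, datetime, timedelta, timezone

COLUMNS = ("dateTime", "outTemp", "outHumidity", "barometer", "windSpeed")


def parse_day(text: str) -> date:
    """Accept only YYYY-MM-DD; anything else (including SQL fragments) raises ValueError."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def day_bounds(day: date):
    """[start, end) epoch seconds for the day; UTC here, use the site's zone in practice."""
    start = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
    return int(start.timestamp()), int((start + timedelta(days=1)).timestamp())


def rows_for_day(conn: sqlite3.Connection, day_text: str):
    """Rows for the requested day. The column list is a fixed constant, never user input;
    the only user-supplied value travels as a bind parameter."""
    start, end = day_bounds(parse_day(day_text))
    sql = (f"SELECT {', '.join(COLUMNS)} FROM archive "
           "WHERE dateTime >= ? AND dateTime < ? ORDER BY dateTime")
    return conn.execute(sql, (start, end)).fetchall()


def rows_to_csv(rows) -> str:
    """Render rows as CSV with the epoch turned into an ISO timestamp."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    for r in rows:
        writer.writerow([datetime.fromtimestamp(r[0], timezone.utc).isoformat(), *r[1:]])
    return buf.getvalue()


def seed_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two days of hourly readings in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE archive (dateTime INTEGER PRIMARY KEY, outTemp REAL, "
                 "outHumidity REAL, barometer REAL, windSpeed REAL)")
    base, _ = day_bounds(date(2013, 3, 10))
    rows = [(base + h * 3600, 15.0 + h * 0.1, 60.0, 1013.2, 3.0) for h in range(48)]
    conn.executemany("INSERT INTO archive VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = seed_demo_db()
    print(rows_to_csv(rows_for_day(db, "2013-03-10")))
    try:
        rows_for_day(db, "2013-03-10' OR 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)
```

Two things carry the safety here and both port directly to the PHP pages: the date is validated against a fixed format before it is used at all, and the query uses a placeholder (PDO prepared statements in PHP) so that even a value that slipped past validation could only ever be compared as a number. Credentials should likewise come from a file outside the web root rather than being edited into the page source.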

The Apple Store

I had to go into the Apple store today to get a birthday present for a family member. Every time I walk into one of these stores I get a feeling of annoyance combined with envy.

The annoyance mainly comes from the young hipsters in the blue shirts and the awestruck customers following them around and hanging off their every word. It also comes from how busy the store always is.

The envy arises from how perfectly Steve and the Apple team managed to get the whole retail experience.
1. The music – it's nice calm music that is perfect: something poppy but not so out there that it makes the customers want to get on the tables and dance.
2. The room – it isn't cluttered with display shelves; it feels light and airy and there is room to move (the only issue is the people).
3. Paying – I can walk up to any team member and pay with my credit card.
4. Invoice – no need to print anything; I just put my details in their mobile device and the invoice gets emailed to me! Awesome.

Today I was in and out in 5 minutes and I didn't have to pay for parking (free on a Sunday in the bay I parked in), so the whole experience wasn't tedious and was actually as easy as buying something online, except for the driving bit.

Crystal Reports Bug – Auto Landscape

We have been using Crystal to print some labels for a while and it has worked well up until now.

We changed our labels from 9cm high by 6cm wide to 6cm high by 10cm wide. I thought I could just change the page size in the printer driver, pick that up in the Crystal designer and everything would be fine...

And it was; I was even able to print preview in Crystal Designer and print the preview perfectly.

Then I saved the Crystal file and tried to print a report from the Crystal viewer, at which point Crystal didn't like my page width being larger than the page height and auto-rotated the report.

To fix it I made the width of the page in the printer driver a couple of cm smaller than the height; it doesn't look pretty but it works.

My Crystal run time version is 12.3.0.601.
