SRX IPSec Tunnel Sample (route-based, IKEv1 main mode, pre-shared key). Note: the proposals below use 3des-cbc, sha1 and dh-group5, the `$9$` pre-shared key is obfuscated rather than hashed and should be treated as a secret, the security policies are permit-all, and both zone interfaces enable host-inbound-traffic system-services all — these are lab values, not a hardening baseline.
root@SRX_Test# show | display set | no-more
set version 15.1X49-D90.7
set system host-name SRX_Test
set system root-authentication encrypted-password "$5$ZZrR8Xx5$ZPpG6X5ugNL7s0dHqj.URP4v6YhfzLqkDk3TrtfWHh8"
set system name-server 8.8.8.8
set system login user isd uid 2001
set system login user isd class super-user
set system login user isd authentication encrypted-password "$5$7i/tv6W2$eU0ilDNMbZQhZHff4gUFbtqTFIwigO3SiY8yqpD/.n0"
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group5
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$-nd4aJGiqPQdbmTQ3tp0BIhlM7Nbg4Z8L2aZU.mcylvNd"
set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY
set security ike gateway VPN-GATEWAY address 10.1.2.201
set security ike gateway VPN-GATEWAY dead-peer-detection interval 10
set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1
set security ike gateway VPN-GATEWAY nat-keepalive 10
set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec vpn IPSEC-VPN bind-interface st0.1
set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY
set security ipsec vpn IPSEC-VPN ike proxy-identity local 172.15.0.0/24
set security ipsec vpn IPSEC-VPN ike proxy-identity remote 172.15.1.0/24
set security ipsec vpn IPSEC-VPN ike proxy-identity service any
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule r1 match source-address 0.0.0.0/0
set security nat source rule-set src-nat rule r1 then source-nat interface
set security forwarding-process enhanced-services-mode
set security policies from-zone trust to-zone untrust policy permit-all match source-address any
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security policies from-zone trust to-zone vpn policy permit-all match source-address any
set security policies from-zone trust to-zone vpn policy permit-all match destination-address any
set security policies from-zone trust to-zone vpn policy permit-all match application any
set security policies from-zone trust to-zone vpn policy permit-all then permit
set security policies from-zone vpn to-zone trust policy permit-all match source-address any
set security policies from-zone vpn to-zone trust policy permit-all match destination-address any
set security policies from-zone vpn to-zone trust policy permit-all match application any
set security policies from-zone vpn to-zone trust policy permit-all then permit
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.1
set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.115/24
set interfaces ge-0/0/1 unit 0 family inet address 172.15.0.1/24
set interfaces st0 unit 1 family inet
set routing-options static route 0.0.0.0/0 next-hop 10.1.2.1
set routing-options static route 172.15.1.0/24 next-hop st0.1
[edit]
root@SRX_Test# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6299423 UP f51982a09b260851 3fcd24f6bec6f419 Main 10.1.2.201
6299424 UP 25885c239e958271 92d1dde980db90c8 Main 10.1.2.201
[edit]
root@SRX_Test# run show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 44d00f02 84435/unlim - root 500 10.1.2.201
>131073 ESP:3des/sha1 46f0dfb7 84435/unlim - root 500 10.1.2.201
[edit]
root@SRX_Test#
======================================================================================================================================================
FWF90D3Z13006231 # get vpn ipsec tunnel details
gateway
name: 'VPN-GW'
type: route-based
local-gateway: 10.1.2.201:0 (static)
remote-gateway: 10.1.2.115:0 (static)
mode: ike-v1
interface: 'wan1' (6)
rx packets: 0 bytes: 0 errors: 0
tx packets: 0 bytes: 0 errors: 7870
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'VPN-TUNNEL'
auto-negotiate: disable
mode: tunnel
src: 0:172.15.1.0/255.255.255.0:0
dst: 0:172.15.0.0/255.255.255.0:0
SA
lifetime/rekey: 86400/79426
mtu: 1446
tx-esp-seq: 1
replay: enabled
inbound
spi: 46f0dfb7
enc: 3des 6b1ddb0ba8c46a879e22dd055ae0c5b643983f4d68d72ff1
auth: sha1 ce45021dbfac556674600ff9cb08faf7d942d48f
outbound
spi: 44d00f02
enc: 3des aa81515e22c7e8eefce24d6ff740b1b3c4cec463d6dd15b5
auth: sha1 69dff90febd00f5d4e64637c73dec32527ddbba7
NPU acceleration: none
FWF90D3Z13006231 #
FWF90D3Z13006231 # get vpn ip tunnel summary
'VPN-GW' 10.1.2.115:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/7902
FWF90D3Z13006231 # get ipsec tunnel list
NAME REMOTE-GW PROXY-ID-SOURCE PROXY-ID-DESTINATION STATUS TIMEOUT
VPN-GW 10.1.2.115:0 172.15.1.0/255.255.255.0 172.15.0.0/255.255.255.0 up 79367

Commands used to install default packages required and user created for installing stack.

=========================================================================================
    1. vi /etc/netplan/......yaml  ===> Modify your NIC settings

    3  sudo add-apt-repository universe

    4  sudo apt install -y net-tools python3-pip socat python3-dev

    9  sudo reboot

   10  sudo apt update

   11  sudo apt upgrade

   12  ifconfig

   13  sudo useradd -s /bin/bash -d /opt/stack -m stack

   14  echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack

   15  sudo su - stack

Commands used to download devstack packages and add local.conf.

===============================================================

    1  git clone https://git.openstack.org/openstack-dev/devstack

    2  cd devstack/

    3  vi local.conf                    ====>  Please refer to the local.conf file below

    4  ./stack.sh                   ===> Runs the OpenStack installation

Commands used to add network configurations:

============================================

   12  source admin-openrc.sh

   13  neutron net-create --provider:network_type flat --provider:physical_network public --router:external --shared public

   14  neutron subnet-create --name public_subnet --enable_dhcp=False --allocation-pool start=172.24.4.101,end=172.24.4.200 --gateway=172.24.4.1 public 172.24.4.0/24

          neutron subnet-create --name public_subnet --enable_dhcp=False --allocation-pool start=172.24.4.101,end=172.24.4.200 --gateway=172.24.4.254 public 172.24.4.0/24

   15  neutron net-create mgmt

   16  neutron subnet-create --name mgmt_subnet --gateway=192.168.89.1 mgmt 192.168.89.0/24

   17  neutron router-create router1

   18  neutron router-interface-add router1 mgmt_subnet

   19  neutron router-gateway-set router1 public

Local.conf

==========

stack@gigamon:~/devstack$ cat local.conf

[[local|localrc]]

ADMIN_PASSWORD=openstack

HOST_IP=10.10.10.100

SERVICE_HOST=$HOST_IP

MYSQL_HOST=$HOST_IP

RABBIT_HOST=$HOST_IP

GLANCE_HOSTPORT=10.10.10.100:9292

#GLANCE_LIMIT_IMAGE_SIZE_TOTAL=32768

GLANCE_LIMIT_IMAGE_SIZE_TOTAL=102400

ADMIN_PASSWORD=$ADMIN_PASSWORD

SERVICE_TOKEN=$ADMIN_PASSWORD

DATABASE_PASSWORD=$ADMIN_PASSWORD

RABBIT_PASSWORD=$ADMIN_PASSWORD

SERVICE_PASSWORD=$ADMIN_PASSWORD

ENABLE_HTTPD_MOD_WSGI_SERVICES=True

KEYSTONE_USE_MOD_WSGI=True

## Neutron options

Q_USE_SECGROUP=True

PUBLIC_INTERFACE=enx00e04e3bc05f

# Open vSwitch provider networking configuration

Q_USE_PROVIDERNET_FOR_PUBLIC=True

OVS_PHYSICAL_BRIDGE=br-ex

PUBLIC_BRIDGE=br-ex

OVS_BRIDGE_MAPPINGS=public:br-ex

LOGFILE=$DEST/logs/stack.sh.log

VERBOSE=True

ENABLE_DEBUG_LOG_LEVEL=True

ENABLE_VERBOSE_LOG_LEVEL=True

GIT_BASE=${GIT_BASE:-https://git.openstack.org}

MULTI_HOST=1

[[post-config|$NOVA_CONF]]

[DEFAULT]

firewall_driver=nova.virt.firewall.NoopFirewallDriver

novncproxy_host=0.0.0.0

novncproxy_port=6080

scheduler_default_filters=RamFilter,ComputeFilter,AvailabilityZoneFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,PciPassthroughFilter,NUMATopologyFilter

#[libvirt]

#live_migration_uri = qemu+ssh://stack@%s/system

##cpu_mode = none

#cpu_mode = host-passthrough

#virt_type = kvm

 

This is your host IP address: 10.10.10.100

This is your host IPv6 address: ::1

Horizon is now available at http://10.10.10.100/dashboard

Keystone is serving at http://10.10.10.100/identity/

The default users are: admin and demo

The password: gigamon

 

Services are running under systemd unit files.

For more information see:

https://docs.openstack.org/devstack/latest/systemd.html

DevStack Version: 2023.1

Change: 48af5d4b1bf5332c879ee52fb4686874b212697f Make rockylinux job non-voting 2023-02-14 17:11:24 +0100

OS Version: Ubuntu 20.04 focal

Nova.conf & Nova-cpu.conf

=========================

[libvirt]

live_migration_uri = qemu+ssh://stack@%s/system

#cpu_model = Nehalem

#cpu_mode = custom

cpu_mode = host-model

cpu_model_extra_flags = vmx

virt_type = kvm

 

glance usage

V-Series Image Settings

========================

kt@openstack:~$ openstack image set --property hw_vif_multiqueue_enabled=true b0181c20-d192-4006-b681-09fd2df65c5d

kt@openstack:~$ openstack image show b0181c20-d192-4006-b681-09fd2df65c5d

Next Step Create flavor for V-Series

=====================================

Configure flavor for V-series settings

=======================================

 (?)openstack flavor set vseries --property dpdk=true --property hw:cpu_policy=dedicated --property hw:mem_page_size=1GB --property hw:emulator_threads_policy=isolate

FM SSH credentials: admin/***********

===============================

Command to obtain the default FM GUI password (the instance-id returned by the metadata service):  wget -q -O - http://169.254.169.254/latest/meta-data/instance-id

 

The value returned above can be used for the first-time FM login.

 

FM http credentials: admin/openstack123A!!

 

===================================================

 

If you are not using a DNS server, edit "/etc/hosts" and add the OpenStack server IP.

 

This allows the URL to be resolved during monitoring-domain creation.

 

G-vTAP Agent

===================================================

download files

- strongSwan TAR Files

- gtap-agent_xxx.rpm

- gvtap.te file

 

# checkmodule -M -m -o gvtap.mod gvtap.te

# semodule_package -o gvtap.pp -m gvtap.mod

# semodule -i gvtap.pp

# yum install python3

# yum install python-urllib3

# yum install iproute-tc

# pip3 install urllib3

# pip3 install requests

# pip3 install netifaces

 

https://www.tecmint.com/disable-selinux-on-centos-8/

https://www.psychz.net/client/question/ko/turn-off-firewall-centos-7.html

 

 

# rpm -ivh gvtap-agent_xxx.rpm

# vi /etc/gvtap/gvtap-agent.conf

  eth0 mirror-src-ingress mirror-src-egress mirror-dst

# /etc/init.d/gvtap-agent restart

# tar -xvfpz strongswan-xxx.tar.gz

# cd strongswan-xxx

# sh ./swan-install.sh

 

[root@centos1 ~]# setenforce 0

[root@centos1 ~]# setenforce Permissive

[root@centos1 ~]# sestatus

SELinux status:                 enabled

SELinuxfs mount:                /sys/fs/selinux

SELinux root directory:         /etc/selinux

Loaded policy name:             targeted

Current mode:                   permissive

Mode from config file:          enforcing

Policy MLS status:              enabled

Policy deny_unknown status:     allowed

Max kernel policy version:      31

[root@centos1 ~]#

 

 

Tools vxlan 설정

 

ip link add vxlan199 type vxlan id 1005 dev eth0 dstport 4789

sudo ip link set vxlan199 up

tcpdump -nvi vxlan199

 

sudo gvtapl mirror-list

 

Vseries

apiv /stats

apiv /stats/teps

 

/var/log/로그

 

 sudo ovs-vsctl del-port vxlan0

  sudo ovs-vsctl del-port vxlan1

 

 sudo ovs-tcpdump -i tapd3eaa48f-ba

 

=========================================================

Use `ip` from iproute2 (you also need to specify the prefix length).

ip addr del 10.22.30.44/16 dev eth0

To remove all addresses (in case you have multiple):

ip addr flush dev eth0

========================================================

 

 


 

 

 

 

 

상세설명 --->>>>  http://blog.naver.com/uctTrusGuard - Firewall, IPS, Application Control, VPN, Anti-Virus/Spam, C&C 탐지 및 차단 등 다양한 보안 기능을 제공하는 차세대 네트워크 통합 보안 시스템입니다.

 

 


 

TrusGuard IPX - 안랩의 강력한 보안 위협 대응 기술력과 독보적인 인프라가 응집된 최고의 네트워크 침입방지 솔루션입니다.

TrusGuard DPX - 안랩의 특별한 DDoS 방어 프로세스로 DDoS 공격 패러다임의 변화에 종합적으로 대응합니다.

TMS - 빅데이터 이벤트 처리 기반 심층적인 위협분석과 네트워크 보안 제품의 효율적인 통합 정책 관리를 제공하는 차세대 네트워크 통합 보안 관리 솔루션입니다.

TSM - 다수의 네트워크 보안 관리 장비에 대한 정책 설정 및 통합 모니터링 환경을 제공하는 차세대 네트워크보안 통합 관리 솔루션입니다.


# Windows Server 2016의 AD를 사용

# FortiGate 200D v6.0.14build0457(GA) 사용

# Security Fabric/Fabric Connectors

# 사용자 또는 그룹을 선택

# User & Device\User Group 추가

# FortiGate Policy

# Client OS에서 도메인을 통한 로그인 설정

# FortiGate에서 도메인을 통한 로그인 확인

# 정책 테스트
