Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Mon Oct 16, 2017 7:29 pm


News News of VPN / Dynamic VPN / Ipsec

Site map of VPN / Dynamic VPN / Ipsec » Forum : VPN / Dynamic VPN / Ipsec


 [ Total topics 12 Go to page 1, 2

Message
 Post subject: Site2Site Ipsec/Dialup/ike v2
PostPosted: Wed Sep 16, 2015 9:07 am 
Hello
I have gotten a couple of requierments from the infrastructure architects at my job, for the site2site vpn to our small offices.

- Cert authentication
- Ike V2

There are some offices that have a dynamic ip, when i did some googling i found this two articels that seems to contradict eachother.

https://kb.juniper.net/InfoCenter/index ... login=true here they are using aggressive mode (so i guess it wont work in ...

Read more : Site2Site Ipsec/Dialup/ike v2 | Views : 649 | Replies : 0

Top
 Post subject: Linux site to site GRE over IPSEC VPN tunnels using racoon & kame ipsec-tools
PostPosted: Tue Jan 13, 2015 6:26 am 
Before reading my article, the reader needs to get familiarized with ipsec concepts. Here is a good starting point: IPSEC Illustrated http://www.unixwiz.net/techtips/iguide-ipsec.html

Securing communication over public internet between two Linux endpoints can be performed in multiple ways via encryption at layer 3 or at layer 4/7. I'm using IPSEC wherever it is possible. This is layer 3/4 encryption (if NAT-T is performed).

With IPSEC there are two modes for phase 2 encapsulation: transport mode and ...

Read more : Linux site to site GRE over IPSEC VPN tunnels using racoon & kame ipsec-tools | Views : 10404 | Replies : 0

Top
 Post subject: Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed
PostPosted: Fri Jan 09, 2015 11:41 am 
Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed

Juniper SRX acting as an SRX hub complains when a dynamic IP address spoke is configured using preshared-key authentication and main mode (as per KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB5622).

Why is that ? Looking at ipsec ike phase 1 main mode, the standard states there are 6 messages (3 pairs):
Pair 1 of main mode (messages 1 and 2 - unencrypted): First isakmp ...

Read more : Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed | Views : 1546 | Replies : 0

Top
 Post subject: error: Failed to encode the certificate request in PKCS-10 format - Juniper SRX PKI error
PostPosted: Fri Dec 12, 2014 10:32 am 
error: Failed to encode the certificate request in PKCS-10 format

This post is related to another error appearing in Juniper SRX firewalls when certificates are loaded. Please read
http://forum.ivorde.ro/error-error-load-certid-test-when-attempting-to-import-signed-certificate-in-juniper-srx-firewall-t19311.html and http://forum.ivorde.ro/pki-how-to-import-openssl-private-key-and-public-certificate-in-juniper-srx-t19301.html before going further.

Here, I will generate a private key on the Juniper SRX firewall, then I will overwrite it with one that is generated in a linux system with Openssl. One thing that needs to be known is that private key on the ...

Read more : error: Failed to encode the certificate request in PKCS-10 format - Juniper SRX PKI error | Views : 1090 | Replies : 0

Top
 Post subject: error: error load certid<test> when attempting to import signed certificate in Juniper SRX Firewall
PostPosted: Fri Dec 12, 2014 10:21 am 
Code:
request security pki local-certificate load filename /var/tmp/cert.crt key /var/tmp/priv.key certificate-id test               
error: error load certid<test>


99% of the cases when this error appears in Juniper SRX firewall is when the user attempts to load a public/signed certificate generated with a different private key than the one that SRX is aware of.

In many of these cases, users generate private key on the SRX, then they copy another key file generated on an external system ...

Read more : error: error load certid<test> when attempting to import signed certificate in Juniper SRX Firewall | Views : 2073 | Replies : 0

Top
 Post subject: PKI: How to import OpenSSL private key and public certificate in Juniper SRX
PostPosted: Fri Dec 12, 2014 10:07 am 
PKI: How to import OpenSSL private key and public certificate in Juniper SRX

One of SSL/TLS key/certificate pair usages is for authenticating IPSEC peers. How does it work ?

Each IPsec VPN endpoint posesses a private key and a public certificate. The public certificate was born from a certificate signing request (refered to as "csr" by many people) generated from the public key containing a public modulus.

The steps are:
- using private key with ...

Read more : PKI: How to import OpenSSL private key and public certificate in Juniper SRX | Views : 26536 | Replies : 0

Top
 Post subject: Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity"
PostPosted: Thu Oct 31, 2013 5:00 am 
The Juniper SRX firwewall is performs an IKE Phase 1 identity validation based on the "remote-identity" set for the specific ike gateway.

If upgrading from 10.4 where by default a default identity is used or if the remote host isn't sending one and the SRX, under Junos 11.4, fails to bring up IKE phase 1 due to id validation failure, it can be changed to accept generic ike ID, bypassing IKE ID validation in the ...

Read more : Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity" | Views : 2068 | Replies : 0

Top
 Post subject: Juniper SRX Hub-and-Spoke IPSEC VPN \w HUB behind NAT.
PostPosted: Tue Oct 29, 2013 11:25 am 
Since there are not many scenarios when the HUB is behind NAT, I've created an article that describes situations when two spokes are behind NAT and only one has a static NAT.

Most of the hub-and-spoke ipsec VPN environments have the HUB configured with a public IP address, but sometimes the HUB is behind static NAT (all packets to a public IP address on the NAT device are forwarded to the Ipsec HUB SRX device ...

Read more : Juniper SRX Hub-and-Spoke IPSEC VPN \w HUB behind NAT. | Views : 1310 | Replies : 0

Top
 Post subject: Juniper SRX Spoke-to-Spoke IPSEC VPN \w spokes behind NAT.
PostPosted: Tue Oct 29, 2013 9:22 am 
Juniper SRX Spoke-to-Spoke IPSEC VPN when both spokes are behind NAT.
Attachment:
srx-ipsec-vpn-spoke-behind-nat.png

While researching on the Juniper SRX IPSEC VPN documentation and all the diverse scenarios, I noticed there is no documentation/kb article that describe the situation when one needs to connect two SRX spokes, two endpoints when both of them are behind NAT as in the above test diagram.

As a dependency, one of the spokes needs to be behind ...

Read more : Juniper SRX Spoke-to-Spoke IPSEC VPN \w spokes behind NAT. | Views : 2130 | Replies : 0

Top
 Post subject: Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs
PostPosted: Wed Apr 10, 2013 5:42 am 
While other browsers / OSes support PEM formatted SSL certificates for establishing Ipsec VPN authentication, IOS for Ipad and Iphone support pkcs12 certificate format.


Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs

Step1: Generate SSL private key:
Code:
# openssl genrsa -aes128 -out private/iphone.key 1024


Step2: Create a CSR (Certificate Signing Request) using previous private key:
Code:
# openssl req -days 3650 -out iphone.csr -key private/iphone.key -new


Step3: Sign ...

Read more : Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs | Views : 2949 | Replies : 0

Top
 [ Total topics 12 Go to page 1, 2


Last 10 active topics


Memory, Storage, Backup and Filesystems

No new posts FreeBSD: List disk drives and re-scan after adding hot-add disk (in virtual environments)
View the latest post

Routing and dynamic routing protocols

No new posts JUNOS BGP: How to drain a BGP peering router gracefully without bgp session reset
View the latest post

Apache, Nginx, Lighttpd and other web server software

No new posts NGINX: 413 Request Entity Too Large
View the latest post

System administration

No new posts MAC OS X: read image/jpeg EXIF information on command line
View the latest post

Shell Scripting and Programming

No new posts Shell scripting
View the latest post
No new posts AWK: How to replace a newline with actual \n
View the latest post
No new posts How to use $variable in conditional sentences?
View the latest post
No new posts Scan IP range using nmap
View the latest post

Virtualization

No new posts SSH Login to Vmware ESXi with ssh keys
View the latest post
No new posts How to retrieve Vmware ESXi license from ssh shell command line
View the latest post

Login

Username:   Password:   Log me on automatically each visit  

Statistics

Statistics

Total posts 607 | Total topics 977 | Total members 1193



News News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO