Juniper SSG VPN with FIPS

Time for my tale of configuring a pair of Juniper SSG routers to use FIPS mode and create a point-to-point VPN (see my other post for the background on this).

First, I found a good resource and you should get it also:

Concepts & Examples ScreenOS Reference Guide
Volume 5: Virtual Private Networks
Release 6.1.0, Rev. 01
Chapter 4: Site-to-Site Virtual Private Networks
“Route-Based Site-to-Site VPN, AutoKey IKE” on page 96

NOTE: ScreenOS 5.4.0r4 is the only version that is FIPS certified. ScreenOS 6.1 supports FIPS mode but has not been tested by NIST.

You must use a console cable to configure the routers, because FIPS mode disables Telnet and HTTP management.

To keep this post short and readable, I’ll have to ask you to refer to the “Route-Based Site-to-Site VPN, AutoKey IKE” section on page 96 of the resource listed above.

The first order of business is to upgrade or downgrade ScreenOS if desired. Use a TFTP server to load the ScreenOS image.

Next, FIPS mode checksums the ScreenOS image at every boot, so you must install the Authentication Certificate from http://www.juniper.net/techpubs/software/screenos/mibs.html on the router, again via TFTP:
save image-key tftp tftp_srv_ip_addr imagekey.cer from bgroup0

Then enable FIPS mode:
set FIPS-mode enable

The device will reboot and erase the configuration.

Configure the basic administration and interface information. Change the admin account’s name and password. In FIPS mode the password must contain upper-case, lower-case, numeric and punctuation characters.

The most important part is configuring the VPN with a preshared key.
First, we have to define our own Phase 1 proposal, because FIPS mode deleted the predefined ones (it requires a more stringent Phase 1). Use Group 5, ESP, Triple DES and SHA-1:
set ike p1-proposal pre-g5-esp-3des-sha-1 group5 esp 3des sha-1

Assign the Phase 1 proposal to the remote gateway. Put in your remote gateway’s IP address. h1p8A24nG5 is my preshared key. This is a long command.
set ike gateway To_Remote address remote_ip_addr main outgoing-interface ethernet0/0 preshare h1p8A24nG5 proposal pre-g5-esp-3des-sha-1

Next, the Phase 2 proposal:
set ike p2-proposal g5-esp-3des-sha-1 group5 esp 3des sha-1

Set up the VPN tunnel with our Phase 2 proposal and bind it to a tunnel interface (these are 2 commands):
set vpn New_Tunnel gateway To_Remote proposal g5-esp-3des-sha-1
set vpn New_Tunnel bind interface tunnel.1

Define the proxy IDs, the subnets at each end of the tunnel (192.168.1.0/24 is local, 192.168.2.0/24 is remote):
set vpn New_Tunnel proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.2.0/24 any

Set up a route to the other network:
set vrouter trust-vr route 192.168.2.0/24 interface tunnel.1

Define names for your LANs:
set address "Trust" Local_LAN 192.168.1.0/24
set address "Untrust" Remote_Office 192.168.2.0/24

And then set up policies to allow the traffic (these are 2 lines):
set policy top name "To Remote" from "Trust" to "Untrust" Local_LAN Remote_Office any permit
set policy top name "From Remote" from "Untrust" to "Trust" Remote_Office Local_LAN any permit

save
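The commands above are the local side only; the remote SSG needs the mirror image, with the proxy-id subnets swapped and the same proposal names, since FIPS mode removed the predefined proposals on both boxes. The script below is an added example, not from the original post: it emits both peers' command sets using the syntax shown above and checks that they mirror each other, and it also checks a candidate admin password against the four-character-class rule stated earlier. Peer names, the public IPs (documentation ranges) and the preshared key are constructed placeholders.

```python
"""Mirrored ScreenOS site-to-site VPN configs for both peers.

Added example, not from the original post. It reproduces the command syntax
the post uses so that the two sides come out as exact mirrors (each peer's
proxy-id local subnet is the other peer's remote subnet, and both define the
same Phase 1 and Phase 2 proposal names). Peer names, public IPs and the
preshared key are constructed placeholders.
"""
from __future__ import annotations

import string
from dataclasses import dataclass

# Proposal names from the post; FIPS mode removed the predefined ones, so
# both peers must define identical ones themselves.
P1_PROPOSAL = "pre-g5-esp-3des-sha-1"
P2_PROPOSAL = "g5-esp-3des-sha-1"


def meets_fips_password_rule(secret: str) -> bool:
    """The post's admin-password rule: upper, lower, number and punctuation all present."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return all(any(ch in cls for ch in secret) for cls in classes)


@dataclass(frozen=True)
class Peer:
    name: str                 # short label used to build object names
    public_ip: str            # address of this peer's outgoing (untrust) interface
    lan: str                  # protected subnet behind this peer, CIDR
    outgoing_interface: str = "ethernet0/0"


def vpn_commands(local: Peer, remote: Peer, psk: str) -> list[str]:
    """Commands to type on `local` so it builds a route-based tunnel to `remote`."""
    gateway = f"To_{remote.name}"
    tunnel = f"{remote.name}_Tunnel"
    local_addr = f"{local.name}_LAN"
    remote_addr = f"{remote.name}_LAN"
    return [
        f"set ike p1-proposal {P1_PROPOSAL} group5 esp 3des sha-1",
        f"set ike gateway {gateway} address {remote.public_ip} main "
        f"outgoing-interface {local.outgoing_interface} preshare {psk} proposal {P1_PROPOSAL}",
        f"set ike p2-proposal {P2_PROPOSAL} group5 esp 3des sha-1",
        f"set vpn {tunnel} gateway {gateway} proposal {P2_PROPOSAL}",
        f"set vpn {tunnel} bind interface tunnel.1",
        # proxy-id: this side's own subnet is local-ip, the far side's is remote-ip
        f"set vpn {tunnel} proxy-id local-ip {local.lan} remote-ip {remote.lan} any",
        f"set vrouter trust-vr route {remote.lan} interface tunnel.1",
        f'set address "Trust" {local_addr} {local.lan}',
        f'set address "Untrust" {remote_addr} {remote.lan}',
        f'set policy top name "To {remote.name}" from "Trust" to "Untrust" '
        f"{local_addr} {remote_addr} any permit",
        f'set policy top name "From {remote.name}" from "Untrust" to "Trust" '
        f"{remote_addr} {local_addr} any permit",
        "save",
    ]


def _proxy_id(cmds: list[str]) -> tuple[str, str]:
    """Return (local-ip, remote-ip) from the proxy-id command in a config."""
    for cmd in cmds:
        parts = cmd.split()
        if parts[:2] == ["set", "vpn"] and "proxy-id" in parts:
            return parts[parts.index("local-ip") + 1], parts[parts.index("remote-ip") + 1]
    raise ValueError("no proxy-id command found")


def _proposals(cmds: list[str]) -> set[str]:
    """Names of every Phase 1 / Phase 2 proposal a config defines."""
    return {p[3] for p in (c.split() for c in cmds)
            if p[:2] == ["set", "ike"] and p[2] in ("p1-proposal", "p2-proposal")}


def configs_mirror(cmds_a: list[str], cmds_b: list[str]) -> bool:
    """True when the peers' proxy-ids are swapped copies and their proposal names match.

    A proxy-id or proposal mismatch is a common reason Phase 2 never comes up
    even though each side looks right on its own.
    """
    a_local, a_remote = _proxy_id(cmds_a)
    b_local, b_remote = _proxy_id(cmds_b)
    return (a_local == b_remote and a_remote == b_local
            and _proposals(cmds_a) == _proposals(cmds_b))


if __name__ == "__main__":
    # Constructed peers using documentation address ranges.
    hq = Peer("HQ", "203.0.113.10", "192.168.1.0/24")
    branch = Peer("Branch", "198.51.100.20", "192.168.2.0/24")
    psk = "Constructed-PSK-2024"  # placeholder; use a unique random key per tunnel
    hq_side = vpn_commands(hq, branch, psk)
    branch_side = vpn_commands(branch, hq, psk)
    assert configs_mirror(hq_side, branch_side)
    print("\n".join(hq_side))
```

Run it once per pair of peers and paste each side's output into the corresponding console session; the mirror check catches the swapped-subnet mistake before you are staring at a tunnel that refuses to negotiate.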

This should help you get a VPN tunnel setup on your FIPS mode Juniper. If you have any questions, leave a comment, and I’ll get back with you.

Happy networking!


SAN Switch Configuration Made Easy

Well, I’m still on the same project, cutting through the jungle of new and mysterious technologies. Today, I find myself face to face with an HP StorageWorks 4/16 Brocade SAN switch. This switch is a Storage Area Network switch with 16 4 Gb Fibre Channel ports.

I’ve not worked with SAN switches before, so when I set this up the first time, I used the defaults from the “Easy” Set-up. Little did I know it wasn’t easy.

But first some background on SAN switches. They work like Ethernet switches, directing data, but use different terms for familiar concepts. The switches have a WWN – World Wide Number, a MAC address for the switch. (In fact, the last digits of the WWN were the same as the MAC for the Ethernet management port.) The server’s fibre ports have a WWPN – World Wide Port Number. It’s like a MAC address for the Fibre Channel port. The SAN uses Zones, which are just like VLANs in that they isolate segments of traffic, and devices must be in the same Zone to communicate.

Thus my problem. I configured the default, ‘typical’ settings, and the switch put each port in its own zone. Therefore, the servers could not see the storage array (NetApp Filer). After the client’s expert looked at the Filer, server and switch configurations and couldn’t figure out why it was not working, I started doing research and found out about the zone issue. I guess they default to the most secure configuration when you don’t know to change things. 😦

Correcting the ‘every port a zone’ issue is easy, once you know the why and how. First bring up the web interface for the switch and go to Zone Admin. Near the top of that page is a button to “Clear Config”. Click it and clear the Zone configuration. Then click the tab for Zones and create a new zone. At this point the window on the right shows all of your Ports and WWPNs and the left is empty. Select all of your ports and WWPNs and click “Add >>”. Now all of your ports and devices are in the same zone and they can all share data. If you need to segment your SAN network, then create multiple zones and ‘Add’ accordingly.

Once you’re done adding the ports and devices, click Save Config to save your configuration.
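The same zoning change from the switch’s command line, as an added example that is not from the original post. The HP StorageWorks 4/16 is a Brocade switch running Fabric OS, whose zoning commands are used below; the zone name, configuration name and WWPNs are constructed placeholders. Rather than one zone holding every port, it follows the “multiple zones” option mentioned above: each server port is zoned only with the filer port it needs, so a server cannot see another server’s storage paths.

```text
# See what the "Easy" setup left behind (defined and effective zone configs)
cfgshow

# Clear the defined zone configuration, as the GUI's "Clear Config" button does
cfgclear

# One zone per server initiator, each paired with the filer target port
# (constructed WWPNs; substitute the ones shown in Zone Admin)
zonecreate "Z_SERVER1_FILER", "10:00:00:00:c9:11:11:11; 50:0a:09:80:aa:aa:aa:aa"
zonecreate "Z_SERVER2_FILER", "10:00:00:00:c9:22:22:22; 50:0a:09:80:aa:aa:aa:aa"

# Group the zones into a configuration, save it, then make it the active one
cfgcreate "PROD_CFG", "Z_SERVER1_FILER; Z_SERVER2_FILER"
cfgsave
cfgenable "PROD_CFG"

# Confirm the effective configuration now contains both zones
zoneshow
```

cfgsave writes the defined configuration to the switch; cfgenable is what actually activates it, and until it runs the servers will still not see the filer.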

Ta Da! You now have a working SAN Switch!

I had 3 techs waiting for this to be fixed, so I was a hero. Network Jones saves the day!

-=-=-=-=-=-

BTW – I’m still working on the Juniper config posting. I hope to have it up this weekend.