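# Notes are written as shell comments (#) so these lines can be pasted as-is; the former
# "!! note" suffix was passed to the command as extra arguments, and "!!" is history
# expansion in an interactive bash session.
more /igateway/policy/current/ham  # View the firewall's current HA (high-availability) status
grep -i -- "failover" /var/log/messages  # Search the system log for failover events (case-insensitive)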

[ # ]

# Dump the firewall state (an appliance-specific tool; the names /igateway and iss-* elsewhere
# on this page suggest an IBM ISS appliance). Output format is not shown here — run it once on
# a non-production box to see what it emits before relying on it.
firewall-dump

[ # ]

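# Update workflow: find, download, install. The notes are shell comments (#) rather than a
# "!! note" suffix, which the shell would otherwise pass to update-control as arguments.
# Review what -f reports before downloading, and confirm the update source is the vendor's
# before installing; these steps are unverified (see the note below).
update-control -f  # Find (check for) available updates
update-control -d  # Download the update found
update-control -i fw  # Install the downloaded update ("fw" presumably selects the firewall target — confirm on the appliance)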

Notes:

  • These update-control steps are unverified; try them on a non-production appliance first and confirm the update source before installing.

[ # ]

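# Ask the iss-spa service (presumably the SiteProtector agent) for an immediate heartbeat, then
# follow the system log for configuration, agent and error messages. grep -E replaces the
# deprecated egrep alias; -i makes the match case-insensitive. The ';' means tail runs even if
# the heartbeat command fails, so check its exit status if the log stays quiet. Stop with Ctrl-C.
service iss-spa doheartbeat; tail -f /var/log/messages | grep -Ei 'cfg|iss-spa|error'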

[ # ]

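# License inspection and manual install. Notes are shell comments (#) so the lines paste
# cleanly; the former "!! note" suffix would have been passed to the command as arguments.
issasApache -a si  # View installed licenses; a 'true' next to a date means that license has expired
iss-licinst --licfile "<filename>.isslicense"  # Manually install/update a license from a file (quoted: the placeholder's '<' is otherwise a redirection)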

Notes:

  • A value of 'true' next to a date means that license has expired

[ # ]

# Set an interface address on the running system. This is a runtime change only (it is
# typically not persistent across a reboot) and it does not update the SiteProtector-managed
# configuration, so a later policy push may revert it. If <interface> carries your SSH
# session, the session will drop.
ifconfig <interface> <ip> netmask <netmask> up

Notes:

  • Useful for changing an interface IP on the running system without going through SiteProtector; the change is not recorded in the SiteProtector-managed configuration, so it may be reverted by the next policy push

[ # ]

# Download a hotfix package (-c resumes a partial download) and install it.
# NOTE(review): nothing here verifies the package. Check the vendor-published checksum or
# signature for <file>.pkg before running hotfix-install, and do not disable TLS certificate
# validation on the download (no --no-check-certificate).
wget -c https://<url>/<file>.pkg
hotfix-install <file>.pkg

[ # ]

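# Search the policy store for a network object or a firewall rule. grep reads the files
# directly instead of 'cat ... | grep'; -h suppresses the filename prefix so the output
# matches the former form, and '--' protects a pattern that starts with '-'. The
# placeholders are quoted so a multi-word pattern is passed as one argument.
grep -h -- "<object name>" /etc/crm/policies/cml/NetworkObjects/*
grep -h -- "<rule specifics>" /etc/crm/policies/cml/NetworkProtector/fwm/*
more /igateway/policy/current/ham  # Firewall's current failover status (same file as the HA check above)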

[ # ]

SUMMARY: This article explains how to use multiple traffic selectors on a route-based VPN. A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel only if the traffic matches a specified pair of local and remote addresses. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA.

Note: Support for multiple traffic selectors on a route-based VPN was introduced in Junos OS Release 12.1X46; see the Junos OS 12.1X46 Release Notes.

PROBLEM OR GOAL: If you want to establish a VPN to two or more remote private networks, you must dedicate a VPN to each such network. In releases earlier than Junos OS Release 12.1X46, you had to create a separate st0 interface for each remote private network on a route-based VPN; and for a policy-based VPN, you had to create a separate security policy with a tunnel binding that named each remote private network as the destination. The configuration effort therefore grew significantly with every additional VPN. This article provides an alternative that avoids this situation.

SOLUTION:

Topology:

Local SRX: 2.2.2.2

Local Networks: 10.1.0.0/16 10.2.0.0/16

VPN Peer: 3.3.3.3

Remote Networks: 192.168.1.0/24 192.168.2.0/24

Note: 2.2.2.2 and 3.3.3.3 are publicly routable addresses used here only as placeholders for the two gateways; substitute your real gateway addresses (or RFC 5737 documentation addresses in write-ups).

Define multiple subnets using a single route-based VPN:

/* Route-based VPN with two traffic selectors on one st0 interface (Junos 12.1X46+). */
/* Addresses are placeholders from the topology above. The NOTE(review) remarks mark */
/* settings a reviewer would tighten before reusing this sample in production. */
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                /* External (untrust) interface; the IKE gateway below binds to it */
                address 2.2.2.2/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                /* NOTE(review): 10.1.0.0 is the network address of the /16; a host */
                /* address such as 10.1.0.1/16 is presumably intended -- confirm */
                address 10.1.0.0/16;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                /* NOTE(review): same remark, 10.2.0.0 is the network address */
                address 10.2.0.0/16;
            }
        }
    }
    st0 {
        unit 0 {
            /* Single secure-tunnel interface shared by both traffic selectors */
            family inet;
        }
    }
}
routing-options {
    static {
        /* NOTE(review): this route is not part of the topology above -- confirm it is needed */
        route 172.27.199.0/24 next-hop 172.27.201.3;
        /* Reach the VPN peer through the untrust next hop */
        route 3.3.3.0/24 next-hop 2.2.2.1;
        /* Remote networks are routed into st0.0; the traffic selectors below decide */
        /* which IPsec SA carries each flow */
        route 192.168.1.0/24 next-hop st0.0;
        route 192.168.2.0/24 next-hop st0.0;
    }
}
security {
    ike {
        policy p1 {
            mode main;
            /* NOTE(review): proposal-set standard negotiated 3des-cbc/hmac-sha1-96 in the */
            /* verification output below. Prefer an explicit proposal with AES and SHA-2 */
            /* and a DH group of 14 or higher; IKEv1 is used here (see "Version: IKEv1") */
            proposal-set standard;
            /* "KEY" is a placeholder; use a long, random pre-shared key */
            pre-shared-key ascii-text "KEY"; ## SECRET-DATA
        }
        gateway g1 {
            ike-policy p1;
            address 3.3.3.3;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        policy p1 {
            /* NOTE(review): same remark as the IKE proposal set (ESP 3des/sha1 was */
            /* negotiated), and no perfect-forward-secrecy is configured here */
            proposal-set standard;
        }
        vpn v1 {
            bind-interface st0.0;
            ike {
                gateway g1;
                ipsec-policy p1;
            }
            /* One IPsec SA pair (inbound + outbound) is negotiated per traffic selector; */
            /* only traffic matching a selector's local/remote pair is carried by its SA */
            traffic-selector t1 {
                local-ip 10.1.0.0/16;
                remote-ip 192.168.1.0/24;
            }
            traffic-selector t2 {
                local-ip 10.2.0.0/16;
                remote-ip 192.168.2.0/24;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        /* NOTE(review): both directions permit any/any/any. The traffic selectors limit */
        /* what enters the tunnel, not what the firewall allows between zones; restrict */
        /* source/destination to the selector networks and the applications needed */
        from-zone trust to-zone vpn {
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.0;
                fe-0/0/2.0;
            }
        }
        security-zone untrust {
            /* NOTE(review): "system-services all" and "protocols all" on the Internet-facing */
            /* interface expose every management service to the untrust side. Only ike */
            /* (and optionally ping) is needed for this VPN */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
        security-zone vpn {
            /* NOTE(review): the peer's networks can reach all management services via */
            /* st0.0 with these settings; limit them to what the remote side requires */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Verify each traffic selector:

[edit]
root@100-5# run show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
8262    UP     708f2fb601773e78  43cde54a81b6fd58  Main           3.3.3.3         

[edit]
root@100-5# run show security ipsec sa 
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <268173314 ESP:3des/sha1 fa00cf7f 3476/ unlim -  root 500   3.3.3.3         
  >268173314 ESP:3des/sha1 726f8591 3476/ unlim -  root 500   3.3.3.3         
  <268173313 ESP:3des/sha1 69385788 3501/ unlim -  root 500   3.3.3.3         
  >268173313 ESP:3des/sha1 4897cca3 3501/ unlim -  root 500   3.3.3.3         

Two SAs (one inbound, one outbound) are listed per traffic selector, four SPIs in total. Note that "proposal-set standard" negotiated ESP 3des/sha1 here; treat that as a legacy transform and configure explicit AES/SHA-2 proposals in production.

root@100-5# run show security ipsec security-associations detail 
  ID: 268173314 Virtual-system: root, VPN Name: v1
  Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
  Traffic Selector Name: t1 <<<<<<<<<<<<<<<<<<<< corresponding traffic selector
  Local Identity: ipv4(10.1.0.0-10.1.255.255)
  Remote Identity: ipv4(192.168.1.0-192.168.1.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: fa00cf7f, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3469 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2905 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 726f8591, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3469 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2905 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173313 Virtual-system: root, VPN Name: v1
  Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
  Traffic Selector Name: t2 <<<<<<<<<<<<<<<<<<<< corresponding traffic selector
  Local Identity: ipv4(10.2.0.0-10.2.255.255)
  Remote Identity: ipv4(192.168.2.0-192.168.2.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 69385788, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3494 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2892 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 4897cca3, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3494 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2892 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

[ # ]

set interface "tunnel.<#>" ip unnumbered interface <outgoing-interface>  !! If not using NHTB routes
set interface "tunnel.<#>" ip <ip>/<cidr>  !! If an NHTB route is needed - use an otherwise-unused private address (for example 172.16.255.1/25); the NHTB gateway address used below must be on this subnet
set interface "tunnel.<#>" zone "<zone>"
set interface "tunnel.<#>" mip <Mapped-IP> host <real-ip> netmask 255.255.255.255 vr "trust-vr"  !! If Needed

set ike p1-proposal "pre-g2-aes265-sha" preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal "nopfs-esp-aes256-sha" no-pfs esp aes256 sha-1 second 28800

set ike gateway "<gateway-name>" address <gateway-ip> Main outgoing-interface "<outgoing-interface>" preshare "<psk>" proposal "<p1-proposal>"
set vpn "<vpn_name-#>" gateway "<gateway-name>" no-replay tunnel idletime 0 proposal "<p2-proposal>" 
set vpn "<vpn_name-#>" bind interface tunnel.<#>
set vpn "<vpn_name-#>" proxy-id local-ip <ip/cidr> remote-ip <ip/cidr> "ANY"   !! Only necessary if you NEED to define proxy-ids, for instance to Cisco devices

!! Create the security rules as 'accept' rules

set route <remote-ip/cidr> interface tunnel.<#>  !! Without NHTB

set interface tunnel.<#> nhtb <IP-on-tunnel-interface-network> vpn "<vpn_name-1>"  !! With NHTB
set route <remote-ip/cidr> interface tunnel.<#> gateway <nhtb-ip>  !! With NHTB

Notes:

  • Rules should use the accept action
  • Create more VPNs (like vpn_name-1) for each proxy-id combination needed
  • NHTB routes are necessary if binding multiple VPNs to the same tunnel interface (for instance, when multiple proxy-IDs are required)
  • The sample proposals above are weak by current standards: group2 is 1024-bit DH and sha-1 is a deprecated hash (p1), and the p2 proposal uses no-pfs, so without PFS the phase-2 keys derive from the phase-1 keying material and compromise of the phase-1 secret exposes the data keys. Prefer a larger DH group, SHA-2 and PFS where the peer supports them.
  • no-replay on the "set vpn" line disables IPsec anti-replay protection; leave replay protection enabled unless the peer demonstrably requires it off
  • The p1 proposal name "pre-g2-aes265-sha" contains a typo (aes265); the cipher argument is aes256, so the name is cosmetic, but rename it to avoid confusion

Documentation

[ # ]