FreeBSD firewall with strongSwan building a site-to-site VPN tunnel – sample

I recently upgraded FreeBSD to version 13 and found that the IPsec site-to-site tunnel between FreeBSD 13 and a Juniper SRX no longer worked. strongSwan is dropping ipsec.conf in favour of swanctl.conf, and moving to the vici-based configuration takes some effort to translate the existing config.

I have attached a quick and dirty sample that builds a policy-based site-to-site IPsec VPN with strongSwan; it needs hardening before production use.
The sample covers the following:
– policy-based VPN
– PSK authentication
– the source VPN termination point is NATted behind an internet gateway
– a dynamic public IP address for the source VPN termination point
– a dynamic IP address for the remote IPsec VPN termination point (the source VPN termination point must resolve the remote endpoint by DNS)
– multiple VPN termination points behind the same source public IP address are allowed
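The list above is the set of constraints a swanctl.conf has to satisfy. The script below is an added example, not the sample attached to the post: it generates a policy-based, PSK-authenticated site-to-site connection for strongSwan on FreeBSD 13 and loads it with swanctl. The connection name, identities (branch.example.net, hub.example.net), subnets and PSK are placeholders. The two constraints that matter most are visible in the output: the local IKE identity is an FQDN rather than an IP address, because the peer only ever sees the NAT gateway's address and several sites may share it, and the peer is given as a hostname so that charon re-resolves it when the remote address changes.

```shell
#!/bin/sh
# Added example (not the post's attached sample): generate and load a
# policy-based, PSK-authenticated site-to-site connection in swanctl.conf
# on FreeBSD 13 with strongSwan from ports.
# Assumptions (placeholders): identities branch.example.net / hub.example.net,
# LANs 192.168.10.0/24 and 10.0.0.0/24; the PSK is passed as an argument.
set -eu

CONF_DIR=/usr/local/etc/swanctl/conf.d   # included by the default swanctl.conf

# Print a swanctl.conf fragment for one site-to-site tunnel.
# $1 connection name   $2 local IKE id (FQDN: our public IP is dynamic and NATted)
# $3 peer hostname (resolved by charon, so the peer's IP may change)
# $4 peer IKE id   $5 local subnet   $6 remote subnet   $7 pre-shared key
gen_swanctl_conf() {
    name=$1; local_id=$2; peer_host=$3; peer_id=$4
    local_ts=$5; remote_ts=$6; psk=$7
    cat <<EOF
connections {
    $name {
        version = 2
        # local_addrs stays at the default %any: the local address is dynamic
        remote_addrs = $peer_host
        # FQDN identities, not IP addresses: behind NAT the peer sees the
        # gateway's address, and several sites may share it
        local {
            auth = psk
            id = fqdn:$local_id
        }
        remote {
            auth = psk
            id = fqdn:$peer_id
        }
        proposals = aes256-sha256-modp2048
        encap = yes          # force UDP encapsulation (NAT-T) on 4500
        keyingtries = 0      # keep retrying after either side's address changes
        dpd_delay = 30s
        children {
            lan {
                # no route-based interface: the traffic selectors become
                # kernel SPD entries, i.e. a policy-based VPN
                local_ts = $local_ts
                remote_ts = $remote_ts
                esp_proposals = aes256-sha256-modp2048
                start_action = start
                dpd_action = restart   # re-resolve the peer and re-initiate
                rekey_time = 1h
            }
        }
    }
}
secrets {
    ike-$name {
        id-1 = fqdn:$local_id
        id-2 = fqdn:$peer_id
        secret = "$psk"
    }
}
EOF
}

# Write the fragment (mode 0600, it holds the PSK), enable strongSwan and load it.
install_conf() {
    kldload -n ipsec                     # GENERIC has IPSEC_SUPPORT; load ipsec.ko
    sysrc strongswan_enable=YES >/dev/null
    mkdir -p "$CONF_DIR"
    umask 077
    gen_swanctl_conf "$@" > "$CONF_DIR/$1.conf"
    service strongswan restart
    swanctl --load-all
    swanctl --list-sas
}

case "${1:-}" in
    install) shift; install_conf "$@" ;;
esac
```

Usage: `./site.sh install hub branch.example.net hub.example.net hub.example.net 192.168.10.0/24 10.0.0.0/24 'the-psk'`. The SRX side must use the same FQDN identities and accept this peer as a dynamic gateway, since it cannot match on our address; that configuration is not shown here.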


Install FreeBSD into a headless machine using serial console cable

I received a Check Point firewall appliance with 2 GB of RAM and an Intel Atom D525 CPU and was thinking about what I could do with it. That is when I started a project that had been on my mind for a long time: using FreeBSD as a firewall.

The main reason for using FreeBSD is that I want to use it as a bandwidth control device, so I set up the FreeBSD firewall first before getting into bandwidth control. Long story short, let's dive into the headless FreeBSD installation.


Convert Cisco FTD to ASA firmware

The Cisco firewall ships with the FTD (Firepower Threat Defense) image by default, and there are several reasons for running the ASA image on these newer Cisco firewalls instead. I have attached the steps to make the firewall run the ASA image by re-imaging it.

The same procedure works in the other direction, to change from the ASA image to FTD.


Hping3 – Simulated packet flood attacks on Linux (Chinese-language version)

When testing a firewall's DoS and session-limiting capability, there is a Linux program called hping3 that can generate simulated packet floods. It can generate a small packet flood while still keeping at least 50% of the CPU available for management.

If we need to test the session limit or threshold for a SYN flood toward a web server's port 80, we can use the command below.


Recovering an FTP password with tcpdump

I always keep the files I use often on my FTP server, and at the same time I save the password in the FTP client on my laptop. So when I need to log in to my FTP server from another computer, I find myself asking "Hmm... what is my password?"
Since FTP runs in plain text, there is no encryption at all. So I will use tcpdump to recover my password. My username and password are both "everyone".
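Since FTP sends USER and PASS in the clear, a capture filter on the first four payload bytes is enough to pull the login out of the wire. The script below is an added example, not the post's own command: it carries the BPF filter for USER/PASS commands, a small parser that pairs each USER with the PASS that follows it on `tcpdump -A` output, and a constructed sample capture (not a real trace) using the post's "everyone" credentials. The interface name em0 is a placeholder.

```shell
#!/bin/sh
# Added example (not the post's own command): capture FTP USER/PASS commands
# with tcpdump and pull the credential pairs out of the output.
# Assumptions: interface em0 is a placeholder; the sample capture below is
# constructed, not a real trace.
set -eu

# BPF filter for TCP payloads beginning with "USER" (0x55534552) or "PASS"
# (0x50415353); the offset expression skips the variable-length TCP header.
FTP_LOGIN_FILTER='tcp port 21 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x55534552 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x50415353)'

# Pair each USER with the next PASS and print user:password.
# Works on `tcpdump -A` text: the payload may share a line with header bytes
# rendered as dots, and FTP command lines end in CR LF.
extract_ftp_creds() {
    awk '
        { sub(/\r$/, "") }
        match($0, /USER [^ ]+/) { user = substr($0, RSTART + 5, RLENGTH - 5) }
        match($0, /PASS [^ ]+/) {
            if (user != "") {
                print user ":" substr($0, RSTART + 5, RLENGTH - 5)
                user = ""
            }
        }
    '
}

# Live capture: -A prints payload as ASCII, -s 0 keeps whole packets,
# -l line-buffers so the pipe sees each login as it happens.
capture_ftp_logins() {
    iface=$1
    tcpdump -i "$iface" -n -l -A -s 0 "$FTP_LOGIN_FILTER" 2>/dev/null | extract_ftp_creds
}

# Constructed sample of what `tcpdump -A` prints for one login (not a real capture).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.51234 > 192.168.1.20.21: Flags [P.], seq 1:16, ack 1, win 1024, length 15
E..7..@.@.....USER everyone
12:00:01.000200 IP 192.168.1.20.21 > 192.168.1.10.51234: Flags [P.], seq 1:35, ack 16, win 1024, length 34
E..J..@.@.....331 Password required for everyone.
12:00:02.000001 IP 192.168.1.10.51234 > 192.168.1.20.21: Flags [P.], seq 16:31, ack 35, win 1024, length 15
E..7..@.@.....PASS everyone
12:00:02.000300 IP 192.168.1.20.21 > 192.168.1.10.51234: Flags [P.], seq 35:58, ack 31, win 1024, length 23
E..?..@.@.....230 User logged in.
EOF
}

case "${1:-}" in
    demo) sample_capture | extract_ftp_creds ;;
    live) capture_ftp_logins "$2" ;;
esac
```

`./ftpcreds.sh demo` prints `everyone:everyone`; `./ftpcreds.sh live em0` does the same against real traffic and needs root. The same one-liner works for anyone else on the path, which is the argument for moving the server to SFTP or FTPS.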


Hping3 – Flooding simulation with Linux

When testing a firewall's ability to withstand DoS traffic and enforce session limits, there is a Linux program called hping3 that can produce the flood. It can generate a small packet flood while still keeping at least 50% of the CPU free for management.
If we need to test the session limit or threshold for a SYN flood toward a web server's port 80, we can use the command below.
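The excerpt above and its Chinese-language counterpart both describe the same SYN test; the script below is an added example, not the command from either post. It sends SYNs at a fixed rate (hping3's `-i uN` interval rather than `--flood`, which is what keeps CPU free for management) and counts the SYN/ACK replies with tcpdump, so the firewall's threshold is measured as the gap between sent and answered instead of being guessed. The target, port and interface are placeholders; hping3 and tcpdump must be installed and the script run as root.

```shell
#!/bin/sh
# Added example (not the post's command): a rate-limited SYN test for a
# firewall's session threshold, with a reply counter so the threshold can
# be measured. Assumptions: hping3 and tcpdump installed, run as root;
# target/port/interface are placeholders.
set -eu

# hping3 takes its send interval as -i uN (N microseconds). --flood would
# saturate the test host; a fixed rate keeps it responsive and reproducible.
pps_to_interval() {
    pps=$1
    [ "$pps" -gt 0 ] || { echo "pps must be > 0" >&2; return 1; }
    echo "u$((1000000 / pps))"
}

# Count SYN/ACK lines in tcpdump's default one-line output ("Flags [S.]").
count_synack() {
    grep -c 'Flags \[S\.\]' || true
}

# Send $count SYNs at $pps toward $target:$port and report how many were
# answered. A firewall session limit shows up as replies < sent.
run_syn_test() {
    target=$1; port=$2; pps=$3; count=$4; iface=$5
    interval=$(pps_to_interval "$pps")
    tmp=$(mktemp)
    tcpdump -i "$iface" -n -l \
        "src host $target and src port $port and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)" \
        > "$tmp" 2>/dev/null &
    tdpid=$!
    sleep 1                                   # let tcpdump attach
    hping3 -S -p "$port" -i "$interval" -c "$count" "$target" >/dev/null 2>&1 || true
    sleep 2                                   # drain late replies
    kill "$tdpid" 2>/dev/null || true
    replies=$(count_synack < "$tmp")
    rm -f "$tmp"
    echo "sent=$count pps=$pps replies=$replies unanswered=$((count - replies))"
}

case "${1:-}" in
    run) run_syn_test "$2" "$3" "$4" "$5" "$6" ;;
esac
```

`./syn-test.sh run 203.0.113.10 80 200 1000 em0` sends 1000 SYNs at 200 per second; raise the rate until unanswered climbs above zero and you have the threshold. For a per-source limit add `--rand-source` to the hping3 line, but then replies go to the spoofed addresses and the count has to be read on the firewall itself.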


IPv6 over IPv4 in SRX

IPv6 is another upcoming trend on the internet. Since most ISPs do not provide IPv6 service, how do we enjoy or experience the benefits of IPv6?
There are IPv6 tunnel brokers on the internet that let us run IPv6 over the existing IPv4 service, such as Hurricane Electric and HiNet.
Their websites already include sample setup guides, but those guides make the SRX route IPv6 packets without the ability to apply security-policy restrictions. So I will attach mine as a reference for using IPv6 in flow mode.
[diagram: SRX-IPIP]

MPLS VPN – Option C – using BGP label exchange with Cisco and Junos – part 1

It has been a while since I did any labs after getting a new job. This time I will be building an NNI using inter-AS Option C with both Cisco IOS and Juniper MX. I am writing this because I could not find many resources on the internet about inter-AS connections using two different vendors' software at the same time. I hope this is useful for anyone having the same struggle as I did.
(the AS numbers below are randomly picked!!)
[diagram: lab-testing-mpls]
Based on the lab diagram (I don't feel like cropping it), the internal VPN service is already running and each AS runs OSPF and LDP for MPLS internally; I will connect AS5052 (the green area in the middle) and AS7077 (the orange area at the bottom) over NNIs to extend the MPLS VPN services.