Junos OS

  • 1.  host-inbound-traffic IKE

    Posted 01-04-2022 05:26
    Hello,
    I'm playing with an SRX300 and I didn't find this in the guides, so...
    I want to have interface ge-0/0/3 in the Untrusted security zone (exposed to the internet).
    For this security zone, I've set host-inbound-traffic system-services ike.
    From a security perspective, I want to have a whitelist for this 'ike' service, so only my "home office" public IP is able to access and connect via IPsec.
    On the other hand, I wish to disable potential port scanning from getting a response for that (e.g. isakmp) service.
    My goal is to have an ike service that will only reply when packets come in from my "home office" public IP.

    I hope I explained enough what I wish to achieve.

    Thank you.

    ------------------------------
    VM
    ------------------------------


  • 2.  RE: host-inbound-traffic IKE

    Posted 01-04-2022 05:38
    The addition of the host inbound traffic alone is just for the protocol itself without any restrictions on the connections further than the protocol itself.

    You can add the further restrictions you want using security policies for the default junos-host zone assigned to self traffic, as outlined in this KB article.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24227

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: host-inbound-traffic IKE

    Posted 01-05-2022 09:02
    Based on the KB article from the link you gave me, I did some modifications, but I'm not sure about the applications IKE and IKE-NAT. Would this be enough to limit access to IKE (500 or 4500) to only the My_Public_IP addresses, or would port 500 still show up on an nmap scan from anywhere on the internet?

    policies {
        from-zone Untrust to-zone junos-host {
            policy selfpolicy {
                match {
                    source-address [ My_Public_IP_1 My_Public_IP_2 ];
                    destination-address any;
                    application [ IKE IKE-NAT ];
                }
                then {
                    permit;
                }
            }
        }
    }



    Thank you.


    ------------------------------
    Vedran Milicevic
    ------------------------------



  • 4.  RE: host-inbound-traffic IKE

    Posted 01-09-2022 06:04
    You also need the second policy called out in the KB article, after the first one, to deny all other IP addresses on these application ports.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: host-inbound-traffic IKE

    Posted 01-10-2022 06:33
    Gotcha. Thank you.
    I've added deny-all and fixed the Junos application names. I guess this should work now. Will give it a try and get back if I bump into issues.

    policies {
        from-zone test to-zone junos-host {
            policy selfpolicy {
                match {
                    source-address [ My_Public_IP_1 My_Public_IP_2 ];
                    destination-address any;
                    application [ junos-ike junos-ike-nat ];
                }
                then {
                    permit;
                }
            }
            policy denyall {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }


    ------------------------------
    Vedran Milicevic
    ------------------------------
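The pieces the thread settles on, assembled into one complete zone-plus-policy configuration as an added example (not taken from any post or from the KB article): the zone only opens IKE as a host-inbound service, the address-book entries give the permit policy something to match, and an explicit catch-all denies every other source before reaching the device itself. The interface unit, the policy names and the two addresses (taken from the RFC 5737 documentation range) are assumptions. The catch-all uses deny rather than the thread's reject because deny drops silently, whereas reject answers UDP with an ICMP port-unreachable, which is exactly the response the original question wants to avoid giving to a scanner.

```junos
security {
    zones {
        security-zone Untrust {
            /* constructed addresses: replace with the real home-office IPs */
            address-book {
                address My_Public_IP_1 203.0.113.10/32;
                address My_Public_IP_2 203.0.113.11/32;
            }
            interfaces {
                ge-0/0/3.0 {
                    /* only IKE is offered to the zone at all; no ping, ssh, etc. */
                    host-inbound-traffic {
                        system-services {
                            ike;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* junos-host is the built-in zone for traffic destined to the SRX itself */
        from-zone Untrust to-zone junos-host {
            policy allow-ike-from-home {
                match {
                    source-address [ My_Public_IP_1 My_Public_IP_2 ];
                    destination-address any;
                    /* predefined applications: UDP/500 and UDP/4500 */
                    application [ junos-ike junos-ike-nat ];
                }
                then {
                    permit;
                }
            }
            /* must come after the permit: policies are evaluated top-down */
            policy deny-other-self-traffic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

After committing, `show security policies from-zone Untrust to-zone junos-host` confirms the ordering, and the session-init log on the deny policy shows any probe from an unlisted source that reached the policy.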