Recovery Plan.md

File metadata and controls

891 lines (440 loc) · 26.7 KB

Recovery documentation

Project network

Group 5

Autumn 2016

Lillebaelt Academy of University of applied sciences

IT Technology

Authors: Milan Vince: [email protected]

Kevin Herhold Larsen: [email protected]

Rickie Ljungberg: [email protected]

Michal Skórczewski: [email protected]

  1. Introduction

This document describes the steps to create the "Project Network", which has:

• 1 client
• 2 routers (internal + external)
• 2 servers (WEB and DNS server)

You will not be able to follow the guideline if you do not have VMware Workstation Pro 12 installed. Click the link to get to the homepage and start the download by clicking "Downloads" on the left side and choosing your OS.

  2. Overview

• Files which are needed
• Layer 3 Diagram
• VMware booting problems with the routers
• How to create virtual machines and install
• Basic configuration of the routers
• Installation of the devices (e.g. Web Server)
• Setting up DHCP
• Setting up SSH for Server
• Sources
• Check your DNS server
• External Router Config
• Configuring the virtual machines

  3. Files which are needed

In this section the plan shows which sources are needed to make the recovery:

• Router: JunOS SRX VMware virtual machine OVF (for EAL students: log in to Fronter, go to the Data Communication folder, then the folder called Software, click the down arrow to the left of the filename and download)

• Router: JunOS SRX VMWare virtual machine VMDK (same as the previous file)

• Server: Debian net installer ISO (download)

• Client: Ubuntu 16.04.1 LTS (Client) (download)

• Ext. Router.conf file

  4. Layer 3 Diagram

This layer 3 diagram shows the solution and gives a view of what the topology looks like:

  5. How to create virtual machines

When you have VMware up and running, do the following to install a virtual machine, which can be any of the devices:

  1. When the program is running, create a virtual machine; pressing that box gives you this window.

  2. Afterwards press Next; now you have to choose the location of your ISO file. It is common to have it in your Downloads folder.

  3. Now name your machine.

  4. Choose the amount of disk space you allow the machine to use.

  5. Here you have to press the Customize Hardware button and set up how much memory you want the machine to run with.

  • Be careful not to give the machine too much power if your PC cannot handle it!

  6. Finish. Repeat steps 1 to 5 for the other devices you want to implement in your topology.

5.1 VMware booting problems with the routers

Here is a small guide on what to do when the SRX router does not want to start.

To start with, set up your router using the Advanced option, and after applying the recommended settings follow the small guide below.

  1. Open your settings in VMware SRX:

  2. If you do not have any serial ports, click:

  3. Scroll down to Add Serial Port and click "Next >"

  4. Select "Output to file"

  5. When you need to add your file location, write "test".

  6. If you have done everything, it should show the following:

  7. Finally, check that your router is booting as well:

  6. Basic configuration of the routers

The router has some general setup, like giving it a name and a password. First log in on the internal router with "root login".

Then make your own password by going into the edit mode, by typing "cli".

Now set the hostname for the router.

Note how the router host name has now become a part of the router's prompt.

The next step is to set up the interfaces on your router by typing the following lines.

Then type "show interfaces" to see which interfaces you now have.

The external router uses the same steps, but in this case the topology only needs 1 interface for the WEB server, therefore the last step should only be:

  7. Installation of the devices

The devices described here are the client and the servers.

7.1 Client

Now simply install the client by double-clicking the machine and following the steps the installer on the disk asks you to do. Please do not install more devices at once, because that could overheat your PC.

Note: remember the passwords!

7.2 WEB server

Now run the disk like before and follow the steps on the disk itself.

When you set up the different servers you must name them differently to avoid any confusion.

During the setup of the WEB server you should select SSH, which helps you control the device from the client later in the configuration.

7.3 DNS server

Yet again install the server from the disk, but when you reach the section with packages to install, stop and do not select anything, because you will install the correct things later.

  8. Configure Debian Webserver

After you launch your WEB or DNS server it will ask you for a login. The login is "root" and the password you typed in the setup.

Type: "ifconfig"

The user can now see the address information. Check the address you got in a browser. (192.168.0.102)

If everything went well, the user will get this page.

  9. Setting up DHCP

Log in to the server and type the following.

Then type this to install the DHCP server.

When the server finishes the installation:

Scroll down here and change the subnet, netmask and range of addresses to what the server has.

Save it by pressing CTRL + X and restart your device.

  10. Configure SSH for Servers

Type: "apt-get install openssh-server".

Open the following file: "nano /etc/ssh/sshd_config"

In this file you need to look for the following: "PermitRootLogin" and change it to "yes".

Exit by pressing CTRL + X and save the modifications.

  11. Configure the DNS Server with dnsmasq

Type this to install dnsmasq on your servers.

Enable dnsmasq

Type the following to go to this location:

Change your dhcp-range to the following:

DHCP-Option

Set your dhcp-option to the following: (your address)

Delete the hashtag (#) from "log-dhcp"

Do the same with "dhcp-authoritative"
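For reference, this is what the edited part of /etc/dnsmasq.conf can look like once the four directives above are in place. This is an added example, not the project's own file; the interface name and the 192.168.10.0/24 addresses are constructed placeholders, substitute the server LAN used in your topology.

```ini
# /etc/dnsmasq.conf on the DNS server (added example with constructed addresses)

# Only answer on the interface facing the server LAN, never on the uplink
interface=eth0
bind-interfaces

# DHCP pool handed to the clients: first address, last address, netmask, lease time
dhcp-range=192.168.10.100,192.168.10.200,255.255.255.0,12h

# Option 3 = default gateway. dnsmasq advertises itself as gateway and DNS
# server by default, so the router (a different machine) must be set explicitly.
dhcp-option=3,192.168.10.1

# Name the internal router so "ping router-int-srvlan" from the client resolves
host-record=router-int-srvlan,192.168.10.1

# Log every DHCP exchange (handy when a client gets no lease)
log-dhcp

# This is the only DHCP server on the LAN: answer unknown leases with NAK
# instead of staying silent, so clients re-request quickly after a restart
dhcp-authoritative
```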

Press CTRL + X and save the modifications to your file.

Sources

Group 7

https://github.com/deadbok/project_network

Juniper vSRX Router Installation

https://fronter.com/eal/links/files.phtml/2080432588$548107012$/1st+Semester/Data+Communication/Literature/Juniper+and+Virtual+Box+GNS+SRX+configuration+V07.pdf

  12. What will be included in this document in the next version

• Set static IPs on the servers

Check your DNS server

In the following steps you will learn how to check whether your DNS server is working. You will need the following devices running:

• Internal Router
• External Router
• Client (Ubuntu)
• DNS

  1. Open a terminal in your client

  2. Type the following: ping router-int-srvlan (with this command you are trying to get a connection)

If it is able to ping, it means the DNS server is working.

External Router Config

In the following steps you will see the guide on how to configure your external router from the beginning:

Step 1: Get SSH for your Ext. Router

```
# Enter the cli
cli
# Enter edit mode
edit
# Set the root password
set system root-authentication plain-text-password
New Password: type password here
Retype new password: retype password here
# Set the interface to DHCP
set interfaces ge-0/0/3 unit 0 family inet dhcp
# Put the interface in the trusted zone and allow all services
set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
# Allow all protocols
set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic protocols all
# Commit the changes
commit
```

Step 2: Download WinSCP: https://winscp.net/eng/download.php

• Install it.
• Open your External Router in VMware.
• Type the following:
• Then you need to find the local address of the Ext. Router:
• Open WinSCP.

The program needs your local IP, username and password.

After login, here is the external router's root folder.

• Open Notepad++:

Import the file: router-ext.conf

Search:

Type into the search: 206

It is crucially important to switch that IP address to your own.

After you have done so (in every single line where it is needed):

Copy your file into your ext. router's /root folder.

Overwrite it.

Then go back into VMware/Ext router and type in: load override

Then commit. Afterwards you can try to ping another router and see whether it is working or not.

Configuring the virtual machines

To connect the devices together, right-click your servers, routers or client and open the settings.

Open LAN Segments: add your global LAN segments.

Add your SVRLAN, USRLAN and DMZ and the connection of the routers.

Change your Network Adapter from NAT to LAN Segment. (It depends on whether it is a server, router or the client; see the connections in our topology.)

Open your servers and routers.

Ping your DNS server to check the quality of the connection.

Check your IP address by typing the following: ifconfig.

Then try to reach it from your browser:

Set up username and password for your router

In week 51 we took part in a presentation, and it went well. If you do not remember how to set up a username and password, here is a small guide:

  1. Log in to the switch with an existing user or the default user (root with no password) and enter configuration mode:

```
root@switch> configure
[edit]
root@switch#
```

The prompt in brackets ([edit]), also known as a banner, shows that you are in configuration edit mode, at the top of the hierarchy.

  2. Change to the [edit system login] section of the configuration:

```
[edit]
root@host# edit system login
[edit system login]
root@switch#
```

The prompt in brackets changes to [edit system login] to show you are at a new level in the hierarchy.

  3. Now add a new user account:

```
[edit system login]
root@switch# edit user michael
```

This example adds an account michael, but you can use any account name.

  4. Configure a full name for the account. If the name includes spaces, enclose the entire name in quotation marks (" "):

```
[edit system login user michael]
root@switch# set full-name "Michael Mike"
```

  5. Configure an account class. The account class sets the user access privileges for the account.

```
[edit system login user michael]
root@switch# set class super-user
```

The following access privileges are available for the account:

• operator: permissions [ clear network reset trace view ]
• read-only: permissions [ view ]
• super-user: permissions [ all ]
• unauthorized: permissions [ none ]

  6. Configure an authentication method and password for the account:

```
[edit system login user michael]
root@switch# set authentication plain-text-password
New password:
Retype new password:
```

When the new password prompt appears, enter a clear-text password that the system will encrypt, and then confirm the new password.

  7. Commit the configuration:

```
[edit system login user michael]
root@switch# commit
commit complete
```

Configuration changes are not activated until you commit the configuration. If the commit is successful, a commit complete message appears.

  8. Return to the top level of the configuration, and then exit:

```
[edit system login user michael]
root@switch# top
[edit]
root@switch# exit
Exiting configuration mode
```

  9. Log out of the switch:

```
root@switch> exit
% logout
Connection closed.
```

  10. To test your changes, log back in with the user account and password you just configured:

```
login: michael
Password:
--- JUNOS 9.0-R1.1 built 2008-01-15 22:42:19 UTC
michael@switch>
```

When you log in, you should see the new username at the command prompt.

Moving forward to VPN: back at school we had a meeting and decided to set up IPsec and a VPN connection with our chosen group, which is Group 7. In the early stages we tried to do it on the internal router; a week later that changed to the external router, which makes much more sense for IPsec. The following diagram may make it clearer:

[Diagram: VPN between Group 5 and Group 7]

• First, IPsec: IPsec (Internet Protocol Security) is a framework for a set of protocols for security at the network or packet-processing layer of network communication. In other words: IPsec protects the packets you send over your VPN connection.

Here is one guide:

SRX1

```
[edit]
fridim@srx-1# edit interfaces
[edit interfaces]
fridim@srx-1# set st0 unit 0 family inet address 192.168.100.1/30
fridim@srx-1# top edit security zones
[edit security zones]
fridim@srx-1# set security-zone untrust interfaces st0.0
fridim@srx-1# set security-zone untrust interfaces st0.0 host-inbound-traffic system-services ike
fridim@srx-1# top edit security ike
[edit security ike]
fridim@srx-1# set proposal phase1 authentication-method pre-shared-keys
fridim@srx-1# set proposal phase1 dh-group group2
fridim@srx-1# set proposal phase1 authentication-algorithm md5
fridim@srx-1# set proposal phase1 encryption-algorithm 3des-cbc
fridim@srx-1# set proposal phase1 lifetime-seconds 86400
fridim@srx-1# set policy phase1-policy mode main
fridim@srx-1# set policy phase1-policy proposals phase1
fridim@srx-1# set policy phase1-policy pre-shared-key ascii-text juniper
fridim@srx-1# set gateway phase1-gateway ike-policy phase1-policy
fridim@srx-1# set gateway phase1-gateway address 20.20.20.2
fridim@srx-1# set gateway phase1-gateway dead-peer-detection interval 20
fridim@srx-1# set gateway phase1-gateway dead-peer-detection threshold 5
fridim@srx-1# set gateway phase1-gateway external-interface ge-0/0/0.0
fridim@srx-1# top edit security ipsec
[edit security ipsec]
fridim@srx-1# set proposal phase2 protocol esp
fridim@srx-1# set proposal phase2 authentication-algorithm hmac-md5-96
fridim@srx-1# set proposal phase2 encryption-algorithm 3des-cbc
fridim@srx-1# set proposal phase2 lifetime-seconds 3200
fridim@srx-1# set policy phase2-policy perfect-forward-secrecy keys group2
fridim@srx-1# set policy phase2-policy proposals phase2
fridim@srx-1# set vpn to-remote-SRX bind-interface st0.0
fridim@srx-1# set vpn to-remote-SRX ike gateway phase1-gateway
fridim@srx-1# set vpn to-remote-SRX ike ipsec-policy phase2-policy
fridim@srx-1# set vpn to-remote-SRX establish-tunnels immediately
fridim@srx-1# top edit routing-options
[edit routing-options]
fridim@srx-1# set static route all next-hop 20.20.20.2
fridim@srx-1# set static route 10.2.2.0/24 next-hop st0.0
fridim@srx-1# top edit security
[edit security]
fridim@srx-1# set address-book global address network-a 10.1.1.0/24
fridim@srx-1# set address-book global address network-b 10.2.2.0/24
fridim@srx-1# edit policies
[edit security policies]
fridim@srx-1# set from-zone trust to-zone vpn policy trust-to-vpn match source-address network-a destination-address network-b application any
fridim@srx-1# set from-zone trust to-zone vpn policy trust-to-vpn then permit
fridim@srx-1# set from-zone vpn to-zone trust policy vpn-to-trust match source-address network-b destination-address network-a application any
fridim@srx-1# set from-zone vpn to-zone trust policy vpn-to-trust then permit
```

SRX2

```
[edit]
fridim@srx-2# edit interfaces
[edit interfaces]
fridim@srx-2# set st0 unit 0 family inet address 192.168.100.2/30
fridim@srx-2# top edit security zones
[edit security zones]
fridim@srx-2# set security-zone untrust interfaces st0.0
fridim@srx-2# set security-zone untrust interfaces st0.0 host-inbound-traffic system-services ike
fridim@srx-2# top edit security ike
[edit security ike]
fridim@srx-2# set proposal phase1 authentication-method pre-shared-keys
fridim@srx-2# set proposal phase1 dh-group group2
fridim@srx-2# set proposal phase1 authentication-algorithm md5
fridim@srx-2# set proposal phase1 encryption-algorithm 3des-cbc
fridim@srx-2# set proposal phase1 lifetime-seconds 86400
fridim@srx-2# set policy phase1-policy mode main
fridim@srx-2# set policy phase1-policy proposals phase1
fridim@srx-2# set policy phase1-policy pre-shared-key ascii-text juniper
fridim@srx-2# set gateway phase1-gateway ike-policy phase1-policy
fridim@srx-2# set gateway phase1-gateway address 20.20.20.1
fridim@srx-2# set gateway phase1-gateway dead-peer-detection interval 20
fridim@srx-2# set gateway phase1-gateway dead-peer-detection threshold 5
fridim@srx-2# set gateway phase1-gateway external-interface ge-0/0/0.0
fridim@srx-2# top edit security ipsec
[edit security ipsec]
fridim@srx-2# set proposal phase2 protocol esp
fridim@srx-2# set proposal phase2 authentication-algorithm hmac-md5-96
fridim@srx-2# set proposal phase2 encryption-algorithm 3des-cbc
fridim@srx-2# set proposal phase2 lifetime-seconds 3200
fridim@srx-2# set policy phase2-policy perfect-forward-secrecy keys group2
fridim@srx-2# set policy phase2-policy proposals phase2
fridim@srx-2# set vpn to-remote-SRX bind-interface st0.0
fridim@srx-2# set vpn to-remote-SRX ike gateway phase1-gateway
fridim@srx-2# set vpn to-remote-SRX ike ipsec-policy phase2-policy
fridim@srx-2# set vpn to-remote-SRX establish-tunnels immediately
fridim@srx-2# top edit routing-options
[edit routing-options]
fridim@srx-2# set static route all next-hop 20.20.20.1
fridim@srx-2# set static route 10.1.1.0/24 next-hop st0.0
fridim@srx-2# top edit security
[edit security]
fridim@srx-2# set address-book global address network-a 10.1.1.0/24
fridim@srx-2# set address-book global address network-b 10.2.2.0/24
fridim@srx-2# edit policies
[edit security policies]
fridim@srx-2# set from-zone trust to-zone vpn policy trust-to-vpn match source-address network-b destination-address network-a application any
fridim@srx-2# set from-zone trust to-zone vpn policy trust-to-vpn then permit
fridim@srx-2# set from-zone vpn to-zone trust policy vpn-to-trust match source-address network-a destination-address network-b application any
fridim@srx-2# set from-zone vpn to-zone trust policy vpn-to-trust then permit
```
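A site-to-site tunnel only comes up when both routers mirror each other, and the SRX1/SRX2 blocks above are easy to get out of step when each group types its own side. The script below is an added example, not part of the original guide or the Juniper documentation: it takes the tunnel-relevant commands from the two blocks (written as full `set` paths, since the guide types them relative to an `edit` level), checks that proposals, pre-shared key, gateway addresses, st0 subnet and the static routes for the remote network agree, and lists the dated algorithms the guide's example uses (md5, 3des-cbc, DH group 2) so you know what to swap for stronger ones in a real deployment.

```python
import ipaddress
import re

WEAK = {"md5", "3des-cbc", "hmac-md5-96", "group2"}  # dated choices used in the guide
# Constructed sample: the guide's SRX1 commands as full `set` paths; SRX2 is its mirror.
SRX1 = """\
set interfaces st0 unit 0 family inet address 192.168.100.1/30
set security ike proposal phase1 dh-group group2
set security ike proposal phase1 authentication-algorithm md5
set security ike proposal phase1 encryption-algorithm 3des-cbc
set security ike policy phase1-policy pre-shared-key ascii-text juniper
set security ike gateway phase1-gateway address 20.20.20.2
set security ipsec proposal phase2 authentication-algorithm hmac-md5-96
set security ipsec proposal phase2 encryption-algorithm 3des-cbc
set routing-options static route 10.2.2.0/24 next-hop st0.0
set security address-book global address network-a 10.1.1.0/24
set security address-book global address network-b 10.2.2.0/24
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address network-a destination-address network-b application any
"""
SRX2 = (SRX1.replace("192.168.100.1/30", "192.168.100.2/30")
        .replace("gateway address 20.20.20.2", "gateway address 20.20.20.1")
        .replace("route 10.2.2.0/24", "route 10.1.1.0/24")
        .replace("source-address network-a destination-address network-b",
                 "source-address network-b destination-address network-a"))

def _field(cfg, pattern):
    m = re.search(pattern, cfg)
    return m.group(1) if m else None

def parse_side(cfg):
    """Pull the tunnel-relevant values out of one router's set commands."""
    algs = ("dh-group", "authentication-algorithm", "encryption-algorithm")
    books = dict(re.findall(r"address-book global address (\S+) (\S+)", cfg))
    local = _field(cfg, r"to-zone vpn policy \S+ match source-address (\S+)")
    return {
        "st0": _field(cfg, r"st0 unit 0 family inet address (\S+)"),
        "peer": _field(cfg, r"ike gateway \S+ address (\S+)"),
        "psk": _field(cfg, r"pre-shared-key ascii-text (\S+)"),
        "ike": tuple(_field(cfg, rf"ike proposal \S+ {a} (\S+)") for a in algs),
        "ipsec": tuple(_field(cfg, rf"ipsec proposal \S+ {a} (\S+)") for a in algs[1:]),
        "tunnel_route": _field(cfg, r"static route (\S+) next-hop st0\.0"),
        "local_net": books.get(local),  # prefix behind this router's trust zone
    }

def check_pair(a, b):
    """Mismatches between two parsed sides; an empty list means they mirror."""
    problems = [f"{k} differs: {a[k]} vs {b[k]}" for k in ("ike", "ipsec", "psk") if a[k] != b[k]]
    if a["peer"] == b["peer"]:
        problems.append("both gateways point at the same address")
    if ipaddress.ip_interface(a["st0"]).network != ipaddress.ip_interface(b["st0"]).network:
        problems.append("st0 addresses are not in one subnet")
    for here, there in ((a, b), (b, a)):  # each side must route the other's network via st0.0
        if here["tunnel_route"] != there["local_net"]:
            problems.append(f"route {here['tunnel_route']} via st0.0 != remote {there['local_net']}")
    return problems

def weak_algorithms(side):
    """Proposal algorithms a current deployment should replace with stronger ones."""
    return sorted(set(side["ike"] + side["ipsec"]) & WEAK)
```

Running `check_pair(parse_side(SRX1), parse_side(SRX2))` on the guide's two blocks returns no mismatches; change the key or a route on one side and the offending item is reported.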

1.1 Introduction

The topology in our project has 2 servers, 2 routers, 1 client, 1 VPN and a guest network.

[Layer 2 diagram]

[Layer 3 diagram]

1.2 Description of the devices

2x Juniper vSRX routers which run Junos 12.1X47-D15.4; they must be configured as an internal and an external router, and each router has 3 interfaces.

The internal router has 3 interfaces. ge-0/0/0 is connected to the client, ge-0/0/1 is connected to the DNS server and ge-0/0/2 is connected to the external router.

The external router has 3 interfaces. ge-0/0/0 is connected to the internal router, ge-0/0/1 is connected to the web server and ge-0/0/2 is connected to the VPN tunnel.

The DNS server runs Debian (Jessie); it translates IPs into names.

The web server also runs Debian (Jessie).

The client runs Ubuntu Desktop 64-bit.

The VPN uses IPsec.

1.3 Protocols and Standards

IEEE 802.3: the Ethernet standard. A collection of standards which define the physical layer and the data-link layer MAC of Ethernet.

SSH: Secure Shell, used in TCP/IP computer networks.

DHCP: dynamically distributes network configuration parameters such as IP addresses.

DNS: translates a domain name to an IP address.

DMZ: a physical or logical subnetwork. The purpose of a DMZ is to add an additional layer of security to the LAN.

VPN: allows the user to create a secure connection to another network over the Internet.

1.4 End Result of the project

After configuring each device in our network, the client is able to use the Internet, to connect to the guest network, and to ping every device in that network and in the other group's network.