#!/usr/bin/env python
#############################################################################
## andkorn Sept 21 2012
## This script is free to use under the BSD 3-clause license.
## Reads a few options interactively and writes a Junos (SRX) configuration
## for a policy-based IPsec VPN that interoperates with a Cisco
## access-list-based VPN: one `security ipsec vpn` object and one policy pair
## per (local network, remote network) combination, so each proxy-ID pair
## matches one Cisco access-list entry.
# See also, on why policy-based VPNs are a pain:
# http://forums.juniper.net/t5/SRX-Services-Gateway/srx-route-mode-ipsec-vpn-with-sonicwall-gen3-gen4-standard-and/td-p/33658
# http://kb.juniper.net/InfoCenter/index?page=content&id=KB15745&smlogin=true
## version 1.1
##
import re
import sys
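# Python 2's input() evaluates what is typed; raw_input() is the safe reader
# there.  On Python 3 raw_input does not exist and input() is the plain reader.
try:
    _input = raw_input  # noqa: F821 - Python 2 only
except NameError:
    _input = input

# Names typed by the operator are spliced verbatim into the generated Junos
# configuration.  Whitespace, ';', '{', '}', '#' or quotes would change the
# structure of what `load merge terminal` parses, so only a conservative
# identifier alphabet is accepted.
_IDENT_RE = re.compile(r'^[A-Za-z0-9_.:-]+$')

# Anchored IPv4 prefix: exactly four decimal octets and a prefix length.
# The old unanchored regex accepted octets up to 259, prefixes up to /39 and
# any surrounding text, so garbage could ride into the address book.
_NETWORK_RE = re.compile(
    r'^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/([0-9]{1,2})$')


def parse_network(text):
    """Return a canonical 'a.b.c.d/n' string for a valid IPv4 prefix, else None.

    Leading/trailing whitespace (including a CR from Windows input) is
    ignored.  Each octet must be 0-255 and the prefix length 0-32; nothing
    else may appear on the line.  Host bits set within the prefix are not
    rejected, matching the original behaviour.

    Args:
        text: one line of operator input.

    Returns:
        The normalized network string, or None when the line is not a valid
        IPv4 prefix.
    """
    match = _NETWORK_RE.match(text.strip())
    if not match:
        return None
    octets = [int(group) for group in match.groups()[:4]]
    prefix_len = int(match.group(5))
    if any(octet > 255 for octet in octets) or prefix_len > 32:
        return None
    return "%s/%d" % (".".join(str(octet) for octet in octets), prefix_len)


def object_name(prefix, network):
    """Address-book object name for *network*: '<prefix>-<a-b-c-d-n>'.

    Junos identifiers cannot contain '.' or '/', so both are replaced by '-'.
    """
    return prefix + "-" + network.replace("/", "-").replace(".", "-")


def _policy(name, source, destination, vpn, pair_policy):
    """Lines for one security policy that tunnels *source* -> *destination*.

    `application any` permits every protocol between the two networks; narrow
    it if the peer only needs specific services.  `pair-policy` links the
    outbound and inbound policies so they share the same IPsec SA.
    """
    return [
        "            policy %s {" % name,
        "                match {",
        "                    source-address %s;" % source,
        "                    destination-address %s;" % destination,
        "                    application any;",
        "                }",
        "                then {",
        "                    permit {",
        "                        tunnel {",
        "                            ipsec-vpn %s;" % vpn,
        "                            pair-policy %s;" % pair_policy,
        "                        }",
        "                    }",
        "                }",
        "            }",
    ]


def build_config(gateway, ipsec_policy, trustzone, untrustzone,
                 localprefix, remoteprefix, localnetworks, remotenetworks):
    """Render the Junos configuration for the policy-based VPN as one string.

    One `security ipsec vpn` object and one outbound/inbound policy pair are
    generated per (local, remote) network pair, numbered from 1 in local-major
    order.  The ipsec section and both policy directions iterate the pairs in
    the same order, which is what keeps the `ipsec-vpn` references consistent.

    Args:
        gateway: name of an existing `security ike gateway` object.
        ipsec_policy: name of an existing `security ipsec policy` object.
        trustzone, untrustzone: security zone names.
        localprefix, remoteprefix: prefixes for generated object names.
        localnetworks, remotenetworks: validated 'a.b.c.d/n' strings.

    Returns:
        The configuration text, newline-terminated, ready for
        `load merge terminal`.
    """
    pairs = [(local, remote) for local in localnetworks for remote in remotenetworks]
    vpn_base = "vpn" + localprefix + "-to-" + remoteprefix + "-"

    lines = [
        "##########Below is your config. Load this with 'load merge terminal' in JunOS",
        "##junos-pbvpn.py by andkorn Sept 21 2012",
        "security {",
        "    ipsec {",
    ]
    # One VPN object per pair: a Cisco access-list peer negotiates one SA per
    # proxy-ID pair, so every network combination needs its own vpn object
    # pointing at the same gateway and ipsec-policy.
    for number in range(1, len(pairs) + 1):
        lines += [
            "        vpn %s%d {" % (vpn_base, number),
            "            ike {",
            "                gateway %s;" % gateway,
            "                ipsec-policy %s;" % ipsec_policy,
            "            }",
            "            establish-tunnels immediately;",
            "        }",
        ]
    lines += [
        "    }",
        "    policies {",
        "        from-zone %s to-zone %s {" % (trustzone, untrustzone),
    ]
    for number, (local, remote) in enumerate(pairs, 1):
        local_obj = object_name(localprefix, local)
        remote_obj = object_name(remoteprefix, remote)
        tag = local_obj + "-to-" + remote_obj
        lines += _policy("vpn-out-" + tag, local_obj, remote_obj,
                         vpn_base + str(number), "vpn-in-" + tag)
    lines += [
        "        }",
        "        from-zone %s to-zone %s {" % (untrustzone, trustzone),
    ]
    for number, (local, remote) in enumerate(pairs, 1):
        local_obj = object_name(localprefix, local)
        remote_obj = object_name(remoteprefix, remote)
        tag = local_obj + "-to-" + remote_obj
        # Inbound direction: source and destination swap, the tag does not.
        lines += _policy("vpn-in-" + tag, remote_obj, local_obj,
                         vpn_base + str(number), "vpn-out-" + tag)
    lines += [
        "        }",
        "    }",
        "    zones {",
        "        security-zone %s {" % trustzone,
        "            address-book {",
    ]
    for local in localnetworks:
        lines.append("                address %s %s;" % (object_name(localprefix, local), local))
    lines += [
        "            }",
        "        }",
        "        security-zone %s {" % untrustzone,
        "            address-book {",
    ]
    for remote in remotenetworks:
        lines.append("                address %s %s;" % (object_name(remoteprefix, remote), remote))
    lines += [
        "            }",
        # IKE must be allowed in on the untrust zone for the tunnel to come up.
        "            host-inbound-traffic {",
        "                system-services {",
        "                    ike;",
        "                }",
        "            }",
        "        }",
        "    }",
        "}",
        "####END",
    ]
    return "\n".join(lines) + "\n"


def _read_identifier(prompt):
    """Prompt until the operator enters a name matching _IDENT_RE."""
    while True:
        value = _input(prompt).strip()
        if _IDENT_RE.match(value):
            return value
        sys.stderr.write(
            "Invalid name %r: use only letters, digits, '-', '_', '.' and ':'\n" % value)


def _read_networks(prompt):
    """Read networks one per line until a blank line or EOF; return valid ones.

    Reading line by line avoids relying on the terminal delivering EOF several
    times in a row (the original called sys.stdin.read() twice and then
    raw_input again), which is platform-dependent.  Rejected lines are
    reported on stderr rather than dropped silently, so a typo does not
    quietly leave a subnet out of the tunnel.
    """
    print(prompt)
    networks = []
    while True:
        try:
            line = _input("")
        except EOFError:
            break
        if not line.strip():
            break
        network = parse_network(line)
        if network is None:
            sys.stderr.write("Ignoring invalid network %r\n" % line)
        else:
            networks.append(network)
    return networks


def main():
    """Interactive entry point: prompt, validate, render and save the config.

    Returns a process exit status: 0 when a file was written, 1 when no valid
    networks were entered (nothing is written in that case).
    """
    print("---Configuring VPN Blocks")
    gateway = _read_identifier("Enter 'ike gateway' object name:")
    ipsec_policy = _read_identifier("Enter 'ipsec-policy' object name:")
    print("---Configuring network Blocks")
    trustzone = _read_identifier("Enter trust zone name (usually 'trust'):")
    untrustzone = _read_identifier("Enter untrust zone name (usually 'untrust'):")
    localprefix = _read_identifier(
        "Enter local name prefix for objects (anything that makes sense):")
    remoteprefix = _read_identifier(
        "Enter remote name prefix for objects (anything that makes sense):")
    localnetworks = _read_networks(
        "Enter local networks in 192.168.1.0/24 format, one per line. Enter a blank line to end:")
    remotenetworks = _read_networks(
        "Enter remote networks in 192.168.1.0/24 format, one per line. Enter a blank line to end:")
    if not localnetworks or not remotenetworks:
        sys.stderr.write("No valid local or remote networks entered; nothing written.\n")
        return 1

    config = build_config(gateway, ipsec_policy, trustzone, untrustzone,
                          localprefix, remoteprefix, localnetworks, remotenetworks)
    path = _input("Enter file to save to:")
    # Note: an existing file at *path* is overwritten.
    with open(path, "w") as out:
        out.write(config)
    return 0


if __name__ == "__main__":
    sys.exit(main())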