junos-pbvpn.py

  1. #!/usr/bin/env python
  2. #############################################################################
  3. ## andkorn Sept 21 2012
  4. ## This script is free to use under the BSD 3-clause license.
  5. ## this script reads in a few options and creates a juniper config for a policy-based vpn that will work with Cisco's access-list-based vpn.
  6. # see also why policy-based VPNs are a pain:
  7. # http://forums.juniper.net/t5/SRX-Services-Gateway/srx-route-mode-ipsec-vpn-with-sonicwall-gen3-gen4-standard-and/td-p/33658
  8. # http://kb.juniper.net/InfoCenter/index?page=content&id=KB15745&smlogin=true
  9. ## version 1.1
  10. ##
  11. import sys, re
  12.  
  13. print("---Configuring VPN Blocks")
  14. gateway = raw_input("Enter 'ike gateway' object name:")
  15. ipsec_policy = raw_input("Enter 'ipsec-policy' object name:")
  16. print("---Configuring network Blocks")
  17. trustzone = raw_input("Enter trust zone name (usually 'trust'):")
  18. untrustzone = raw_input("Enter untrust zone name (usually 'untrust'):")
  19. localprefix = raw_input("Enter local name prefix for objects (anything that makes sense):")
  20. remoteprefix = raw_input("Enter remote name prefix for objects (anything that makes sense):")
  21. print("Enter local networks in 192.168.1.0/24 format, one per line. Enter Ctrl+Z to end:")
  22. localnetworkstxt = sys.stdin.read()
  23. localnetworks = localnetworkstxt.split("\n")
  24. print("Enter remote networks in 192.168.1.0/24 format, one per line. Enter Ctrl+Z to end:")
  25. remotenetworkstxt = sys.stdin.read()
  26. remotenetworks = remotenetworkstxt.split("\n")
  27.  
  28.  
  29. #Clean up the inputted networks; remove invalid IP addresses
  30. localnetworkstmp = localnetworks
  31. localnetworks = filter(lambda x: re.search(r'((2[0-5]|1[0-9]|[0-9])?[0-9]\.){3}((2[0-5]|1[0-9]|[0-9])?[0-9])\/[0-3]?[0-9]', x), localnetworkstmp)
  32. remotenetworkstmp = remotenetworks
  33. remotenetworks = filter(lambda x: re.search(r'((2[0-5]|1[0-9]|[0-9])?[0-9]\.){3}((2[0-5]|1[0-9]|[0-9])?[0-9])\/[0-3]?[0-9]', x), remotenetworkstmp)
  34.  
  35.  
  36. fsock = open(raw_input("Enter file to save to:"), 'w')
  37. origstdout = sys.stdout
  38. sys.stdout = fsock
  39.  
  40. print("##########Below is your config. Load this with 'load merge terminal' in JunOS")
  41. print("##junos-pbvpn.py by andkorn Sept 21 2012")
  42.  
  43. print("security {")
  44. print("    ipsec {")
  45.  
  46. networkcount = 1
  47. for localnetwork in localnetworks[:]:
  48.     for remotenetwork in remotenetworks[:]:
  49.         print("        vpn vpn"+ localprefix+ "-to-"+remoteprefix+ "-"+str(networkcount)+" {")
  50.         print("            ike {")
  51.         print("                gateway "+ gateway +";")
  52.         print("                ipsec-policy "+ ipsec_policy+";")
  53.         print("            }")
  54.         print("            establish-tunnels immediately;")
  55.         print("        }")
  56.         networkcount += 1
  57.  
  58. print(" }")
  59. print("    policies {")
  60.  
  61. networkcount = 1
  62. print("        from-zone "+ trustzone+" to-zone "+ untrustzone+" {")
  63. for localnetwork in localnetworks[:]:
  64.     for remotenetwork in remotenetworks[:]:
  65.         print("            policy vpn-out-"+ localprefix+ "-"+localnetwork.replace("/","-").replace(".","-")+"-to-"+remoteprefix+ "-"+remotenetwork.replace("/","-").replace(".","-")+" {")
  66.         print("                match {")
  67.         print("                    source-address "+ localprefix+ "-"+localnetwork.replace("/","-").replace(".","-")+";")
  68.         print("                    destination-address "+remoteprefix+ "-"+remotenetwork.replace("/","-").replace(".","-")+";")
  69.         print("                    application any;")
  70.         print("                }")
  71.         print("                then {")
  72.         print("                    permit {")
  73.         print("                        tunnel {")
  74.         print("                            ipsec-vpn vpn"+ localprefix+ "-to-"+remoteprefix+ "-"+str(networkcount)+";")
  75.         print("                            pair-policy vpn-in-"+ localprefix+ "-"+localnetwork.replace("/","-").replace(".","-")+"-to-"+remoteprefix+ "-"+remotenetwork.replace("/","-").replace(".","-")+";")
  76.         print("                        }")
  77.         print("                    }")
  78.         print("                }")
  79.         print("            }")
  80.         networkcount += 1
  81. print("        }")
  82.  
  83. networkcount = 1
  84. print("        from-zone "+ untrustzone+" to-zone "+ trustzone+" {")
  85. for localnetwork in localnetworks[:]:
  86.     for remotenetwork in remotenetworks[:]:
  87.         print("            policy vpn-in-"+ localprefix+ "-"+localnetwork.replace("/","-").replace(".","-")+"-to-"+remoteprefix+ "-"+remotenetwork.replace("/","-").replace(".","-")+" {")
  88.         print("                match {")
  89.         print("                    source-address "+ remoteprefix+ "-"+remotenetwork.replace("/","-").replace(".","-")+";")
  90.         print("                    destination-address "+ localprefix+ "-"+localnetwork.replace("/","-").replace(".","-")+";")
  91.         print("                    application any;")
  92.         print("                }")
  93.         print("                then {")
  94.         print("                    permit {")
  95.         print("                        tunnel {")
  96.         print("                            ipsec-vpn vpn"+ localprefix+ "-to-"+remoteprefix+ "-"+str(networkcount)+";")
  97.         print("                            pair-policy vpn-out-"+ localprefix+ "-"+localnetwork.replace("/","-").replace(".","-")+"-to-"+remoteprefix+ "-"+remotenetwork.replace("/","-").replace(".","-")+";")
  98.         print("                        }")
  99.         print("                    }")
  100.         print("                }")
  101.         print("            }")
  102.         networkcount += 1
  103. print("        }")
  104. print("    }")
  105.  
  106. print("    zones {")
  107. print("        security-zone "+ trustzone+" {")
  108. print("            address-book {")
  109. for localnetwork in localnetworks[:]:
  110.     print("                address "+ localprefix+ "-"+localnetwork.replace("/","-").replace(".","-") +" "+localnetwork+";")
  111. print("            }")
  112. print("        }")
  113. print("        security-zone "+ untrustzone+" {")
  114. print("            address-book {")
  115. for remotenetwork in remotenetworks[:]:
  116.     print("                address "+ remoteprefix+ "-"+remotenetwork.replace("/","-").replace(".","-") +" "+remotenetwork+";")
  117. print("            }")
  118. print("            host-inbound-traffic {")
  119. print("                system-services {")
  120. print("                    ike;")
  121. print("                }")
  122. print("            }")
  123. print("         }")
  124. print("    }")
  125. print("}")
  126. print("####END")
  127.  
  128. sys.stdout = origstdout
  129. fsock.close()