
junos-pbvpn.py

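#!/usr/bin/env python
#############################################################################
## andkorn Sept 21 2012
## This script is free to use under the BSD 3-clause license.
## This script reads in a few options and creates a Juniper config for a
## policy-based VPN that will work with Cisco's access-list-based VPN.
# see also why policy-based VPNs are a pain:
# http://forums.juniper.net/t5/SRX-Services-Gateway/srx-route-mode-ipsec-vpn-with-sonicwall-gen3-gen4-standard-and/td-p/33658
# http://kb.juniper.net/InfoCenter/index?page=content&id=KB15745&smlogin=true
## version 1.1
##
import itertools
import re
import sys

try:
    # Python 2: raw_input() returns the typed line as a string. Never fall back
    # to Python 2's input(), which eval()s whatever the operator types.
    ask = raw_input
except NameError:
    # Python 3: input() is the plain-string reader.
    ask = input

# One IPv4 octet, 0-255, without leading zeros.
OCTET_RE_SRC = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
# A whole line of the form a.b.c.d/len with len 0-32. Anchored at both ends:
# the accepted text is emitted verbatim into the address-book, so trailing
# characters (spaces, braces, semicolons) must not be allowed to ride along.
CIDR_RE = re.compile(
    r"^" + OCTET_RE_SRC + r"(?:\." + OCTET_RE_SRC + r"){3}/(?:3[0-2]|[12]?[0-9])$"
)
# Conservative allowlist for Junos object names; they are spliced into the
# config unquoted, so structural characters ('{', '}', ';', '#', whitespace)
# must never get through. Extend if your naming scheme needs more.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def ask_name(prompt):
    """Prompt for a config object name; exit with a message if it is not a plain identifier.

    Args:
        prompt: text shown to the operator.

    Returns:
        The stripped name, guaranteed to match NAME_RE.
    """
    name = ask(prompt).strip()
    if not NAME_RE.match(name):
        sys.exit("Invalid object name %r: use only letters, digits, '-', '_' and '.'" % name)
    return name


def read_networks(stream):
    """Read lines from *stream* until EOF or a blank line and return them stripped.

    The original read sys.stdin.read() twice; on interpreters/platforms where
    EOF on the console is sticky (e.g. Ctrl+Z with Python 2 on Windows) the
    second read returns '' at once and the later file-name prompt fails. A
    blank line therefore also terminates the list, and readline() is used so
    interactive input is not held back by read-ahead buffering.

    Args:
        stream: any object with a readline() method returning '' at EOF.

    Returns:
        list[str] of non-empty stripped lines, in input order.
    """
    lines = []
    while True:
        line = stream.readline()
        if not line:  # EOF (Ctrl+Z on Windows, Ctrl+D elsewhere)
            break
        line = line.strip()
        if not line:  # blank line ends the list
            break
        lines.append(line)
    return lines


def valid_networks(lines):
    """Keep only well-formed IPv4 CIDR strings (a.b.c.d/0-32), stripped, in input order."""
    return [line.strip() for line in lines if CIDR_RE.match(line.strip())]


def object_name(prefix, network):
    """Address-book object name for *network*: '<prefix>-a-b-c-d-len'."""
    return prefix + "-" + network.replace("/", "-").replace(".", "-")


def write_config(out, gateway, ipsec_policy, trustzone, untrustzone,
                 localprefix, remoteprefix, localnetworks, remotenetworks):
    """Write the Junos policy-based VPN config to *out* (a text file object).

    One ipsec 'vpn' object and one policy pair (vpn-out-* / vpn-in-*) is
    produced per (local, remote) network pair. Pairs are numbered 1..N in
    product order, and that one numbering is used in every section so each
    policy references the matching vpn object.

    Args:
        out: object with write(); receives the config text.
        gateway: 'ike gateway' object name.
        ipsec_policy: 'ipsec-policy' object name.
        trustzone, untrustzone: security zone names.
        localprefix, remoteprefix: prefixes for generated object names.
        localnetworks, remotenetworks: validated CIDR strings.
    """
    def w(line):
        out.write(line + "\n")

    # Computed once so the vpn, outbound and inbound sections agree on numbering.
    pairs = list(enumerate(itertools.product(localnetworks, remotenetworks), 1))

    w("##########Below is your config. Load this with 'load merge terminal' in JunOS")
    w("##junos-pbvpn.py by andkorn Sept 21 2012")

    w("security {")
    w("    ipsec {")
    for n, _pair in pairs:
        w("        vpn vpn" + localprefix + "-to-" + remoteprefix + "-" + str(n) + " {")
        w("            ike {")
        w("                gateway " + gateway + ";")
        w("                ipsec-policy " + ipsec_policy + ";")
        w("            }")
        w("            establish-tunnels immediately;")
        w("        }")
    w(" }")
    w("    policies {")

    w("        from-zone " + trustzone + " to-zone " + untrustzone + " {")
    for n, (localnetwork, remotenetwork) in pairs:
        local_obj = object_name(localprefix, localnetwork)
        remote_obj = object_name(remoteprefix, remotenetwork)
        w("            policy vpn-out-" + local_obj + "-to-" + remote_obj + " {")
        w("                match {")
        w("                    source-address " + local_obj + ";")
        w("                    destination-address " + remote_obj + ";")
        w("                    application any;")
        w("                }")
        w("                then {")
        w("                    permit {")
        w("                        tunnel {")
        w("                            ipsec-vpn vpn" + localprefix + "-to-" + remoteprefix + "-" + str(n) + ";")
        w("                            pair-policy vpn-in-" + local_obj + "-to-" + remote_obj + ";")
        w("                        }")
        w("                    }")
        w("                }")
        w("            }")
    w("        }")

    w("        from-zone " + untrustzone + " to-zone " + trustzone + " {")
    for n, (localnetwork, remotenetwork) in pairs:
        local_obj = object_name(localprefix, localnetwork)
        remote_obj = object_name(remoteprefix, remotenetwork)
        w("            policy vpn-in-" + local_obj + "-to-" + remote_obj + " {")
        w("                match {")
        w("                    source-address " + remote_obj + ";")
        w("                    destination-address " + local_obj + ";")
        w("                    application any;")
        w("                }")
        w("                then {")
        w("                    permit {")
        w("                        tunnel {")
        w("                            ipsec-vpn vpn" + localprefix + "-to-" + remoteprefix + "-" + str(n) + ";")
        w("                            pair-policy vpn-out-" + local_obj + "-to-" + remote_obj + ";")
        w("                        }")
        w("                    }")
        w("                }")
        w("            }")
    w("        }")
    w("    }")

    w("    zones {")
    w("        security-zone " + trustzone + " {")
    w("            address-book {")
    for localnetwork in localnetworks:
        w("                address " + object_name(localprefix, localnetwork) + " " + localnetwork + ";")
    w("            }")
    w("        }")
    w("        security-zone " + untrustzone + " {")
    w("            address-book {")
    for remotenetwork in remotenetworks:
        w("                address " + object_name(remoteprefix, remotenetwork) + " " + remotenetwork + ";")
    w("            }")
    w("            host-inbound-traffic {")
    w("                system-services {")
    w("                    ike;")
    w("                }")
    w("            }")
    w("         }")
    w("    }")
    w("}")
    w("####END")


def main():
    """Interactive entry point: prompt for all inputs, then write the config file."""
    print("---Configuring VPN Blocks")
    gateway = ask_name("Enter 'ike gateway' object name:")
    ipsec_policy = ask_name("Enter 'ipsec-policy' object name:")
    print("---Configuring network Blocks")
    trustzone = ask_name("Enter trust zone name (usually 'trust'):")
    untrustzone = ask_name("Enter untrust zone name (usually 'untrust'):")
    localprefix = ask_name("Enter local name prefix for objects (anything that makes sense):")
    remoteprefix = ask_name("Enter remote name prefix for objects (anything that makes sense):")
    print("Enter local networks in 192.168.1.0/24 format, one per line. Enter a blank line or Ctrl+Z (Ctrl+D on Unix) to end:")
    localnetworks = valid_networks(read_networks(sys.stdin))
    print("Enter remote networks in 192.168.1.0/24 format, one per line. Enter a blank line or Ctrl+Z (Ctrl+D on Unix) to end:")
    remotenetworks = valid_networks(read_networks(sys.stdin))
    # Malformed lines are dropped silently by valid_networks; with nothing left on
    # either side the generated config would be empty, so stop with a message.
    if not localnetworks or not remotenetworks:
        sys.exit("No valid networks entered on at least one side; nothing to generate.")

    path = ask("Enter file to save to:")
    # Write to the file directly instead of swapping sys.stdout; the context
    # manager closes the file even if generation fails part-way.
    with open(path, "w") as out:
        write_config(out, gateway, ipsec_policy, trustzone, untrustzone,
                     localprefix, remoteprefix, localnetworks, remotenetworks)


if __name__ == "__main__":
    main()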