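#!/usr/bin/env python
#############################################################################
## andkorn Sept 21 2012
## This script is free to use under the BSD 3-clause license.
## this script reads in a few options and creates a juniper config for a policy-based vpn that will work with Cisco's access-list-based vpn.
# see also why policy-based VPNs are a pain:
# http://forums.juniper.net/t5/SRX-Services-Gateway/srx-route-mode-ipsec-vpn-with-sonicwall-gen3-gen4-standard-and/td-p/33658
# http://kb.juniper.net/InfoCenter/index?page=content&id=KB15745&smlogin=true
## version 1.1
##
import re
import sys

# The original script is Python 2 (raw_input); keep it working on both
# interpreters so the generator can still be run on a current host.
try:
    _prompt = raw_input
except NameError:  # Python 3
    _prompt = input

# Exactly one dotted quad, a slash and a 1-2 digit prefix length, anchored at
# both ends. The numeric range checks live in is_valid_cidr() because a
# regex alone would accept octets such as 999 or a prefix such as 99.
_CIDR_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$')


def is_valid_cidr(text):
    """Return True if *text* is exactly one IPv4 prefix such as 192.168.1.0/24.

    Every octet must be 0-255 and the prefix length 0-32. The whole string
    has to be the prefix: trailing or leading characters make it invalid,
    because each accepted string is copied verbatim into the generated
    JunOS configuration.
    """
    match = _CIDR_RE.match(text)
    if not match:
        return False
    octets = [int(group) for group in match.groups()[:4]]
    prefix_len = int(match.group(5))
    return all(0 <= octet <= 255 for octet in octets) and 0 <= prefix_len <= 32


def parse_networks(text):
    """Split pasted multi-line input into a list of validated CIDR strings.

    Each line is stripped (so Windows '\\r' line endings and stray spaces do
    not matter); blank lines and lines that are not exactly one valid
    IPv4 prefix are dropped silently, as the original regex filter did.
    """
    networks = []
    for line in text.splitlines():
        candidate = line.strip()
        if is_valid_cidr(candidate):
            networks.append(candidate)
    return networks


def object_name(prefix, network):
    """Return the address-book object name for *network* under *prefix*.

    '/' and '.' are not usable in the name, so both become '-':
    object_name('lan', '192.168.1.0/24') -> 'lan-192-168-1-0-24'.
    """
    return prefix + "-" + network.replace("/", "-").replace(".", "-")


def _tunnel_pairs(localnetworks, remotenetworks):
    """Yield (index, local, remote) for every local x remote combination.

    The index starts at 1 and is shared by the ipsec vpn object and the
    policies that reference it, so all three sections must iterate in the
    same order (local outer, remote inner).
    """
    index = 1
    for localnetwork in localnetworks:
        for remotenetwork in remotenetworks:
            yield index, localnetwork, remotenetwork
            index += 1


def render_config(gateway, ipsec_policy, trustzone, untrustzone,
                  localprefix, remoteprefix, localnetworks, remotenetworks):
    """Return the JunOS configuration as a list of lines (no trailing newline).

    Args:
        gateway: name of the existing 'ike gateway' object.
        ipsec_policy: name of the existing 'ipsec-policy' object.
        trustzone, untrustzone: security zone names.
        localprefix, remoteprefix: name prefixes for the generated objects.
        localnetworks, remotenetworks: lists of CIDR strings; callers are
            expected to have validated them with parse_networks().

    The output is suitable for 'load merge terminal' on the SRX.
    """
    lines = []
    add = lines.append

    add("##########Below is your config. Load this with 'load merge terminal' in JunOS")
    add("##junos-pbvpn.py by andkorn Sept 21 2012")

    # One ipsec vpn object per local/remote pair.
    add("security {")
    add("    ipsec {")
    for index, _local, _remote in _tunnel_pairs(localnetworks, remotenetworks):
        add("        vpn vpn" + localprefix + "-to-" + remoteprefix + "-" + str(index) + " {")
        add("            ike {")
        add("                gateway " + gateway + ";")
        add("                ipsec-policy " + ipsec_policy + ";")
        add("            }")
        add("            establish-tunnels immediately;")
        add("        }")
    add(" }")

    # Outbound and inbound policies, paired so the SRX binds both
    # directions to the same tunnel.
    add("    policies {")
    add("        from-zone " + trustzone + " to-zone " + untrustzone + " {")
    for index, localnetwork, remotenetwork in _tunnel_pairs(localnetworks, remotenetworks):
        lname = object_name(localprefix, localnetwork)
        rname = object_name(remoteprefix, remotenetwork)
        vpn_name = "vpn" + localprefix + "-to-" + remoteprefix + "-" + str(index)
        add("            policy vpn-out-" + lname + "-to-" + rname + " {")
        add("                match {")
        add("                    source-address " + lname + ";")
        add("                    destination-address " + rname + ";")
        add("                    application any;")
        add("                }")
        add("                then {")
        add("                    permit {")
        add("                        tunnel {")
        add("                            ipsec-vpn " + vpn_name + ";")
        add("                            pair-policy vpn-in-" + lname + "-to-" + rname + ";")
        add("                        }")
        add("                    }")
        add("                }")
        add("            }")
    add("        }")

    add("        from-zone " + untrustzone + " to-zone " + trustzone + " {")
    for index, localnetwork, remotenetwork in _tunnel_pairs(localnetworks, remotenetworks):
        lname = object_name(localprefix, localnetwork)
        rname = object_name(remoteprefix, remotenetwork)
        vpn_name = "vpn" + localprefix + "-to-" + remoteprefix + "-" + str(index)
        add("            policy vpn-in-" + lname + "-to-" + rname + " {")
        add("                match {")
        add("                    source-address " + rname + ";")
        add("                    destination-address " + lname + ";")
        add("                    application any;")
        add("                }")
        add("                then {")
        add("                    permit {")
        add("                        tunnel {")
        add("                            ipsec-vpn " + vpn_name + ";")
        add("                            pair-policy vpn-out-" + lname + "-to-" + rname + ";")
        add("                        }")
        add("                    }")
        add("                }")
        add("            }")
    add("        }")
    add("    }")

    # Address-book entries the policies above refer to, plus IKE as an
    # allowed host-inbound service on the untrust zone.
    add("    zones {")
    add("        security-zone " + trustzone + " {")
    add("            address-book {")
    for localnetwork in localnetworks:
        add("                address " + object_name(localprefix, localnetwork) + " " + localnetwork + ";")
    add("            }")
    add("        }")
    add("        security-zone " + untrustzone + " {")
    add("            address-book {")
    for remotenetwork in remotenetworks:
        add("                address " + object_name(remoteprefix, remotenetwork) + " " + remotenetwork + ";")
    add("            }")
    add("            host-inbound-traffic {")
    add("                system-services {")
    add("                    ike;")
    add("                }")
    add("            }")
    add("         }")
    add("    }")
    add("}")
    add("####END")
    return lines


def main():
    """Prompt for the VPN parameters and write the generated config to a file.

    Object and zone names are taken as typed and are not validated here;
    the network lists are filtered through parse_networks() so that only
    well-formed prefixes reach the configuration.
    """
    print("---Configuring VPN Blocks")
    gateway = _prompt("Enter 'ike gateway' object name:")
    ipsec_policy = _prompt("Enter 'ipsec-policy' object name:")
    print("---Configuring network Blocks")
    trustzone = _prompt("Enter trust zone name (usually 'trust'):")
    untrustzone = _prompt("Enter untrust zone name (usually 'untrust'):")
    localprefix = _prompt("Enter local name prefix for objects (anything that makes sense):")
    remoteprefix = _prompt("Enter remote name prefix for objects (anything that makes sense):")

    # stdin is read to EOF twice; whether the second read() blocks for new
    # input again after the first EOF depends on the platform and
    # interpreter — TODO confirm on the hosts this is run from.
    print("Enter local networks in 192.168.1.0/24 format, one per line. Enter Ctrl+Z to end:")
    localnetworks = parse_networks(sys.stdin.read())
    print("Enter remote networks in 192.168.1.0/24 format, one per line. Enter Ctrl+Z to end:")
    remotenetworks = parse_networks(sys.stdin.read())

    if not localnetworks or not remotenetworks:
        sys.stderr.write("warning: no valid local or remote networks given; "
                         "the generated config will contain no vpn objects\n")

    lines = render_config(gateway, ipsec_policy, trustzone, untrustzone,
                          localprefix, remoteprefix, localnetworks, remotenetworks)

    # Write the config directly instead of swapping sys.stdout; the
    # context manager closes the file even if writing fails.
    with open(_prompt("Enter file to save to:"), 'w') as fsock:
        fsock.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    main()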