Firmware upgrade from the CLI (pulls the image over TFTP from 10.29.0.7 and reboots into it):
execute restore image tftp <filename> 10.29.0.7
Useful commands
| Command | Notes |
|---|---|
Configuration for a dynamic client behind a NAT
NOTE: The tunnel will not come up unless there is a firewall policy that allows traffic on the tunnel interface to somewhere.
The first phase1/phase2/interface set below is the server side (static public IP; it learns the client's address from the DDNS name in remotegw-ddns). The second set is the client behind the NAT, which points at the server's public IP with remote-gw. Things to weigh before copying it verbatim: peertype any admits any IKE identity that knows the PSK, so pin the client with set peertype one and set peerid (or move to certificates); pfs disable means the phase 2 keys are derived from the phase 1 exchange alone, so set pfs enable plus a dhgrp if the peer supports it; nattraversal disable only works if the NAT device passes raw ESP, so if phase 1 completes but no traffic flows, enable NAT-T on both ends; and allowaccess ping ssh on the tunnel interface exposes management to the far side of the tunnel, so drop ssh unless you really manage the box through it.
config vpn ipsec phase1-interface
edit "VTI-1"
set type ddns
set interface "wan1"
set ike-version 2
set keylife 43200
set peertype any
set net-device disable
set proposal aes256-sha256
set localid "<ip address>"
set dhgrp 21
set nattraversal disable
set remotegw-ddns "<fqdn>"
set psksecret <password>
set comments "Server Side VTI"
next
end
config vpn ipsec phase2-interface
edit "VTI-1"
set phase1name "VTI-1"
set proposal aes256-sha256
set pfs disable
set auto-negotiate enable
set comments "Server Side"
next
end
config system interface
edit "VTI-1"
set vdom "root"
set ip <local ip> 255.255.255.255
set allowaccess ping ssh
set type tunnel
set remote-ip <remote ip> 255.255.255.255
set interface "wan1"
next
end
config vpn ipsec phase1-interface
edit "VTI-1"
set interface "wan1"
set ike-version 2
set keylife 43200
set peertype any
set net-device disable
set proposal aes256-sha256
set localid "<fqdn>"
set dpd on-idle
set dhgrp 21
set nattraversal disable
set remote-gw 66.37.4.14
set psksecret <password>
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "VTI-1"
set phase1name "VTI-1"
set proposal aes256-sha256
set pfs disable
set comments "Client Side"
next
end
config system interface
edit "VTI-1"
set vdom "root"
set ip <local ip> 255.255.255.255
set allowaccess ping ssh
set type tunnel
set remote-ip <remote ip> 255.255.255.255
set interface "wan1"
next
end
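To check a VTI configuration like the two above against the points raised in the note (peer pinning, PFS, NAT-T, management services on the tunnel interface), here is an added example, not code from these notes or from Fortinet: a small parser for FortiOS `config / edit / set / next / end` blocks and a linter over the phase 1, phase 2 and tunnel interface sections. SAMPLE_CONFIG is constructed from the server-side VTI above with documentation addresses and a redacted PSK; HARDENED_CONFIG is the same text with the flagged settings corrected; the finding codes and check list are this script's own choices.

```python
"""Lint a FortiOS IPsec VTI config for the settings a reviewer would question.

Added example, not code from the original notes. parse_fortios() turns the
config/edit/set/next/end blocks of a CLI dump into nested dicts and lint()
applies a self-chosen check list. Finding codes are this script's own.
"""
import shlex

# Constructed: the server-side VTI from the notes, placeholders filled with
# documentation addresses and a redacted PSK.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VTI-1"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set localid "203.0.113.10"
        set dhgrp 21
        set nattraversal disable
        set remotegw-ddns "client.example.net"
        set psksecret ENC_REDACTED
    next
end
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        set proposal aes256-sha256
        set pfs disable
    next
end
config system interface
    edit "VTI-1"
        set ip 10.255.0.1 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip 10.255.0.2 255.255.255.255
    next
end
"""

# Same config with each finding corrected: peer pinned to its IKE ID, PFS on,
# NAT-T on for the NATed peer, no management service on the tunnel.
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace("set peertype any", 'set peertype one\n        set peerid "client.example.net"')
    .replace("set nattraversal disable", "set nattraversal enable")
    .replace("set pfs disable", "set pfs enable\n        set dhgrp 21")
    .replace("set allowaccess ping ssh", "set allowaccess ping")
)

WEAK_ALGS = {"des", "3des", "md5", "sha1"}
WEAK_DH = {"1", "2", "5"}
MGMT_SERVICES = {"ssh", "http", "https", "telnet", "snmp", "fgfm"}


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for a FortiOS CLI dump."""
    tree, sections, entries = {}, [], []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            sections.append(" ".join(args))
        elif keyword == "edit":
            entries.append(args[0])
        elif keyword == "set":
            section = tree.setdefault(" / ".join(sections), {})
            entry = section.setdefault(entries[-1] if entries else "", {})
            entry[args[0]] = args[1:]
        elif keyword == "next":
            entries.pop()
        elif keyword == "end":
            sections.pop()
    return tree


def weak_proposal(proposal):
    """True if any cipher/hash token in e.g. 'aes256-sha256 3des-sha1' is weak."""
    return any(part in WEAK_ALGS for item in proposal for part in item.split("-"))


def lint(text):
    """Return (entry, finding-code) pairs; an empty list means nothing flagged."""
    tree = parse_fortios(text)
    findings = []
    for name, p1 in tree.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("ike-version", ["1"]) != ["2"]:   # FortiOS default is IKEv1
            findings.append((name, "ikev1"))
        if p1.get("peertype") == ["any"]:            # any IKE ID with the PSK gets in
            findings.append((name, "peertype-any"))
        if weak_proposal(p1.get("proposal", [])):
            findings.append((name, "weak-p1-proposal"))
        if set(p1.get("dhgrp", [])) & WEAK_DH:
            findings.append((name, "weak-dhgrp"))
        if p1.get("nattraversal") == ["disable"] and p1.get("type", ["static"])[0] in ("ddns", "dynamic"):
            findings.append((name, "natt-disabled-dynamic-peer"))  # peer is probably NATed
    for name, p2 in tree.get("vpn ipsec phase2-interface", {}).items():
        if p2.get("pfs") == ["disable"]:
            findings.append((name, "pfs-disabled"))
        if weak_proposal(p2.get("proposal", [])):
            findings.append((name, "weak-p2-proposal"))
    for name, intf in tree.get("system interface", {}).items():
        if intf.get("type") == ["tunnel"] and set(intf.get("allowaccess", [])) & MGMT_SERVICES:
            findings.append((name, "mgmt-on-tunnel"))
    return findings


if __name__ == "__main__":
    for entry, code in lint(SAMPLE_CONFIG):
        print(f"{entry}: {code}")
    print("hardened:", lint(HARDENED_CONFIG) or "clean")
```

Paste the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface` and `show system interface` into SAMPLE_CONFIG to lint a real box; nested `config` blocks inside an `edit` are keyed under the parent section name, which is enough for these three sections.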
Bypass NPU (so the tunnel's packets are handled by the CPU and show up in the sniffer and debug output). Either disable fastpath on the NP6XLite outright:
config system np6xlite
edit "np6xlite_0"
set fastpath disable
next
end
or, less disruptively, only for the port(s) you are sniffing:
diagnose npu <xxx> fastpath-sniffer enable <port(s)_number>
IKE debug. Filter on the peer first or you get every tunnel on the box, and turn it off afterwards with diagnose debug disable. (Newer FortiOS, 7.x, renames the filter to diagnose vpn ike log filter rem-addr4 / loc-addr4.)
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 ....
diagnose vpn ike log-filter src-addr4 ....
diagnose debug application ike -1
diagnose debug enable
IN PROGRESS
I don't have routing working as expected and there are some odd behaviors.
Kinda weird. To control routing you need to isolate interfaces in a VRF. To pass traffic back and forth between VRFs you need a VDOM link interface, but those can only be created in multi-vdom mode. So we flip to multi-vdom, build the link, and flip back.
The example assumes the isolated WAN interface is in VRF 2.
Stick an AirLink device on the "b" interface in VRF 2. Pick your poison here based on your device (break out an internalX or whatever). Add a default route via that interface to the AirLink's default .31 address.
config system interface
edit "b"
set vdom "root"
set vrf 2
set ip 192.168.13.1 255.255.255.0
set allowaccess ping
set type physical
set alias "ISP-3"
set lldp-reception enable
set estimated-upstream-bandwidth 1000
set estimated-downstream-bandwidth 3000
set role wan
next
end
config router static
edit 10
set gateway 192.168.13.31
set distance 100
set device "b"
set comment "Default via ISP-3"
next
end
First enable subnet overlap: both ends of the VDOM link sit in the same VDOM on a shared /30, which FortiOS otherwise refuses, and without it they cannot talk.
config system settings
set allow-subnet-overlap enable
end
Then turn on multi-vdom:
config system global
set vdom-mode multi-vdom
end
This restarts the CLI session (log back in). Now add the vdom link; FortiOS appends 0 and 1 to the name, so "link-199-" yields link-199-0 and link-199-1:
config system vdom-link
edit "link-199-"
next
end
config system interface
edit link-199-0
set vdom "root"
set vrf 0
set ip 10.29.199.1/30
set allowaccess ping
set type vdom-link
next
edit link-199-1
set vdom "root"
set vrf 2
set ip 10.29.199.2/30
set allowaccess ping
set type vdom-link
next
end
Turn off multi-vdom again (another CLI restart):
config system global
set vdom-mode no-vdom
end
Now statically route the AirLink subnet 192.168.13.0/24 from VRF 0 into VRF 2 via the vdom link, and 10.0.0.0/8 back the other way. Two things to watch: edit 10 here re-uses the ID of the default route created on "b" above, and on FortiOS that edits the existing entry rather than adding one, so give these routes unused IDs (check with show router static) or the VRF 2 default disappears; and route 12 is that same default on a different breakout interface (internal6, 10.29.13.x), so keep whichever one matches where the AirLink is actually plugged in, not both.
config router static
edit 10
set dst 192.168.13.0 255.255.255.0
set gateway 10.29.199.2
set device "link-199-0"
set comment "VRF0->VRF2"
next
edit 11
set dst 10.0.0.0 255.0.0.0
set gateway 10.29.199.1
set device "link-199-1"
set comment "VRF2 -> VRF0"
next
edit 12
set gateway 10.29.13.31
set distance 100
set device "internal6"
set comment "Default via ISP-3"
next
end
Address objects for the RFC 1918 private ranges and a policy that lets them reach the AirLink subnet out the VRF 2 interface:
config firewall address
edit "VRF-2-ALL"
set subnet 192.168.13.0/24
next
edit "IANA-10"
set comment "IANA Reserved Netblock"
set subnet 10.0.0.0 255.0.0.0
next
edit "IANA-172.16"
set comment "IANA Reserved Netblock"
set subnet 172.16.0.0 255.240.0.0
next
edit "IANA-192.168"
set comment "IANA Reserved Netblock"
set subnet 192.168.0.0 255.255.0.0
next
end
config firewall addrgrp
edit IANA-ALL
set member "IANA-10" "IANA-172.16" "IANA-192.168"
next
end
config firewall policy
edit 1991
set name "VRF-2-OUT"
set srcintf "any"
set dstintf "b"
set action accept
set srcaddr "IANA-ALL"
set dstaddr "VRF-2-ALL"
set schedule "always"
set service "ALL"
set logtraffic disable
next
edit 1992
set status disable
set name "VRF-2-IN"
set srcintf "any"
set dstintf "link-199-0" "link-199-1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
Now you can set up BGP or statically route traffic between the two link interfaces as needed, and add policy routes for tiered failover. Note that 1991 only permits traffic to the AirLink /24 and has logging disabled, and 1992 is an all/all accept on the link interfaces that is left disabled: turn logging back on before relying on this, and scope 1992 to the real source and destination subnets before enabling it.
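To reason about what the VRF 2 / vdom-link steps above actually do before turning on BGP or policy routes, here is an added example, not tooling from these notes: it rebuilds the per-VRF routing tables the configuration produces (each interface's connected route plus the statics) and traces where a destination exits. The mechanism it models is the one the notes rely on: a route whose gateway is one of the box's own addresses (the far end of the vdom-link) re-enters the lookup in that interface's VRF. An "internal1" LAN interface 10.29.0.1/24 in VRF 0 and the leaked default route in the last trace are assumptions beyond the notes; the other interfaces and routes mirror them.

```python
"""Trace a packet through FortiGate VRF tables joined by a vdom-link.

Added example, not tooling from the original notes. Interface "internal1"
and the leaked default route at the end are assumptions; the rest mirrors
the notes' VRF 2 / link-199 configuration.
"""
import ipaddress

# Constructed interface table: name -> (vrf, address/prefix)
INTERFACES = {
    "internal1":  (0, "10.29.0.1/24"),     # assumed LAN, VRF 0
    "link-199-0": (0, "10.29.199.1/30"),   # vdom-link end in VRF 0
    "link-199-1": (2, "10.29.199.2/30"),   # vdom-link end in VRF 2
    "b":          (2, "192.168.13.1/24"),  # AirLink side, VRF 2
}

# Statics from the notes: (destination, gateway, device, distance)
ROUTES = [
    ("0.0.0.0/0",       "192.168.13.31", "b",          100),  # default via ISP-3 (VRF 2)
    ("192.168.13.0/24", "10.29.199.2",   "link-199-0", 10),   # VRF0 -> VRF2
    ("10.0.0.0/8",      "10.29.199.1",   "link-199-1", 10),   # VRF2 -> VRF0
]


def validate(interfaces, routes):
    """Flag routes FortiOS would not install: unknown device or off-link gateway."""
    problems = []
    for dst, gw, dev, _ in routes:
        if dev not in interfaces:
            problems.append(f"{dst}: device {dev} does not exist")
            continue
        net = ipaddress.ip_interface(interfaces[dev][1]).network
        if ipaddress.ip_address(gw) not in net:
            problems.append(f"{dst}: gateway {gw} is not on {dev} ({net})")
    return problems


def build_tables(interfaces, routes):
    """Per-VRF tables: each interface's connected route plus statics keyed by egress VRF."""
    tables = {}
    for name, (vrf, addr) in interfaces.items():
        tables.setdefault(vrf, []).append((ipaddress.ip_interface(addr).network, None, name, 0))
    for dst, gw, dev, dist in routes:
        tables.setdefault(interfaces[dev][0], []).append((ipaddress.ip_network(dst), gw, dev, dist))
    return tables


def lookup(tables, vrf, dst):
    """Longest prefix match within one VRF, lowest distance breaking ties."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in tables.get(vrf, []) if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None


def trace(interfaces, routes, start_vrf, dst, max_hops=8):
    """Return [(vrf, egress device, gateway)] hops; (vrf, None, None) means no route."""
    tables = build_tables(interfaces, routes)
    own = {ipaddress.ip_interface(a).ip: v for _, (v, a) in interfaces.items()}
    hops, vrf = [], start_vrf
    for _ in range(max_hops):
        route = lookup(tables, vrf, dst)
        if route is None:
            hops.append((vrf, None, None))
            return hops
        _, gw, dev, _ = route
        hops.append((vrf, dev, gw))
        if gw is None or ipaddress.ip_address(gw) not in own:
            return hops                       # delivered on-link or handed to a real next hop
        vrf = own[ipaddress.ip_address(gw)]   # far end of the vdom-link: continue in its VRF
    raise RuntimeError(f"routing loop between VRFs for {dst}")


if __name__ == "__main__":
    print(validate(INTERFACES, ROUTES) or "routes look sane")
    print("LAN -> AirLink:", trace(INTERFACES, ROUTES, 0, "192.168.13.5"))
    print("AirLink -> LAN:", trace(INTERFACES, ROUTES, 2, "10.29.0.7"))
    print("LAN -> Internet:", trace(INTERFACES, ROUTES, 0, "8.8.8.8"))  # no default in VRF 0
    # Assumed: leak the VRF 2 default into VRF 0 over the link (what tiered failover needs)
    leaked = ROUTES + [("0.0.0.0/0", "10.29.199.2", "link-199-0", 200)]
    print("LAN -> Internet:", trace(INTERFACES, leaked, 0, "8.8.8.8"))
```

The third trace is the practical point: with only the notes' routes, VRF 0 has no default at all, so LAN hosts never reach the internet through the AirLink until a default is leaked over link-199-0 (or a policy route does the same). Pointing a VRF 2 default back at link-199-1 by mistake makes trace() raise a routing-loop error, which is what you would see as packets ping-ponging between the two link interfaces on the real box.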