■Playing with a second SSG5 over a serial connection
If you're thinking "once you've set an IP on bgroup0, why not just connect over the Web?", you should do exactly that.
Today's menu:
※This involves factory-reset work, so it is for a unit you treat as a toy.
Collect the three version numbers and the S/N
Build an atftpd server on Debian Wheezy
Reset to factory defaults
Change the default IP of bgroup0 on the SSG5
Capture the "config" by streaming it over the serial console
Save the "config" (flash -> tftp server)
Initialise the "config"
Restore the "config" and reboot (tftp -> flash)
Save the software to Debian Wheezy via tftp (flash -> tftp server)
※The following involve updates from tftp, so they are for a toy unit you don't mind bricking.
BOOT LOADER
ScreenOS
imagekey.cer
■SSG5 configuration, backups and so on can easily be done from the Web console.
Normally the manuals below are sufficient.
Getting started with SSG5 (はじめてのSSG5)
http://www.juniper.net/jp/jp/local/pdf/others/fsssg5-jp.pdf
SSG5 manuals
http://www.juniper.net/support/downloads/?p=ssg5#docs
NetScreen/SSG configuration
http://www.viva-netscreen.net/
■Collect the three version numbers and the S/N.
Boot Loader Version: 1.3.2
ScreenOS Version: 5.4.0.1.0.0.0.0
Slot 0 S/N: XXXXXXXXXXXXXXXX
Juniper Networks SSG5-ISDN Boot Loader Version 1.3.2 (Checksum: XXXXXXXX)
Copyright (c) 1997-2006 Juniper Networks, Inc.
...
login:netscreen
Password:
ssg5-isdn->
ssg5-isdn-> get system version | include version
Version: 5.4.0.1.0.0.0.0
DM Version: 1
ssg5-isdn->
sg5-isdn-> get chassis
Slot Name S/N HW Rev Status
0 Built-in: 7-10/100 ports XXXXXXXXXXXXXXXX 0710 Online
sg5-isdn-> get envar
last_reset=2008-05-15 14:35:04 by netscreen
default_image=screenos_image
■Build an atftpd server on Debian Wheezy.
$ sudo apt-get install -y atftpd tftp
$ sed s/" \-"/"\n&"/g /etc/default/atftpd
USE_INETD=true
OPTIONS="--tftpd-timeout 300
--retry-timeout 5
--mcast-port 1758
--mcast-addr 239.239.239.0-255
--mcast-ttl 1
--maxthread 100
--verbose=5 /srv/tftp"
$ netstat -an | grep :69
udp 0 0 0.0.0.0:69 0.0.0.0:*
$ ls /srv/tftp/
$ tftp localhost
tftp> status
Connected to localhost.
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> quit
■Reset to factory defaults.
Asset Recovery, using the motherboard S/N found with "get chassis".
ssg5-isdn-> exit
Configuration modified, save? [y]/n n
login: XXXXXXXXXXXXXXXX
password:
!!! Lost Password Reset !!! You have initiated a command to reset the device to
factory defaults, clearing all current configuration and settings. Would you lik
e to continue? y/[n] y
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of
the device will be erased. In addition, a permanent counter will be incremented
to signify that this device has been reset. This is your last chance to cancel
this command. If you proceed, the device will return to factory default configur
ation, which is: System IP: 192.168.1.1; username: netscreen, password: netscree
n. Would you like to continue? y/[n] y
In reset ...
■If you press a key at "Hit any key to run loader" during the factory reset
Juniper Networks SSG5-ISDN Boot Loader Version 1.3.2 (Checksum: XXXXXXXX)
Copyright (c) 1997-2006 Juniper Networks, Inc.
Total physical memory: 256MB
Test - Pass
Initialization - Done
Hit any key to run loader
Hit any key to run loader
Serial Number [XXXXXXXXXXXXXXXX]: READ ONLY
HW Version Number [0710]: READ ONLY
Self MAC Address [XXXX-XXXX-XXXX]: READ ONLY
Boot File Name [screenos_image]: flash:/$NSBOOT$.BIN
Loading system image "/$NSBOOT$.BIN" from on-board flash disk...
Done! (size = 11,485,184 bytes)
■Change the default IP of bgroup0 on the SSG5
ssg5-isdn-> get config | include 192
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 dhcp server option gateway 192.168.1.1
set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.126
ssg5-isdn-> get config | include manage
set interface bgroup0 ip manageable
ssg5-isdn->
ssg5-isdn-> unset interface bgroup0 dhcp server option gateway
ssg5-isdn-> unset interface bgroup0 dhcp server ip all
ssg5-isdn-> unset interface bgroup0 dhcp server service
ssg5-isdn-> set interface bgroup0 ip 172.16.16.201/24
ssg5-isdn-> get config | include 192
ssg5-isdn->
ssg5-isdn-> get config | include dhcp
ssg5-isdn->
ssg5-isdn-> get config | include 172
set interface bgroup0 ip 172.16.16.201/32
ssg5-isdn->
ssg5-isdn-> get interface | include " U "
A - Active, I - Inactive, U - Up, D - Down, R - Ready
bgroup0 172.16.16.201/32 Trust 001b.c0cc.4b8b - U -
eth0/6 N/A N/A N/A - U -
null 0.0.0.0/0 Null N/A - U 0
ssg5-isdn->
ssg5-isdn-> ping 172.16.16.201 from bgroup0
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.16.16.201, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/4 ms
ssg5-isdn->
ssg5-isdn-> set vrouter trust-vr route 0.0.0.0/0 interface bgroup0 gateway 172.16.16.200
ssg5-isdn->
ssg5-isdn-> ping 172.16.16.200
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.16.16.200, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/7/25 ms
ssg5-isdn->
ssg5-isdn-> save
Save System Configuration ...
Done
ssg5-isdn->
■Capture the "config" by streaming it over the serial console
flash -> script log
Run the equivalent of Cisco's "terminal length 0", then dump the config.
The output captured in the "script" log serves as a backup that can be pasted back in.
"set console page 0" is kept in the configuration, so unset it afterwards.
ssg5-isdn-> set console page 0
ssg5-isdn-> get config | include console
set console page 0
ssg5-isdn-> get config
...
ssg5-isdn-> unset console page
ssg5-isdn-> get config | include console
ssg5-isdn->
[Ctrl]+[A]+[K]
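A capture taken this way still contains the prompts, the commands that were typed, and the temporary "set console page 0" line, none of which belong in a restore file. The shell function below, an added example that is not part of the original post, strips a serial-console capture down to its set/unset statements. The prompt name "ssg5-isdn->" and the sample capture are assumptions, constructed here for illustration; the "Total Config size" header line is a constructed sample, not real device output.

```sh
#!/bin/sh
# Added example (not from the original post): turn a raw serial-console capture
# of "get config" into a clean list of set/unset statements that can be pasted
# back into the CLI. Prompt name and sample log below are assumptions.

clean_screenos_log() {
    # Serial captures carry CR+LF line endings; drop the CR first.
    tr -d '\r' | awk '
        # Lines that start with the CLI prompt are commands we typed, not config.
        /^[A-Za-z0-9_-]+-> / { next }
        # Keep only configuration statements.
        $1 == "set" || $1 == "unset" {
            # "set console page 0" was only set to disable paging; never restore it.
            if ($0 == "set console page 0") next
            print
        }
    '
}

# Constructed sample capture (not real device output).
SAMPLE_LOG='ssg5-isdn-> set console page 0
ssg5-isdn-> get config
Total Config size 992:
set clock timezone 9
set console page 0
set interface bgroup0 ip 172.16.16.201/24
set interface bgroup0 ip manageable
ssg5-isdn-> unset console page
ssg5-isdn->'

# Usage: clean_screenos_log < script.log > restore.cfg
printf '%s\n' "$SAMPLE_LOG" | clean_screenos_log
```

Feed the "script" log to the function on stdin and redirect the result to a file; the three remaining lines from the sample are exactly what you would paste back after "unset all".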
■Save the "config"
flash -> tftp server
ssg5-isdn-> save config from flash to tftp 172.16.16.200 backup.cfg
Read config from flash.
System config (992 bytes) loaded
.
Done.
Save configurations (3212 bytes) to backup.cfg on TFTP server 172.16.16.200.
!!!!!!!!!!!!!!!!
tftp transferred records = 7
tftp success!
TFTP Succeeded
ssg5-isdn->
■Initialise the "config"
The bgroup0 settings are deleted as well.
ssg5-isdn-> unset all
Erase all system config, are you sure y/[n] ? y
, errno=2
, errno=2
ssg5-isdn->
ssg5-isdn-> reset
Configuration modified, save? [y]/n n
System reset, are you sure? y/[n] y
In reset ...
ssg5-isdn-> get config | include 192
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 dhcp server option gateway 192.168.1.1
set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.126
■Restore the "config" and reboot
tftp -> flash
ssg5-isdn-> save config from tftp 172.16.16.200 backup.cfg
Load config from 172.16.16.200/backup.cfg .
!!!!!!!!!!!!!!!
tftp received octets = 3404
tftp success!
TFTP Succeeded
Save config ... Done
ssg5-isdn->
ssg5-isdn-> reset
Configuration modified, save? [y]/n y
Save System Configuration ...
Done
System reset, are you sure? y/[n] y
In reset ...
ssg5-isdn-> ping 172.16.16.200
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.16.16.200, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=1/1/2 ms
ssg5-isdn->
■Check the SSG5's behaviour on a normal boot
It boots the default image after "Hit any key to run loader" times out.
Juniper Networks SSG5-ISDN Boot Loader Version 1.3.2 (Checksum: XXXXXXXX)
Copyright (c) 1997-2006 Juniper Networks, Inc.
Total physical memory: 256MB
Test - Pass
Initialization - Done
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Loading default system image from on-board flash disk...
Done! (size = 11,485,184 bytes)
Ignore image authentication!
Start loading...
■"software" means ScreenOS, that is "flash:/$NSBOOT$.bin".
ssg5-isdn-> debug file all
ssg5-isdn-> get file
flash:/crashdump.dmp 16384
flash:/burnin_log1 20480
flash:/burnin_log0 20480
flash:/prngseed.bin 32
flash:/envar.rec 74
flash:/ns_sys_config 989
flash:/dhcpservl.txt 8
flash:/cli-log 49952
flash:/dnstb.rec 126
ssg5-isdn-> get dbuf stream | include bin
ssg5-isdn->
ssg5-isdn-> get dbuf info
count: 3715, last index: 3715, cur index: 0, size: 32768
start: 0, pause: 0
ssg5-isdn-> clear dbuf
ssg5-isdn-> get dbuf info
count: 3715, last index: 3715, cur index: 0, size: 32768
start: 0, pause: 0
ssg5-isdn-> clear dbuf
ssg5-isdn-> get dbuf info
count: 0, last index: 0, cur index: 0, size: 32768
start: 0, pause: 0
ssg5-isdn-> get file flash:/$NSBOOT$.BIN
flash:/$NSBOOT$.BIN 11485184
file is hidden
sg5-isdn-> get dbuf stream | include bin
ssg5-isdn->
■Save the software to Debian Wheezy via tftp
flash -> tftp server
ssg5-isdn-> get system | include software
Software Version: 5.4.0r6.0, Type: Firewall+VPN
ssg5-isdn->
ssg5-isdn-> save software from flash to tftp 172.16.16.200 ssg5ssg20.5.4.0r6.0.run
Load image from flash.
Save software to TFTP 172.16.16.200 (file: ssg5ssg20.5.4.0r6.0.run). It may take a few minutes ...
Type escape sequence to abort
!!!!!!!!!!!!!!!!!!!
tftp transferred records = 22433
tftp success!
TFTP Succeeded
ssg5-isdn->
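Both transfers above end with a "tftp transferred records = N" line from the device: 7 for the 3212-byte backup.cfg, 22433 for the 11,485,184-byte software image. Those two figures fit the TFTP rule that a file is sent in SIZE/512 + 1 data blocks (the last block is always shorter than 512 bytes, possibly empty), which gives a simple completeness check for what landed on the tftp server. The shell functions below are an added example, not part of the original post; their names and the /srv/tftp paths in the usage comment are assumptions, and the reading of "records" as TFTP data blocks is inferred from the two figures on this page.

```sh
#!/bin/sh
# Added example (not from the original post): check that a backup received by
# the tftp server is complete, using the "tftp transferred records = N" count
# the SSG5 prints. Each TFTP data block carries at most 512 bytes and the final
# block is always shorter (possibly empty), so a file of SIZE bytes is sent in
# SIZE/512 + 1 blocks. Function names and paths are assumptions.

# Number of TFTP data blocks needed for a file of the given size in bytes.
tftp_blocks_for_size() {
    size=$1
    echo $(( size / 512 + 1 ))
}

# Compare a file on the tftp server with the record count reported by the device.
# Prints the verdict and returns 0 on a match, 1 on a mismatch.
verify_tftp_backup() {
    file=$1
    reported=$2
    actual=$(wc -c < "$file")
    expected=$(tftp_blocks_for_size "$actual")
    if [ "$expected" -eq "$reported" ]; then
        echo "$file: $actual bytes in $expected blocks, matches device report"
        return 0
    fi
    echo "$file: $actual bytes would be $expected blocks, device reported $reported" >&2
    return 1
}

# Usage with the figures from this post (3212-byte backup.cfg -> 7 records,
# 11485184-byte $NSBOOT$.BIN -> 22433 records):
#   verify_tftp_backup /srv/tftp/backup.cfg 7
#   verify_tftp_backup /srv/tftp/ssg5ssg20.5.4.0r6.0.run 22433
```

A mismatch means the file on the server is truncated (a timeout mid-transfer, or a full /srv/tftp), and the backup should be taken again before moving on to "unset all".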
■How to save the BOOT LOADER and imagekey.cer to tftp is unknown.
They exist only as hidden files on flash, so take care from here on.
BOOT LOADER OK (after) ... Boot Loader Version: 1.3.3
BOOT LOADER NG (before) ... Boot Loader Version: 1.3.2
ScreenOS OK (after) ... 6.3.0r6.0
ScreenOS NG (before) ... 5.4.0r6.0
imagekey OK (after) ... Image authenticated!
imagekey NG (before) ... Ignore image authentication
■Extract the BOOT LOADER onto the tftp server
Archive: Loadssg5ssg20v133.d.zip
inflating: Loadssg5ssg20v133.d
-rw-r--r-- 1 nobody nogroup 408395 9月 4 2009 Loadssg5ssg20v133.d
* SSG5/SSG20 BOOT LOADER UPDATE UTILITY *
* *** DON'T POWER OFF DURING BOOT LOADER UPDATE *** *
$NSBOOT$BIN
■Note that the existing BOOT LOADER is erased before the update is written.
Do not power off while this is in progress.
sg5-isdn-> reset
System reset, are you sure? y/[n] y
In reset ...
Boot File Name [screenos_image]:Loadssg5ssg20v133.d
Loaded Successfully! (size = 408,395 bytes)
Ignore image authentication!
Save to on-board flash disk? (y/[n]/m) Yes!
Please input multiple system image file name [loadssg5.d]:
Saving system image to on-board flash disk...
Done! (size = 408,395 bytes)
Run downloaded system image? ([y]/n) Yes!
******************************************************************
* *
* SSG5/SSG20 BOOT LOADER UPDATE UTILITY *
* ============================================== *
* (c)1997-2006 Juniper Networks, Inc. *
* All Rights Reserved *
* *
* ---------------------------------------------- *
* Boot Loader Version: 1.3.3 *
* Date : 05/26/2006 *
* *
* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! *
* ! ! *
* ! Please don't power off during update. ! *
* ! Otherwise, the system can not boot again. ! *
* ! ! *
* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! *
* *
* *** DON'T POWER OFF DURING BOOT LOADER UPDATE *** *
* *** DON'T POWER OFF DURING BOOT LOADER UPDATE *** *
* *** DON'T POWER OFF DURING BOOT LOADER UPDATE *** *
* *
******************************************************************
Check on-board Boot Loader... Update needed!
Are you sure you want to update Boot Loader? (y/n)
Read product information of on-board boot flash device:
Manufacturer ID = 1f
Device ID = 13
Additional Device ID = 10
Boot flash device is XXXXXXXX
Erase on-board boot flash device.......... Done
Update Boot Loader.....................................................
Done
Verify Boot Loader... Done
Boot Loader has been updated successfully!
Please hit any key to reboot the system...
Juniper Networks SSG5-ISDN Boot Loader Version 1.3.3 (Checksum: XXXXXXXX)
Copyright (c) 1997-2006 Juniper Networks, Inc.
ssg5-isdn-> debug file all
ssg5-isdn-> get file
flash:/crashdump.dmp 16384
flash:/burnin_log1 20480
flash:/burnin_log0 20480
flash:/prngseed.bin 32
flash:/envar.rec 74
flash:/ns_sys_config 947
flash:/dhcpservl.txt 0
flash:/cli-log 49952
flash:/dnstb.rec 83
ssg5-isdn-> get dbuf stream | include Load
ssg5-isdn-> get file flash:/LOADSSG5.D
flash:/LOADSSG5.D 408395
file is hidden
■Place ScreenOS on the tftp server
$ cd /srv/tftp
$ unzip ssg5ssg20.6.3.0r6.0.zip
Archive: ssg5ssg20.6.3.0r6.0.zip
inflating: ssg5ssg20.6.3.0r6.0
$ sudo chown -R nobody:nogroup ssg5ssg20.6.3.0r6.0
■Upgrade ScreenOS
tftp -> flash
ssg5-isdn-> reset
System reset, are you sure? y/[n] y
In reset ...
Boot File Name [Loadssg5ssg20v133.d]: ssg5ssg20.6.3.0r6.0
atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatata
Loaded Successfully! (size = 13,295,019 bytes)
Ignore image authentiggcation!
Save to on-board flash disk? (y/[n]/m) Yes!
Please input multiple system image file name [ssg5ssg2.0]:
Saving system image to on-board flash disk...
Done! (size = 13,295,019 bytes)
Run downloaded system image? ([y]/n) Yes!
sg5-isdn-> debug file all
ssg5-isdn-> get file
flash:/crashdump.dmp 32768
flash:/burnin_log1 20480
flash:/burnin_log0 20480
flash:/prngseed.bin 32
flash:/envar.rec 85
flash:/ns_sys_config 947
flash:/dhcpservl.txt 0
flash:/cli-log 49952
flash:/dnstb.rec 83
flash:/pkidatabase.digest 20
sg5-isdn-> get dbuf stream | include ssg5ssg2.0
ssg5-isdn-> get system version
Encoding: 1
Version: 6.3.0.1.0.0.0.0
DM Version: 1
ssg5-isdn->
■"Ignore image authentiggcation!" (the "Ignore image authentication!" message, garbled on the serial line) means the image key certificate needs updating, so extract it to the tftp server.
Confirm that the md5 matches the one in the PDF.
$ unzip image_key.zip
Archive: image_key.zip
inflating: imagekey.cer
inflating: image_key_readme.pdf
$ md5sum imagekey.cer
ccfcd027e20c9cc38b5d8dac17c7199f imagekey.cer
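Since the device will pull whatever sits in the atftpd root and the image key is what later turns "Ignore image authentication" into "Image authenticated!", it is worth making the md5 comparison a gate rather than an eyeball check. The shell function below, an added example that is not part of the original post, refuses to copy a file into the tftp root unless its md5sum matches the published value; the same gate applies to the ScreenOS and boot-loader files placed under /srv/tftp earlier. /srv/tftp is the root configured on this page; the function name is an assumption, and the usage line reuses the md5 printed above, which you should still confirm against the PDF.

```sh
#!/bin/sh
# Added example (not from the original post): verify a downloaded file against
# a published MD5 before placing it in the atftpd root, so the device never
# pulls a corrupt or swapped image or certificate. /srv/tftp is the root used
# in this post; the function name is an assumption.

# stage_tftp_file FILE EXPECTED_MD5 [TFTP_ROOT]
# Copies FILE into TFTP_ROOT (default /srv/tftp) only if the MD5 matches.
stage_tftp_file() {
    file=$1
    expected=$2
    root=${3:-/srv/tftp}
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED: $file md5 $actual does not match expected $expected" >&2
        return 1
    fi
    # atftpd runs as nobody, so the file must be world-readable. The post uses
    # chown nobody:nogroup, which needs root; only the mode is set here.
    cp "$file" "$root/" && chmod 644 "$root/$(basename "$file")"
    echo "staged $(basename "$file") in $root (md5 $actual)"
}

# Usage with the value printed by md5sum in this post (check it against the PDF):
#   stage_tftp_file imagekey.cer ccfcd027e20c9cc38b5d8dac17c7199f
```

Run it as a user who can write to /srv/tftp; a non-zero exit with "REFUSED" means nothing was copied, so "save image-key tftp" on the device cannot pick up the wrong file.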
■Update the certificate
tftp -> flash
ssg5-isdn-> save image-key tftp 172.16.16.200 imagekey.cer
Load file from TFTP 172.16.16.200 (file: imagekey.cer).
!!!!!
tftp received octets = 865
tftp success!
Done
TFTP Succeeded
ssg5-isdn->
ssg5-isdn-> exec pki test skey
exec pki test <skey>.
Flash base = 0x51000000, Flash end = 0x0, sector size= 0x4000
KEY1 N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0
KEY2 N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0
KEY3 N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0
ssg5-isdn->
■Confirm that the device simply boots from flash with the new BOOT LOADER and ScreenOS
ssg5-isdn-> reset
System reset, are you sure? y/[n] y
In reset ...
Loading default system image from on-board flash disk...
Done! (size = 13,295,019 bytes)
■Reset settings that exist only in the old version, such as the one reported as "Unsupported command"
Unsupported command - set zone "VLAN" block
ssg5-isdn-> unset all
Erase all system config, are you sure y/[n] ? y
ssg5-isdn-> reset
Configuration modified, save? [y]/n n
System reset, are you sure? y/[n] y
In reset ...
ssg5-isdn-> get config | include VLAN
set zone "VLAN" vrouter "trust-vr"
unset zone "VLAN" tcp-rst
unset interface vlan1 ip
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set zone "VLAN" vrouter "trust-vr"
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset interface vlan1 ip
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
■In this state, even after a factory reset, the result is as follows.
Boot Loader Version 1.3.3
Image authenticated!
Version 6.3.0r6.0