Contributor
ahmedsharif
Posts: 36
Registered: 04-24-2009

SCTP ALG

Hi experts

I have an active/active setup using local interfaces which are not part of any redundancy group, so that both paths can remain active at the same time. Here is what I have done.


routing-instance name:   SS7

security zones:          SS7-trust and SS7-untrust

Policy between zones:    from-zone SS7-trust to-zone SS7-untrust

I am using SRX1400, Junos 11.1.

My question is: how can I enable the SCTP ALG on the SRX using local interfaces?

Is it enabled right now? If yes, how can I check it?

If it is not enabled, how can I enable it for SCTP traffic using local interfaces?

show routing-instances SS7
instance-type virtual-router;
interface ge-0/0/6.466;
interface ge-0/0/6.686;
interface ge-4/0/6.467;
interface ge-4/0/6.687;
routing-options {
    static {
        route 10.87.42.249/32 next-hop 10.87.41.146;
        route 10.87.42.253/32 next-hop 10.87.41.154;
        route 10.87.40.4/32 next-hop 10.87.53.66;
        route 10.87.40.36/32 next-hop 10.87.53.74;
    }
}

security {
    policies {
        from-zone SS7-trust to-zone SS7-untrust {
            policy SS7-trust-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gprs-sctp;
                }
                then {
                    permit;
                }
            }
        }
    }
}

ge-0/0/6 {
    vlan-tagging;
    unit 466 {
        vlan-id 466;
        family inet {
            address 10.87.53.65/29;
        }
    }
    unit 686 {
        vlan-id 686;
        family inet {
            address 10.87.41.145/29;
        }
    }
}

ge-4/0/6 {
    vlan-tagging;
    unit 467 {
        vlan-id 467;
        family inet {
            address 10.87.53.73/29;
        }
    }
    unit 687 {
        vlan-id 687;
        family inet {
            address 10.87.41.153/29;
        }
    }
}

Thanks

Regards

Ahmed Sharif
Juniper Employee
tonyzhou
Posts: 91
Registered: 11-11-2010

Re: SCTP ALG

If you want to configure SCTP, follow the steps:

(1) Configure SCTP profile

root@haricot# show security gprs sctp | display set | match profile

set security gprs sctp profile lp association-timeout 1440

set security gprs sctp profile lp handshake-timeout 30

set security gprs sctp profile lp drop payload-protocol m2ua

(2) Configure policy, and bind SCTP profile to the policy

root@haricot# show security policies | display set

set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp match source-address any

set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp match destination-address any

set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp match application junos-gprs-sctp

set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp then permit application-services gprs-sctp-profile lp

set security policies from-zone Usctp-zone to-zone Tsctp-zone policy lp match source-address any

set security policies from-zone Usctp-zone to-zone Tsctp-zone policy lp match destination-address any

set security policies from-zone Usctp-zone to-zone Tsctp-zone policy lp match application junos-gprs-sctp

set security policies from-zone Usctp-zone to-zone Tsctp-zone policy lp then permit application-services gprs-sctp-profile lp

JNCIE-SEC
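The reply's two steps applied to the zones and policy from the original question, as an added example in hierarchical format (not configuration posted by either participant); the profile name SS7-sctp and the reverse policy name SS7-untrust-trust are assumptions:

```junos
/* added example; profile name SS7-sctp is an assumption, not from the thread */
security {
    gprs {
        sctp {
            profile SS7-sctp {
                /* step 1: timeouts as in the reply; its "drop payload-protocol m2ua"
                   is omitted here, since an SS7 link may carry M2UA; check first */
                association-timeout 1440;
                handshake-timeout 30;
            }
        }
    }
    policies {
        from-zone SS7-trust to-zone SS7-untrust {
            policy SS7-trust-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gprs-sctp;
                }
                then {
                    permit {
                        /* step 2: bind the SCTP profile to the existing policy */
                        application-services {
                            gprs-sctp-profile SS7-sctp;
                        }
                    }
                }
            }
        }
        /* the reply also configures the reverse direction */
        from-zone SS7-untrust to-zone SS7-trust {
            policy SS7-untrust-trust {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gprs-sctp;
                }
                then {
                    permit {
                        application-services {
                            gprs-sctp-profile SS7-sctp;
                        }
                    }
                }
            }
        }
    }
}
```

After commit, `show configuration security gprs sctp` and `show configuration security policies` confirm that the profile and its policy binding are in the active configuration.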
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.