Discussion:
[j-nsp] SSH from cisco router to Juniper Box
a. rahman isnaini rst / netsoft
2008-09-01 03:45:49 UTC
Hi,


I'm trying to do ssh from my cisco router to juniper box.
Cisco IP has been permitted, to log in.
But no success; the error is:

Sep 1 10:22:23 GW-1 sshd[38928]: Did not receive identification string from 192.168.0.99
Sep 1 10:22:23 GW-1 inetd[2541]: /usr/sbin/sshd[38928]: exit status 0xff00

From Cisco:
gw-99#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-o Specify options
-p Connect to this port
WORD IP address or hostname of a remote system

Any suggestion?


rgs
a. rahman isnaini r.sutan
Nic Tjirkalli
2008-09-01 06:43:01 UTC
Howdy ho,
Post by a. rahman isnaini rst / netsoft
Hi,
I'm trying to do ssh from my cisco router to juniper box.
Cisco IP has been permitted, to log in.
Sep 1 10:22:23 GW-1 sshd[38928]: Did not receive identification string from
192.168.0.99
Sep 1 10:22:23 GW-1 inetd[2541]: /usr/sbin/sshd[38928]: exit status 0xff00
gw-99#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-o Specify options
-p Connect to this port
WORD IP address or hostname of a remote system
Any suggestion?
maybe an SSH version incompatibility - not 100% sure of this ...
From the CISCO "ssh ?" output it looks like CISCO can only do SSH version 1, as
it does not have a -v option to set the version ...

From a cisco that has an ssh that does V1 and 2:
gw#ssh -v ?
1 Protocol Version 1
2 Protocol Version 2

maybe on juniper enable SSH v1 and v2 (if you really want to allow v1 SSH
in) with
set system services ssh protocol-version [v1 v2]
commit

later
Post by a. rahman isnaini rst / netsoft
rgs
a. rahman isnaini r.sutan
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
---------------------------------------------------------------------
A darkroom is not the best place to develop a reputation.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Rolf Mendelsohn
2008-09-01 06:45:38 UTC
Hi Rahman,

Many of the cisco IOS releases do not support ssh version 2, they support only
version 1 or 1.5.

By default I think BSD only allows version 2 and stronger ciphers.

From my router (running 12.4.18b):

cr1.lda6.ao>ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
WORD IP address or hostname of a remote system

Regards,
Rolf
Post by a. rahman isnaini rst / netsoft
Hi,
I'm trying to do ssh from my cisco router to juniper box.
Cisco IP has been permitted, to log in.
Sep 1 10:22:23 GW-1 sshd[38928]: Did not receive identification string
from 192.168.0.99
Sep 1 10:22:23 GW-1 inetd[2541]: /usr/sbin/sshd[38928]: exit status 0xff00
gw-99#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-o Specify options
-p Connect to this port
WORD IP address or hostname of a remote system
Any suggestion?
rgs
a. rahman isnaini r.sutan
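To make the version-mismatch diagnosis above concrete, here is an added example (not code from the list posts) that parses SSH identification strings as defined in RFC 4253 section 4.2, decides whether a client and server share a protocol version, and pulls the source address out of the sshd log line quoted in the thread. The banners are constructed samples; an OpenSSH-style server that allows both protocols announces "SSH-1.99-...", which is how the Junos `protocol-version [v1 v2]` change shows up on the wire.

```python
import re

# Identification string: "SSH-protoversion-softwareversion [SP comments]" CR LF
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>[^\r\n]*))?\r?\n?$"
)

# Log line format as shown in the thread; the source IP is what we want to extract.
NO_ID_STRING_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<src>\S+)"
)


def parse_banner(line: str) -> dict:
    """Split an SSH identification string into protocol, software and comment."""
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {"proto": m["proto"], "software": m["software"], "comment": m["comment"]}


def supported_versions(proto: str) -> set:
    """Map the protoversion field to the major versions a peer will speak.
    '1.99' is the RFC 4253 convention for a server that accepts both 1.x and 2.0."""
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".")[0])}


def compatible(client_banner: str, server_banner: str) -> bool:
    """True when client and server share at least one protocol major version.
    A v1-only client facing a '2.0'-only server disconnects before sending its
    own banner, which is what produces 'Did not receive identification string'."""
    client = supported_versions(parse_banner(client_banner)["proto"])
    server = supported_versions(parse_banner(server_banner)["proto"])
    return bool(client & server)


def no_id_string_source(log_line: str):
    """Return the peer address from a 'Did not receive identification string'
    sshd log line, or None if the line is something else."""
    m = NO_ID_STRING_RE.search(log_line)
    return m["src"] if m else None


if __name__ == "__main__":
    # Constructed banners: an IOS v1-only client against a v2-only and a v1+v2 server.
    cisco_v1 = "SSH-1.5-Cisco-1.25"
    print(compatible(cisco_v1, "SSH-2.0-OpenSSH_4.3"))   # False
    print(compatible(cisco_v1, "SSH-1.99-OpenSSH_4.3"))  # True
```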
a. rahman isnaini rst / netsoft
2008-09-01 09:44:33 UTC
Thanks Rolf & Nic.


a. rahman isnaini r.sutan
Post by Rolf Mendelsohn
Hi Rahman,
Many of the cisco IOS releases do not support ssh version 2, they support only
version 1 or 1.5.
By default I think BSD only allows version 2 and stronger ciphers.
cr1.lda6.ao>ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
WORD IP address or hostname of a remote system
Regards,
Rolf
Post by a. rahman isnaini rst / netsoft
Hi,
I'm trying to do ssh from my cisco router to juniper box.
Cisco IP has been permitted, to log in.
Sep 1 10:22:23 GW-1 sshd[38928]: Did not receive identification string
from 192.168.0.99
Sep 1 10:22:23 GW-1 inetd[2541]: /usr/sbin/sshd[38928]: exit status 0xff00
gw-99#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-o Specify options
-p Connect to this port
WORD IP address or hostname of a remote system
Any suggestion?
rgs
a. rahman isnaini r.sutan
Bit Gossip
2008-09-03 21:58:12 UTC
Experts,
do you know if there is a Junos equivalent to the following Cisco:

rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
<1-254> maximum number of hops



Thanks,
Bit
Stefan Fouant
2008-09-03 20:44:53 UTC
Post by Bit Gossip
Experts,
rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
<1-254> maximum number of hops
Thanks,
Bit
No knob that I am aware of but Richard Steenbergen has a hack on cluepon:

http://juniper.cluepon.net/index.php/CS_BGP_TTL_Security
--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
Richard A Steenbergen
2008-09-03 16:19:11 UTC
Post by Bit Gossip
Experts,
rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
<1-254> maximum number of hops
http://juniper.cluepon.net/index.php/CS_BGP_TTL_Security

Plus please request that they actually add this relatively simple
feature, rather than making us script around it. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Truman Boyes
2008-09-03 21:20:28 UTC
Bit,

http://www.juniper.net/techpubs/software/junos/junos92/swconfig-routing/multihop.html#id-13320727

Yes you can specify a maximum TTL value. This match is performed on
RE, not on the PFE as opposed to a firewall match.

Regards,
Truman
Post by Bit Gossip
Experts,
rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
<1-254> maximum number of hops
Thanks,
Bit
Truman Boyes
2008-09-03 22:49:33 UTC
Just a follow up to my previous post. This maximum TTL value is not
the same as the cisco ttl-security feature (GTSM).

Truman
Post by Truman Boyes
Bit,
http://www.juniper.net/techpubs/software/junos/junos92/swconfig-routing/multihop.html#id-13320727
Yes you can specify a maximum TTL value. This match is performed on
RE, not on the PFE as opposed to a firewall match.
Regards,
Truman
Post by Bit Gossip
Experts,
rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
<1-254> maximum number of hops
Thanks,
Bit
Stefan Fouant
2008-09-03 23:23:09 UTC
Truman,

That's for BGP multihop... That's not the same as GTSM.

Cheers,
Post by Truman Boyes
Bit,
http://www.juniper.net/techpubs/software/junos/junos92/swconfig-routing/multihop.html#id-13320727
Yes you can specify a maximum TTL value. This match is performed on
RE, not on the PFE as opposed to a firewall match.
Regards,
Truman
Post by Bit Gossip
Experts,
rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
<1-254> maximum number of hops
Thanks,
Bit
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
Truman Boyes
2008-09-03 23:40:08 UTC
Yup, seems to be a delay in the mailing list, as I replied to my own
message right after posting, but it hasn't come through yet :)

Cheers,
Truman
Post by Stefan Fouant
Truman,
That's for BGP multihop... That's not the same as GTSM.
Cheers,
Post by Truman Boyes
Bit,
http://www.juniper.net/techpubs/software/junos/junos92/swconfig-routing/multihop.html#id-13320727
Yes you can specify a maximum TTL value. This match is performed on
RE, not on the PFE as opposed to a firewall match.
Regards,
Truman
Post by Bit Gossip
Experts,
rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
<1-254> maximum number of hops
Thanks,
Bit
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
Harry Reynolds
2008-09-03 23:31:31 UTC
I believe this knob only affects the outbound ttl setting, effectively placing
a scope on how far away the remote peer *could* be. It will not prevent
acceptance of a connection with an incoming ttl that is less than the
value specified, which is the functionality being sought here.

The juniper knob provides outbound protection, while the cisco one
provides inbound.

IIRC, you can set a jni with multi-hop ttl-3, and we will set ttl = 3 in
outgoing packets rather than default of 1/64 for normal/multihop
respectively. There is no specific inbound check, other than normal IP
sanity checking. The inbound packet could have any TTL from 1-255 and we
will accept it.

General TTL security may be easy to implement in a software based
router, but JUNOS FW filters are done in HW, by ASICS, and not all
platforms support full GTTL, as per the cluepon site. As always, if you
need a feature request it through the sales channels to help expedite a
solution to market.

Regards and HTHs
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Truman Boyes
Sent: Wednesday, September 03, 2008 2:20 PM
To: Bit Gossip
Cc: 'Juniper-Nsp'
Subject: Re: [j-nsp] ttl-security

Bit,

http://www.juniper.net/techpubs/software/junos/junos92/swconfig-routing/multihop.html#id-13320727

Yes you can specify a maximum TTL value. This match is performed on RE,
not on the PFE as opposed to a firewall match.

Regards,
Truman
Post by Bit Gossip
Experts,
rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
<1-254> maximum number of hops
Thanks,
Bit
James Jun
2008-09-03 23:38:28 UTC
Post by Truman Boyes
http://www.juniper.net/techpubs/software/junos/junos92/swconfig-routing/multihop.html#id-13320727
Yes you can specify a maximum TTL value. This match is performed on
RE, not on the PFE as opposed to a firewall match.
That's not filtering on TTL. It just specifies what TTL to use to send bgp
traffic over to your peer.

James
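Modelling the inbound-versus-outbound distinction Harry Reynolds and James Jun draw above, as an added example that is not part of the list posts. Assumptions: the Cisco `ttl-security hops N` accept rule is received TTL >= 255 - N (taken from Cisco's GTSM documentation), a GTSM-enabled peer sends with TTL 255 as RFC 5082 requires, and the Junos `multihop ttl` knob performs no inbound TTL check, as Harry describes.

```python
def ttl_at_receiver(sent_ttl: int, hops: int) -> int:
    """TTL left after 'hops' routers each decrement it by one.
    0 means the packet expired in transit and never reaches the receiver."""
    if not 1 <= sent_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    return max(sent_ttl - hops, 0)


def gtsm_accepts(received_ttl: int, max_hops: int) -> bool:
    """Cisco-style inbound check (GTSM): accept only if TTL >= 255 - max_hops.
    The 1..254 range mirrors the IOS '<1-254>' prompt quoted in the thread."""
    if not 1 <= max_hops <= 254:
        raise ValueError("hops must be in 1..254")
    return received_ttl > 0 and received_ttl >= 255 - max_hops


def junos_multihop_accepts(received_ttl: int) -> bool:
    """Junos 'multihop ttl' only sets the TTL on packets we send; inbound,
    anything that passes ordinary IP sanity checking (TTL 1..255) is accepted."""
    return 1 <= received_ttl <= 255


def evaluate(scenarios, max_hops: int) -> dict:
    """scenarios: (label, sent_ttl, hops_between_peers). Returns, per scenario,
    the TTL seen on arrival and each policy's accept/reject verdict."""
    verdicts = {}
    for label, sent_ttl, hops in scenarios:
        ttl = ttl_at_receiver(sent_ttl, hops)
        verdicts[label] = {
            "ttl_seen": ttl,
            "cisco_gtsm": gtsm_accepts(ttl, max_hops),
            "junos_multihop": junos_multihop_accepts(ttl),
        }
    return verdicts


# Constructed scenarios; the receiver is configured for a directly connected peer.
SCENARIOS = [
    ("directly connected GTSM peer", 255, 1),
    ("GTSM peer three hops away", 255, 3),
    ("remote host five hops away sending TTL 255", 255, 5),
    ("legacy peer sending default TTL 64", 64, 1),
]

if __name__ == "__main__":
    for label, v in evaluate(SCENARIOS, max_hops=1).items():
        print(f"{label:44} ttl={v['ttl_seen']:3}  cisco={v['cisco_gtsm']!s:5}  junos={v['junos_multihop']}")
```

The last scenario is the operational caveat: GTSM only works when both peers send with TTL 255, so a peer left on a default TTL is rejected by the Cisco check even when directly connected.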