Posts Tagged ‘screen’

Little tip with SRX Dynamic VPNs and 'security screens' on the VPN's ingress zone I stumbled across during my JNCIE-SEC study.

UPDATE (20120401): Seems Juniper has addressed and fixed this bug ...
More info: 

It seems you cannot have the 'IP Spoofing' screen enabled on a zone into which IPsec Dynamic VPN traffic ingresses. The screen drops this traffic, which you can confirm with a 'security flow traceoptions flag basic-datapath' trace:

  • 'packet dropped, drop by spoofing check.'

So removing (or deactivating) the IP spoofing check solved the problem:

  • deactivate security screen ids-option from-Internet ip spoofing

Kind of lame: the spoofing screen sounds like a good idea on your Internet-facing interfaces, but it seems to be a no-no if you want Dynamic VPNs. That is all. Hopefully Juniper eventually makes this check smarter.
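For reference, here is the full set of Junos configuration and verification commands that the tip above boils down to. This is an added example written for this page, not configuration from the original post; the zone name 'untrust', the trace file name 'dvpn-flow' and the NAT-T port filter are assumptions, while the ids-option name 'from-Internet' and the flag are the ones the post uses.

```junos
# Screen profile bound to the Internet-facing zone (zone name 'untrust' is assumed)
set security screen ids-option from-Internet ip spoofing
set security zones security-zone untrust screen from-Internet

# Trace the flow datapath to see why Dynamic VPN packets are dropped.
# The packet-filter narrows the trace to NAT-T traffic (UDP/4500); drop it to trace everything.
set security flow traceoptions file dvpn-flow size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter dvpn destination-port 4500

# Workaround from the post: keep the rest of the profile, deactivate only the spoofing check
deactivate security screen ids-option from-Internet ip spoofing
commit

# Verify: the spoofing counter for the zone should stop incrementing and
# the trace should no longer show the 'drop by spoofing check' message
run show security screen statistics zone untrust
run show log dvpn-flow | match "spoofing check"
```

Deactivating rather than deleting the 'ip spoofing' line keeps it in the configuration, so it can be reactivated with 'activate' once the fix mentioned in the update is confirmed on your release.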

32- and 64-bit PL2303 drivers for OS X 10.6 are available here.

You'll need to modify, as root, the '/System/Library/Extensions/ProlificUsbSerial.kext/Contents/Info.plist' file after installing the driver to suit the USB manufacturer (vendor) and device (product) ID. For the ATEN UC232A, the examples below appear to work (for me on 10.7).

To obtain the IDs, Wayne Roberts (who informed me via the SAGE-AU mailing lists) used 'USB', which comes with the developer tools/Xcode.

Modify the current lines of the XML:

# <key> can be the hex values as 'Vendor'_'Product'; Wayne thinks this is more cosmetic, however.

# <idProduct> and <idVendor> should be the decimal form of the respective values, as reported by USB.

Once you've done this, either restart the machine or run 'kextunload' and then 'kextload' on ProlificUsbSerial.kext, and the adapter should show up as /dev/tty.usbserial.

** If you have installed the UC232A drivers, either rm or mv the 'UC-232AC.kext' before the reboot to avoid conflicts. **