In the previous blogs, we imported the GNS3 VM and created a Cisco ASAv appliance. I would like to continue the journey and use what we have created so far in a real lab scenario.
In this blog, I will show you how to create an IPsec tunnel between an ASAv running in GNS3 and an OCI DRG.
I will mention again that this blog has no production value and that the firmware used here for the ASAv is downloaded from Cisco's website.
As prerequisites, you will need an OCI tenant with enough resources to import the GNS3 VM and create an IPsec tunnel, and a valid Cisco account to download the required binaries.
The GNS3 emulation is isolated from the guest OS of the VM. To connect the emulation to the networking of the VM we will use a tap interface that does the bridging. Below you can see the graphical representation.
We begin by creating a tap interface in the GNS3 VM. This bridges the emulated lab to the Linux OS of the VM.
Install the utility that creates the tap interface, load the tun module and create tap1 (the -t option names the device explicitly so it matches the interface configured next; a bare tunctl picks the next free tapN itself):
apt-get install uml-utilities
modprobe tun
tunctl -t tap1
Configure the tap interface with an IP address:
ifconfig tap1 192.168.255.1 netmask 255.255.255.248 up
Configure iptables to hide 192.168.255.0/29 behind the external interface. The MASQUERADE rule only rewrites the source address; the VM must also have net.ipv4.ip_forward set to 1, otherwise nothing is routed from tap1 to eth0.
iptables -t nat -I POSTROUTING -s 192.168.255.0/29 -o eth0 -j MASQUERADE
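The tap-bridge steps above as one idempotent script, an added example that is not from the original post. It assumes the same names as the post (tap1, 192.168.255.1/29, eth0) and goes one step beyond it: it enables IPv4 forwarding, which the MASQUERADE rule alone does not do, derives the NAT source network from the tap address so the two cannot drift apart, and checks for an existing tap and NAT rule before creating them. The function names (run, cidr_network, lab_bridge_setup) are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: the tap-bridge steps as one
# idempotent script for the GNS3 VM. Assumes tap1, 192.168.255.1/29 and eth0 as
# in the post, and root when actually applied. DRY_RUN=1 prints the commands
# instead of running them.

# run CMD... : execute, or only print the command line when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# cidr_network A.B.C.D/N -> network address of that prefix, e.g. 192.168.255.0/29
cidr_network() {
    ip="${1%/*}"; plen="${1#*/}"
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( 4294967295 ^ ((1 << (32 - plen)) - 1) ))
    n=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 )) "$plen"
}

# tap_exists NAME -> 0 if the interface is already present
tap_exists() { [ -e "/sys/class/net/$1" ]; }

# nat_rule_present NET/PREFIX WAN_IF -> 0 if the MASQUERADE rule is already installed
nat_rule_present() {
    iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null
}

# lab_bridge_setup TAP ADDR/PREFIX WAN_IF
lab_bridge_setup() {
    tap="$1"; addr="$2"; wan="$3"
    net=$(cidr_network "$addr")   # derived, so the NAT source cannot drift from the tap subnet
    run modprobe tun
    if [ "${DRY_RUN:-0}" = "1" ] || ! tap_exists "$tap"; then
        run tunctl -t "$tap"       # -t names the device; bare tunctl picks the next free tapN
    fi
    run ip addr replace "$addr" dev "$tap"    # replace is safe to re-run, unlike add/ifconfig
    run ip link set "$tap" up
    run sysctl -w net.ipv4.ip_forward=1       # without this the lab never reaches eth0
    if [ "${DRY_RUN:-0}" = "1" ] || ! nat_rule_present "$net" "$wan"; then
        run iptables -t nat -A POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
    fi
}

case "${1:-}" in
    apply)   lab_bridge_setup tap1 192.168.255.1/29 eth0 ;;
    dry-run) DRY_RUN=1; lab_bridge_setup tap1 192.168.255.1/29 eth0 ;;
    *)       : ;;   # no argument: only define the functions
esac
```

Run it with apply as root on the GNS3 VM, or with dry-run to see the exact commands it would execute.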
The ASAv console is VNC based, which means copy/paste does not work. I prefer to configure only the interface IP addresses and SSH access from the console, and do the rest of the configuration over an SSH session to the ASA.
Configure the hostname and the external interface:
hostname us-phx-asav
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.255.2 255.255.255.248
 no shut
Configure a user:
username catalin password *****
Generate the RSA key pair used by the SSH server:
crypto key generate rsa modulus 2048
Save the config:
write memory
Configure SSH login against the local user database:
aaa authentication ssh console LOCAL
Permit SSH login on the outside interface, only from the tap address of the GNS3 VM:
ssh 192.168.255.1 255.255.255.255 outside
At this point you can SSH to the ASA from the GNS3 VM:
For the IPsec and BGP configuration you can follow the official OCI documentation. The configuration used here is below; the OCI VPN headend addresses (129.146.X.X and 129.146.Y.Y) and the pre-shared keys are masked.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ipsec ikev1 transform-set oracle-vcn-transform esp-aes-256 esp-sha-hmac
crypto ipsec profile oracle-vcn-vpn-policy
 set ikev1 transform-set oracle-vcn-transform
 set pfs group5
 set security-association lifetime seconds 3600
tunnel-group 129.146.X.X type ipsec-l2l
tunnel-group 129.146.X.X ipsec-attributes
 ikev1 pre-shared-key XXXXXXXXXXXXXXXXXXXX
tunnel-group 129.146.Y.Y type ipsec-l2l
tunnel-group 129.146.Y.Y ipsec-attributes
 ikev1 pre-shared-key XXXXXXXXXXXXXXXXXXXX
interface tunnel 1
 nameif ORACLE-VPN1
 ip address 10.10.10.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 129.146.X.X
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile oracle-vcn-vpn-policy
interface tunnel 2
 nameif ORACLE-VPN2
 ip address 10.10.10.6 255.255.255.252
 tunnel source interface outside
 tunnel destination 129.146.Y.Y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile oracle-vcn-vpn-policy
router bgp 65002
 address-family ipv4 unicast
  neighbor 10.10.10.1 remote-as 31898
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.5 remote-as 31898
  neighbor 10.10.10.5 activate
  network 192.168.255.8 mask 255.255.255.248
  no auto-summary
  no synchronization
 exit-address-family
Two things worth knowing about this config. It is the IKEv1 policy as OCI documents it: hash sha is SHA-1 and group 5 is 1536-bit MODP, legacy choices that are acceptable for this lab but not what you would pick for a production tunnel, and OCI also supports IKEv2. Also, the tunnel source is the outside interface at 192.168.255.2, a private address hidden behind the VM's MASQUERADE rule, so the CPE address you register in OCI is the public IP of the GNS3 VM and the IKE session runs through NAT traversal (UDP 500 and 4500).
You can see the tunnel status:
Ping the OCI side of the tunnel interfaces (10.10.10.1 and 10.10.10.5):
and see the BGP status:
With these outputs we have reached the end of this blog series dedicated to building a lab on OCI.