Best Practices from Oracle Development's A‑Team

GNS3: IPSEC tunnel between ASAv and OCI

Catalin Andrei
Cloud Networking Solutions Architect

In the previous blogs, we imported the GNS3 VM and created a Cisco ASAv appliance. I would like to continue the journey and use what we have built so far in a real lab scenario.

In this blog, I will show you how to create an IPSEC tunnel between an ASAv running in GNS3 and an OCI DRG.

I will mention again that this blog doesn’t have any production value and that the firmware used here for the ASAv is downloaded from Cisco’s website.

As a prerequisite, you will need an OCI tenant with enough resources to import the GNS3 VM and create an IPSEC tunnel, and a valid Cisco account to be able to download the required binaries.

The GNS3 emulations are isolated from the guest OS of the VM. To connect the emulation to the VM's networking, we will use a tap interface that does the bridging. Below you can see the graphical representation.


  • Configure the Guest OS

We will begin with the creation of a tap interface in the GNS3 VM. This will bridge the emulation lab to the host Linux OS of the VM.

  1. Install the utility that will create the tap interface:

apt-get install uml-utilities
modprobe tun

  2. Configure the tap interface with an IP address.

ifconfig tap1 netmask up

  3. Configure iptables to hide the lab network behind the external interface.

iptables -t nat -I POSTROUTING -s -o eth0 -j MASQUERADE
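The three Guest OS steps above as one re-runnable script. This is an added example, not part of the original post: it uses iproute2 (ip tuntap, ip addr) in place of tunctl and ifconfig, validates the address arguments before touching anything, and adds the IP forwarding step the post leaves implicit (without net.ipv4.ip_forward=1 the MASQUERADE rule never sees a packet). The tap address, lab subnet and script name are assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): the "Configure the Guest OS" steps
# as one script. Uses iproute2 instead of tunctl/ifconfig, enables forwarding
# (needed for the MASQUERADE rule to carry traffic), and checks arguments first.
# All addresses are assumed lab values. DRY_RUN=1 prints instead of executing.

TAP_IF="${TAP_IF:-tap1}"
TAP_CIDR="${TAP_CIDR:-10.99.0.1/24}"      # assumed: tap address on the VM side
LAB_SUBNET="${LAB_SUBNET:-10.99.0.0/24}"  # assumed: subnet used inside the emulation
OUT_IF="${OUT_IF:-eth0}"                  # external interface of the GNS3 VM

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only dotted-quad/prefix, so a forgotten value fails here rather than
# leaving a half-configured interface behind.
validate_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Steps 1 and 2: load the tun module, create the tap and give it an address.
tap_up() {
    validate_cidr "$2" || { echo "tap_up: bad CIDR '$2'" >&2; return 1; }
    run modprobe tun
    run ip tuntap add dev "$1" mode tap
    run ip addr replace "$2" dev "$1"
    run ip link set "$1" up
}

# Without forwarding the kernel drops traffic arriving on the tap for other hosts.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 3: masquerade the lab subnet behind the external interface. iptables -C
# tests for the rule first so re-running the script does not stack duplicates.
nat_masquerade() {
    validate_cidr "$1" || { echo "nat_masquerade: bad subnet '$1'" >&2; return 1; }
    if [ "${DRY_RUN:-0}" != "1" ] &&
       iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null; then
        echo "masquerade rule for $1 via $2 already present"
        return 0
    fi
    run iptables -t nat -I POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

main() {
    tap_up "$TAP_IF" "$TAP_CIDR" &&
    enable_forwarding &&
    nat_masquerade "$LAB_SUBNET" "$OUT_IF"
}

# Run as root with `sh setup_tap.sh apply` (assumed file name); without the
# argument only the functions are defined, so the file can be sourced or tested.
case "${1:-}" in
    apply) main ;;
esac
```

Run `DRY_RUN=1 sh setup_tap.sh apply` first to review the exact commands, then `sudo sh setup_tap.sh apply` on the GNS3 VM.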


  • Create the initial ASAv config

The ASAv console is VNC based, which means copy/paste will not work. I prefer to configure only an IP address on the interface and SSH access on the ASAv from the console; the rest of the configuration is done over an SSH session to the ASA.

  1. Configure the hostname and external interface:

hostname us-phx-asav
interface GigabitEthernet0/0
  nameif outside
  ip address
  no shut

  2. Configure a user:

username catalin password *****

  3. Generate the SSH key:

crypto key generate rsa modulus 2048

  4. Save the config:

write memory

  5. Configure the SSH login:

aaa authentication ssh console LOCAL

  6. Permit SSH login:

ssh outside

At this point you can SSH to the ASA:


  • Configure the IPSEC and BGP

For the IPSEC and BGP configuration you can follow the official OCI documentation.

crypto ikev1 enable outside
crypto ikev1 policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 28800

crypto ipsec ikev1 transform-set oracle-vcn-transform esp-aes-256 esp-sha-hmac

crypto ipsec profile oracle-vcn-vpn-policy
  set ikev1 transform-set oracle-vcn-transform
  set pfs group5
  set security-association lifetime seconds 3600

tunnel-group 129.146.X.X type ipsec-l2l
tunnel-group 129.146.X.X ipsec-attributes
  ikev1 pre-shared-key XXXXXXXXXXXXXXXXXXXX
tunnel-group 129.146.Y.Y type ipsec-l2l
tunnel-group 129.146.Y.Y ipsec-attributes
  ikev1 pre-shared-key XXXXXXXXXXXXXXXXXXXX

interface tunnel 1
  nameif ORACLE-VPN1
  ip address
  tunnel source interface outside
  tunnel destination 129.146.X.X
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile oracle-vcn-vpn-policy
interface tunnel 2
  nameif ORACLE-VPN2
  ip address
  tunnel source interface outside
  tunnel destination 129.146.Y.Y
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile oracle-vcn-vpn-policy
router bgp 65002
  address-family ipv4 unicast
    neighbor remote-as 31898
    neighbor activate
    neighbor remote-as 31898
    neighbor activate
    network mask
    no auto-summary
    no synchronization
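The config above is pasted into the ASA as rendered, so a leftover placeholder or a blank value quietly produces a tunnel that never comes up. The following preflight check is an added example, not part of the post or of OCI's documentation: run over a saved copy of the config, it flags the 129.146.X.X / Y.Y peers, the XXXX pre-shared keys and empty `ip address` / `neighbor` / `network` lines, confirms the IKEv1 and IPsec parameters match the values the post uses, and verifies that every `tunnel destination` has a matching `tunnel-group` with its pre-shared key. The embedded sample config is a constructed, condensed copy of the template above (one tunnel, placeholders still in place); the script name is an assumption.

```shell
#!/bin/sh
# Added example (not from the post or OCI's documentation): preflight checks for
# an ASAv IPsec/BGP config file before it is pasted into the appliance. Each check
# prints FINDING lines and returns non-zero when the config is not ready.

# Leftover template values: X.X / Y.Y peers, the XXXX pre-shared key, and
# keyword lines whose value was never filled in (blank in the post).
asa_check_placeholders() {
    n=0
    if grep -Eq '129\.146\.[XY]\.[XY]' "$1"; then
        echo "FINDING: tunnel peer still has an X.X / Y.Y placeholder"; n=$((n+1))
    fi
    if grep -Eq 'pre-shared-key +X+ *$' "$1"; then
        echo "FINDING: pre-shared key placeholder not replaced"; n=$((n+1))
    fi
    if grep -Eq '^ *(ip address *$|neighbor +(remote-as |activate *$)|network +mask *$)' "$1"; then
        echo "FINDING: 'ip address', 'neighbor' or 'network' line has no value"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# The IKEv1 policy, transform set and IPsec profile values the post uses.
asa_check_crypto() {
    n=0
    for want in 'crypto ikev1 enable outside' 'authentication pre-share' \
                'encryption aes-256' 'hash sha' 'group 5' 'lifetime 28800' \
                'crypto ipsec ikev1 transform-set oracle-vcn-transform esp-aes-256 esp-sha-hmac' \
                'set pfs group5' 'set security-association lifetime seconds 3600'; do
        grep -Eq "^ *$want *$" "$1" || { echo "FINDING: missing '$want'"; n=$((n+1)); }
    done
    [ "$n" -eq 0 ]
}

# Every tunnel destination needs a tunnel-group plus ipsec-attributes (the PSK).
asa_check_tunnels() {
    n=0
    peers=$(awk '$1=="tunnel" && $2=="destination" {print $3}' "$1")
    [ -n "$peers" ] || { echo "FINDING: no tunnel destination configured"; n=1; }
    for peer in $peers; do
        esc=$(printf '%s' "$peer" | sed 's/\./\\./g')   # literal dots in the regex
        grep -Eq "^tunnel-group $esc type ipsec-l2l *$" "$1" ||
            { echo "FINDING: no tunnel-group for peer $peer"; n=$((n+1)); }
        grep -Eq "^tunnel-group $esc ipsec-attributes *$" "$1" ||
            { echo "FINDING: no ipsec-attributes (pre-shared key) for peer $peer"; n=$((n+1)); }
    done
    [ "$n" -eq 0 ]
}

# Returns the number of failed checks (0 = ready to paste).
asa_preflight() {
    bad=0
    asa_check_placeholders "$1" || bad=$((bad+1))
    asa_check_crypto "$1" || bad=$((bad+1))
    asa_check_tunnels "$1" || bad=$((bad+1))
    return "$bad"
}

# Constructed sample: a condensed copy of the post's template with one tunnel and
# the placeholders still in place, so the check has something to flag.
write_sample_config() {
    cat > "$1" <<'EOF'
crypto ikev1 enable outside
crypto ikev1 policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 28800
crypto ipsec ikev1 transform-set oracle-vcn-transform esp-aes-256 esp-sha-hmac
crypto ipsec profile oracle-vcn-vpn-policy
  set ikev1 transform-set oracle-vcn-transform
  set pfs group5
  set security-association lifetime seconds 3600
tunnel-group 129.146.X.X type ipsec-l2l
tunnel-group 129.146.X.X ipsec-attributes
  ikev1 pre-shared-key XXXXXXXXXXXXXXXXXXXX
interface tunnel 1
  nameif ORACLE-VPN1
  ip address
  tunnel source interface outside
  tunnel destination 129.146.X.X
  tunnel protection ipsec profile oracle-vcn-vpn-policy
router bgp 65002
  address-family ipv4 unicast
   neighbor remote-as 31898
   neighbor activate
EOF
}

# Usage (assumed file name): sh asa_preflight.sh check /path/to/asa.cfg
if [ "${1:-}" = "check" ] && [ -n "${2:-}" ]; then
    asa_preflight "$2"; exit $?
fi
```

The exit status is the number of failed checks, so the script drops into a shell pipeline or CI step unchanged; the X/Y placeholder and blank-value patterns are specific to the template shown in this post.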

  • Test the tunnel

You can see the tunnel status:

Ping the tunnel interfaces:

and see the BGP status:

With these outputs, we have reached the end of this blog series dedicated to creating a lab on OCI.
