
Best Practices from Oracle Development's A‑Team

GNS3: IPSEC tunnel between ASAv and OCI

Catalin Andrei
Cloud Networking Solutions Architect

In the previous blogs, we imported the GNS3 VM and created a Cisco ASAv appliance. I would like to continue the journey and use what we created so far for a real lab scenario.

In this blog, I will show you how to create an IPSEC tunnel from an ASAv in GNS3 and an OCI DRG.

I will mention again that this blog doesn’t have any production value and that the firmware used here for the ASAv is downloaded from Cisco’s website.

As a prerequisite, you will need an OCI tenant with enough resources to import the GNS3 VM and create an IPSEC tunnel, and a valid Cisco account to be able to download the required binaries.

The GNS3 emulations are isolated from the guest OS of the VM. To connect the emulation to the networking of the VM we will use a tap interface that will do the bridging. Below you can see the graphical representation.

  • Configure the Guest OS

We will begin with the creation of a tap interface in the GNS3 VM. This will bridge the emulation lab to the host Linux OS of the VM.

  1. Install the utility and create the tap interface (name it explicitly so that it matches the next step):

apt-get install uml-utilities
modprobe tun
tunctl -t tap1

  2. Configure the tap interface with an IP address:

ifconfig tap1 192.168.255.1 netmask 255.255.255.248 up

  3. Configure iptables to hide the 192.168.255.0/29 behind the external interface:

iptables -t nat -I POSTROUTING -s 192.168.255.0/29 -o eth0 -j MASQUERADE
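The three steps above as one re-runnable script. This is an added example, not part of the original post: it uses the post's addressing (tap1 = 192.168.255.1/29, uplink eth0) as defaults, skips the tap creation and the NAT rule when they already exist, turns on IP forwarding (which the masquerade needs and the post does not state), and has a DRY_RUN mode that prints the commands instead of running them so the result can be reviewed before executing as root. The `verify` function shows the state to check afterwards.

```shell
#!/bin/sh
# Added example (not from the original post). Bridges the GNS3 lab to the
# guest OS of the VM. Defaults follow the post; override via environment.
TAP_IF="${TAP_IF:-tap1}"
TAP_IP="${TAP_IP:-192.168.255.1}"
TAP_MASK="${TAP_MASK:-255.255.255.248}"
LAB_NET="${LAB_NET:-192.168.255.0/29}"
UPLINK="${UPLINK:-eth0}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nat_rule: the MASQUERADE rule from the post, parameterised (network, uplink)
nat_rule() {
    echo "iptables -t nat -I POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# nat_rule_exists: succeeds if the identical rule is already installed,
# so re-running the script does not stack duplicate rules
nat_rule_exists() {
    iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null
}

# setup_tap: steps 1-3 of the post, made idempotent
setup_tap() {
    run modprobe tun
    # tunctl fails if the interface already exists, so create it only once
    if ! ip link show "$TAP_IF" >/dev/null 2>&1; then
        run tunctl -t "$TAP_IF"
    fi
    run ifconfig "$TAP_IF" "$TAP_IP" netmask "$TAP_MASK" up
    # forwarding must be enabled for masqueraded lab traffic to leave via the uplink
    run sysctl -w net.ipv4.ip_forward=1
    if ! nat_rule_exists "$LAB_NET" "$UPLINK"; then
        run $(nat_rule "$LAB_NET" "$UPLINK")
    fi
}

# verify: what to look at after setup (interface, NAT rule, forwarding)
verify() {
    ip addr show "$TAP_IF"
    iptables -t nat -S POSTROUTING | grep -- "-s $LAB_NET" || echo "no NAT rule for $LAB_NET"
    sysctl net.ipv4.ip_forward
}

# usage (as root): ./tap-bridge.sh setup   or   DRY_RUN=1 ./tap-bridge.sh setup
#                  ./tap-bridge.sh verify
case "${1:-}" in
    setup)  setup_tap ;;
    verify) verify ;;
esac
```

The script mixes `ifconfig` (as in the post) with `ip link`/`ip addr` for the checks; both are present on the GNS3 VM image in this lab, but if one is missing, the checks can be rewritten with the other tool.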

  • Create the initial ASAv config

The ASAv console is VNC based, which means that copy/paste will not work. I prefer to configure only the interface IP address and SSH access from the console, and do the rest of the configuration over an SSH connection to the ASA.

  1. Configure the hostname and the external interface:

hostname us-phx-asav
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.255.2 255.255.255.248
 no shut

  2. Configure a user:

username catalin password *****

  3. Generate the RSA key used by SSH:

crypto key generate rsa modulus 2048

  4. Save the config:

write memory

  5. Configure SSH to authenticate against the local user database:

aaa authentication ssh console LOCAL

  6. Permit SSH login only from the tap interface address of the GNS3 VM:

ssh 192.168.255.1 255.255.255.255 outside

At this point you can SSH to the ASA from the GNS3 VM.

  • Configure the ipsec and bgp

For the IPsec and BGP configuration you can follow the official OCI documentation.

crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

crypto ipsec ikev1 transform-set oracle-vcn-transform esp-aes-256 esp-sha-hmac

crypto ipsec profile oracle-vcn-vpn-policy
 set ikev1 transform-set oracle-vcn-transform
 set pfs group5
 set security-association lifetime seconds 3600

tunnel-group 129.146.X.X type ipsec-l2l
tunnel-group 129.146.X.X ipsec-attributes
 ikev1 pre-shared-key XXXXXXXXXXXXXXXXXXXX

tunnel-group 129.146.Y.Y type ipsec-l2l
tunnel-group 129.146.Y.Y ipsec-attributes
 ikev1 pre-shared-key XXXXXXXXXXXXXXXXXXXX

interface tunnel 1
 nameif ORACLE-VPN1
 ip address 10.10.10.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 129.146.X.X
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile oracle-vcn-vpn-policy

interface tunnel 2
 nameif ORACLE-VPN2
 ip address 10.10.10.6 255.255.255.252
 tunnel source interface outside
 tunnel destination 129.146.Y.Y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile oracle-vcn-vpn-policy

router bgp 65002
 address-family ipv4 unicast
  neighbor 10.10.10.1 remote-as 31898
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.5 remote-as 31898
  neighbor 10.10.10.5 activate
  network 192.168.255.8 mask 255.255.255.248
  no auto-summary
  no synchronization
 exit-address-family
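The configuration above has several values that must agree with each other: each tunnel interface sits in a /30, the BGP neighbour is the other usable address of that /30, the tunnel destination must have a matching tunnel-group, and the redacted pre-shared key has to be replaced before the config is pasted in. The script below is an added example, not part of the original post or of the OCI documentation: it renders the same ASA configuration from a few parameters and refuses to emit anything when those relationships do not hold. The peer addresses (192.0.2.x, from the documentation range) and the keys in the sample are constructed placeholders, not real OCI head-end values.

```python
"""Added example (not from the original post): render the ASAv IPsec/BGP
config from parameters and cross-check them before printing."""
import ipaddress
from dataclasses import dataclass

ORACLE_ASN = 31898                       # from the post's BGP config
LOCAL_ASN = 65002
PLACEHOLDER_PSK = "XXXXXXXXXXXXXXXXXXXX"  # the redacted value in the post


@dataclass
class Tunnel:
    number: int
    nameif: str
    peer: str      # OCI IPsec head-end public IP (tunnel destination)
    inside: str    # tunnel interface address with prefix, e.g. "10.10.10.2/30"
    psk: str

    def bgp_neighbor(self) -> str:
        """Return the only other usable host address in the tunnel /30."""
        iface = ipaddress.ip_interface(self.inside)
        if iface.network.prefixlen != 30:
            raise ValueError(f"tunnel {self.number}: expected a /30, got /{iface.network.prefixlen}")
        return str(next(h for h in iface.network.hosts() if h != iface.ip))


def validate(tunnels):
    """Reject placeholder keys, malformed or duplicate peers, and non-/30 tunnels."""
    seen = set()
    for t in tunnels:
        if t.psk == PLACEHOLDER_PSK or len(t.psk) < 16:   # 16 is this script's own minimum
            raise ValueError(f"tunnel {t.number}: pre-shared key is a placeholder or too short")
        ipaddress.ip_address(t.peer)                      # raises on a malformed address
        if t.peer in seen:
            raise ValueError(f"tunnel {t.number}: duplicate peer {t.peer}")
        seen.add(t.peer)
        t.bgp_neighbor()                                  # raises if not a /30


def render(tunnels, advertised="192.168.255.8 mask 255.255.255.248"):
    """Return the ASA configuration text for the given tunnels."""
    validate(tunnels)
    lines = [
        "crypto ikev1 enable outside",
        "crypto ikev1 policy 10",
        " authentication pre-share", " encryption aes-256", " hash sha",
        " group 5", " lifetime 28800",
        "crypto ipsec ikev1 transform-set oracle-vcn-transform esp-aes-256 esp-sha-hmac",
        "crypto ipsec profile oracle-vcn-vpn-policy",
        " set ikev1 transform-set oracle-vcn-transform",
        " set pfs group5",
        " set security-association lifetime seconds 3600",
    ]
    for t in tunnels:
        lines += [f"tunnel-group {t.peer} type ipsec-l2l",
                  f"tunnel-group {t.peer} ipsec-attributes",
                  f" ikev1 pre-shared-key {t.psk}"]
    for t in tunnels:
        iface = ipaddress.ip_interface(t.inside)
        lines += [f"interface tunnel {t.number}",
                  f" nameif {t.nameif}",
                  f" ip address {iface.ip} {iface.network.netmask}",
                  " tunnel source interface outside",
                  f" tunnel destination {t.peer}",
                  " tunnel mode ipsec ipv4",
                  " tunnel protection ipsec profile oracle-vcn-vpn-policy"]
    lines += [f"router bgp {LOCAL_ASN}", " address-family ipv4 unicast"]
    for t in tunnels:
        n = t.bgp_neighbor()   # derived from the /30, so it cannot drift from the interface address
        lines += [f"  neighbor {n} remote-as {ORACLE_ASN}", f"  neighbor {n} activate"]
    lines += [f"  network {advertised}", "  no auto-summary", "  no synchronization",
              " exit-address-family"]
    return "\n".join(lines)


# Constructed sample: the post's tunnel addressing with placeholder peers and keys.
SAMPLE = [
    Tunnel(1, "ORACLE-VPN1", "192.0.2.1", "10.10.10.2/30", "example-psk-tunnel-1-change-me"),
    Tunnel(2, "ORACLE-VPN2", "192.0.2.2", "10.10.10.6/30", "example-psk-tunnel-2-change-me"),
]

if __name__ == "__main__":
    print(render(SAMPLE))
```

Deriving the BGP neighbour from the tunnel /30 instead of typing it separately is the point of the script: a mistyped neighbour address is the most common reason a tunnel comes up while the BGP session never does.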

  • Test the tunnel

Check the tunnel status:

Ping the tunnel interfaces:

And check the BGP status:

With these outputs, we have reached the end of this blog series dedicated to creating a lab on OCI.
