This week I was trying to get a VPN tunnel up for a client. They wanted a tunnel from their Cisco ASA into Microsoft Azure. Normally I’d use IKEv1 (because I know how to troubleshoot it!) But the guys running the site in Azure were using policy routing, which needs IKEv2.
So I converted from IKEv2 to IKEv2. As I said I’m used to debugging IKEv1, but not IKEv2, so I was struggling to make sense of what was going on. The ‘interesting traffic’ was spawning a LOT of phase 1 tunnels, but Phase 2 IPSEC refused to pass traffic.
[box]
Clients-ASA(config)# show cry isa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0
Tunnel-id Local Remote Status Role
526939783 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4423 sec
Tunnel-id Local Remote Status Role
3227575251 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4425 sec
Tunnel-id Local Remote Status Role
3073641799 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4482 sec
-----------------Further Output Removed for the Sake of Brevity------------------
[/box]
A debug of IKEv2 was pretty confusing but it did reveal this;
I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.
Solution
Note: At time of writing he latest version is 8.6
1. Download GNS3, I accept all the defaults (I actually tick to install SuperPuTTy, as tabbed console windows can be handy when using GNS3). Launch the program, you will be greeted with the following setup wizard. Select Option 1.
Note: You can do the same in future, by going to Edit > Preferences
2. Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.
3. Option 2.
4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.
Adding Router Images to GNS 3
5. Option 3
Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.
6. Image file > Browse to the image you want to import. Here on GNS3 8.6 you can select the filename.bin file, with older versions you need to extract that file to a filename.image file.
Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account, and a valid support agreement. DO NOT email me and ask for Cisco IOS images, (I will just ignore you!).
7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.
8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.
Note: You can do this later from the main workspace, and test a range of settings. I you don’t do this your virtual network devices will eat all your CPU power!
9. When complete click Close > Save > Close.
10. You can now start that model router to the workspace and use it. Repeat for each model of router you want to add.
Adding a Host to GNS3
Having a host machine for you labs is handy, usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.
12. Quemu > Quemu Guest > Give it an identifier name (can be anything) > Browse to, and select the image you downloaded.
13. Save > OK > Apply.
14. You can now drag a Quemu Guest machine onto the work space, and console into it.
Adding a Cisco ASA to GNS3
Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.
15. Edit > Preferences > Quemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to;
[box]
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
[/box]
Set the Kernel cmd line option to;
[box]
-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
[/box]
16. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.</p?
Should you wish to locate these files form a less reputable source you are looking for asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.
17. Finally select the vmlunuz file > Open.
18. Save > OK > Apply.
19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*
*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.
Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.
[box]
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}
I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.</p?
Solution
Note: At time of writing the latest version is 1.3.6</p?
1. Download GNS3, I usually accept all the defaults.
2. Edit > Preferences > Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.
Adding Router Images to GNS 3
3. Dynamips > IOS Routers > New > Add in your route images > Follow instructions.</p?
Note: DONT Email me and ask for router images, go to Cisco and get them legally, (or use Google).
4. Make sure you take the time to calculate the ‘Idle-PC finder’ value for each router, or in large topologies you might quickly eat all your CPU power!
5. Continue adding routers as required.</p?
6. You can now drag a router onto the workspace and power it on.
Adding a Cisco ASA to GNS3
Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.
7. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to ASA 8.4(2).
8. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.</p?
Should you wish to locate these files form a less reputable source you are looking for asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.
9. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*
*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.</p?
Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.
[box]
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0:
{Enter}
Having a host machine for you labs is handy, usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.
11. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to default.
Apart from the fact that’s an appalling spelling of recognise, I got bitten by this last weekend.
I don’t use the ADSM as a rule so it would not normally be a problem, the only thing I do use the ASDM for is certificates, (it’s just easier).
Solution
Last time I saw an error like this I had to use a fiddler script to embed the firewall model in the https traffic, however now there’s a much easier fix!
I had installed ASDM 7.1(3) that was giving me the error, if you simply downgrade to 7.1(1) the problem goes away.
Related Articles, References, Credits, or External Links
This method provides failover to a redundant ISP link should your primary network connection go down. IT IS NOT going to load balance the traffic across both interfaces. In this example I’ve also got a VPN to a remote site and some port forwarding to contend with as well.
Where we are at the start.
Where we want to be
Solution
Before you go any further the ASA that will have the backup ISP line, needs a Security Plus Licence or it’s not going to work.
PetesASA>
PetesASA> en
Password: *******
PetesASA#
PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/3
PetesASA(config-if)# nameif backup
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 234.234.234.234 255.255.255.248
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit
PetesASA(config)#
[/box]
2. In a ‘Failed Over’ state your traffic needs to then be NATTED to the backup interface, then setup a new route for the outside interface, and finally one for the backup interface. Note: The new primary route will be “Tracked” based on an SLA we will configure in a minute.
[box]
Configure NAT for a firewall running an OS NEWER than 8.3
PetesASA(config)# object network obj_any-01
PetesASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
PetesASA(config-network-object)# nat (inside,backup) dynamic interfaceConfigure NAT for a firewall running an OS OLDER than 8.3
PetesASA(config)# global (backup) 1 interface
INFO: backup interface address added to PAT pool
Configure the Routes
PetesASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
PetesASA(config)# route backup 0.0.0.0 0.0.0.0 234.234.234.235 2
[/box]
3. Now we are going to setup a new SLA that maintains connectivity to an IP address (In this case 4.2.2.2 via ICMP, then we are going to tie that SLA to “track 1”, )which you will remember is what keeps the default route on the Primary ISP), if that route fails, it swaps to the backup route.
[box]
PetesASA(config)# sla monitor 100
PetesASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
PetesASA(config-sla-monitor-echo)# num-packets 3
PetesASA(config-sla-monitor-echo)# frequency 10
PetesASA(config-sla-monitor-echo)# sla monitor schedule 100 life forever start-time now
PetesASA(config)# track 1 rtr 100 reachability
PetesASA(config)#
[/box]
4. Any port forwarding getting done on the outside interface needs a mirror entry for the backup interface. and also will need matching ACL’s
5. Lets test it, issue a “show route” command, then disconnect your primary ISP then issue another “show route” command and it should have failed over like so;
[box]
PetesASA(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 123.123.123.124 to network 0.0.0.0
C 234.234.234.0 255.255.255.248 is directly connected, backup
C 123.123.123.0 255.255.255.240 is directly connected, outside
C 10.0.0.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 123.123.123.124, outside
PetesASA(config)#
Now Disconnect the Primary line
PetesASA(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 234.234.234.235 to network 0.0.0.0
C 234.234.234.0 255.255.255.248 is directly connected, backup
C 10.0.0.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [254/0] via 234.234.234.235, backup
PetesASA(config)#
[/box]
6. To enable this firewall to accept the existing VPN on its backup interface, you need to add the backup interface to that cryptomap (issue a show run crypto if your unsure). Then you need to enable ISAKMP on the backup Interface.
PetesASA(config)# wr mem
Building configuration...
Cryptochecksum: 91d190ba 2a3eb9c4 244d8c88 0da54e36
10220 bytes copied in 3.740 secs (3406 bytes/sec)
[OK]
PetesASA(config)#
[/box]
Change the ASA at the Remote VPN Site
1. Connect to the firewall at the remote site, find the cryptomap that points to the main site (show run crypto). find the one that pointing to the IP at the main site, then add the new IP address as an alternate peer address.
[box]
RemoteSite(config)# crypto map outside_map 2 set peer 123.123.123.123 234.234.234.234
[/box]
2. Then create a tunnel group for the new backup address with the same shared secret as tunnel group to the primary IP.
RemoteSite(config-tunnel-ipsec)#write mem
Building configuration...
Cryptochecksum: 7a455ca7 3b637757 cd40aa82 7f3a22d8
7842 bytes copied in 1.530 secs (7842 bytes/sec)
[OK]
RemoteSite(config-tunnel-ipsec)#
[/box]
To test the VPN fails over, at the remote site issue a “show cry isa” command, then get someone at the primary site to disconnect the primary ISP, wait a few seconds and then re-issue a “show cry isa” command and it should have flipped over.
[box]
Failover-FWall# show cry isa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Now Disconnect the Primary line at the Main site
Failover-FWall# show cry isa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 234.234.234.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
[/box]
Related Articles, References, Credits, or External Links