Saturday, 5 January 2013
Juniper Routers with Qemu
Lately, I've been trying to run Juniper routers on my laptop. After some attempts I finally sorted it out.
All the information needed to do it I got from these posts:
http://blog.gns3.net/2009/10/olive-juniper/
http://brezular.wordpress.com/2012/07/03/installing-olive-12-1r1-9-under-qemu/
In my case I am running Ubuntu 12.04.1 LTS.
1. Qemu installation
First of all, the following dependencies must be installed prior to building the qemu package:
libncurses5-dev
zlib1g-dev
libsdl-dev
libpcap-dev
Second, get the qemu package and the olive patch. For instance, you can download them from here:
http://mirrors.fe.up.pt/pub/nongnu//qemu/qemu-0.11.0.tar.gz
http://ignum.dl.sourceforge.net/project/gns-3/Qemu/qemu-0.11.0-olive.patch4
I used the same version recommended in the gns3 blog. I would like to play with newer versions of qemu when I have a bit more time.
and install it on your computer:
tar xvzf qemu-0.11.0.tar.gz
cd qemu-0.11.0
patch -p1 -i qemu-0.11.0-olive.patch4
./configure --target-list=i386-softmmu
make
sudo make install
2. FreeBSD installation
To create a new virtual machine in qemu type the following command:
qemu-img create -f qcow2 olive-base.img 4G
And launch the installation through:
qemu -m 512 -hda olive-base.img -cdrom ./4.11-RELEASE-i386-miniinst.iso -enable-kvm
It begins the FreeBSD installation. Choose the following options:
- Skip kernel configuration
- Standard Installation
- In FDISK Partition Editor, press A to allocate the entire disk for FreeBSD and then Q to confirm.
- Install a Standard MBR and create the following partitions:
ad0s1a / 1024M
ad0s1b swap 1024M
ad0s1e /config 12M
ad0s1f /var rest
- “User” distribution type and answer no for the question “Would you like to install the FreeBSD ports collection?”.
- Install from a FreeBSD CD/DVD
- Once the files are copied, the installer program will ask you many user confirmation questions. Answer no to all of them.
3. Junos installation
To get Junos running you will have to get a copy of a Junos Olive image. Once you have it, you can proceed as follows:
qemu-system-i386 -m 1024M -boot c -net nic,macaddr=00:aa:00:60:01:01,model=e1000 -hda olive-base.img -enable-kvm -net user -serial telnet:0.0.0.0:3000,server
QEMU waiting for connection on: telnet:0.0.0.0:3000,server
Note that telnet:0.0.0.0:3000 binds the unauthenticated serial console on every interface of the host; use telnet:127.0.0.1:3000 unless you really need to reach it from another machine. Then check that you get an IP address via DHCP:
dhclient em0
netstat -r
ping 10.0.2.2
Copy the olive image from your PC to the FreeBSD virtual machine:
scp user@10.0.2.2:~/Desktop/jinstall-8.5R1.14-domestic-signed.tgz /var/tmp
mkdir ./jinst-signed
cd jinst-signed
tar zxvf ../jinstall-8.5R1.14-domestic-signed.tgz
Remove or rename the sig and md5 files:
rm *.sig *.sha1 *.md5
mkdir ./jinst
cd jinst
tar zxvf ../jinstall-8.5R1.14-domestic.tgz
mkdir ./pkgtools
cd pkgtools
tar zxvf ../pkgtools.tgz
cd ./bin
cp /usr/bin/true ./checkpic
cd ..
tar zcvf ../pkgtools.tgz *
cd ..
rm -rf pkgtools
tar zcfv /var/tmp/jinstall-8.5R1.14-domestic-olive.tgz *
And finally install the junos package with the following command:
pkg_add -f /var/tmp/jinstall-8.5R1.14-domestic-olive.tgz
Once the installation is finished the system will reboot.
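The repack steps above (unwrap the signed tarball, drop the signature and hash files, swap checkpic for true, rebuild pkgtools.tgz and the package) as one script with the sanity checks I would want before running pkg_add. This is an added example for this post, not Juniper's tooling nor a script from the blogs linked above. It assumes an argument order of (signed tarball, output path), that the wrapper holds the inner <name>.tgz next to its .sig/.sha1/.md5 files, and that the inner package holds pkgtools.tgz with bin/checkpic inside it; make_sample_jinstall builds a constructed stand-in package so the script can be exercised without a real image.

```shell
#!/bin/sh
# Added example for the post above, not Juniper's or the cited blogs' tooling.
# Assumptions not in the post: argument order (signed tarball, output path);
# the wrapper holds <name>.tgz next to its .sig/.sha1/.md5 files; the inner
# package holds pkgtools.tgz with bin/checkpic inside it.
set -eu

find_true() {              # /usr/bin/true as in the post; /bin/true on other hosts
    for p in /usr/bin/true /bin/true; do
        [ -x "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}
TRUE_BIN=${TRUE_BIN:-$(find_true)}

repack_jinstall() {
    signed=$1 out=$2
    case $out in /*) ;; *) out=$PWD/$out ;; esac      # tar below runs from other dirs
    inner=$(basename "$signed" -signed.tgz).tgz       # jinstall-...-domestic.tgz
    work=$(mktemp -d)

    # 1. unwrap the signed tarball and drop the signature/hash files
    mkdir "$work/jinst-signed"
    tar xzf "$signed" -C "$work/jinst-signed"
    rm -f "$work/jinst-signed"/*.sig "$work/jinst-signed"/*.sha1 "$work/jinst-signed"/*.md5
    [ -f "$work/jinst-signed/$inner" ] || { echo "missing $inner in $signed" >&2; return 1; }

    # 2. unpack the inner package and its pkgtools.tgz
    mkdir "$work/jinst" "$work/jinst/pkgtools"
    tar xzf "$work/jinst-signed/$inner" -C "$work/jinst"
    tar xzf "$work/jinst/pkgtools.tgz" -C "$work/jinst/pkgtools"
    [ -f "$work/jinst/pkgtools/bin/checkpic" ] || { echo "no bin/checkpic in pkgtools.tgz" >&2; return 1; }

    # 3. replace checkpic with 'true' so the platform check passes on Olive
    cp "$TRUE_BIN" "$work/jinst/pkgtools/bin/checkpic"

    # 4. rebuild pkgtools.tgz in place, then the outer package (relative paths, as in the post)
    (cd "$work/jinst/pkgtools" && tar czf ../pkgtools.tgz *)
    rm -rf "$work/jinst/pkgtools"
    (cd "$work/jinst" && tar czf "$out" *)
    rm -rf "$work"
}

# 0 when the rebuilt package carries our 'true' as pkgtools/bin/checkpic and
# no signature or digest files survived the repack; 1 otherwise.
repack_is_clean() {
    pkg=$1 chk=$(mktemp -d) rc=0
    mkdir "$chk/pkg" "$chk/pt"
    tar xzf "$pkg" -C "$chk/pkg"
    tar xzf "$chk/pkg/pkgtools.tgz" -C "$chk/pt"
    cmp -s "$chk/pt/bin/checkpic" "$TRUE_BIN" || rc=1
    if tar tzf "$pkg" | grep -qE '\.(sig|sha1|md5)$'; then rc=1; fi
    rm -rf "$chk"
    return $rc
}

# Constructed stand-in for jinstall-8.5R1.14-domestic-signed.tgz, written to $1
# (a real package has many more members); prints the path of the file it wrote.
make_sample_jinstall() {
    dir=$1 tmp=$(mktemp -d)
    mkdir -p "$tmp/pkgtools/bin" "$tmp/inner" "$tmp/outer"
    printf '#!/bin/sh\nexit 1\n' > "$tmp/pkgtools/bin/checkpic"   # stands in for the real platform check
    chmod +x "$tmp/pkgtools/bin/checkpic"
    (cd "$tmp/pkgtools" && tar czf "$tmp/inner/pkgtools.tgz" bin)
    echo "stand-in for the remaining package members" > "$tmp/inner/jbundle.tgz"
    (cd "$tmp/inner" && tar czf "$tmp/outer/jinstall-8.5R1.14-domestic.tgz" *)
    echo "fake signature" > "$tmp/outer/jinstall-8.5R1.14-domestic.tgz.sig"
    echo "fake digest" > "$tmp/outer/jinstall-8.5R1.14-domestic.tgz.md5"
    (cd "$tmp/outer" && tar czf "$dir/jinstall-8.5R1.14-domestic-signed.tgz" *)
    rm -rf "$tmp"
    echo "$dir/jinstall-8.5R1.14-domestic-signed.tgz"
}

# Demo run on the constructed sample
demo_dir=$(mktemp -d)
sample=$(make_sample_jinstall "$demo_dir")
repack_jinstall "$sample" "$demo_dir/jinstall-8.5R1.14-domestic-olive.tgz"
if repack_is_clean "$demo_dir/jinstall-8.5R1.14-domestic-olive.tgz"; then
    echo "repacked OK: $demo_dir/jinstall-8.5R1.14-domestic-olive.tgz"
else
    echo "repack check failed" >&2; exit 1
fi
```

On the FreeBSD VM you would call repack_jinstall with the real signed tarball copied to /var/tmp and then hand its output to pkg_add -f as in the post; repack_is_clean is the check to run before doing so.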
4. Running the router
Create a new image backed by your base image. Repeat this for every router you want to emulate:
qemu-img create -b olive-base.img -f qcow2 R1.img
qemu R1.img -m 96 -nographic -daemonize -serial telnet::2001,server,nowait \
 -localtime -net nic,vlan=10,macaddr=00:aa:00:60:01:01,model=e1000 \
 -net udp,vlan=10,sport=10000,dport=10001,daddr=127.0.0.1
For a second router, we repeat the same commands, swapping the UDP source and destination ports so the two NICs are wired to each other:
qemu R2.img -m 96 -nographic -daemonize -serial telnet::2002,server,nowait \
 -localtime -net nic,vlan=10,macaddr=00:aa:00:60:11:02,model=e1000 \
 -net udp,vlan=10,sport=10001,dport=10000,daddr=127.0.0.1
Once the routers are running you can configure an interface on both in the same network and test that ping works correctly!!
sysopt connection permit-vpn
When creating VPNs on a Cisco ASA firewall, a very important configuration to keep in mind is sysopt connection permit-vpn.
When enabled, this command lets packets arriving from an IPsec tunnel, and their payloads, bypass the interface ACLs on the security appliance. In other words, the traffic bypasses the access lists configured on the interfaces, so it is not necessary to explicitly allow it there.
To verify whether it is enabled, run the show running-config all sysopt command:
ASA# show running-config all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
If you want to filter the encapsulated traffic anyway, use the vpn-filter command in the group-policy attributes and apply that group policy to the tunnel-group associated with the VPN you are configuring. Keep in mind that a vpn-filter ACL is written from the remote peer's point of view (source is the remote network, destination is the local one) and the ASA applies it to both directions of the tunnel:
access-list 100 extended deny tcp any host 10.10.1.10 eq 80
access-list 100 extended permit ip any any
group-policy CustomerA internal
group-policy CustomerA attributes
 vpn-filter value 100
tunnel-group 172.16.1.1 general-attributes
 default-group-policy CustomerA
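Since permit-vpn means that a tunnel with no vpn-filter is wired straight into the inside network with no ACL evaluated at all, the thing worth checking on a box is which tunnel-groups end up in that state. The following Python audit is an added example for this post, not Cisco tooling: it parses show running-config all text, reads the sysopt connection permit-vpn line, resolves each tunnel-group to its group policy (falling back to DfltGrpPolicy when none is set, as the ASA does) and lists the ones whose effective policy carries no vpn-filter. The sample config is constructed from the snippets above plus a second tunnel-group (10.0.0.5, group-policy CustomerB) invented here to produce a finding; the function names are my own.

```python
"""Audit ASA config text for 'sysopt connection permit-vpn' and vpn-filter coverage.

Added example for this post (not Cisco's tooling); feed it the text of
'show running-config all'.
"""
import re

# Constructed sample in the shape of 'show running-config all' output: the
# post's sysopt and CustomerA snippets, plus a second tunnel-group (10.0.0.5,
# group-policy CustomerB) invented here to show a finding.
SAMPLE_CONFIG = """\
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
access-list 100 extended deny tcp any host 10.10.1.10 eq 80
access-list 100 extended permit ip any any
group-policy CustomerA internal
group-policy CustomerA attributes
 vpn-filter value 100
group-policy CustomerB internal
group-policy CustomerB attributes
 dns-server value 10.10.1.53
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy CustomerA
tunnel-group 10.0.0.5 type ipsec-l2l
tunnel-group 10.0.0.5 general-attributes
 default-group-policy CustomerB
"""


def permit_vpn_enabled(config):
    """True/False from the 'sysopt connection permit-vpn' line; None if absent."""
    for line in config.splitlines():
        s = line.strip()
        if s == "sysopt connection permit-vpn":
            return True
        if s == "no sysopt connection permit-vpn":
            return False
    return None  # plain 'show run' hides defaults; use 'show run all'


def group_policy_filters(config):
    """Map group-policy name -> vpn-filter ACL name (None when no filter is set)."""
    filters, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) (internal|external|attributes)", line)
        if m:
            filters.setdefault(m.group(1), None)
            current = m.group(1) if m.group(2) == "attributes" else None
            continue
        m = re.match(r"^ vpn-filter value (\S+)$", line)
        if m and current:
            filters[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the indented attributes block
    return filters


def tunnel_group_policies(config):
    """Map tunnel-group name -> default-group-policy (None: DfltGrpPolicy applies)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) (type|general-attributes|ipsec-attributes)", line)
        if m:
            groups.setdefault(m.group(1), None)
            current = m.group(1) if m.group(2) == "general-attributes" else None
            continue
        m = re.match(r"^ default-group-policy (\S+)$", line)
        if m and current:
            groups[current] = m.group(1)
        elif not line.startswith(" "):
            current = None
    return groups


def unfiltered_tunnel_groups(config):
    """Tunnel-groups whose effective group-policy has no vpn-filter.

    With permit-vpn enabled, decrypted traffic from these tunnels reaches the
    inside network without any ACL being evaluated at all.
    """
    filters = group_policy_filters(config)
    groups = tunnel_group_policies(config)
    findings = []
    for tg in sorted(groups):
        policy = groups[tg] or "DfltGrpPolicy"  # ASA default when none is set
        if filters.get(policy) is None:
            findings.append((tg, policy))
    return findings


def audit(config):
    """Posture summary: is permit-vpn on, and which tunnels are then unfiltered."""
    enabled = permit_vpn_enabled(config)
    return {"permit_vpn": enabled,
            "unfiltered": unfiltered_tunnel_groups(config) if enabled else []}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("sysopt connection permit-vpn:", result["permit_vpn"])
    for tg, policy in result["unfiltered"]:
        print(f"tunnel-group {tg}: group-policy {policy} has no vpn-filter, "
              "so its traffic bypasses every interface ACL unfiltered")
```

Running it on the sample reports 172.16.1.1 as covered by ACL 100 and flags 10.0.0.5 (CustomerB) as unfiltered; on a real device, paste the output of show running-config all into the function instead of the sample.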
New Year Proposition
Happy new year 2013,
My proposition for this new year 2013 is to keep to the roadmap for the CCIE R&S. I know it is going to be a long way, so I am going to take my time.
The first goal is the CCIE R&S Written. I hope to achieve it by June or July.
Right now I am reading some stuff, several books, and doing some labs in GNS3 to check what I have read so far. Not just focusing on the Written but also keeping an eye on the lab exam.
In the meantime, I would also like to spend some more time on Juniper stuff.
See you soon!