In my last blog post, I began working through implementing a GetVPN configuration over a private “mpls” (simulated) network in which I cannot trust the “wan” links.  So, I created the network as such.  I’ve run into a snag.  I need to build tunnel interfaces, I am finding.  Since I have only done this with the help of an engineer in the past, I have no specific plan of how to do this.  Today, I will look into creating the tunnel(s).  I found Cisco’s “Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide” and am looking that over now.

The procedure I had been following was kidvelvet’s and the tunnels were established just fine.  I am just not passing traffic over them.

This is an expansion of kidvelvet’s excellent post “GET VPN through IOS Routers“.  He gives us a great view of the GETVPN config, but I needed more.  In my case, I need to model a GetVPN over an MPLS network.  Now, it is too much work to make an MPLS network for something like this, but I can take the core principles:  BGP for the inter-node connectivity, and we build the GetVPN tunnels over that infrastructure.  I’m using EIGRP for LAN routing.  My goal is for the nodes, of which I may add more later, to be able to propagate EIGRP updates through the tunnels.

My initial layout is identical to kidvelvet’s, save for the routing protocol configurations.  Once the basic concept is done, I’ll come back and muck with it to provide a little more of a potential real-world setup.  Hopefully, this might avoid the pitfalls he described, too.


Base Topology for the GetVPN Lab

At this stage, I have configured the 4 nodes to talk to each other via BGP.  I am using GNS3 0.7.2 and the images are of a Cisco 2691 Multiservice Router running IOS version 12.4(15)T14.  Follow the links for more about GNS3.  For those who might troll for GNS IOS images, don’t bother looking here.

Here are links to the base configurations (before I started building the GetVPN structure):

R1 Configuration
R2 Configuration
R3 Configuration
R4 Configuration
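As an added example (not from the original post, and not kidvelvet’s or Cisco’s config), here is one way to lay out the pieces the design above calls for on a single group member: a loopback reachable over the BGP core, a GRE tunnel interface that carries EIGRP, and the GDOI crypto map on the untrusted WAN link.  All addresses, names, the group identity and the key-server address are assumptions.

```cisco
! Added example: group member R1 (addresses, names and key server are assumed)
! Loopback0 is the tunnel endpoint; BGP only needs to carry the loopbacks
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! GRE tunnel to R2 (loopback 10.0.0.2 assumed); EIGRP runs over this, not BGP
interface Tunnel12
 ip address 10.12.0.1 255.255.255.252
 ip mtu 1400
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
! LAN side; EIGRP advertises it through the tunnel
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
router eigrp 100
 network 10.12.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
! GDOI group member: ISAKMP is used only to register with the key server
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Key server at 10.0.0.4 is assumed; the policy (what gets encrypted) is
! pushed from it, so its ACL must cover GRE between the loopbacks
crypto isakmp key GETVPNKEY address 10.0.0.4
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.4
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
! Applied on the untrusted "wan" link, where the GRE packets leave the box
interface FastEthernet0/1
 description WAN (untrusted)
 ip address 172.16.1.1 255.255.255.252
 crypto map GETVPN-MAP
```

With GetVPN the group member encrypts only what the key server’s policy says to encrypt, so a registered member that passes no traffic is worth checking against the policy ACL on the key server (`show crypto gdoi` on the member lists the ACL it received).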

Over the past several months, I have embarked on Phase II of a massive (for my employer) network hardware upgrade.  It has been an educational experience.  Cisco charges a ton of money for both RAM and Flash Memory upgrades.  These upgrades are necessary to be able to use the current and supported IOS versions, like 15.x.

A Cisco 512 MB Compact Flash card at one vendor was $410.  An equivalent CF card (from Transcend) was found for $26.  Take a guess which one I ordered?

When it comes to RAM, I was able to upgrade a Cisco 3845 Router from 256 MB to 1 GB for only $87.  Buying Cisco parts for this same RAM upgrade would have cost me over $2,400.  Hmmm…. Which to choose?

Upgrading my Cisco 2811 routers from 256 MB RAM to 512 MB RAM (using Cisco parts, of course) would cost me just shy of $1,400 per router.  No thanks.  I’ll go find the 3rd party memory for much cheaper.

For all who thought this blog was deader-than-a-doornail, you almost had it right.  I am going to make another concerted effort to post more regularly about technical issues.  Please bear with me while I work on getting my rusty writing skills back in shape.

I have several people who have inspired me (though they don’t know it), mostly Scott and T.J. (@scottm32768 and @trejrco on Twitter, respectively), whom I met at the Cisco Live! 2010 conference in Las Vegas.

–NG

I am back to work from the Cisco Live conference and the 4th of July holiday weekend.  Today’s plans are to implement a VPN connection for some remote devices we have.  This way, they can securely communicate back to the mother ship.  I am looking at the EasyVPN solution from Cisco that I learned about last week at the Cisco Live conference in San Francisco.  I’ve known about EasyVPN for a long time, but never really knew what it was or how to implement it.  Now, I do! :-)

If this works out well, I’ll just use this same methodology to swing another remote site’s VPN connection from one endpoint to another.  The EasyVPN client setup is really easy, I am finding.  The EasyVPN Server is not as simple, but really not that hard.

Today’s weather is fantastic. I had a great flight from Portland to San Francisco this morning. My hotel room was actually ready for me when I arrived about 10:15 am. I had a fantastic lunch and my registration for Cisco Live was nearly flawless.

Currently, I am in an OSPF class and this instructor, Barry, is very dynamic. I am getting a lot out of it! More blogging later! You can get more “realtime” updates by following “av8rgeek” on Twitter.

Our local SAN is an EMC Clariion 300cxi.  This is a decent SAN and we have enough space for what we want–save for one thing:  Ubuntu iSCSI support.

Not having seen this link, I didn’t know iSCSI support could be easy.  Here it is a year later with LOTS of googling around and still not much data is available.  Anyway, I still have to troubleshoot why I can’t seem to mount more than a single path or successfully use multipathing.

I believe part of my frustrations are the fact that I have been doing the process manually for some time.  Also, I could not easily automate any part of it because I am not an iSCSI expert by any stretch of the imagination.  I am going to see if I can virtualize the machine somehow and run it that way.  I would rather try to separate the logging from the network management anyway.

Just a small rant about iSCSI.

–NG

As John Denver once sang, “My bags are packed, I’m ready to go…”

I booked my flight and hotel yesterday in addition to finalizing (as best as I can for the moment) my conference schedule.  This is going to be an exciting trip.  Those who know me personally already know of my passion for flying and that I have my FAA Private Pilot certificate.  However, I have not been on a commercial plane since my honeymoon in 2002.  It is going to be an adventure!  I’ll try to tweet or blog while I am there.  You can follow me on Twitter as av8rgeek.

-NG

I have never been to a Cisco Live conference before and, for the first time, I have enough “money” (Cisco Learning Credits) to attend the conference.  My challenge is that neither I nor my employer have a budget to attend this conference.

Here is what I worry about:
1. Is it wasting my money?
2. Are the sessions really that useful?

My goals are to earn my CCNP with more focus on security and to be proficient at the ASA Firewall line.

Any thoughts from the world?

–NG

I am pleased with my work today.  I have the basic config set for the router and switch at a new site I am setting up.

Now, I get to move into the more “advanced” topics of creating two site-to-site VPN tunnels, one to the HQ and one to the Data Center.  Creating the VPN tunnels should not be too hard, as long as everything matches.  However, getting dynamic routing (I’m using EIGRP) to work is going to be a different story.

I also need to create the correct ACLs to allow the traffic through the VPN tunnel(s) while restricting the unencrypted traffic from ever leaking out the same “outside” interface.

There is one more thing.  I want to go outside.  The weather is sunny and so inviting.  Oh well.
