The curious case of the IP Alias

Trying to log on to Skype earlier in the week on my MacBook Pro didn’t work. For some reason it simply wouldn’t connect – it just timed out. Everything else worked absolutely fine, no issues.

Figuring it was an IPv6 issue, I unbound IPv6 from en0 and tried again. Nothing. It wasn’t my Cisco ASA firewall playing games either, although logging on to it showed a vast number of packets dropped from 192.168.1.x on its inside interface (reverse path check, I don’t use 192.168.1.x internally). How could this be?

It turns out that I had a 192.168.1.x bound to en0 from when I was testing out some locally connected kit. Skype saw this as the first IP address it could use and bound to it – whereas everything else worked fine letting the OS choose. Unbinding this address made Skype leap in to action.

Installing an Olive on VirtualBox

Although it exists in many other places, I’ve not found a comprehensive set of instructions for installing JunOS 11.4 under VirtualBox that actually works. As I found, It isn’t too difficult, and only took me a day or so.

You’ll need to create a FreeBSD machine in VirtualBox with 1Gb of RAM and 5Gb of disk space. Select one or more network interfaces as the Intel PRO/1000 MT Desktop adapter. If you’re running on a UNIX system, additionally redirect the COM1 serial port to a host pipe called /tmp/com1. Use the command socat /tmp/com - to show the output from the serial console, which is useful after booting the Olive for the first time.

Installing FreeBSD

  • Download the FreeBSD 4.4 mini ISO from ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/ISO-IMAGES/4.4/4.4-mini.iso
  • Create a FreeBSD machine with 1Gb of RAM. Create a VDI startup disk (either dynamically allocated or fixed size) of 4Gb
  • Edit the machine settings and enable network adapters as Intel PRO/1000 MT Desktop (82540EM) adapters. Although FreeBSD 4.4 won’t support these, JunOS 11.4 will.
  • Attach the ISO image to the CD/DVD drive in the machine, and boot it.
  • When FreeBSD boots, select ‘Skip kernel configuration and continue with installation’.
  • At the /stand/sysinstall menu, select a Standard installation.
  • At the ‘FDISK Partition Editor’ screen, delete any existing slices and create a single FreeBSD slice covering the entire disk by pressing ‘A’. Press ‘Q’ to finish – changes are automatically saved.
  • At the ‘Install Boot Manager for drive ad0?’ page, select ‘Standard’ so as not to install a boot manager.
  • At the ‘FreeBSD Disklabel Editor’ screen, create partitions as follows:
    • 1G filesystem mounted on /
    • 512M swap partition
    • 512M filesystem mounted on /config
    • Remaining space in a filesystem mounted on /var
  • Press ‘Q’ to finish – changes are automatically saved.
  • At the ‘Choose Distributions’ page, select ‘X’ to exit’.
  • At the ‘Choose Installation Media’ page, select ‘Install from a FreeBSD CD/DVD’.
  • The disk will now be partitioned, filesystems created and FreeBSD installed.
  • After installation, the following questions will appear. Answer ‘No’ to each:
    • Would you like to configure any Ethernet or SLIP/PPP network devices?
    • Do you want this machine to function as a network gateway?
    • Do you want to configure inetd and simple internet services?
    • Do you want to have anonymous FTP access to this machine?
    • Do you want to configure this machine as an NFS server?
    • Do you want to configure this machine as an NFS client?
    • Do you want to select a default security profile for this host?
    • Would you like to customise your system console settings?
  • Answer ‘Yes’ to “Would you like to set this machine’s time zone now?”. Select ‘No’ to “Is this machine’s CMOS clock set to UTC?”, then select ‘8 – Europe’, ’42 – United Kingdom’ then ‘1 – Great Britain’. Answer ‘Yes’ to “Does the abbreviation ‘BST’ look reasonable?”
  • Answer ‘No’ to “Would you like to enable Linux binary compatibility?”
  • Answer ‘No’ to “Does this system have a USB mouse attached to it?”, then select ‘Exit’ at the “Please configure your mouse” menu
  • Answer ‘No’ to the question regarding browsing the FreeBSD package collection.
  • Answer ‘No’ to the question regarding adding initial user accounts.
  • Set a password for the ‘root’ user.
  • Answer ‘No’ to the question regarding the last chance to set options.
  • Select ‘X’ to exit installation, detach the ISO image and select ‘Yes’ to the “Are you sure you wish to exit?” question.
  • The virtual machine will now restart.

Creating a JunOS installation image

Download junos-olive-patch.sh and run it against a standard JunOS installation image, for example:

user@host:~$ ./junos-olive-patch.sh jinstall-11.4R2.14-domestic.tgz

This will unpack and patch the installation file, replacing ‘checkpic’ in the pkgtools archive with a symbolic link to /bin/true so the package will install on an Olive.

To get this installation package on to VirtualBox, make it in to an ISO file using mkisofs:

user@host:~$ mkisofs jinstall-11.4R2.14-domestic.tgz > olive.iso

Attach the ISO image to the Olive in VirtualBox, then mount the ISO file on FreeBSD by typing mount /cdrom. Install the package by running pkg_add -f jinstall-11.4R2.14-domestic.tgz.

Reboot, and wait for the BTX loader screen to disappear – this may take several minutes. If you’re using socat to monitor the output of the console, you’ll see JunOS being installed.

A problem isn’t always what it seems

I had a call today from somebody who was trying to use an Avaya IP Phone from their office at home. The phone has built-in IPSec VPN capability, and their phone switch is some distance away on – surprisingly – a DSL line. Call quality is not an issue, which is testament to Zen Internet‘s network quality.

In the office, the phone works fine. At home, it fails to establish a VPN, displaying an “Invalid PSK” error. Looking on the VPN router at the site with the softswitch, I see nothing untoward, so I set about asking the caller to tell me his default gateway address – which is the same address as the network range that the softswitch is no. No prizes for guessing why it doesn’t work.

Here I was, expecting a full-on IPSec debugging session, and it turns out to be IP addresses.

Importing SSL certificates on Cisco IOS

A requirement came up to use Cisco’s AnyConnect VPN on a router. For this, an SSL certificate and corresponding private key is required – I used CAcert.org.

I will deliberately skip the detail of how to generate an RSA private key, create a CSR and get this signed by a CA. Straight to the chase – here is how to import the key and certificate on to an IOS router.

Use openssl rsa -in foo.key -pubout to display the corresponding public key for your private key foo.key. This will begin with BEGIN PUBLIC KEY.

Next, ensure your private key has a password – use openssl rsa -in foo.key. If it doesn’t, encrypt it with 3DES using openssl rsa -in foo.key -3des and specify a password.

On the IOS device in question, use crypto key import rsa foo pem terminal to import the PEM encoded public key:


cr(config)#crypto key import rsa foo pem terminal strongpassword
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
...

Ensure there is a complete blank line after pasting the public key, and the router will then prompt:

% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.

Paste in the 3DES-encrypted key – it will begin BEGIN RSA PRIVATE KEY, and type ‘quit’ on a blank line at the end.

That’s it. It’s not straightforward, and I know I’ll forget if I don’t write it down!

Catalyst 6500 Supervisor 32 modular software

I’m on my way back from a few days in Milan, setting up a network for one of our customers. Standard equipment – a pair of Cat6504Es, some ASAs, a couple of ACE4710 load balancers.

As usual with anything I haven’t used before, problems occur. The biggest and most infuriating wasn’t the failed Sup32 (which was eventually replaced by Cisco after quite some work on our supplier’s behalf), but the fact I couldn’t get the Sup32 to boot from the image I’d downloaded.

Here’s what happened – each time I booted, the boot image loaded and spewed the following:

MAC based EOBC installed
Waiting (slot 1) for supervisor to come online in other slot. iteration
= 0

Next Retry will be done after 6 seconds

This repeated for what seemed like an eternity, then the Supervisor crashed and rebooted.

What fixed it? It turns out I had a modular image copied in to flash, not installed. That's not amazingly obvious, especially as the modular image has -mz in its name, and the image I wanted has -jz.

See this article on Cisco IOS Software Modularity on cisco.com for more information.