Trying to log on to Skype earlier in the week on my MacBook Pro didn’t work. For some reason it simply wouldn’t connect – it just timed out. Everything else worked absolutely fine, no issues.
Figuring it was an IPv6 issue, I unbound IPv6 from en0 and tried again. Nothing. It wasn’t my Cisco ASA firewall playing games either, although logging on to it showed a vast number of packets dropped from 192.168.1.x on its inside interface (reverse path check, I don’t use 192.168.1.x internally). How could this be?
It turns out that I had a 192.168.1.x address bound to en0 from when I was testing out some locally connected kit. Skype saw this as the first IP address it could use and bound to it, whereas everything else worked fine letting the OS choose. Unbinding this address made Skype leap into action.
Category: Networking
Installing an Olive on VirtualBox
Although it exists in many other places, I’ve not found a comprehensive set of instructions for installing JunOS 11.4 under VirtualBox that actually works. As I found, it isn’t too difficult, and only took me a day or so.
You’ll need to create a FreeBSD machine in VirtualBox with 1 GB of RAM and around 4 GB of disk space (the steps below create a 4 GB VDI). Select one or more network interfaces as the Intel PRO/1000 MT Desktop adapter. If you’re running on a UNIX host, additionally redirect the COM1 serial port to a host pipe called /tmp/com1; VirtualBox creates this as a UNIX-domain socket. Use the command socat /tmp/com1 - (or, more explicitly, socat - UNIX-CONNECT:/tmp/com1) to show the output from the serial console, which is useful after booting the Olive for the first time, as that is where the JunOS installer writes its progress.
Installing FreeBSD
- Download the FreeBSD 4.4 mini ISO from ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/ISO-IMAGES/4.4/4.4-mini.iso
- Create a FreeBSD machine with 1 GB of RAM. Create a VDI startup disk (either dynamically allocated or fixed size) of 4 GB.
- Edit the machine settings and enable network adapters as Intel PRO/1000 MT Desktop (82540EM) adapters. Although FreeBSD 4.4 won’t support these, JunOS 11.4 will.
- Attach the ISO image to the CD/DVD drive in the machine, and boot it.
- When FreeBSD boots, select ‘Skip kernel configuration and continue with installation’.
- At the /stand/sysinstall menu, select a Standard installation.
- At the ‘FDISK Partition Editor’ screen, delete any existing slices and create a single FreeBSD slice covering the entire disk by pressing ‘A’. Press ‘Q’ to finish – changes are automatically saved.
- At the ‘Install Boot Manager for drive ad0?’ page, select ‘Standard’ so as not to install a boot manager.
- At the ‘FreeBSD Disklabel Editor’ screen, create partitions as follows:
- 1G filesystem mounted on /
- 512M swap partition
- 512M filesystem mounted on /config
- Remaining space in a filesystem mounted on /var
- Press ‘Q’ to finish – changes are automatically saved.
- At the ‘Choose Distributions’ page, select ‘X’ to exit.
- At the ‘Choose Installation Media’ page, select ‘Install from a FreeBSD CD/DVD’.
- The disk will now be partitioned, filesystems created and FreeBSD installed.
- After installation, the following questions will appear. Answer ‘No’ to each:
- Would you like to configure any Ethernet or SLIP/PPP network devices?
- Do you want this machine to function as a network gateway?
- Do you want to configure inetd and simple internet services?
- Do you want to have anonymous FTP access to this machine?
- Do you want to configure this machine as an NFS server?
- Do you want to configure this machine as an NFS client?
- Do you want to select a default security profile for this host?
- Would you like to customise your system console settings?
- Answer ‘Yes’ to “Would you like to set this machine’s time zone now?”. Select ‘No’ to “Is this machine’s CMOS clock set to UTC?”, then select ‘8 – Europe’, ’42 – United Kingdom’ then ‘1 – Great Britain’. Answer ‘Yes’ to “Does the abbreviation ‘BST’ look reasonable?”
- Answer ‘No’ to “Would you like to enable Linux binary compatibility?”
- Answer ‘No’ to “Does this system have a USB mouse attached to it?”, then select ‘Exit’ at the “Please configure your mouse” menu
- Answer ‘No’ to the question regarding browsing the FreeBSD package collection.
- Answer ‘No’ to the question regarding adding initial user accounts.
- Set a password for the ‘root’ user.
- Answer ‘No’ to the question regarding the last chance to set options.
- Select ‘X’ to exit installation, detach the ISO image and select ‘Yes’ to the “Are you sure you wish to exit?” question.
- The virtual machine will now restart.
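The VirtualBox side of the build above can be scripted with VBoxManage instead of being clicked through. This is an added example, not something from the original post or from Juniper: the VM name, the use of a NAT adapter for the first NIC and an internal network for the second, and the /tmp/com1 socket path are assumptions. With DRY_RUN set it prints the VBoxManage commands instead of running them, which is how it can be checked on a machine without VirtualBox; the sysinstall steps that follow are interactive and are not scripted here.

```sh
#!/bin/sh
# Create the Olive VM with VBoxManage. Added example; the VM name, disk size,
# NIC wiring (NAT on the first adapter, an internal network on the second) and
# the /tmp/com1 path are assumptions.
set -eu

# Print the command instead of running it when DRY_RUN is set, so the script
# can be checked on a machine without VirtualBox.
vbm() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

olive_create_vm() { # vm-name path/to/4.4-mini.iso [disk-size-in-MB]
    vm=$1; iso=$2; disk_mb=${3:-4096}
    vbm createvm --name "$vm" --ostype FreeBSD --register
    # 1 GB RAM and 82540EM (Intel PRO/1000 MT Desktop) adapters: FreeBSD 4.4
    # cannot drive them, but the JunOS 11.4 installed later can.
    vbm modifyvm "$vm" --memory 1024 \
        --nic1 nat --nictype1 82540EM \
        --nic2 intnet --nictype2 82540EM
    # COM1 as a host pipe; VirtualBox creates the UNIX-domain socket itself.
    vbm modifyvm "$vm" --uart1 0x3F8 4 --uartmode1 server /tmp/com1
    vbm createmedium disk --filename "$vm.vdi" --size "$disk_mb"
    vbm storagectl "$vm" --name IDE --add ide
    vbm storageattach "$vm" --storagectl IDE --port 0 --device 0 \
        --type hdd --medium "$vm.vdi"
    vbm storageattach "$vm" --storagectl IDE --port 1 --device 0 \
        --type dvddrive --medium "$iso"
}

# Watch the serial console once the VM is running.
olive_console() {
    socat - UNIX-CONNECT:/tmp/com1
}

# Usage: ./olive-vm.sh Olive ~/4.4-mini.iso
if [ $# -ge 2 ]; then
    olive_create_vm "$@"
fi
```

After the FreeBSD install, detach the ISO from IDE port 1 (VBoxManage storageattach ... --medium emptydrive) before rebooting, or swap in the JunOS ISO built in the next section.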
Creating a JunOS installation image
Download junos-olive-patch.sh and run it against a standard JunOS installation image, for example:
user@host:~$ ./junos-olive-patch.sh jinstall-11.4R2.14-domestic.tgz
This will unpack and patch the installation file, replacing ‘checkpic’ in the pkgtools archive with a symbolic link to /bin/true. checkpic is the installer’s platform check: on anything that isn’t Juniper hardware it fails and the install aborts, so making it always succeed is what lets the package install on an Olive.
To get this installation package on to VirtualBox, make it in to an ISO file using mkisofs:
user@host:~$ mkisofs -R -o olive.iso jinstall-11.4R2.14-domestic.tgz
The -R (Rock Ridge) option matters: without it mkisofs writes plain ISO 9660 8.3 names, the long filename is truncated and upper-cased, and pkg_add will not find it under the name you expect.
Attach the ISO image to the Olive in VirtualBox, then mount it on FreeBSD by typing mount /cdrom (sysinstall leaves a /cdrom entry in /etc/fstab). Install the package by running pkg_add -f /cdrom/jinstall-11.4R2.14-domestic.tgz; -f tells pkg_add to carry on past failed checks.
Reboot, and wait for the BTX loader screen to disappear – this may take several minutes. If you’re using socat to monitor the output of the console, you’ll see JunOS being installed.
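The patch and packaging steps above, as an added example. This is not the junos-olive-patch.sh the post links to, and the package layout it assumes (a pkgtools.tgz at the top level of the jinstall tarball, holding bin/checkpic) is an assumption rather than something the post states. It includes a constructed stand-in package whose checkpic refuses to run, so the patch can be exercised and checked without a JunOS image; mkisofs is only needed for the final ISO step.

```sh
#!/bin/sh
# Patch a jinstall package so it installs on an Olive, then wrap it in an ISO.
# Added example. Assumed layout (not taken from the post): the jinstall tarball
# holds pkgtools.tgz at its top level, and pkgtools.tgz holds bin/checkpic.
set -eu

abspath() { # file -> absolute path (the directory must exist)
    echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
}

# Replace bin/checkpic inside pkgtools.tgz with a symlink to /bin/true so the
# installer's platform check always succeeds, then repack both archives.
olive_patch_jinstall() { # in.tgz out.tgz
    patch_in=$(abspath "$1"); patch_out=$(abspath "$2")
    patch_work=$(mktemp -d)
    mkdir "$patch_work/jinstall" "$patch_work/pkgtools"
    tar -xzf "$patch_in" -C "$patch_work/jinstall"
    tar -xzf "$patch_work/jinstall/pkgtools.tgz" -C "$patch_work/pkgtools"
    rm -f "$patch_work/pkgtools/bin/checkpic"
    ln -s /bin/true "$patch_work/pkgtools/bin/checkpic"
    (cd "$patch_work/pkgtools" && tar -czf "$patch_work/jinstall/pkgtools.tgz" .)
    (cd "$patch_work/jinstall" && tar -czf "$patch_out" .)
    rm -rf "$patch_work"
}

# Put the patched package on an ISO. -R keeps the long filename; plain ISO 9660
# would truncate it to 8.3 and pkg_add would not find it under /cdrom.
olive_make_iso() { # patched.tgz olive.iso
    mkisofs -R -o "$2" "$1"
}

# Constructed stand-in for a jinstall package (not real JunOS): its checkpic
# refuses to run, which is what happens on non-Juniper hardware.
make_fake_jinstall() { # out.tgz
    fake_out=$(abspath "$1")
    fake_dir=$(mktemp -d)
    mkdir -p "$fake_dir/pkgtools/bin" "$fake_dir/jinstall"
    printf '#!/bin/sh\necho "checkpic: unsupported platform" >&2\nexit 1\n' \
        > "$fake_dir/pkgtools/bin/checkpic"
    chmod +x "$fake_dir/pkgtools/bin/checkpic"
    echo 'constructed sample, not JunOS' > "$fake_dir/jinstall/README"
    (cd "$fake_dir/pkgtools" && tar -czf "$fake_dir/jinstall/pkgtools.tgz" .)
    (cd "$fake_dir/jinstall" && tar -czf "$fake_out" .)
    rm -rf "$fake_dir"
}

# Usage: ./olive-patch.sh jinstall-11.4R2.14-domestic.tgz
if [ $# -ge 1 ]; then
    olive_patch_jinstall "$1" "patched-$(basename "$1")"
    olive_make_iso "patched-$(basename "$1")" olive.iso
fi
```

Keep the original and patched tarballs apart: the patched one has had a signature-style check removed and should only ever be fed to a lab VM, never to real hardware.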
A problem isn't always what it seems
I had a call today from somebody who was trying to use an Avaya IP Phone from their office at home. The phone has built-in IPSec VPN capability, and their phone switch is some distance away on – surprisingly – a DSL line. Call quality is not an issue, which is testament to Zen Internet‘s network quality.
In the office, the phone works fine. At home, it fails to establish a VPN, displaying an “Invalid PSK” error. Looking on the VPN router at the site with the softswitch, I see nothing untoward, so I set about asking the caller to tell me his default gateway address – which is the same address as the network range that the softswitch is on. No prizes for guessing why it doesn’t work.
Here I was, expecting a full-on IPSec debugging session, and it turns out to be IP addresses.
Importing SSL certificates on Cisco IOS
A requirement came up to use Cisco’s AnyConnect VPN on a router. For this, an SSL certificate and the corresponding private key are required – I used CAcert.org.
I will deliberately skip the detail of how to generate an RSA private key, create a CSR and get this signed by a CA. Straight to the chase – here is how to import the key and certificate on to an IOS router.
Use openssl rsa -in foo.key -pubout to display the corresponding public key for your private key foo.key. This will begin with BEGIN PUBLIC KEY.
Next, ensure your private key has a password. Run openssl rsa -in foo.key: if it prompts for a pass phrase, the key is already encrypted (the file will also carry an ENCRYPTED marker). If it doesn’t, encrypt it with 3DES using openssl rsa -in foo.key -des3 -out foo-enc.key and specify a password. Note that the flag is -des3, and that IOS expects the traditional PEM form beginning BEGIN RSA PRIVATE KEY with Proc-Type and DEK-Info headers; OpenSSL 3 writes PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY) by default, so add -traditional there.
On the IOS device in question, use crypto key import rsa foo pem terminal password, where the last word is the password you put on the private key, to import the PEM-encoded key pair. Do this over SSH rather than telnet, since the key material and its password cross the session; add the keyword exportable before the password if you will ever need to copy the key off the router again. The router first asks for the public key:
cr(config)#crypto key import rsa foo pem terminal strongpassword
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
...
Ensure there is a complete blank line after pasting the public key, and the router will then prompt:
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
Paste in the 3DES-encrypted key (it will begin BEGIN RSA PRIVATE KEY) and type ‘quit’ on a line by itself at the end.
Check the result with show crypto key mypubkey rsa foo, which should list the imported key under that label. That’s it. It’s not straightforward, and I know I’ll forget if I don’t write it down!
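The openssl side of this procedure, as an added example that is not from the original post: it checks whether the key is already encrypted, produces the public key block, writes the 3DES-encrypted traditional-format private key the router asks for (adding -traditional only when the installed OpenSSL advertises the flag, since OpenSSL 3 otherwise writes PKCS#8 and older releases reject the option), and assembles the paste sequence in the order the router prompts for it. The file names, key label and password are arguments chosen for illustration, and openssl(1) on the path is assumed.

```sh
#!/bin/sh
# Prepare an RSA key pair for 'crypto key import rsa <label> pem terminal <password>'.
# Added example; assumes openssl(1) is on the path. File names, the label
# and the password are arguments, not values from the post.
set -eu

# 0 if the key file is already encrypted (traditional "Proc-Type: 4,ENCRYPTED"
# or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"), 1 if it is in the clear.
key_is_encrypted() { # key
    grep -q 'ENCRYPTED' "$1"
}

# IOS takes the traditional PEM form (BEGIN RSA PRIVATE KEY with Proc-Type and
# DEK-Info headers). OpenSSL 3 writes PKCS#8 unless told -traditional; older
# releases do not know the flag, so only pass it when the binary advertises it.
rsa_trad_flag() {
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        printf '%s' '-traditional'
    fi
}

# The first block the router asks for: the public key, BEGIN PUBLIC KEY.
ios_pubkey() { # key [password]
    openssl rsa -in "$1" -passin "pass:${2:-}" -pubout 2>/dev/null
}

# The second block: the private key, 3DES-encrypted under the given password.
# rsa_trad_flag expands to zero or one word, so it is deliberately unquoted.
ios_encrypt_key() { # key out password
    openssl rsa -in "$1" -des3 $(rsa_trad_flag) -passout "pass:$3" -out "$2" 2>/dev/null
}

# Everything to paste at the config prompt, in order: the import command, the
# public key, the blank line that ends it, the private key and the closing quit.
ios_paste_script() { # label pubkey-file encrypted-key-file password
    printf 'crypto key import rsa %s pem terminal %s\n' "$1" "$4"
    cat "$2"
    printf '\n'
    cat "$3"
    printf 'quit\n'
}

# Usage: ./ios-key.sh foo.key foo strongpassword
if [ $# -ge 3 ]; then
    key=$1; label=$2; password=$3
    ios_pubkey "$key" "$password" > "$label.pub"
    if key_is_encrypted "$key"; then
        cp "$key" "$label-enc.key"
    else
        ios_encrypt_key "$key" "$label-enc.key" "$password"
    fi
    ios_paste_script "$label" "$label.pub" "$label-enc.key" "$password"
fi
```

The password ends up in the router’s command history and in your terminal scrollback, so treat it as a one-off transport secret: pick a fresh one for the import rather than reusing the key’s long-term pass phrase.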
Catalyst 6500 Supervisor 32 modular software
I’m on my way back from a few days in Milan, setting up a network for one of our customers. Standard equipment – a pair of Cat6504Es, some ASAs, a couple of ACE4710 load balancers.
As usual with anything I haven’t used before, problems occur. The biggest and most infuriating wasn’t the failed Sup32 (which was eventually replaced by Cisco after quite some work on our supplier’s behalf), but the fact I couldn’t get the Sup32 to boot from the image I’d downloaded.
Here’s what happened – each time I booted, the boot image loaded and spewed the following:
MAC based EOBC installed
Waiting (slot 1) for supervisor to come online in other slot. iteration = 0
Next Retry will be done after 6 seconds
This repeated for what seemed like an eternity, then the Supervisor crashed and rebooted.
What fixed it? It turns out I had a modular image copied into flash, not installed. That’s not amazingly obvious, especially as the modular image has -mz in its name, and the image I wanted has -jz.
See this article on Cisco IOS Software Modularity on cisco.com for more information.