Remote desktop, GNS3 crashes when drag and drop topology objects

Couple of days ago I reinstalled my machine that I use as GNS3 server. It was about time as thing started to become a bit unstable after so many patches and updates to bring it up from Ubuntu 8.04.

I picked Xubuntu 14.04 LTS as my distro because I like XFCE and with the new GNS3 installed directly from PPA following https://www.gns3.com/support/docs/linux-installation it seems to be a piece of cake the entire story.

Unfortunately the reality was different. The above machine is sitting in my lab and most of the time I do just remote desktop on it via X2GO or XRDP. The issue that I encounter was that GNS3 was starting fine, everything looked to be working correctly, but when I was trying to drag and drop an object (like router, switch) to the topology the GNS3 would crash and the logs would show a nice segmentation fault.

I spent a lot of hours reading about and it seems I’m not the only one which had this strange behavior. However nobody could actually point out a real solution to this problem.

One workaround that I found to be working is to use Thinlinc, a remote desktop server provided by Cendio. The free version supports for up to 10 concurrent users and in my case this limitation should not pose a problem. One disadvantage can be seen that it’s not open source and you need to install also the client software. Again not a big deal, at least for my scope.

If you arrived to my post looking for a solution, the above workaround can be one and it’s working fine.

However, the engineer in me was not satisfied as why the solution would not work just using the included packages in Ubuntu 14.04 LTS.

Digging more, I found that the problem is not actually related to GNS3, but rather to the Qt version that comes with Ubuntu 14.04. Also it’s seems that not only GNS3 is affected by this issue, which appears to be a Qt Bug, but also other software used via a remote X11 connection – https://bugreports.qt.io/browse/QTBUG-38109

Now if you check the GNS3 Linux manual installation page, you’ll see that python3-pyqt5 must be installed. When you install it from PPA, the same python3-pyqt5 is installed, just that maybe you’ll miss it among the other packets that are added automatically.

Checking the Ubuntu 14.04 packages http://packages.ubuntu.com/trusty/python/ (search for python3-pyqt5 to avoid going via all packages) I noticed that the default version is 5.2.1 I’ve checked for particular Bugs with this version that can be related to my problems, unfortunately my search brought no conclusive result, so I had to assume that this version has a problem. I’m not a developer so this task was even harder for me.

I went to check the next Ubuntu release. 15.04 is out of the marked since January 2016 and the only alternative was 15.10. I’m not very keen on trying non-LTS versions, but desperate times require desperate measures. Searching for the same python3-pyqt5 (http://packages.ubuntu.com/wily/python/) I saw that this version is 5.4.2.

Next I tried to find a way to install the 5.4.2 python3-pyqt5 version on Ubuntu 14.04. No success here. I ran into more problems than solutions. If you have a solution to have these two versions working together, please let me know.

Having nothing to lose I downloaded the Xubuntu 15.10, installed it and…everything is working like a charm so farm. I can open GNS3 and drag and drop successfully via a remote connection (XRDP or X2GO).

As you can see I have no solution to the actual problem, but at least I can suggest 2-3 workarounds that may get you out of the woods. For me an article like this would have been very helpful while doing my research, but there was none out there, beside different community posts usually without any answer. This is the reason for which I wanted to share this story with you.

If you have this issue and found another solution, please let me know as I would like to use the 14.04 LTS version of Ubuntu, otherwise I need to wait for the release of 16.04 LTS scheduled for this year.

SSL Certificate signed by own CA

There are a lot of “how-to” on the Internet explaining the setup procedure. This is mainly a copy / paste example for those in a hurry :)

How to setup your own CA

Generate a key for CA

Pick a password and remember it!

Generate a SSL certificate for CA

How to create a new SSL certificate signed by your own CA

Request a new key for the new domain that you want to secure

Pick a password and remember it!

Request a CSR and sign it with the previous created key

Request the SSL certificate and sign it against the CA

(Optional for Linux) Secure the key on the server

To have the SSL working you need to copy on the server side
– MyServerName.key
– MyServerName.crt
– myCA.crt (that’s the CA certificate)

How to view a certificate

How to check whether a private key matches a certificate or that the certificate matches the certificate signing request (CSR)

Does anybody knows a simple script that can offer the above functionality from web interface? I was looking around for a while now, but either they are enterprise complex or do not work. Let me know in Comments if you have a good suggestion.

Thanks!

Mikrotik L2TP with IPsec for mobile clients

I got some questions about how to configure Mikrotik to act as L2TP Server with IPsec encryption for mobile clients. I know this is not exactly in the line of this blog oriented on enterprise networks, but it’s network technology in the end so I’ll try to cover it here.

Before we start, please make sure that your Mikrotik build-in firewall is configured in such way that it can accept packets on the WAN interface. You can check my article on IPsec VPN Mikrotik to Cisco for firewall configuration.

Another important part is that I’m using RouterOS v6.24 in the below scenario. In earlier versions some configurations are a bit different, but you’ll figure it out as I will explain where is really important.

1. Add a new IP Pool

It’s not mandatory if you already have a IP Pool, but I assume you don’t and we need to add one.

GUI

IP > Pool

Add a new pool

CLI

L2TP Configuration

1. Configure L2TP Profile

Before adding a new L2TP Server, we need to add a new L2TP Profile. We can use also the default one, but I don’t like to mix things.

GUI

PPP > Profiles

The rest of values can be left on default value.

CLI

2. Add a L2TP-Server

GUI

PPP > Interface > L2TP Server

CLI

3. Add PPP Secrets

GUI

PPP > Secrets

Let the rest as default.

CLI

IPsec Configuration

On IPsec configuration, you can use the default configuration (like Proposals) but I would suggest to let those as default and add your new ones. In case that you already have some IPsec configuration which is already working and using the default configuration we don’t want to mess with that.

1. IPsec Proposals

GUI

IPsec > Proposals

CLI

Something to mention here. In version previous than 6.xx, you can pick only one encryption algorithm, if I remember correctly. You cannot add multiple algorithms (like 3des and aes-256 above). If this is the case, be sure to stay with 3des. I know it offer less security, but for some reason I could not force Microsoft Windows to work on L2TP via aes-256.

2. IPsec Peers

GUI

IPsec > Peers

CLI

IMPORTANT

The value of the Secret field above, MUST be the same as in L2TP Configuration, Step 2.
Also, if your RouterOS support only one encryption algorithm, then pick 3des.

3. IPsec Policies

GUI

CLI

Below, I’ll add two examples how to configure the iPhone and Microsoft Windows to work with the above configuration.

iPhone

Go to Settings, VPN section and Add VPN Configuration…

It will look like this:

iPhone L2TP Configuration

The Server is the public IP address or FQDN of your Mikrotik. Account and Password are the one defined in L2TP Configuration Step 3. (MYUSER and MYPASSWORD in the example above). Secret , is the IPsec Secret Key defined in L2TP Configuration Step 2. and IPsec Configuration Step 2. (MYKEY in the example).

PC with Microsoft Windows

1. Add a new VPN connection

Add New VPN Connection

2. Pick the option Use my Internet connection

Chose VPN type

3. Add Mikrotik L2TP Server details

Add L2TP Mikrotik details

4. Add the user and password

Add L2TP user

Add this point Windows 7 force me to hit Connect. I will not work yet. Please follow the next steps.

You need to reach the Properties of your new VPN connection.

5. Configure the VPN Security settings.

Be sure to have the settings like in image below, to force encryption and use mschap2 protocol.

L2TP VPN Security

6. Set the IPsec Secret key

Hit the Advanced button and set the IPsec key

L2TP IPsec Key

Hit Connect and it will work. If you have questions please be sure to add them to Comments.

IPsec VPN Mikrotik to Cisco

Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. For today, I will replace the Linux device with a Cisco. I did test the entire construct in GNS3 integrated with Mikrotik.

The topology looks like this:

IPsec VPN Mikrotik Cisco

The red line represent the IPsec VPN tunnel.
Please note the used IP addresses. In this way the below configuration will be easier to understand.

Mikrotik Configuration

1. Firewal rules

By default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down)

On INPUT channel allow the following on the interface facing Internet
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
It may be that you don’t need all these ports, but you can close them later. You can check logs if you want to troubleshoot.

On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade.
You need to add a rule with ACCEPT source LOCAL_LAN (192.168.88.0/24 in this example) destination REMOTE_LAN (192.168.0.0/24 in this example).

On Console the configuration looks like this:

CLI

2. The IPsec Proposal

GUI

IP > IPsec > Proposals

CLI

3. The IPsec Policy

GUI

IP > IPsec > Policies

CLI

4. The IPsec Peer

GUI

IP > IPsec > Peers

CLI

Cisco configuration

1. Crypto ISAKMP Policy

You can specify also the hash as sha1, but this is the default method on Cisco, so no extra line will appear.

2. Crypto ISAKMP neighbor

3. Crypto IPsec transformation set

4. Crypto map

5. Access-list for interesting traffic

6. Interface config

The settings (like encryption algorithm) can be tuned to fit your requirements.

If you have any questions or something is unclear please let me know in Comments.

How to integrate F5 BIG-IP VE with GNS3

I would like to start by saying Merry Christmas and Happy Holidays season to all. In between spending time with my family, decorating the Christmas three and opening presents, I did find some time to play around with my hobby and testing something in the lab.

Lately I wanted to get a feeling how F5 BIG-IP works, you know, just to get familiar with its interfaces, rules and being capable of setting up a basic LTM or APM. Far from me the idea of becoming an expert on the first touch, but it’s nice to discover new technologies.

Beside getting the F5 BIG-IP VE (Virtual Edition), running up VMware (ESXi, Player, Fusion or Workstation) and starting the virtual machine I also wanted to emulate some kind of real environment to test. So, I did build the below topology in GNS3:

F5 BIG-IP Simple setup

Some explanation:

  • Client WIN7 is a VM in VirtualBox and integrated in GNS3
  • WWW Servers are VMs in VirtualBox and integrated in GNS3
  • WIN2008 AD DC is a VM in VirtualBox and integrated in GNS3
  • Routers are emulated in GNS3
  • F5 BIG-IP VE is a VM in VMware Workstation and integrated as a Cloud in GNS3

GNS3 is version 1.2.1 which works perfect. Why VirtualBox and VMware Workstation? Usually I have no problem to have my VMs in VirtualBox, but I could not successfully import the F5 BIG-IP VE OVA image in VirtualBox. I had to download a trial version of VMware Workstation to install the OVA image.

If you want to know more about this F5 product, Ethan Banks has a great article about the BIG-IP VE. Please note that Ethan’s article is about getting a lab license for BIG-IP VE. I just went for the trial version. You can download the OVA image and get the license here:
https://www.f5.com/trial/secure/big-ip-ltm-virtual-edition.php

Download the BIG-IP VE OVA image, get a trial license (valid for 90 days) and install it in VMware Workstation. It may work with other VMware products, but in this article I’m using only VMware Workstation.

The part that gave me some headache was the how to have a successfully network communication between VMware Workstation and GNS3.

Before GNS3 1.2.1, when I had to use a “cloud” to integrate VirtualBox VMs in GNS3, I was configuring a TAP interface and use Bridge mode for the VM NIC to the TAP interface. Then on the GNS3 Cloud, I was adding the TAP as a Generic Ethernet NIO on the NIO Ethernet. If you want to refresh more deeply the above information please read my article about How to integrate GNS3 with VirtualBox.

Unfortunately, in VMware Workstation, I cannot just bridge a VMnet interface to a TAP and use that specific VMnet in a VM. I just could not make it work.

To cut it short, here are the steps that I had to follow to have this working. I assume that you have VMware Workstation installed already. Another detail is that I’m using Ubuntu 14.04 to test the entire scenario.

1. Add two VMnet interfaces in VMware Workstation Virtual Network Editor

Use the image below to have an idea what I mean.

Virtual Network Editor

2. Configure the BIG-IP VE NIC as follow in VMware Workstation

I assume that you have the BIG-IP VE OVA imported in VMware Workstation

BIG-IP VE NIC

I had 4 NICs originally, but I only need three:

  • VMnet0 is bridge to my real LAN interface so I can manage the F5 BIG-IP VE over Web / CLI interfaces
  • VMnet11 – one “internal” interface facing LAN (server side)
  • VMnet22 – one “external” interface facing WAN (client side)

3. Configure two tap interfaces for F5 BIG-IP VE to be used in GNS3

11 – internal, 22 – external

*user = the non-root user which you use on Ubuntu host.

If you are having problems to find tunctl command please do the following:

Bring the interfaces up

4. Remove the IP addresses on both TAP and VMnet interfaces

5. Bridge the TAP and the VMnet interfaces

Bring the bridge interfaces up

5. Add the F5 BIG-IP VE to GNS3

If with GNS3 1.2.1 you can add the VirtualBox VMs directly, for the VMware Workstation (Player, Fusion, etc…) VMs you still need to you the Cloud part.

My GNS3 for F5 topology looks like this:

F5 topology in GNS3

And the GNS3 Cloud (representing the F5 BIG-IP VE) settings are the following:

F5 GNS3 Cloud settings

6. Connect the GNS3 Cloud interfaces to R1 and R2

Like shown in the image above, connect the TAP interface of the Cloud to the peer routers.

I’m running all applications (GNS3, VMware Workstation, VirtualBox) as non-root user. If you’re doing the same an error may occur in GNS3. Something like:

Server error [-3200] from x.x.x.x:8000: R1: unable to create TAP NIO

If this is the case, please run the following command on Ubuntu host:

This will help you setup the environment to test F5 BIG-IP VE in a lab environment totally virtualized. I’m not going to cover here how to configure the F5 BIG-IP VE. Maybe in one of my next articles.

If you encounter problems, please let me know in Comments.