Simple GRE-Tunnel on vMX

As part of my JNCIE-ENT study, GRE-Tunnels are also a topic.
Turns out that GRE-Tunnels are quite simple to set up and give you a lot of Flexibility.

GRE-Tunnel Topology

In this Topology, the network 172.16.1.x/24 is behind vMX-VFP6 (VPC8) and the network 172.16.2.x/24 is behind vMX-VFP4 (VPC7). Our middle Router, vMX-VFP5/vMX-VCP2, is not aware of the 172 networks and has no route at all towards them. VCP1 and VCP3 are our Tunnel-Endpoints and are configured like this:

First you configure a gr-Interface with a tunnel source and destination.
You also should have a static route to reach the other side of your endpoint!
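The two endpoint configurations in set format, as an added example and not the author's lab configuration: the transit addresses 10.0.12.0/30 and 10.0.23.0/30 towards VCP2, the tunnel addresses 192.168.100.0/30, the LAN gateways and the interface names are assumptions. The tunnel-services line is what makes the gr- interface appear on a vMX.

```junos
# VCP1 (assumed: transit 10.0.12.1/30 towards VCP2, LAN 172.16.1.0/24 behind it)
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set interfaces ge-0/0/0 unit 0 family inet address 10.0.12.1/30
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces gr-0/0/0 unit 0 tunnel source 10.0.12.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.23.3
set interfaces gr-0/0/0 unit 0 family inet address 192.168.100.1/30
# static route to the remote tunnel endpoint, via the middle router
set routing-options static route 10.0.23.0/30 next-hop 10.0.12.2
# the remote LAN is reached through the tunnel interface
set routing-options static route 172.16.2.0/24 next-hop gr-0/0/0.0

# VCP3 (assumed: transit 10.0.23.3/30 towards VCP2, LAN 172.16.2.0/24 behind it)
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set interfaces ge-0/0/0 unit 0 family inet address 10.0.23.3/30
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.1/24
set interfaces gr-0/0/0 unit 0 tunnel source 10.0.23.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.12.1
set interfaces gr-0/0/0 unit 0 family inet address 192.168.100.2/30
set routing-options static route 10.0.12.0/30 next-hop 10.0.23.2
set routing-options static route 172.16.1.0/24 next-hop gr-0/0/0.0
```

VCP2 only needs to route the two transit /30s, never the 172 networks. Keep in mind that plain GRE adds no authentication or encryption, so anything on the transit path can read or inject tunnel traffic.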

As you can see in the routing table, VCP2 is not aware of the 172 networks and still VPC7 and VPC8 can ping each other, with VPC7 having 172.16.2.100/24 and VPC8 having 172.16.1.100/24 as the host addresses.

Setting up GRE-Tunnels is extremely easy. This allows you to tunnel your networks through your Provider network. But be careful – GRE is not IPsec – especially in terms of security.

Although GRE is able to carry other protocols as well as IP packets in an IP network while IPSec is not, IPsec offers more security than GRE because of its authentication feature.

But do you know the best part? This Lab was done in 6 Minutes (5.5 minutes boot time and the rest configuring) with EVE-NG. As you may have heard, I will soon present a short session about how to use EVE for prepping and labbing – if any of you attend the #NXTWORK2019 you need to check out the Ambassadors Masterclass – especially if you currently use ESX for labbing…

EVE-NG Pro 2.0.6-6 is out!

A couple of hours ago, EVE-NG Pro 2.0.6-6 was released introducing the new Dark-Mode.

In my opinion, this is great when labbing at night because your eyes don’t need to adjust between the flashy white background from eve-ng and the dark background of your ssh-Application.

I recently also tried out the Link-Suspension Feature and boy is this great 🙂
All the Juniper Gear I tested so far is working fine with the Link suspension, allowing you to test even more scenarios than before. I will also show you this shiny feature in Vegas at the #NXTWORK2019.

If you are there, make sure to check out our Masterclass 🙂
Can’t wait to meet you all – let’s talk about Tech or just about EVE.
And don’t worry – as far as I know, none of us has ever bitten a human – feel free to talk to us 🙂

Link-Suspend-Feature in Action (click image to view)

EVE-NG and Juniper Devices – Pimping your KVM

Have you ever noticed that your vSRX, vMX and vQFX run on insane CPU percentage?
Well yes, you might think, that is because on DPDK Hosts (I wrote about that earlier) the v-Devices run in “Poll-Mode”. But that doesn’t mean you can’t try to “improve” this behavior.

CAUTION: I tried this myself and have not seen any issues so far – however, this does not guarantee fatal possible side-effects, that I’m unaware of or that do not affect my Labs. If you mess with your EVE, you are on your own so try it and if it works fine, if not you should probably change it back or wait for the official release from the EVE-NG Team if this turns out to be working and they feel the need to implement this. I only tried this with “Pure-Juniper” Labs so far.

In my Test-Setup (1 vMX and 2 vQFX) my CPU went from 35% to below 16% (EVE on ESX).
I think Bare (which I will try next) will show the same if not more drops in the CPU usage.

Update 02.09.2019 – Yes. Bare was even more crazy, allowing me to run 40vQFX at the same time at roughly 70% CPU usage!!!! Insane :O

Also, there was no need to reboot the host.

Test-Setup
After the config-knob

Here’s what I changed:

and

Let me know in the comments or on Twitter if this also worked for you and if you see any side effects please also let me know.

Here’s some background in case you wonder what this does:
https://www.kernel.org/doc/Documentation/virtual/kvm/halt-polling.txt
The interesting Part for me was the Notes at the end:

Sounds like the v-Devices, right? 😉

Disabling TLS 1.0 and TLS1.1

For me, it is always important to make my blog safe for readers and avoid nearly all possibilities for nasty folks to do nasty things 😉

No Website is 100% secure of course but I try my best to improve my Servers every day.
Therefore I now only serve this Website over TLS 1.2 until TLS1.3 is officially supported through the default repositories. TLS 1.0 and TLS1.1 are rarely used and therefore I think it’s safe to disable them. If you face issues, feel free to contact me.

Juniper EMEA & CALA Tech Fest 2019 – Live Agenda

Here you find the Agenda for the EMEA & CALA Tech Fest 2019.
This Post will be updated by me if anything changes during the Event (Room Names, Slots, etc.) so feel free to bookmark this Page. I will also write Articles every evening so make sure to check them out 🙂
Last Edited: 12.07.2019, 15.32 (CEST)

Agenda for Tuesday, July 16th:

Agenda for Tuesday, July 16th (click the image to enlarge)

Agenda for Wednesday, July 17th:

Agenda for Wednesday, July 17th, Morning Sessions (click the image to enlarge)
Agenda for Wednesday, July 17th, Afternoon Sessions (click the image to enlarge)

Agenda for Thursday, July 18th:

Agenda for Thursday, July 18th, Morning Sessions (click the image to enlarge)
Agenda for Thursday, July 18th, Afternoon Sessions (click the image to enlarge)

Make sure to visit the Certification booth (pre-registration recommended) to get your (re)certifications ready.
Meeting room for Certification is ‘Berlin’.
Looking forward to meeting all of you in Prague 🙂

Below you will find the Updated rooms:

EVE-NG Pro 2.0.5-21 is out!

Today the new eve-ng pro (v2.0.5-20-PRO) was released, hours later v2.0.5-21-PRO was released including the latest bugfixes. It has some major improvements in regards to usability (with a brand new notification bar) and CPU optimization.

You might have noticed the new login message (Steph Edition) after the update. Stephan was the EVE Logo Designer and recently passed away at the age of 35 so this is a tribute for him in this release.

More info about the changes made in this release (like the new notification bar) will follow soon so make sure to get back here from time to time 😉

Tribute for Steph

Why is my vSRX always using 100% CPU?

I get this Question a lot – the vSRX is taking almost 100% of the CPU.
But why is that?

This happens if you are using the vSRX on a “DPDK-Host”: the CPU cores will be constantly polling for packets, and they will be displayed as 100% busy in the output of “top”, simply because on DPDK Hosts the vSRX runs in “polling mode”. The Docs will tell you this:

“vSRX runs DPDK in polling mode, and thus consumes all available CPU. The vFP uses DPDK to continuously poll the NIC queues for new packets, so cores allocated to the NIC queue processing are locked at almost 100% CPU usage all the time. It doesn’t matter if you have 1pps of traffic or 100Mpps.”

As you can see, this behavior is normal and should not alert you. On Hardware, where vSRX is not depending on DPDK, the CPU usage reduces drastically because the vSRX does not have to poll for Packets. This is called “interrupt based”: the hardware sends a signal to the CPU once a new packet arrives that has to be processed.

Guest Post: An in-depth review of the L2TP/IPsec protocol


Among the various VPN protocols, Layer 2 Tunneling Protocol (L2TP) is one of the most secure. Moreover, it is incredibly easy to set up.

Taken alone, L2TP is simply a tunneling protocol (it facilitates end-to-end communication) that allows remote clients to use a public network to communicate within a private network. To provide the required encryption, it is paired with IPsec, which is a security protocol.

Different VPN protocols carry various strengths and weaknesses, and to fully understand the strengths and weaknesses of L2TP/IPsec, here is an in-depth review.

History of L2TP/IPSec

L2TP was developed in the 90s by both Cisco and Microsoft. The two companies came together out of a need to develop a protocol that would improve on the individual protocols that each company had developed.

Before L2TP, a Microsoft employee had developed the first ever tunneling protocol, the Point-to-Point Tunneling Protocol (PPTP). The main reason the Microsoft employee developed the protocol was to allow users to work effectively and securely from home via a secure internet connection.

Unfortunately, PPTP, though effective, was not perfect. For one, due to the technology of that time, it had weak encryption. Second, the protocol did not and still does not recover as quickly as others over unstable network connections.

To try and improve on the weaknesses of PPTP, Cisco came up with Layer 2 Forwarding (L2F) protocol. L2F, according to Cisco, was meant to tunnel Point-to-Point communications over an IP and create a dial-up link across a network.

Similar to PPTP, L2F had significant weaknesses such as low support for different devices and weak encryption. Therefore, Cisco and Microsoft came together in a bid to create a protocol that wouldn’t have some of these glaring weaknesses. They succeeded because they created L2TP/IPsec which is still in use today.

The differences between L2TP and PPTP/L2F

As noted above, L2TP is pretty much an extension of both PPTP and L2F. To differentiate between the three and understand why L2TP is better, here are the differences.

The differences between L2TP and L2F include:

  • L2F lacks a defined client
  • L2F only works in compulsory tunnels (the tunnel ends at ISP) while L2TP can use voluntary tunnels (the tunnel ends at the remote client) which makes it flexible
  • L2TP has additional beneficial features such as flow control

The differences between L2TP and PPTP include:

  • A PPTP connection only tunnels over IP while L2TP is more flexible and can tunnel over a wide variety of media
  • A PPTP connection can only handle one tunnel between two points. L2TP supports multiple tunnels between any two points, and each tunnel will have its own quality of service (QoS)
  • The size of L2TP headers is as low as 4 bytes while that of PPTP is larger

How L2TP/IPsec works

L2TP/IPsec uses a technique known as double encapsulation to facilitate security. This unique feature is the reason L2TP/IPsec first gained popularity. Essentially, the first encapsulation will create a connection between two parties.

The second encapsulation, on the other hand, contains the IPSec encryption which provides for security. Due to the double encapsulation, it is impossible to tamper with a data packet while it is on the move from one party to another.

That protects anyone who is using this protocol from a man-in-the-middle attack. Man-in-the-middle attacks occur when an attacker lies in wait and alters communication between two parties without their knowledge. As a result, even though the two parties believe they are communicating with each other, in reality, they are both communicating with the attacker who can misinform, misdirect and cause harm.

Note that L2TP on its own, without IPsec, supports several authentication options. First, it supports the Password Authentication Protocol (PAP). Second, it supports the Challenge Handshake Authentication Protocol (CHAP) and finally the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). MS-CHAP is similar to CHAP with the only difference being that it is proprietary to Microsoft.

The IPsec part of the L2TP/IPsec protocol contains a 256-bit encryption key. A 256-bit encryption key offers military-grade encryption that is next to impossible to break. Also, it contains security algorithms that also help in improving security.

Strengths

  • Easy to set up due to minimal complexity
  • High levels of security due to double encapsulation
  • Compatible with a large number of devices and operating systems
  • Supports multithreading (execution of multiple threads concurrently) which in turn enhances performance

Weaknesses

  • According to reports, it is possible the NSA has weakened the IPsec protocol in their bid to monitor what people are doing online. As a result, the protocol has weakened security to some degree
  • It is possible to block L2TP/IPsec because it runs on User Datagram Protocol (UDP) port 500
  • Double encapsulation reduces the speed by a significant margin

Shoutouts to Jeff Anderson from techwarn.com for this Guest Post – hope you guys enjoyed it.