Monthly Archives: October 2012

VPN Config vShield Edge to Fortigate

vShield Edge and VPN with Fortigate

VPN configuration against a Fortigate is not documented anywhere; you can find everything you need in this article.

Open the vShield configuration as follows: Administration -> Open vDC -> Edge Gateway -> right-click the edge device you want -> Edge Gateway Services.

The screen below is taken from an already configured edge, but first you have to enable VPN: it is a checkbox on the left side.
Quick note: if the edge device is not directly connected to the internet but sits behind other networks, so that its outside IP is private, click the Configure Public IPs section and create a NAT so the edge is reachable for the VPN.
Before you start, be careful to enter everything correctly: after you submit the config you cannot edit it, you have to delete it and re-enter everything.

Click "Add" to create a new VPN configuration. For the full phase 1 and phase 2 default settings, check this article. vCloud Director does not show the full configuration the way a traditional firewall does.

Part 1

Name and Description: give a name and description that indicate who the VPN is with, or between which networks it runs.
Establish VPN to: since I assume you will build the VPN to a remote network that is not inside your provider's vCloud island, select a remote network.
Choose which internal network will interact with the remote network.
Peer Network: the remote network block. You cannot enter a single IP address here, because vShield apparently does not support it (I will provide evidence later). Use a prefix such as xxx.yyy.zz.ttt/24 or xxx.yyy.zz.ttt/29.
Local Endpoint: leave the default or choose the one you want.
Local ID: you can set anything here, but I generally set the outside IP address of my edge gateway; it could also be a hostname or whatever identifier the remote firewall uses to recognise this peer.
Peer ID: you can set anything here, but I generally set the outside IP address of the remote firewall; again it could be a hostname or whatever identifier the remote firewall uses for itself.

Part 2

Peer IP: very important; it must be exactly the outside IP address of the remote firewall you are establishing the VPN with.
Encryption Protocol: choose the one agreed with the remote site.
Shared Key: something like 123451234512345123451234512345aA

If everything is okay, you should see a check mark on the first screen, the one where you enabled VPN.
Generally on vCloud Director you need to wait a little: everything updates slowly, and within about 5 minutes the status is shown correctly, so do not worry if status changes do not appear immediately.

For vCloud Director providers: for debugging, logging and anything else, use vShield Manager.

Customers should use syslog; some debug output only arrives via syslog. Also the vCloud Director GUI is still not comfortable: for example, if you want to change something you need to delete the whole config and re-enter everything 😀

A nice feature: you get a notification mail when the VPN tunnel comes up or goes down; the mail looks like the one below.

You will also get a "down" message like the one above, and from the vCloud Director GUI you can see the error message.

One last thing about the configuration:

After the VPN config is done there is one more thing: in the firewall section you have to create a rule that allows the remote site to access your network via the VPN, like below.

Fortigate-side screenshots are below. I am not explaining them; Forti people should have the knowledge already. If you need to learn something, leave a comment or send a mail / tweet via the About page.
VM

vShield Edge VPN Defaults

Establishing a VPN between firewalls is sometimes not easy: both sites need to agree on the settings, and the firewall rules need to match.

I would like to describe the vShield Edge defaults, because not all of this information is shown in the vCloud Director GUI or in vShield Manager.

If you are a customer, I advise you to have a syslog server.

If you are an admin on the provider side, please use vShield Manager logging.

You can get a little confused when you start configuring VPN: vShield Edge configuration is not like a standard firewall. You cannot see the phase 1 and phase 2 sections and you do not configure SA lifetimes or other parameters, so you have to know the default values.

I also advise reading http://www.vmware.com/pdf/vshield_51_admin.pdf

vShield Edge uses/supports:

IKEv2

Phase 1

Main Mode (for other modes and explanations please read this); no Aggressive Mode
3DES/AES (choose the encryption)
SHA1 (integrity algorithm)
PSK (pre-shared secret key) and certificate (for certificates you have to use the vShield Manager GUI; I have never used it)
SA Lifetime 28800 seconds, no data (kbyte) limit
DH Group 2

Phase2

3DES/AES (choose the encryption; from the vCloud Director GUI you will see that the selected one applies to both phase 1 and phase 2)
SHA1 (integrity algorithm)
ESP Tunnel Mode
DH Group 2
PFS
SA Lifetime 3600 seconds, no data (kbyte) limit
Selectors for all IP protocols and all ports between the two networks, using IPv4 subnets

DPD (Dead Peer Detection; generally also enabled on the remote site)
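The Fortigate side is left unexplained in the VPN post above, so here is an added example (not from the original posts, and not Fortinet's or VMware's own code) of a FortiOS 5.0-style CLI configuration that mirrors the vShield Edge defaults just listed: main mode, AES with SHA1, DH group 2, PSK, 28800/3600 second lifetimes with no byte limit, PFS, tunnel-mode ESP and DPD. Every name and address is a placeholder I made up: `wan1`/`internal` as the Fortigate interfaces, `203.0.113.10` as the Edge outside IP (the "Peer IP" field on the vCD side), `198.51.100.20` as the Fortigate outside IP, `10.10.0.0/24` as the vCD org network and `192.168.10.0/24` as the network behind the Fortigate. The IKE version is left at the FortiOS default; set `ike-version` to whatever your Edge actually negotiates. DPD and service keywords changed between FortiOS releases (5.2+ uses `set dpd on-idle`, 4.x used the service `"ANY"` instead of `"ALL"`), so check them against the version you run.

```fortios
# Added example, not from the original post. FortiOS 5.0-style syntax;
# interfaces, addresses, object names and the PSK are placeholders.

# Phase 1: main mode, AES/SHA1, DH group 2, 28800 s lifetime, PSK, DPD.
# peerid must equal the "Local ID" typed on the Edge, localid must equal
# the "Peer ID" typed on the Edge, remote-gw is the Edge outside IP.
config vpn ipsec phase1-interface
    edit "to-vshield-edge"
        set interface "wan1"
        set mode main
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 28800
        set remote-gw 203.0.113.10
        set peertype one
        set peerid "203.0.113.10"
        set localid "198.51.100.20"
        set dpd enable
        set psksecret "REPLACE-WITH-THE-SHARED-KEY"
    next
end

# Phase 2: same cipher (the Edge applies one choice to both phases),
# PFS with DH group 2, 3600 s lifetime, selectors = the two whole subnets.
config vpn ipsec phase2-interface
    edit "to-vshield-edge-p2"
        set phase1name "to-vshield-edge"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 2
        set keylifeseconds 3600
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.255.0
    next
end

# Route the vCD org network into the tunnel interface.
config router static
    edit 0
        set dst 10.10.0.0 255.255.255.0
        set device "to-vshield-edge"
    next
end

# Address objects, so the policies are scoped to the two networks
# rather than "all".
config firewall address
    edit "local-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "vcd-org-net"
        set subnet 10.10.0.0 255.255.255.0
    next
end

# One policy per direction. The vCD side still needs the matching Edge
# firewall rule described in the VPN post.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-vshield-edge"
        set srcaddr "local-lan"
        set dstaddr "vcd-org-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to-vshield-edge"
        set dstintf "internal"
        set srcaddr "vcd-org-net"
        set dstaddr "local-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After loading it, `diagnose vpn tunnel list` shows whether the phase 2 SA for `to-vshield-edge` has come up; a mismatch in DH group, lifetime or proposal shows up as a phase 1 or phase 2 negotiation failure in the Fortigate VPN log, which is where the defaults above are worth checking first.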

It looks like VMware has already tested vShield Edge against Cisco Router/ASA and Watchguard.

My next articles will cover VPN between vShield Edge and Fortigate, and between vShield Edge and CheckPoint.

VM

vCloud Director 5.1.1 is coming

All vCloud Providers

Version 5.1.1 is coming very soon

Updates for vShield Manager and the other products are coming too!

I guess it will be available within a month ...

VM

vDirector 5.1: finally the number of supported things has increased

This is a different look at what's new in vDirector 5.1.
This article is still being updated ....

About Allocation Model

–vCpu Speed

A new parameter has been added to the configuration. Before, it was available only for the Pay-As-You-Grow model; now you can set it on the Allocation Model too. Be careful: it does not matter that you set a 0% CPU guarantee, once you set a vCPU speed it is counted, and you cannot power on a VM if the vCPU speed of each VM exceeds the configured GHz usage.

It looks like there is no 100% backward compatibility: you have to set 0.26, which is the minimum value.

Very important: after the upgrade this value is set to 0.26 for all organizations on the allocation model, and this causes performance issues because all running VMs are limited to 0.26 GHz of CPU. Be careful.

VMware support said that "engineering is preparing a workaround for this in a future update of vCloud Director."

About Storage/Disk of vDC and VM

–Changing Organization vDC storage allocation (changing the vDC disk quota)

It has moved under the storage profile; you cannot increase or decrease storage from the vDC properties any more.

–Add a disk and/or increase the size of an existing VM disk

At last it is allowed: you can now add a disk or increase the disk size while the VM is running, without stopping it.

Take care with the nodes' local disks

With storage profile support, local disks become usable by vDirector; please disable all local datastores in vDirector.

We still have headaches; all vDirector admins, please make a feature request from the right side of the panel (Feature Request):

  1. No way to add a vNIC while the VM is running :((
  2. No way to change the network while the VM is running :((
  3. I don't understand why vDirector still does not recognise a VM that was shut down from inside the guest and shows a "partially down" message?!
  4. The firewall user experience needs to be improved with zone/aggregate rules: a zone for inside to outside, a zone for outside to inside, and zones for other pairs such as dmz1 to dmz2 or dmz1 to outside, for better understanding.

vDirector 5.1 sql upgrade failing

Yesterday we saw that not too many people have upgraded their vCloud environment to 5.1 yet.

We hung on step 2.0.34. It is quite funny when you hear what the problem is: the mem_overhead column.
During the upgrade, the SQL upgrade script creates some temporary tables, and in these temp tables the column type of mem_overhead is "int", while in the real, active, persistent tables mem_overhead is bigint. This is what makes the vDirector upgrade fail.

Solution

First, restore the old DB, select the values from the vm_inv table and find any value with more than nine digits:

select * from vm_inv where mem_overhead=3968430080

Replace it with a nine-digit value, like below:

update vm_inv set mem_overhead=396843008 where mem_overhead=3968430080

VMware Support answered us like below:

I just got confirmation from the engineering team that the memory_overhead_mb column in the computevm table is deleted later in the upgrade script. So we don't need to worry about whether this int type will cause any further issue with vCD 5.1.
The workaround we discussed (just change the int to bigint) should also work. And since the column is deleted at the end of the upgrade, we also don't need to worry that the type change has some downside in the future.

I hope nobody needs this article, but if you do, here is the solution.

Note to all: always test with real data in a test environment. You may still not see everything, but at least you have a chance to catch it!

VM

The full error is below:

2012-10-01 19:34:06,380 | INFO | main | UpgradeAgent | Executing upgrade task: Upgrade to 2.0.34 |
2012-10-01 19:34:06,381 | DEBUG | pool-1-thread-1 | LoggingProgressListener | Upgrade Task Received progress report: com.vmware.vcloud.progress.ImmutableProgressReport@65f4be12 {state: RUNNING, progress: 0%} |
2012-10-01 19:34:06,383 | DEBUG | pool-1-thread-1 | LoggingProgressListener | Upgrade Task Received progress report: com.vmware.vcloud.progress.ImmutableProgressReport@65f4bfa5 {state: RUNNING, progress: 13%} |
2012-10-01 19:34:06,384 | DEBUG | pool-1-thread-1 | SerialAggregateTask | Steps to upgrade to 2.0.34: Beginning execution of task Record version 2.0.33.transition |
2012-10-01 19:34:06,427 | DEBUG | pool-1-thread-1 | SerialAggregateTask | Steps to upgrade to 2.0.34: Beginning execution of task Compute.groovy:22 |
2012-10-01 19:34:06,427 | DEBUG | pool-1-thread-1 | RawSQLTask | Executing sql ‘INSERT INTO computevm (id, computehub_id, vrp_id, creation_status, memory_min_mb,
memory_configured_mb, memory_overhead_mb, cpu_min_mhz, num_vcpu, vmmoref)
SELECT distinct vm.id, vrprp.computehub_id, vrp.id,
0,
vminv.mem_reservation, vminv.mem, vminv.mem_overhead,
vminv.cpu_reservation, vminv.vcpu_count,
vm.moref
FROM vm vm, vm_inv vminv, vapp_vm vappvm,
vrp vrp, vrp_rp vrprp,
vm_container vmcont,
org_prov_vdc o, org_prov_vdc_rp orp
WHERE vm.moref = vminv.moref
AND vm.vc_id = vminv.vc_id
AND vm.id NOT IN (SELECT vm_id FROM deployed_vm)
AND vm.id = vappvm.svm_id
AND vappvm.vapp_id = vmcont.sg_id
AND vmcont.org_vdc_id = o.id
AND o.id = orp.org_prov_vdc_id
AND orp.rp_moref = vrprp.sub_rp_moref
AND orp.vc_id=vrprp.sub_rp_vc_id
AND vrp.id = vrprp.vrp_id
AND vminv.resource_pool_moref = vrprp.sub_rp_moref’ |
2012-10-01 19:34:06,861 | WARN | pool-1-thread-1 | SerialAggregateTask | Steps to upgrade to 2.0.34: Task failed due to uncaught exception |
java.sql.DataTruncation: Data truncation
at net.sourceforge.jtds.jdbc.SQLDiagnostic.addDiagnostic(SQLDiagnostic.java:382)
at net.sourceforge.jtds.jdbc.TdsCore.tdsErrorToken(TdsCore.java:2816)
at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2254)
at net.sourceforge.jtds.jdbc.TdsCore.getMoreResults(TdsCore.java:631)
at net.sourceforge.jtds.jdbc.JtdsStatement.processResults(JtdsStatement.java:584)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQL(JtdsStatement.java:546)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeImpl(JtdsStatement.java:723)
at net.sourceforge.jtds.jdbc.JtdsStatement.execute(JtdsStatement.java:1157)
at com.vmware.vcloud.upgrade.tasks.RawSQLTask.call(RawSQLTask.java:106)
at com.vmware.vcloud.upgrade.tasks.RawSQLTask.call(RawSQLTask.java:1)
at com.vmware.vcloud.upgrade.SerialAggregateTask.call(SerialAggregateTask.java:43)
at com.vmware.vcloud.upgrade.SerialAggregateTask.call(SerialAggregateTask.java:1)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.doCall(AbstractDelegatingTask.java:124)
at com.vmware.vcloud.upgrade.TransactionTask.doCall(TransactionTask.java:74)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:103)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:1)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.doCall(AbstractDelegatingTask.java:124)
at com.vmware.vcloud.upgrade.UpgradeTask.doCall(UpgradeTask.java:79)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:103)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:1)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2012-10-01 19:34:06,862 | DEBUG | pool-1-thread-1 | RawSQLTask | Transaction for task ‘com.vmware.vcloud.upgrade.SerialAggregateTask@3a97263f’ will rollback |
java.sql.DataTruncation: Data truncation
at net.sourceforge.jtds.jdbc.SQLDiagnostic.addDiagnostic(SQLDiagnostic.java:382)
at net.sourceforge.jtds.jdbc.TdsCore.tdsErrorToken(TdsCore.java:2816)
at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2254)
at net.sourceforge.jtds.jdbc.TdsCore.getMoreResults(TdsCore.java:631)
at net.sourceforge.jtds.jdbc.JtdsStatement.processResults(JtdsStatement.java:584)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQL(JtdsStatement.java:546)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeImpl(JtdsStatement.java:723)
at net.sourceforge.jtds.jdbc.JtdsStatement.execute(JtdsStatement.java:1157)
at com.vmware.vcloud.upgrade.tasks.RawSQLTask.call(RawSQLTask.java:106)
at com.vmware.vcloud.upgrade.tasks.RawSQLTask.call(RawSQLTask.java:1)
at com.vmware.vcloud.upgrade.SerialAggregateTask.call(SerialAggregateTask.java:43)
at com.vmware.vcloud.upgrade.SerialAggregateTask.call(SerialAggregateTask.java:1)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.doCall(AbstractDelegatingTask.java:124)
at com.vmware.vcloud.upgrade.TransactionTask.doCall(TransactionTask.java:74)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:103)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:1)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.doCall(AbstractDelegatingTask.java:124)
at com.vmware.vcloud.upgrade.UpgradeTask.doCall(UpgradeTask.java:79)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:103)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:1)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2012-10-01 19:34:06,864 | DEBUG | pool-1-thread-1 | LoggingProgressListener | Upgrade Task Received progress report: com.vmware.vcloud.progress.ImmutableProgressReport@702d32f8 {state: FAILED, progress: 13%} |
2012-10-01 19:34:06,866 | ERROR | main | UpgradeAgent | Unable to upgrade the database: java.sql.DataTruncation: Data truncation |
com.vmware.vcloud.upgrade.UpgradeAgentException: java.sql.DataTruncation: Data truncation
at com.vmware.vcloud.upgrade.UpgradeAgent.runUpgradeTasks(UpgradeAgent.java:1219)
at com.vmware.vcloud.upgrade.UpgradeAgent.executeUpgrade(UpgradeAgent.java:745)
at com.vmware.vcloud.upgrade.UpgradeAgent.start(UpgradeAgent.java:979)
at com.vmware.vcloud.upgrade.UpgradeAgent.main(UpgradeAgent.java:881)
Caused by: java.sql.DataTruncation: Data truncation
at net.sourceforge.jtds.jdbc.SQLDiagnostic.addDiagnostic(SQLDiagnostic.java:382)
at net.sourceforge.jtds.jdbc.TdsCore.tdsErrorToken(TdsCore.java:2816)
at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2254)
at net.sourceforge.jtds.jdbc.TdsCore.getMoreResults(TdsCore.java:631)
at net.sourceforge.jtds.jdbc.JtdsStatement.processResults(JtdsStatement.java:584)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQL(JtdsStatement.java:546)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeImpl(JtdsStatement.java:723)
at net.sourceforge.jtds.jdbc.JtdsStatement.execute(JtdsStatement.java:1157)
at com.vmware.vcloud.upgrade.tasks.RawSQLTask.call(RawSQLTask.java:106)
at com.vmware.vcloud.upgrade.tasks.RawSQLTask.call(RawSQLTask.java:1)
at com.vmware.vcloud.upgrade.SerialAggregateTask.call(SerialAggregateTask.java:43)
at com.vmware.vcloud.upgrade.SerialAggregateTask.call(SerialAggregateTask.java:1)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.doCall(AbstractDelegatingTask.java:124)
at com.vmware.vcloud.upgrade.TransactionTask.doCall(TransactionTask.java:74)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:103)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:1)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.doCall(AbstractDelegatingTask.java:124)
at com.vmware.vcloud.upgrade.UpgradeTask.doCall(UpgradeTask.java:79)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:103)
at com.vmware.vcloud.upgrade.AbstractDelegatingTask.call(AbstractDelegatingTask.java:1)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Upgrade vDirector, vShield Manager

This documentation explains upgrading vDirector 1.5 to 5.1 and vShield Manager 5.0-473791 to 5.1.0-807847.

Next you have to upgrade vCenter, ESXi and the other components; if you need instructions please check the link. (Upgrading vCenter, ESXi and vShield is not mandatory, they work with vDirector 5.1 as they are, but for full functionality and capability you have to upgrade all of them.)

I assume you are using vShield Manager 5.0 or above, because below version 5.0 the SQL upgrade will be cancelled.

Download vmware-vcloud-director-5.1.0-810718.bin (upgrade file) and VMware-vShield-Manager-upgrade-bundle-5.1.0-807847.tar.gz (upgrade file) from my.vmware.com.

To understand what really changed, I advise you to take screenshots and write down the procedures you use on vDirector, then create the same things on version 5.1 and compare; every change becomes very easy to see.
In short, you will no longer see Organization Networks on the Manage & Monitor screen; Edge Gateways, Storage Profiles and Datastore Clusters appear as new items 😀

Be aware of your vShield Edges: a new concept, "compact" and "full", is available. In short, full has more RAM than compact and supports multiple interfaces 😀 which we have been waiting for for a long time. HA is now available too, which means you have a redundant firewall; don't worry about the placement of these VMs, if you have enough hosts DRS takes care of where the HA vShield Edges are placed.

Please take note of what changed: Organization Network became vDC network, and NAT rules became Edge Gateway rules.

We were waiting for vShield Edge to become more usable, because the old version had no CIDR entry, no load balancer, no DNAT and no HA. Now it has them, so it is the right time to use it. But if you have vShield firewalls, sorry 😦 you have to upgrade all of them; please read the instructions in the upgrade section of the 5.1 installation PDF, linked below.

I advise you to read the documentation once, http://pubs.vmware.com/vcd-51/topic/com.vmware.ICbase/PDF/vcd_51_install.pdf, to understand what has changed, the steps and the other explanations, but I can say that this article covers the upgrade 100% and it succeeded 100%.

Step 1: Upgrade vDirector

Check the status of vDirector and whether any job is running on it:
./cell-management-tool -u vDirector_admin_user -p vDirector_admin_user_pass cell --status

Stop accepting new requests; only already submitted requests are still processed:
./cell-management-tool -u administrator -p Pa55w0rd cell --quiesce true

Check the status until the queue goes down to 0, then execute the command below to stop the cell:
./cell-management-tool -u administrator -p Pa55w0rd cell --shutdown

For me the cell could not stop quickly; you have to wait a little, or stop the vcd service without executing these commands.

First give the installer execute permission and run it:

chmod u+x vmware-vcloud-director-5.1.0-810718.bin
./vmware-vcloud-director-5.1.0-810718.bin

Upgrade the SQL database:

/opt/vmware/vcloud-director/bin/upgrade

Step 2: Upgrade vShield Manager

Log in to vShield Manager and upgrade it from Settings & Reports -> Updates -> Upload Settings, and upload the file you downloaded from my.vmware.com.

Click Install and follow the upgrade.

The installation will reboot the vShield Manager VM; wait until you see a line like the one shown, then you can connect to the new manager.

Upgrade vCenter Inventory Service, vCenter Server, the vSphere Clients, ESXi and the others such as syslog and the Web Client; if you need help, please check the link.

Continue with the vShield Manager configuration: you need to integrate vCenter Server with it and configure NTP. VMware advises that the SSO server and vShield Manager, and actually all components working together, should have the same time, I think ....

Please edit Lookup Service, vCenter Server, DNS and NTP and configure them with your credentials.
After the upgrade is done, upgrade the vDirector agent, but be careful: it needs to switch the node into maintenance mode, which means all VMs need to be moved between nodes until you have updated all nodes; please see below.

After that, hopefully everything went fine; test your service creations and the new features.

VM