WAP, NVGRE and Hair pinning

Hello All ,

Today we faces connectivity issue between tenant networks behind same NVGRE GW.

Think that you have two tenants , Company A and Company B and two virtual networks and also NAT rule configured for remote access 3389 (RDP) to Company A VM can connect Company B VM but problem is two virtual networks are behind the same NVGRE GW.

Problem is single interface and To and From is behind a single interface , means source vm network coming from NVGRE outside interface and want to get in same interface to access other vm network .

This image could explain , BRIDGE is describing NVGRE , squares are vm networks and VM s behind

Pls check related settings on NVGRE GW node , active or passive , i guess its not important

 

PS C:\Users\Administrator.DORUKCOSN> Get-NetNatGlobal
InterRoutingDomainHairpinningMode : External

 

Then set it Local

PS C:\Users\Administrator.DORUKCOSN> Set-NetNatGlobal -InterRoutingDomainHairpinningMode Local
PS C:\Users\Administrator.DORUKCOSN>

Then go go go , try it now

External comes default , be care about it

Regards
VM

How SCVMM balance between NVGRE GWs

Today, we focused how SCVMM balance virtual networks(VN) and services between NVGRE GWs or Network Services(NS) with my team mate Gokhan Acar.

We have two NS configured in SCVMM

First what we faced, second or last added gateway (sorry no time to add 3th one) become first responsible unit to manage and provide NAT, VPN services to related VNs. We deployed “internetgwservice1” first and create some VN on it then deploy “internetgwservice2” and SCVMM start to create a new requests on it.

Then we try to understand how SCVMM really try to balance between two NS. Old one already have seven VN then we start to create additional VNs. its start to deploy every VN on newly added gw. I expect that after eight it will start to load balance but not !

To shorten the time, try to change the limit 50 to lower value to make easy test, but discover that its not possible to do 😦

You should be faced with such error below

Error (21426)

Execution of Microsoft.SystemCenter.NetworkService::RegisterGatewayVMNetwork on the configuration provider 4ee559f1-f479-480c-9458-d14b8b1c1779 failed. Detailed exception: Microsoft.VirtualManager.Utils.CarmineException: Unable to add routing domain information to the Remote Access server. (A Hardware Management error has occurred trying to contact server hv3nvgnode02.dorukcosn.azure :n:CannotProcessFilter :HRESULT 0x8033801a:No instance found with given property values. .

WinRM: URL: [http://hv3nvgnode02.dorukcosn.azure:5985], Verb: [ENUMERATE], Resource: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/virtualization/v2/*], Filter: [associators of {Msvm_EthernetPortAllocationSettingData.InstanceID=”Microsoft:A449D45C-53B9-4B0A-9E98-C0E3BFB9ECBD\\BB614953-7878-4C15-A915-A587B429D7B1\\C”}where AssocClass=Msvm_EthernetPortSettingDataComponent ResultClass=Msvm_EthernetSwitchPortRoutingDomainSettingData]

Check that WinRM is installed and running on server hv3nvgnode02.dorukcosn.azure. For more information use the command “winrm helpmsg hresult” and http://support.microsoft.com/kb/2742275 .)

Fix the issue in Remote Access server and retry the operation.

Recommended Action

Check the documentation for the configuration provider or contact the publisher support.

Then we back and try to create more VN with NAT services enabled

Until reach 50th VN everything created on last added NVGRE GW but when we try to create 51th VN we faced same error like above. We are very sure that some cache things happen because the next GW is not run on related host

I guess need to wait little but we try to restart SCVMM services 😀 and push to create 51th VN again , its worked ! 🙂

Continue creating 52,53,54 and its working

Looks like SCVMM do not make round robin based balance, first over the related NVGRE GW then switch to next ….

VM

 

No-Look VPN Configuration with Azure Pack :D

Hello All

After very long search on Google find only the Azure VPN configuration but there is no example and good explanation about how you can do it with Azure Pack.
DorukNET is COSN provider and we are preparing to offer Azure Pack in Turkey and want to clarify VPN configuration with our Fortigate expert Salih 😛

Before start let me explain ISP point of view VPN properties ;

• First you ask peer ip address
• Second you ask phase 1 config properties like IKE version , encryption , key life time and key
• Third you ask phase 2 config properties , encryption , key life time , network remote and local one which you will encrypt
• Also talk about other things dead peer detection  (DPD)
• Policy service consideration also important , mostly we do not allow any to any communication

When you login as a customer to WAP Service Management Portal, you couldn’t see every properties you need to establish VPN , mostly things are preconfigured and customer point of view there is no way to see it. Also its little hard to discover by administrator point of view but at the end we succeeded .

This article is about establish VPN between Fortinet and Microsoft NVGRE GW

Fortigate FW Version : 5.0.patch5

DorukNET WAP Customer Site Network

Provider-SiteAzure : 10.0.0.0/24
NVGRE GW Peer IP Address : xxx.yyy.zzz.50

Customer OnPremise Site Network
LocalSite-OnPremise: xxx.102.yyy.240/28
Customer Peer IP Address :Note that WAP site NVGRE GW Peer ip is not available before you create a new site-to-site setup

Lets create it

Login to WAP Service Management Portal and go to Networks and double click your already created network and click Create VPN

Set your remote site VPN Device ip address, here we set our Fortigate FW outsite ip address and pre-shared key

a

As a address space you have to set remote site ip address block which you would like to communicate encrypted
Important note, WAP GUI do not allow enter single ip address as a remote

Next two screen WAP allow you to set limitation about VPN configuration if you needed please enter , we did not test its working or not :)Then action time , WAP send the request to VMM to create VPN configuration on NVGRE GW

 

Succeeded

Check VMM site if you are provider to confirm

Now you will start to understand why we described article subject as a No-Look !

Now customer can not see anything more than VPN configuration is Enabled  !  No any knowledge about Phase 1 , Phase 2 configuration . Here what provider need to do, well document everything and somehow if provider have some boundaries need to automate the configuration

For example after VPN configuration enabled we can see such properties for VPN

You can see that Microsoft configure each pre-shared key as an Run-As-Account

From WAP GUI there is no way to set certificate as a auth method , actually i do not need it , no need to push Microsoft here 😀

Routes section is easy, its remote network

Click the Advanced section , you will see the configuration of VPN but you have to understand which one is Phase1 and Phase 2 , very good , lovely

We find a pptx file after almost 50-100 search on Google , i know you thing maybe i m searching wrong key words , i m accepting 😀

This slide actually do not equal defaults but it help us a lot but funny thing you can see that there is no timeout for key life values for Phase 2 also we discover the Phase 1 key life from this slide too also you can find it from powershell “Get-VpnS2SInterface” command

We used related configuration for us

Easy part , go to Forti , which traditionally we know everything how to configure 😀

Phase 2

Rule for Forti

Monitor VPN Connectivity

Ping it or Remote it

Hope this article help for everyone

VM