Category Archives: NVGRE GW
WAP, NVGRE and Hair pinning
Hello All,
Today we faced a connectivity issue between tenant networks behind the same NVGRE GW.
Think that you have two tenants, Company A and Company B, with two virtual networks, and also a NAT rule configured for remote access on 3389 (RDP). A VM in Company A should be able to connect to a VM in Company B, but the problem is that the two virtual networks are behind the same NVGRE GW.
The problem is that there is a single interface, and both the To and the From sides are behind it: traffic from the source VM network leaves through the NVGRE outside interface and then wants to come back in through that same interface to reach the other VM network.
This image explains it: the BRIDGE represents the NVGRE GW, the squares are the VM networks, and the VMs are behind them.
Please check the related setting on the NVGRE GW node (active or passive; I guess it is not important which one):
PS C:\Users\Administrator.DORUKCOSN> Get-NetNatGlobal
InterRoutingDomainHairpinningMode : External
Then set it to Local:
PS C:\Users\Administrator.DORUKCOSN> Set-NetNatGlobal -InterRoutingDomainHairpinningMode Local
PS C:\Users\Administrator.DORUKCOSN>
Then go go go, try it now.
External is the default, so be careful about it.
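An added example (not from the original post) that audits the hairpinning mode on every gateway node at once, so the active and passive nodes can be compared and only the drifted ones corrected; the node names are placeholders.

```powershell
# Added example: audit InterRoutingDomainHairpinningMode across all NVGRE GW
# nodes and set it to Local only where it differs. Node names are placeholders.
$gatewayNodes = @('nvgre-node01.example.local', 'nvgre-node02.example.local')
$desiredMode  = 'Local'   # required when VNs behind one GW must reach each other via NAT

# Collect the current setting and the number of NAT instances from each node.
$report = Invoke-Command -ComputerName $gatewayNodes -ScriptBlock {
    $global = Get-NetNatGlobal
    [pscustomobject]@{
        Node         = $env:COMPUTERNAME
        HairpinMode  = $global.InterRoutingDomainHairpinningMode
        NatInstances = (Get-NetNat | Measure-Object).Count
    }
} -ErrorAction Continue

$report | Sort-Object Node | Format-Table Node, HairpinMode, NatInstances -AutoSize

# Correct only the nodes that drift from the desired mode. Append -WhatIf to
# Set-NetNatGlobal to preview the change before applying it.
$drifted = $report | Where-Object { $_.HairpinMode -ne $desiredMode }
foreach ($entry in $drifted) {
    Write-Host "Setting hairpinning mode to $desiredMode on $($entry.Node)"
    Invoke-Command -ComputerName $entry.Node -ScriptBlock {
        param($mode)
        Set-NetNatGlobal -InterRoutingDomainHairpinningMode $mode
    } -ArgumentList $desiredMode
}
```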
Regards
VM
How SCVMM balance between NVGRE GWs
Today, with my teammate Gokhan Acar, we focused on how SCVMM balances virtual networks (VNs) and services between NVGRE GWs, or Network Services (NS).
We have two NS configured in SCVMM.
First, what we found: the second (or last added) gateway (sorry, no time to add a third one) becomes the first unit responsible for managing and providing NAT and VPN services to the related VNs. We deployed "internetgwservice1" first and created some VNs on it, then deployed "internetgwservice2", and SCVMM started to create the new requests on it.
Then we tried to understand how SCVMM really balances between the two NS. The old one already had seven VNs, and then we started to create additional VNs; every new VN was deployed on the newly added GW. I expected that after eight it would start to load balance, but no!
To shorten the time, we tried to lower the limit of 50 to make testing easier, but discovered that it is not possible 😦
You will be faced with an error like the one below:
Error (21426)
Execution of Microsoft.SystemCenter.NetworkService::RegisterGatewayVMNetwork on the configuration provider 4ee559f1-f479-480c-9458-d14b8b1c1779 failed. Detailed exception: Microsoft.VirtualManager.Utils.CarmineException: Unable to add routing domain information to the Remote Access server. (A Hardware Management error has occurred trying to contact server hv3nvgnode02.dorukcosn.azure :n:CannotProcessFilter :HRESULT 0x8033801a:No instance found with given property values. .WinRM: URL: [http://hv3nvgnode02.dorukcosn.azure:5985], Verb: [ENUMERATE], Resource: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/virtualization/v2/*], Filter: [associators of {Msvm_EthernetPortAllocationSettingData.InstanceID="Microsoft:A449D45C-53B9-4B0A-9E98-C0E3BFB9ECBD\\BB614953-7878-4C15-A915-A587B429D7B1\\C"} where AssocClass=Msvm_EthernetPortSettingDataComponent ResultClass=Msvm_EthernetSwitchPortRoutingDomainSettingData] Check that WinRM is installed and running on server hv3nvgnode02.dorukcosn.azure. For more information use the command "winrm helpmsg hresult" and http://support.microsoft.com/kb/2742275 .) Fix the issue in Remote Access server and retry the operation.
Recommended Action
Check the documentation for the configuration provider or contact the publisher support.
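An added example (not from the original post) that counts how many VM networks each network service in SCVMM currently serves, so the placement behaviour described above can be checked against the limit of 50; the VMM server name is a placeholder and the NetworkGateway property name on the VM network gateway object is an assumption.

```powershell
# Added example: show VM networks per SCVMM network service (NVGRE GW) and the
# remaining headroom under the per-gateway limit mentioned in the post.
Import-Module VirtualMachineManager
$vmm = Get-SCVMMServer -ComputerName 'vmm01.example.local'   # placeholder
$limitPerGateway = 50   # limit observed in the post; not changeable there

# Tally VNs by the gateway that provides their NAT/VPN connectivity.
$counts = @{}
foreach ($vn in Get-SCVMNetwork -VMMServer $vmm) {
    # Only VNs with NAT/VPN connectivity have a VM network gateway object.
    $vng = Get-SCVMNetworkGateway -VMNetwork $vn -ErrorAction SilentlyContinue
    if ($null -eq $vng) { continue }
    # Assumed property name: NetworkGateway points at the SCVMM network service.
    $gwName = $vng.NetworkGateway.Name
    if (-not $counts.ContainsKey($gwName)) { $counts[$gwName] = 0 }
    $counts[$gwName]++
}

# One row per gateway, including gateways that serve no VN yet.
Get-SCNetworkGateway -VMMServer $vmm | ForEach-Object {
    $used = if ($counts.ContainsKey($_.Name)) { $counts[$_.Name] } else { 0 }
    [pscustomobject]@{
        Gateway    = $_.Name
        VMNetworks = $used
        Remaining  = $limitPerGateway - $used
    }
} | Sort-Object Gateway | Format-Table -AutoSize
```

Run it before and after creating a test VN to see which gateway received it.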
No-Look VPN Configuration with Azure Pack :D
Hello All,
After a very long search on Google I found only the Azure VPN configuration, but there is no example or good explanation of how you can do it with Azure Pack.
DorukNET is a COSN provider, and we are preparing to offer Azure Pack in Turkey, so we want to clarify the VPN configuration with our Fortigate expert Salih 😛
Before starting, let me explain the VPN properties from the ISP point of view:
- First, you ask for the peer IP address
- Second, you ask for the Phase 1 config properties, like IKE version, encryption, key lifetime and key
- Third, you ask for the Phase 2 config properties: encryption, key lifetime, and the remote and local networks which you will encrypt
- Also talk about other things, like dead peer detection (DPD)
- Policy/service consideration is also important; mostly we do not allow any-to-any communication
When you log in as a customer to the WAP Service Management Portal, you cannot see every property you need to establish a VPN; most things are preconfigured and, from the customer's point of view, there is no way to see them. It is also a little hard to discover from the administrator's point of view, but in the end we succeeded.
This article is about establishing a VPN between a Fortinet firewall and a Microsoft NVGRE GW.
NVGRE GW Peer IP Address : xxx.yyy.zzz.50
LocalSite-OnPremise: xxx.102.yyy.240/28
Customer Peer IP Address: note that the WAP-side NVGRE GW peer IP is not available before you create a new site-to-site setup.
Important note: the WAP GUI does not allow you to enter a single IP address as the remote side.
You can see that Microsoft configures each pre-shared key as a Run-As Account.
From the WAP GUI there is no way to set certificate as the auth method; actually I do not need it, no need to push Microsoft here 😀
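An added example (not from the original post) for the administrator side: it reads back, on the multi-tenant NVGRE GW, the site-to-site parameters the portal hides (peer, subnets, Phase 1/2 crypto, lifetimes, retry settings) for one tenant's routing domain, matching properties by name so nothing about the exact property set is assumed and the pre-shared key is never printed; the routing domain name is a placeholder.

```powershell
# Added example: dump the S2S VPN settings of one tenant routing domain on the
# NVGRE GW so they can be handed to the ISP/Fortigate side. Run on the GW node.
Import-Module RemoteAccess
$routingDomain = 'CompanyA_VNet'   # placeholder; list real ones with Get-RemoteAccessRoutingDomain

# Property names that map to what the peer asks for: peer IP and local/remote
# networks, Phase 1 / Phase 2 algorithms and lifetimes, DPD-style retry values.
# SharedSecret (the PSK held in the Run-As Account) is deliberately not matched.
$interesting = 'Destination|Subnet|Authentication|Encryption|Integrity|Cipher|' +
               'DHGroup|Pfs|LifeTime|SADataSize|IdleDisconnect|RetryInterval|' +
               'NumberOfTries|ConnectionState'

foreach ($iface in Get-VpnS2SInterface -RoutingDomain $routingDomain) {
    "`n== S2S interface: $($iface.Name) (routing domain $routingDomain) =="
    foreach ($prop in $iface.PSObject.Properties) {
        if ($prop.Name -notmatch $interesting -or $null -eq $prop.Value) { continue }
        # Flatten arrays such as IPv4Subnet so each setting fits on one line.
        $val = if ($prop.Value -is [System.Collections.IEnumerable] -and $prop.Value -isnot [string]) {
            @($prop.Value | ForEach-Object { "$_" }) -join ', '
        } else {
            "$($prop.Value)"
        }
        '{0,-36} {1}' -f $prop.Name, $val
    }
}
```

Compare the printed Phase 1/2 values with what the Fortigate side proposes before tuning either end.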
Easy part: go to the Forti, which traditionally we know everything about how to configure 😀