VMware VCD VPN + Fortigate

Posted on December 29th, 2012 by Luke Sheldrick.
Categories: IT / Tech.

I’ve been testing a new platform at the day job for the last couple of days, as a user. The main part of this is that I do all the tests as if I were the end user (i.e. our customer). The platform is based on VMware’s Virtual Cloud Director 5.1. I’m working with our product team to get the platform ready to hand over to our customers, and filling in the missing gaps when it comes to requirements, documentation and any support needs.

One thing I was playing with today was the inbuilt VPN capabilities. The documentation from VMware here, if I am honest, is quite incomplete. Even as a seasoned VMware user, some elements are confusing. So the documentation for this element was, how do I put it… minimal (read: missing all the needed info). I assume it’s because they’re assuming that you’ll be connecting it to another vShield Edge device, so their defaults would just work.

I was working with my physical test lab to simulate a customer’s existing hosted solution, i.e. a rack of equipment in their data centre. The firewall I was using was an old Fortigate 200A; however, this is running the latest v4 FortiOS, so it would be the same for any firewall from Fortinet running v4 (v3 would be very, very similar, if you still have that out there).

So, let’s assume the following:

 vOrg Network: 192.168.15.0/24
 vShield Edge IP: 90.1.1.1
 All devices NATed behind the Edge device.
 Legacy Network: 10.30.3.0/24
 Fortigate IP: 80.1.1.1
 All devices NATed behind the Fortigate.

Log in to the VCD portal, go to your vOrg network preferences and right-click the network you want to configure for VPN access.

[Screenshot: Network]

Go to the VPN tab and, if not already enabled, enable the VPN service. Then select New.

[Screenshot: Network2]

Change the “Establish VPN to” to External Network.

[Screenshot: VCDVPN1]

Fill in the following fields:

 Name: Your choice
 Description: Your choice
 Local Networks: LS-Network2 (matches 192.168.15.0/24). Here I chose the network that matched my requirements. (Yours will differ, and you'll need to make the amendments throughout.)
 Peer Networks: 10.30.3.0/24
 VPN Endpoint: The vShield Edge device you're going to terminate the VPN on.
 Local ID: Your choice - just needs to match what you configure the firewall with.
 Peer ID: Your choice - just needs to match what you configure the firewall with.
 Peer IP: This is going to be your other firewall. For me it was 80.1.1.1.
 Encryption Protocol: again, your preference. AES256 is a sane default.
 Shared Key: Your choice - just needs to match what you configure the firewall with.
 The rest: I left as default.

Now this left me asking some questions, i.e. what the other settings were going to be, such as authentication method, DH group, PFS, key lifetime, etc. None of this is listed in the documentation/user guide.

Anyway, to continue, you need to add a firewall rule to allow communication between the two environments. Something like the below, but again, adapt it to your requirements.

[Screenshot: VCDFW]

Moving on to the Fortigate. This took a while to work out, as basically I had to configure the VPN, wait for the edge device to try and bring up the VPN to see what it was proposing, and then set the Fortigate to match (read: a complete PITA). However, now that’s been done, hopefully this will help someone.

Go to your VPN settings and add a new Phase I.

[Screenshot: FNP1]

So the settings here:

 Name: Your choice.
 Remote Gateway: Static IP.
 IP Address: Edge device IP. Mine is 90.1.1.1.
 Local Interface: Your internet facing interface.
 Mode: I chose Main, but this can be your preference.
 Pre-shared Key: What you made up in the earlier steps.
 Enable interface mode (this makes life a lot easier for firewall rules).
 IKE Version: 1
 Local IP: I chose main - your config may differ.
 Encryption: Whatever you chose earlier. AES256 for me.
 Authentication: SHA1 (This is one of the settings not documented anywhere)
 DH Group: 2 (This is one of the settings not documented anywhere)
 Keylife: 28800 (This is one of the settings not documented anywhere)
 DPD: Disabled - The edge device didn't seem to respond to these, so the Fortigate tore the tunnel down. (This is one of the settings not documented anywhere)

Phase II:

[Screenshot: FNP2]

 Name: Your choice.
 Phase I: Select the one you configured above.
 Encryption: AES256 (unless you chose differently above)
 Authentication: SHA1 (This is one of the settings not documented anywhere)
 DH Group: 2 (This is one of the settings not documented anywhere)
 Keylife: 1800 (This is one of the settings not documented anywhere)
 Source Address: 10.30.3.0/24 (yours will need to be changed to match your network)
 Destination Address: 192.168.15.0/24 (match your vOrg Network)
 The Rest: Default.

Next, create the firewall rules: incoming and outgoing for the VPN interface. I won’t go into details here, as if you’re reading this I expect you’ll know how to add a policy.

Static Route. You’ll need to create a static route for the VPN, in order to route traffic down the interface. Interestingly, you didn’t need to do this on the Edge config.

Go to Router > Static > Create New. Something like the below, amended to your network.

[Screenshot: FNSR]

Once this is done, the VPN should come up.
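As an added example (my own, not the author's configuration), here is the Fortigate CLI equivalent of the Phase I, Phase II and static route settings walked through above, using the addresses from the post; the firewall policies are left to the reader as the post does. The interface name wan1, the tunnel name, the two ID strings and the PSK placeholder are assumptions, and exact option names can differ slightly between FortiOS versions.

```fortios
# Added example, not from the original post. Assumes the internet-facing
# interface is "wan1"; the ID strings and CHANGE-ME-PSK are placeholders
# that must match what was entered on the vShield Edge side.
config vpn ipsec phase1-interface
    edit "vcd-vpn"
        set interface "wan1"
        set ike-version 1
        set mode main
        set remote-gw 90.1.1.1
        set localid "fortigate-lab"
        set peertype one
        set peerid "vcd-edge"
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 28800
        # DPD off as in the post: the Edge did not answer DPD probes and
        # the tunnel was torn down. Note a dead peer is then only noticed
        # when rekeying or when traffic fails, so monitor the tunnel.
        set dpd disable
        set psksecret CHANGE-ME-PSK
    next
end
config vpn ipsec phase2-interface
    edit "vcd-vpn-p2"
        set phase1name "vcd-vpn"
        set proposal aes256-sha1
        # DH group 2 in Phase II on a Fortigate means PFS is enabled
        set pfs enable
        set dhgrp 2
        set keylifeseconds 1800
        set src-subnet 10.30.3.0 255.255.255.0
        set dst-subnet 192.168.15.0 255.255.255.0
    next
end
# Interface-mode tunnel: traffic for the vOrg network must be routed
# down the tunnel interface, which is the static route from the post.
config router static
    edit 0
        set dst 192.168.15.0 255.255.255.0
        set device "vcd-vpn"
    next
end
```

Check the result with `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` on the Fortigate; if Phase I never completes, the proposal, DH group or IDs are the usual mismatch.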


Windows 7 RC1, Boot Camp & VMware Fusion – No Networking

Posted on May 7th, 2009 by Luke Sheldrick.
Categories: IT / Tech.

Last week when I was at a festival, my MacBook unfortunately ran totally out of space, and there wasn’t much I could delete. With almost 20 gigs of SD cards, the only thing that could really take the chop was my XP Boot Camp partition.

Cut a long story short, I’ve now got a much bigger drive (500 GB) for my MacBook. With Windows 7 RC1 having just been released, I thought I’d give it a try with Boot Camp.

Installing is pretty easy: burn the Microsoft ISO to a DVD and follow the normal guide. I detest the fact that I need to burn another CD, or use my OS X install DVD (which I can never find), to get the Boot Camp drivers. If, like me, you’d like to download them, I’ve given a link below to where you may find them. I just put them on a USB stick.

Once installed, pretty much everything works under Boot Camp; the only thing I found that didn’t play was ‘Reboot into OS X’, which gives me an error. This isn’t a huge problem, as you can just hold the Alt key on boot-up to select OS X or Windows.

Once I got all that working, I then wanted to get the same build/partition under VMware Fusion. Reading a few guides, the best way is to follow the normal guide for XP, but change it so the guest is set to Windows 2008 Server. Again, all working pretty well once you install VMware Tools.

[Screenshot: No Network]

The only problem I did have was that there was no networking for the guest. The NIC just showed as ‘Ethernet Controller’. Nothing seemed to get this NIC working; I tried manually installing the drivers from the VMware Tools CD and copying them from another Windows 7 guest.

The only thing that seemed to fix it was to shut down the guest, add a second NIC, and boot back up. Windows 7 RC1 installs this NIC with no problems at all, and all is working. Interestingly, it still won’t play with the original one. Nonetheless, it’s all working through its second, new NIC, so I am happy with that.

[Screenshot: Windows 7 with second NIC]

Useful links


VMware Server 2.0 installation error – boche.net – VMware Virtualization Evangelist

Posted on November 20th, 2008 by Luke Sheldrick.
Categories: IT / Tech.

Just tried to re-install VMware Server 2.0 on one of my lab machines, and keep getting “The System Administrator has set policies to prevent this installation”. The blog post below shows how to correct this on a non-domain server.

VMware Server 2.0 installation error – boche.net – VMware Virtualization Evangelist.

For a server on a domain, you’ll need to do this on the DC, naturally.


Fell off the wagon

Posted on September 16th, 2008 by Luke Sheldrick.
Categories: IT / Tech, Personal.

Well, not really, but the whole giving up drinking and shaving until November fell through. Never mind, the hangovers were worth it.. not 🙂

You know, I always have a load of shit I think I should blog about, but when I get 5 to actually sit down and type something up, I’ve either forgotten about it, or, well, think it does indeed sound shit, so forget about it.

Friday saw a few drinks after work, which led to 2 bars, 2 clubs and ending up losing a wad in the casino…. this is when you realise that first shot was a bad, very bad idea. Never mind, had a good night [what I can remember of it anyway].

Spent the weekend working, and starting to play with Gentoo. I’m sure I’ll rant more about that all later. Today I found an absolutely brilliant tool that I had kinda been looking for for a while. I run a couple of servers that run Windows 2003 and VMware Server 1.0.7, mostly just as R&D machines. I could look into setting up a nice ESX cluster, but I just haven’t got around to it. Also on the list to play with are Xen and KVM. KVM especially looks quite interesting; it has just been bought out by Red Hat, and boasts that it can run more on your hardware than VMware can.

Anyway, I digress. What I currently do is pretty bad in the way of backing up my VM guests, in that I will every now and again turn one off, copy its directory on the host, switch it back on, and move that copy offsite. Whilst it works, and is better than nothing, it’s not really ideal as it causes an outage when I do it. I know with Windows Shadow Copy it can copy/mirror drives [including any locked files], but what I wanted to be able to do was the odd locked file, i.e. the vmdk that’s locked. Bring in hobocopy. It does exactly what I was looking for: you can tell it a source and destination file or directory, and it will use the Microsoft Shadow service and mirror it for you, complete and intact. Perfect! It even has the functionality to do incremental backups using a state file. That wouldn’t work for VMware files, as it would just see the file as being changed; even though only 1 meg of the 100 GB file has changed, it would still copy the whole flat file. Barring that, an excellent tool. Now just to set up a schedule to make a mirror and rsync it offsite, and a nice enterprise offsite backup, for nothing 🙂

Tonight I went out with a few friends to the Royal Albert Hall to see cocknbullkid. When my friend told me about it, I kinda didn’t believe it, but yes, it was true. Very good artist, even if the sound levels were a bit off and the set seemed a bit short; really enjoyed it. Then off to Soho for a coffee. Was a bit weird walking around Soho sober, looks totally different to when you’ve had 10 double black russians 🙂 Just for proof, picture below of the comp’ed ticket I / we managed to blag at the door 🙂
