Virtual lab route through VPN

by dood » Mon Feb 11, 2013 5:39 pm

Case ID: 00179835

Hello,

Still trying to get my virtual lab working...
Here is the network schema: http://www.apnet.fr/veeam_archi.jpg

Veeam support checked everything today and concluded that a route is missing between the Veeam backup server and the Virtual Lab.
I agree with that, but before adding the route I tried a few things:
- Ping from the virtual lab (connecting on the console as root) to the masquerade IP of the virtual server which starts on it: no answer
- Ping from the virtual server running on the virtual lab to anywhere (virtual lab, gateway, Veeam, ...): no answer

Could someone let me know which ping tests have to work based on my schema?
(ping from the Veeam server to the Virtual Lab (eth0) works)
dood
Influencer
 
Posts: 23
Liked: 4 times
Joined: Mon Aug 23, 2010 12:32 pm

by chrisdearden » Mon Feb 11, 2013 5:59 pm

I don't recall if the Lab router is set to answer ICMP on any of its interfaces. Putting the lab on a different subnet to the VBR server is quite complex and generally something I'd only recommend for someone who knows their networking pretty well.
chrisdearden
Expert
 
Posts: 1529
Liked: 225 times
Joined: Wed Jul 21, 2010 9:47 am
Full Name: Chris Dearden

by dood » Mon Feb 11, 2013 6:07 pm

Hmmm, interesting... but my Veeam server is not virtualized, so I have no other place to put the lab router :-/
Maybe the solution is to rebuild my physical Veeam server with a free ESXi so I can run my virtual lab "locally"?

by tsightler » Mon Feb 11, 2013 6:52 pm

The big thing missing is the route to the 192.168.100.0/24 network from the Veeam server. You would need to add routes within your network so that attempts to access this network are routed from the Veeam server, through the WAN, to the vLab. It's possible, but as Chris said, a little bit tricky, especially if you're not a network guy. You can also do some clever bridging with OpenVPN or Tinc between two Windows or Linux servers.

The simpler option is probably to just install a B&R server on the side with the vLab.
tsightler
Veeam Software
 
Posts: 4768
Liked: 1737 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

by dood » Mon Feb 11, 2013 11:48 pm

I just added a new route on my VPN link (routing all of the 192.168.100.x subnet through the VPN).
Veeam B&R can now ping the router interface on the 100 subnet but can't access my VM running in the virtual lab, this makes me crazy.

The simpler option unfortunately can't work for me, as my B&R server must be alone on the second physical site (externalized backup).

by foggy » Tue Feb 12, 2013 2:44 pm

dood wrote: Veeam B&R can now ping the router interface on the 100 subnet but can't access my VM running in the virtual lab, this makes me crazy.

Is there a chance of the firewall being active on this VM?
foggy
Veeam Software
 
Posts: 14742
Liked: 1079 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

by tsightler » Tue Feb 12, 2013 3:02 pm

As stated, it's a complex setup. If you can ping the 100 subnet from the B&R server while the Surebackup job is running it really should work assuming all of the other networking is configured correctly. I've actually got this setup configured in my home lab across a network emulator and I've helped several customers get this working as well so it's possible to make it work, but you have to really understand the network of your environment, the vLab, and how the Surebackup job works.

by dood » Tue Feb 12, 2013 3:39 pm

foggy wrote:
dood wrote: Veeam B&R can now ping the router interface on the 100 subnet but can't access my VM running in the virtual lab, this makes me crazy.

Is there a chance of the firewall being active on this VM?

No firewall but nice try :)

tsightler wrote: As stated, it's a complex setup. If you can ping the 100 subnet from the B&R server while the Surebackup job is running it really should work assuming all of the other networking is configured correctly. I've actually got this setup configured in my home lab across a network emulator and I've helped several customers get this working as well so it's possible to make it work, but you have to really understand the network of your environment, the vLab, and how the Surebackup job works.

Alright, good news that someone made it work.
I'm pretty sure that there's a network misconfiguration, but it's a little bit hard to find where, as I can't compare with a similar working solution.

Anyway, maybe you have a schema of your home lab (with the routing rules you set up)?

To check a VM, Veeam sends requests through the network to 192.168.100.5 (AD01 in my example); when this request is accepted by the Virtual Lab, it is NATed to 192.168.1.5 in the isolated environment.
Please correct me if I'm wrong :wink:

Another wonderful schema: http://www.apnet.fr/veeam_archi_2.jpg

by tsightler » Tue Feb 12, 2013 5:56 pm

The one thing that jumps out to me on the diagram is the 192.168.100.253 address on the router on the vLab side. This makes it look like you added a 192.168.100.253 address to the router on the vLab side, but this isn't correct (unless I'm misreading the diagram). The router on the vLab side simply needs to have a route to the 192.168.100.x network via 192.168.1.100 which is the IP address of the vLab proxy. This will cause the router to send all packets destined for 192.168.100.x addresses to the vLab proxy which will then translate those addresses to the "real" addresses in the vLab.
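
The routing described in the post above, as an added example that is not part of the original thread: a small model that follows a packet for a masquerade address hop by hop and applies the vLab proxy's address translation. The subnets come from the thread; the device names and routing tables are constructed for illustration.

```python
import ipaddress

MASQ_NET = ipaddress.ip_network("192.168.100.0/24")  # masquerade subnet (from the thread)
LAB_NET = ipaddress.ip_network("192.168.1.0/24")     # isolated vLab subnet (from the thread)

def masquerade_to_real(addr, masq=MASQ_NET, real=LAB_NET):
    """Map a masquerade address to the isolated address with the same host part."""
    ip = ipaddress.ip_address(addr)
    if ip not in masq:
        raise ValueError(f"{addr} is not in masquerade network {masq}")
    return str(real.network_address + (int(ip) - int(masq.network_address)))

def next_hop(table, dst):
    """Longest-prefix match over {cidr: next_hop}; None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(cidr), hop) for cidr, hop in table.items()]
    hits = [(net, hop) for net, hop in hits if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, src, dst, proxy="vlab-proxy", max_hops=8):
    """Follow dst through per-device routing tables; return (path, outcome)."""
    path, node = [src], src
    for _ in range(max_hops):
        if node == proxy:              # the proxy translates and delivers
            return path, masquerade_to_real(dst)
        if node not in tables:         # packet left the modelled network
            return path, f"dropped at {node}"
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path, f"no route at {node}"
        node = hop
        path.append(node)
    return path, "routing loop"

# Constructed tables; device names are hypothetical labels, not from the thread.
# Before: only the production subnet is carried by the VPN, so traffic for
# 192.168.100.x follows the site B default route instead of the tunnel.
BEFORE = {
    "veeam-br": {"0.0.0.0/0": "siteB-fw"},
    "siteB-fw": {"192.168.1.0/24": "siteA-fw", "0.0.0.0/0": "wan"},
    "siteA-fw": {"192.168.1.0/24": "lan"},
}
# After: the VPN carries 192.168.100.0/24 and site A routes it to the vLab proxy.
AFTER = {**BEFORE,
    "siteB-fw": {**BEFORE["siteB-fw"], "192.168.100.0/24": "siteA-fw"},
    "siteA-fw": {**BEFORE["siteA-fw"], "192.168.100.0/24": "vlab-proxy"}}

if __name__ == "__main__":
    for name, tables in (("before", BEFORE), ("after", AFTER)):
        print(name, trace(tables, "veeam-br", "192.168.100.5"))
```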


by dood » Tue Feb 12, 2013 6:32 pm

I'm doing some more tests but I think it seems to work now!!!

The address 192.168.100.253 on the router is the secondary interface for the .100 subnet; I can't mount a VPN on 2 subnets without defining this interface.
In a working case, should I be able to access "outside" (i.e. Google or the local production network) FROM a virtual lab VM?

by tsightler » Tue Feb 12, 2013 6:45 pm

dood wrote: In a working case, should I be able to access "outside" (i.e. Google or the local production network) FROM a virtual lab VM?


By default behavior, no, you should not. Otherwise it wouldn't really be "isolated". However, you can enable access to websites using a simple proxy that's available on the vLab proxy appliance as described in the following KB article:

http://www.veeam.com/kb1165

by dood » Tue Feb 12, 2013 10:37 pm (2 people like this post)

Here we go, everything you need to make this work*:

Image

The production site is in one datacenter (site A), Veeam B&R is in another datacenter (site B).
Veeam B&R is not virtualized.

VPN connections are established through Sonicwall appliances.

I won't give you lots of details about the Virtual Lab configuration because there's nothing very specific.
For my example:

Application Group:
- AD01 (Active Directory server, 192.168.1.5)

Virtual Lab:
Proxy:
- IP address: 192.168.1.110
- Subnet mask: 255.255.255.0
- Gateway: 192.168.1.250
- DNS server: 192.168.1.5
Networking:
- Advanced
Network Settings:
- IP address: 192.168.1.250
- Mask: 255.255.255.0
- Masquerade IP address: 192.168.100.D


The Veeam B&R server should be able to ping the virtual lab VMs when started.
Virtual lab VMs can be pinged through their masquerade IP (i.e. 192.168.100.5 for AD01).
So you need to route this subnet over the VPN connections.

On Sonicwall, you can make one VPN connection and route n subnets inside it.

On the Site A Sonicwall:

Go to "Network/Interfaces", click "Add Interface ..." and set:
- Zone: LAN
- VLAN Tag: 1
- Parent interface: X0 (LAN zone)
- IP Address: 192.168.100.1 (any available address on the 100 subnet)
- Subnet mask: 255.255.255.0

Assuming you already have your VPN working with only one subnet and would like to add the masquerade subnet:
Just check your VPN policy: in the "Network" tab, set "Choose local network from list: LAN Subnets".

Finally add a NAT rule:
In "Network/NAT Policies" click "Add ..."
- Original Source: Any
- Translated Source: Original
- Original Destination: 192.168.100.5
- Translated Destination: 192.168.1.110
- Original Service: Any
- Translated Service: Original

On the Site B Sonicwall:

Edit your working VPN policy:
In the "Network" tab, set "Choose destination network from list: <predefined object>".
<predefined object> is an address group which contains 2 address objects, obj1 and obj2:

- Name: obj1
- Zone assignment: LAN
- Type: Network
- Network: 192.168.1.0
- Netmask: 255.255.255.0

- Name: obj2
- Zone assignment: LAN
- Type: Network
- Network: 192.168.100.0
- Netmask: 255.255.255.0

Some things I've read in topics:
- Check the VM firewall (disable for testing purposes)
- Check antivirus (Symantec seems to be problematic)

* : doesn't work totally, but can ping the virtual lab's VM :mrgreen:

by dood » Tue Feb 12, 2013 10:40 pm

tsightler wrote: By default behavior, no, you should not. Otherwise it wouldn't really be "isolated". However, you can enable access to websites using a simple proxy that's available on the vLab proxy appliance as described in the following KB article:
http://www.veeam.com/kb1165


Fine, so no issue here.

by dood » Sun Feb 17, 2013 2:00 pm

Got some time to try to make this thing work.

My virtual lab's VM now starts successfully, but apart from ICMP frames no TCP traffic seems to pass (telnet from Veeam B&R to 192.168.100.5:389 fails).

Telnet tests work fine to the production VM (from the Veeam B&R server and through the same VPN), so no software firewall/antivirus issue.
When trying the same test with ICMP packets, I get a 100% success.

The NAT rule which I defined on my firewall applies to all services (TCP, UDP, ICMP).

I ran a packet monitor on the production and Veeam routers and it seems that everything is fine:
Image

Are ICMP and TCP frames processed in a different way by the virtual lab?

by foggy » Tue Feb 19, 2013 12:59 pm

ICMP and TCP traffic is processed by the virtual appliance in the same way, so masquerade addresses should be accessible by both protocols. Seems like something environmental, I recommend asking support for assistance.