Enterprise Gateway Configuration for End-to-End validation of HNV Gateway connectivity

This post will help you configure an Enterprise or Physical Infrastructure Gateway using Windows RRAS to validate the end-to-end (E2E) data path for Gateway connections to the SDN Private Cloud that you have set up using the instructions from these deployment guides.

To understand the deployment topology for various types of Gateways, we need to first understand the corresponding scenarios that these gateways are used in. This will help clarify the placement and configuration of Enterprise or Physical Infrastructure Gateways for their corresponding HNV Gateways.

Types of Gateways and their corresponding deployment scenarios

There are three types of Gateways available in the Windows SDN solution for connectivity with non-SDN infrastructure. This infrastructure could be an Enterprise on-premises network connected over the public internet or a dedicated leased line, or a physical infrastructure.

IPsec Gateways

IPsec Gateways are used for connecting Virtual Networks with other virtualized or physical networks (usually Enterprise on-premises networks) over the public internet. The Enterprise gateway and the HNV Gateway establish a secure IPsec connection between their public Internet IP addresses to exchange data between the two networks.

(Diagram: IPsec Gateway topology)

GRE Gateway

GRE Gateways are used for connecting Virtual Networks with other physical networks over dedicated connectivity. The Physical Network gateway (the GRE terminating device) and the HNV Gateway establish a connection identified by a unique GRE key to exchange data between the two networks.

(Diagram: GRE Gateway topology)


Layer 3 Forwarding Gateways

Layer 3 Forwarding Gateways are used for connecting Virtual Networks with other physical networks (usually shared resources inside the hoster premises) over a VLAN-isolated network. The Physical Network gateway (a Layer 3 router) and the HNV Gateway establish the connection over this network, isolated by a unique VLAN ID, to exchange data between the two networks.

(Diagram: Layer 3 Forwarding Gateway topology)


Setting up an Enterprise / Physical Network Gateway

To set up or simulate a non-SDN gateway, you will need to deploy a Windows Server host or virtual machine and make sure it has at least two network adapters. One of these adapters must be available to connect with the HNV Gateways as shown in the diagrams above, and the other adapter is used for connecting with client computers inside the non-SDN network.

Once the Gateway hosts or VMs are installed and started, log on to the Gateway and configure it for the required scenario by following the instructions below:

Install Remote Access Service

Via PowerShell cmdlets

# Add RemoteAccess Feature 
Add-WindowsFeature -Name RemoteAccess -IncludeAllSubFeature -IncludeManagementTools 
Import-Module RemoteAccess

# Install RemoteAccess in VpnS2S Mode 
Install-RemoteAccess -VpnType VpnS2S

# Check the service installation status 
Get-Service RemoteAccess

Via Server Manager UI

  • Open Server Manager
  • On the Dashboard screen, click on Add roles and features under Configure this local server
  • Click Next on the Before You Begin screen
  • Select Installation type as Role-based or feature-based installation option and click Next
  • Select the default option (local server) on Server Selection screen and click Next
  • Select Remote Access under Server Roles and click Next
  • Click Next on Features screen
  • On Remote Access Welcome screen, click Next
  • On the Role Services screen, select DirectAccess and VPN (RAS) and Routing, and click Add Features for any dependencies in the pop-up window. Click Next.
  • Click Next on Web Server Role (IIS)
  • Under WebServer Role services, click Next with default selections
  • Review the configuration and click Install to install Remote Access. Close the window when the installation finishes.

Setting up an IPsec Network Connection

# Add the VPN S2S (demand-dial) interface towards the HNV Gateway; the backtick continues the command on the next line
Add-VpnS2SInterface -Name "ToCloud" -Protocol IKEv2 -Destination "<Cloud GW's Public IPv4 Address>" -AuthenticationMethod PSKOnly `
    -SharedSecret "P@ssw0rd" -Persistent -IPv4Subnet "<Cloud Network>/<Prefix Length>:<Metric>" `
    -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES256 -DHGroup Group2 -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA1 -PfsGroup PFS2048 -EnableQoS Enabled -NumberOfTries 0

# Connect VPN S2S Interfaces with HNV Gateway 
Connect-VpnS2SInterface -Name "ToCloud" -PassThru

Note: You can also configure an IPsec network connection (called a demand-dial interface) from the Routing and Remote Access UI by following the Routing and Remote Access Server Setup Wizard.
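The interface above negotiates SHA-1 integrity, DH Group2 (1024-bit MODP) and a pre-shared key typed on the command line. The following is an added example, not part of the original post or of Windows RRAS itself: the same demand-dial interface with SHA-256, AES-256 and 2048-bit groups, with the key read from a variable. It assumes the HNV Gateway side of the connection is configured with the same cryptographic parameters (IKE negotiation fails otherwise); the angle-bracket values and the variable names are placeholders.

```powershell
# Added example: hardened variant of the page's IPsec demand-dial interface.
# Placeholders: replace the angle-bracket values; $psk must match the key configured on the HNV Gateway.
Import-Module RemoteAccess

$cloudGwPublicIp = '<Cloud GW''s Public IPv4 Address>'         # placeholder
$cloudSubnet     = '<Cloud Network>/<Prefix Length>:100'       # placeholder, route metric 100
$psk             = '<pre-shared key from your secret store>'   # placeholder; avoid a literal in the script

# IKEv2 S2S interface using SHA-256 integrity, AES-256 encryption and 2048-bit MODP
# for both the IKE exchange (Group14) and quick-mode PFS (PFS2048).
# Assumption: the HNV Gateway connection uses the same suite.
Add-VpnS2SInterface -Name 'ToCloud' -Protocol IKEv2 -Destination $cloudGwPublicIp `
    -AuthenticationMethod PSKOnly -SharedSecret $psk -Persistent `
    -IPv4Subnet $cloudSubnet `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -DHGroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -PfsGroup PFS2048 -NumberOfTries 0

# Bring the interface up
Connect-VpnS2SInterface -Name 'ToCloud' -PassThru

# Confirm which parameters were actually applied to the interface
Get-VpnS2SInterface -Name 'ToCloud' |
    Select-Object Name, ConnectionState, DHGroup, EncryptionMethod, IntegrityCheckMethod, PfsGroup
```

The weak and hardened commands differ only in the five cryptographic parameters, so the page's own connect and status steps apply unchanged; what must not be overlooked is that the cloud-side connection in the SDN deployment has to be changed to the same values at the same time.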

Setting up a GRE Network Connection

# Add the GRE VPN S2S interface towards the HNV Gateway; the backtick continues the command on the next line
Add-VpnS2SInterface -GreTunnel -Name "ToCloud" -GreKey 1234 -Destination "<Cloud GW's Public IPv4 Address>" `
    -IPv4Subnet "<Cloud Network>/<Prefix Length>:100" -SourceIPAddress "<Gateway's Internet IP Address>"

# Bring the GRE tunnel administratively up to connect with the HNV Gateway
Set-VpnS2SInterface -Name "ToCloud" -GreTunnel -AdminStatus:$true

Setting up a Layer 3 Forwarding Gateway

# Enable IP forwarding on all network adapters (this host acts as a router for the L3 scenario)
$netAdapters = @(Get-NetAdapter)
foreach ($netAdapter in $netAdapters) {
    Set-NetIPInterface -InterfaceIndex $netAdapter.ifIndex -Forwarding Enabled
}

# Plumb the routes to the Virtual Network subnets on the DMZ / external interface
$IPv4Subnets = @("<Vnet Subnet 1>", "<Vnet Subnet 2>")
foreach ($subnet in $IPv4Subnets) {
    New-NetRoute -InterfaceAlias "<Network Adapter connected to VLAN Network>" -DestinationPrefix $subnet `
        -NextHop "<HNV Gateway's L3 Forwarding IP Address>" -Confirm:$false -ErrorAction Ignore
}
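The IPsec, GRE and Layer 3 Forwarding sections each end with the tunnel up or the routes plumbed, but not with a check that traffic actually crosses into the virtual network. The function below is an added example, not part of the original post or of Windows RRAS; it assumes a VM inside the virtual network that answers ICMP (placeholder `<VM IP in Vnet>`), reuses the interface name and subnet placeholders from the sections above, and the function name and parameters are mine.

```powershell
# Added example (not from the original post): validate the data path from this gateway
# into the virtual network. Angle-bracket values are placeholders.
Import-Module RemoteAccess

function Test-GatewayDataPath {
    param(
        [Parameter(Mandatory)] [string[]] $VnetSubnets,    # e.g. '10.10.1.0/24'
        [Parameter(Mandatory)] [string]   $VnetTestHost,   # IP of a VM inside the virtual network
        [string]   $S2SInterfaceName,                       # 'ToCloud' for IPsec/GRE; omit for L3 forwarding
        [string[]] $ForwardingAdapters                      # adapters that must forward (L3 scenario)
    )
    $ok = $true

    # 1. Tunnel state (IPsec and GRE scenarios only)
    if ($S2SInterfaceName) {
        $iface = Get-VpnS2SInterface -Name $S2SInterfaceName -ErrorAction SilentlyContinue
        if (-not $iface) {
            Write-Warning "S2S interface '$S2SInterfaceName' not found"; $ok = $false
        } elseif ($iface.ConnectionState -ne 'Connected') {
            Write-Warning "S2S interface '$S2SInterfaceName' is $($iface.ConnectionState)"; $ok = $false
        }
    }

    # 2. IP forwarding on the adapters that carry transit traffic (L3 scenario)
    foreach ($alias in $ForwardingAdapters) {
        $ipif = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue
        if (-not $ipif -or $ipif.Forwarding -ne 'Enabled') {
            Write-Warning "IPv4 forwarding is not enabled on '$alias'"; $ok = $false
        }
    }

    # 3. A route for every virtual network subnet must exist in the local routing table
    foreach ($subnet in $VnetSubnets) {
        $route = @(Get-NetRoute -DestinationPrefix $subnet -ErrorAction SilentlyContinue)
        if ($route.Count -eq 0) {
            Write-Warning "No route for $subnet"; $ok = $false
        } else {
            Write-Host "Route $subnet via $($route[0].NextHop) on $($route[0].InterfaceAlias)"
        }
    }

    # 4. ICMP reachability of a host inside the virtual network
    $reply = Test-Connection -ComputerName $VnetTestHost -Count 2 -Quiet -ErrorAction SilentlyContinue
    if (-not $reply) {
        Write-Warning "No ICMP reply from $VnetTestHost"; $ok = $false
    }

    return $ok
}

# Usage (placeholders):
# IPsec / GRE:
#   Test-GatewayDataPath -VnetSubnets '<Vnet Subnet 1>' -VnetTestHost '<VM IP in Vnet>' -S2SInterfaceName 'ToCloud'
# Layer 3 forwarding:
#   Test-GatewayDataPath -VnetSubnets '<Vnet Subnet 1>','<Vnet Subnet 2>' -VnetTestHost '<VM IP in Vnet>' `
#       -ForwardingAdapters '<Network Adapter connected to VLAN Network>','<Adapter connected to Client Computers>'
```

The function returns `$false` and prints a warning for the first layer that fails (tunnel, forwarding, route, reachability), which is the order in which a practitioner would troubleshoot. The ICMP step assumes the test VM's host firewall allows echo requests; if it does not, replace step 4 with `Test-NetConnection -ComputerName $VnetTestHost -Port <open TCP port>`.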

Setting up a BGP Router

# Add the BGP router
Add-BgpRouter -BgpIdentifier "<Local Gateway's Enterprise IP Address>" -LocalASN 64522 -PassThru

# Add the BGP peer (the HNV Gateway); the backtick continues the command on the next line
Add-BgpPeer -Name CloudPeer -LocalIPAddress "<Local Gateway's Enterprise IP Address>" -PeerIPAddress "<Cloud Gateway's VSID IP Address>" `
    -PeerASN 64512 -PassThru

# Connect BGP Peers and check if the routes are exchanged and Hosted networks are accessible 
Start-BgpPeer -Name CloudPeer 
Get-BgpPeer -Name CloudPeer 

# Retrieve BGP Learned Routes 
Get-BgpRouteInformation
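Get-BgpPeer and Get-BgpRouteInformation above show the raw peer state and route table. The following is an added example, not from the original post: it restricts what this gateway accepts from CloudPeer to the expected virtual network prefixes and then verifies that the peer is connected and that exactly those prefixes were learned. The policy name 'AllowVnetPrefixes', the prefix placeholders and the assumption that the HNV Gateway advertises only the virtual network subnets are mine; whether an Allow policy by itself drops unmatched prefixes is not stated on this page, so the check also flags any learned prefix outside the expected set.

```powershell
# Added example (not from the original post). Angle-bracket values are placeholders.
Import-Module RemoteAccess

$peerName         = 'CloudPeer'
$expectedPrefixes = @('<Vnet Subnet 1>', '<Vnet Subnet 2>')   # placeholders, e.g. '10.10.1.0/24'

# Ingress policy on the cloud peer: only the expected virtual network prefixes are allowed in.
# The policy name is assumed; PolicyType/MatchPrefix/Direction are RemoteAccess module parameters.
Add-BgpRoutingPolicy -Name 'AllowVnetPrefixes' -PolicyType Allow -MatchPrefix $expectedPrefixes
Add-BgpRoutingPolicyForPeer -PeerName $peerName -PolicyName 'AllowVnetPrefixes' -Direction Ingress

function Test-BgpPeerRoutes {
    param(
        [Parameter(Mandatory)] [string]   $PeerName,
        [Parameter(Mandatory)] [string[]] $ExpectedPrefixes
    )
    # Peer must be in the Connected state before any route check makes sense
    $peer = Get-BgpPeer -Name $PeerName -ErrorAction Stop
    if ($peer.ConnectivityStatus -ne 'Connected') {
        Write-Warning "BGP peer $PeerName is $($peer.ConnectivityStatus)"
        return $false
    }

    # Routes this router learned from that peer
    $learned = @(Get-BgpRouteInformation | Where-Object { $_.LearnedFromPeer -eq $PeerName })
    $ok = $true

    # Every expected virtual network prefix must have been learned
    foreach ($prefix in $ExpectedPrefixes) {
        if ($learned.Network -notcontains $prefix) {
            Write-Warning "Expected prefix $prefix not learned from $PeerName"; $ok = $false
        }
    }

    # Anything beyond the expected set means the peer or the ingress policy is not behaving as intended
    foreach ($route in $learned) {
        if ($ExpectedPrefixes -notcontains $route.Network) {
            Write-Warning "Unexpected prefix $($route.Network) learned from $PeerName (next hop $($route.NextHop))"
            $ok = $false
        }
    }
    return $ok
}

Test-BgpPeerRoutes -PeerName $peerName -ExpectedPrefixes $expectedPrefixes
```

Run the function after Start-BgpPeer has had time to complete the session; a `$false` result with an "Unexpected prefix" warning is the case worth investigating, because a route for a prefix outside the virtual network would pull that traffic from the enterprise side into the tunnel.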