My new article with @AltaroSoftware – How to Boost Network Performance Inside China’s Great Firewall

Together with Altaro, I wrote a new article about how to improve performance for users inside China using services and cloud services outside China.

I hope you enjoy reading.

How to download VPN Device Configurations from Azure

Hi everyone,

As you may know, configuring an IPsec VPN between Azure and the various firewall / VPN device vendors can become very tricky.

Some devices, such as those from Palo Alto, Barracuda, Fortinet or Check Point, can autonegotiate the VPN configuration with an Azure Virtual Network Gateway, but there are others, such as those from Cisco or Ubiquiti Networks, that require a manual configuration.

Microsoft has added a very small but amazing new feature to the Azure Virtual Network Gateway service. It happened very quietly sometime in the last few weeks.

Since that update you are able to download the VPN configuration for some of those vendors where a manual configuration is needed. You can easily replicate or upload the configuration to your device and it will do the rest.

Let me show you how to do it.

Select the connection of your Local Network Gateway / ExpressRoute Circuit to your Virtual Network Gateway.

Afterwards, click on Download Configuration.

Now select your vendor or the generic sample.

Select the device.

Select the firmware version.

And at last, download the configuration.

The outcome will be a file with a configuration similar to this one.

! Microsoft Corporation
! ----------------------------------------------------------------------------------------------
! Generic configuration templates
!
! IMPORTANT: This template is for Allied Telesis AR Series VPN Routers running on Firmware Version 5.4.7 or higher.
!
! This configuration template shows all the VPN configuration parameters associated with your S2S VPN connection.
! The script you need to copy onto your Allied Telesis AR Series VPN Router (5.4.7+) to setup a RouteBased IKEv2 VPN Tunnel to Azure with VTI Support (no BGP) is found below [#10]:
! ----------------------------------------------------------------------------------------------

! [1] Resource names
! CONNECTION NAME : This field is the name of your connection resource
! VIRTUAL NETWORK GATEWAY : The name of your Azure VPN gateway resource for the connection
! LOCAL NETWORK GATEWAY : The name of your local network gateway resource for the connection
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_NAME = Demo-GW01-Demo-LW01
/Data/VNG_NAME = b3b85211-0dd1-4850-87c9-1029cc4579da
/Data/LNG_NAME = Demo-LW01
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [2] Public IP address of the Azure VPN gateway
! Active-Standby VPN gateway (single public IP address)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/VNG_GATEWAYIP = 51.144.114.218
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Active-Active VPN gateway (A/A mode if more than one public IP is listed below)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VNG_GATEWAYIPS/IpAddress/IP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [3] Public IP address of the on-premises VPN device
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_GATEWAYIP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [4] VNet address prefixes: a list of all VNet address prefixes in different formats
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 192.168.155.0
SP_NetworkSubnetMask = 255.255.255.0
SP_NetworkWildcardBits = 0.0.0.255
SP_NetworkCIDR = 192.168.155.0/24
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [5] On-premises address prefixes: a list of all on-premises address prefixes defined in LNG
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/OnPremiseSubnets/Subnet/SP_NetworkIpRange = 172.20.100.0
SP_NetworkSubnetMask = 255.255.252.0
SP_NetworkWildcardBits = 0.0.3.255
SP_NetworkCIDR = 172.20.100.0/22
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [6] Phase 1/Main Mode:
! IKE encryption algorithm
! IKE hashing algorithm
! IKE Diffie-Hellman group
! IKE SA lifetime (seconds)
! IKE SA data size (Kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IKE_ENCRYPTION_1 = aes256
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IKE_SALIFETIME_1 = 28800
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [7] Phase 2/Quick Mode:
! IPsec encryption algorithm
! IPsec hashing algorithm
! PFS Group (Perfect Forward Secrecy)
! IPsec SA (QMSA) lifetime (seconds)
! IPsec SA (QMSA) lifetime (kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IPsec_ENCRYPTION_1 = aes256
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/IPsec_SALIFETIME = 3600
/Data/IPsec_KB_SALIFETIME = 102400000
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [8] Connection pre-shared key
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_PSK = Abcd1234
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [9] BGP parameters - Azure VPN gateway
! Enable BGP
! BGP ASN for Azure VPN gateway
! BGP speaker IP address for the Azure VPN gateway
! BGP peer IP address(es)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_BGP_ENABLED = False
/Data/VNG_ASN = VNG_ASN
/Data/VNG_BGPIP = VNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [10] BGP parameters - on-premises network / LNG
! BGP ASN for the on-premises network
! BGP speaker IP address for the on-premises network
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_ASN = LNG_ASN
/Data/LNG_BGPIP = LNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! ########################################################################################################
! !!! Search for "REPLACE" to find the values that require special considerations
! ########################################################################################################
! ON-PREMISES ENVIRONMENT:
!
! - AR-Series WAN/Public Interface:
! INTERFACE: ETH1
! ZONE: VPN
! IP: VPN PUBLIC IP
! ISP Default GW: x.x.x.1
!
! - A.T ONPREMISES/LOCAL ENVIRONMENT:
! INTERFACE: VLAN1
! ZONE: PRIVATE
! On-Premises Addr Range: ON-PREMISES ADDRESS RANGE (ex. 192.168.1.0/24)
! A.T MGMT/LAN Interface: 192.168.1.254
!
! - AR-Series VPN BLADE:
! TUNNEL VTI IP: ex. 192.168.2.222/32
! TUNNEL INTERFACE: tunnel0
! ISAKMP PROFILE: AZURE-ISAKMP
! IPSEC PROFILE: AZURE-IPSEC
! ISAKMP PEER: AZURE GW PUBLIC IP
!
! AZURE VNET ENVIRONMENT:
!
! - AZURE VIRTUAL NETWORK:
! - ADDRESS RANGE: AZURE ADDRESS RANGE (ex. 10.10.0.0/16)
! - AZURE GATEWAY IP: AZURE GATEWAY PUBLIC IP

! ============================================================================================
! Example – Allied Telesis AR Series VPN Router (5.4.7+) in Active/Passive Azure GW Mode, with VTI Support (No BGP Router)
! ============================================================================================

! FOLLOW THESE STEPS TO CREATE YOUR IKEv2 TUNNEL TO AZURE:

! CREATE YOUR PRIVATE ZONE, CONTAINING YOUR ON-PREMISES/LAN NETWORK
! Note: REPLACE "vlan1" and "192.168.1.254" as needed. They are used here as examples for your LAN network and LAN Host/Management IP.

zone PRIVATE
network LAN
ip subnet 172.20.100.0/22 interface vlan1
host LAN_IP
ip address 192.168.1.254
!

! Note: REPLACE "eth1" as needed. It is used here as your WAN interface.
zone PUBLIC
network WAN
ip subnet 0.0.0.0/0 interface eth1
host WAN_IP
ip address
!

! Note: REPLACE "tunnel0" as needed. It is used here to denote your VTI tunnel interface.
zone VPN
network AZURE
ip subnet 192.168.155.0/24 interface tunnel0
!

application esp
protocol 50
!
application icmp
protocol icmp
!
application isakmp
protocol udp
sport 500
dport 500
!
! Below shows you how to enable the Web-Control Feature Function, in case you have a valid feature license key (commented out)
!web-control
! action permit
! provider digitalarts
!

! THESE ARE YOUR REQUIRED FIREWALL RULES FOR YOUR AZURE CONNECTION

firewall
rule 10 permit isakmp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 20 permit isakmp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 30 permit esp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 40 permit esp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 45 permit ping from PRIVATE to PRIVATE
rule 50 permit ping from VPN.AZURE to PRIVATE.LAN
rule 60 permit ping from PRIVATE.LAN to VPN.AZURE
rule 70 permit ping from PUBLIC.WAN to PRIVATE.LAN
rule 75 permit ping from PRIVATE to PUBLIC
rule 80 permit any from PRIVATE.LAN to VPN.AZURE
rule 90 permit any from VPN.AZURE to PRIVATE.LAN
protect
!

! NAT RULE
nat
rule 10 masq any from PRIVATE to PUBLIC
enable
!

! AZURE IPSEC PROFILE
crypto ipsec profile AZURE-IPSEC-Demo-GW01-Demo-LW01
lifetime seconds 3600
transform 1 protocol esp integrity SHA1 encryption AES256
!

! AZURE ISAKMP/IKEv2 PHASE 1 PROFILE
crypto isakmp profile AZURE-IPSEC-Demo-GW01-Demo-LW01
!
crypto isakmp profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
version 2
lifetime 28800
transform 1 integrity SHA1 encryption AES256 group 2
!

! AZURE ISAKMP PRE-SHARED KEY
crypto isakmp key 8 Abcd1234 address
!

! AZURE ISAKMP PEER (AZURE GATEWAY)
crypto isakmp peer address <-> profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
!

! MAKE SURE YOU HAVE CONFIGURED VPN WAN INTERFACE WITH A PUBLIC IP ADDRESS. BELOW IS AN EXAMPLE
! Note: REPLACE "eth1" if already used.
! Note: REPLACE subnet prefix "/24" below by the correct prefix (offered by your ISP) for your public IP block if it's different.

interface eth1
description external wan
ip address 84.177.215.91/24

! MAKE SURE YOU HAVE CONFIGURED YOUR VPN MANAGEMENT/LAN INTERFACE, FOR YOUR ONPREMISES NETWORK. BELOW IS AN EXAMPLE
! Note: REPLACE "vlan1" if already used
! IMPORTANT:
! Ensure that the management interface for your onPremises network, that is used by your AR-Series LAN, is listed below !
! REPLACE "192.168.1.254" as needed (Azure does not have visibility over your MGMT IP).
! In this example, my management IP is 192.168.1.254, for my onPremises LAN network 192.168.1.0/24.

interface vlan1
description Internal LAN
ip address 192.168.1.254/24

! CREATE YOUR VTI INTERFACE FOR THE ROUTEBASED TUNNEL TO AZURE:
! REPLACE "Tunnel0" to something else, if already used.
! IMPORTANT: Ensure that the local network address space for your onPremises network, that is used by your AR-Series LAN interface, is listed under "tunnel local selector" !
! -> It is essential to list this one first in the Azure Portal, under your Local Network Gateway -> Configuration -> "Address Space" blade.
! -> Following this, you must also define your VTI interface next (/32), as a second entry under the same Azure blade mentioned above.
! (LNG -> Configuration -> "Address Space")

! IMPORTANT NOTES:
! > Your VTI Interface IP below (192.168.2.222/32) is an example. REPLACE '192.168.2.222/32' with a different /32 host IP, if this range is already used by another interface.
! > As explained above, make sure that you have also added this IP to the "LOCAL NETWORK GATEWAY" object in the Azure Portal, following your actual LAN segment. When doing so, please
! add a /32 subnet mask to it, and ensure that this IP doesn't overlap with your on-premises address range(s).

interface Tunnel10
ip address 192.168.2.222/32
ip tcp adjust-mss 1350
tunnel source
tunnel destination
tunnel local selector 1 172.20.100.0/22
tunnel remote selector 1 192.168.155.0/24
tunnel protection ipsec profile AZURE-IPSEC-PROFILE-Demo-GW01-Demo-LW01
tunnel mode ipsec ipv4
!

! CREATE YOUR STATIC ROUTES
! Note: The 0/0 route needs to have your ISP Default GW as your Next-Hop.
! REPLACE “x.x.x.1” by your assigned ISP Default GW IP.

ip route 0.0.0.0/0 x.x.x.1 eth1
ip route 192.168.155.0/24 tunnel0
!
line con 0
line vty 0 4
!
end
!--------------------------------------------------END--------------------------------------------------!
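The portal steps above can also be scripted. The following is an added example, not part of the post or of Microsoft's template: it downloads the same device configuration with the Az.Network cmdlets and then parses the /Data/ lines to flag the Phase 1/Phase 2 defaults the template ships with (SHA1 integrity, DH group 2, PFS None) and a short sample PSK, which a reviewer would want tightened before the tunnel goes live. Resource group, gateway, connection, vendor, family and firmware strings are placeholders.

```powershell
# Added example (not from the post). Requires the Az.Network module and an
# authenticated session (Connect-AzAccount). All REPLACE-* values are placeholders.
$rg   = 'REPLACE-resource-group'
$gw   = 'REPLACE-virtual-network-gateway'
$conn = 'REPLACE-connection-name'

# The vendor/family/firmware strings must match an entry of the supported-device list
# (the same list the portal dropdowns are built from); save it for reference.
Get-AzVirtualNetworkGatewaySupportedVpnDevice -ResourceGroupName $rg -Name $gw |
    Out-File -FilePath ".\$gw-supported-devices.xml"

$script = Get-AzVirtualNetworkGatewayConnectionVpnDeviceConfigScript `
    -ResourceGroupName $rg -Name $conn `
    -DeviceVendor 'REPLACE-vendor' -DeviceFamily 'REPLACE-family' -FirmwareVersion 'REPLACE-firmware'

# The script embeds the connection PSK in clear text (section [8] of the template),
# so write it only to a location with restricted ACLs.
$script | Set-Content -Path ".\$conn-device-config.txt"

# Parse the "/Data/KEY = value" lines of the template into a hashtable.
$data = @{}
foreach ($line in ($script -split "`r?`n")) {
    if ($line -match '^/Data/(\S+?)\s*=\s*(.*)$') { $data[$Matches[1]] = $Matches[2].Trim() }
}

# Flag defaults a reviewer should tighten with a custom IPsec/IKE policy on the connection.
$findings = @()
if ($data['IKE_INTEGRITY_1']   -eq 'sha1') { $findings += 'Phase 1 integrity is SHA1; prefer SHA256 or stronger' }
if ($data['IPsec_INTEGRITY_1'] -eq 'sha1') { $findings += 'Phase 2 integrity is SHA1; prefer SHA256 or AES-GCM' }
if ($data['IKE_DHGROUP_1'] -match '^\d+$' -and [int]$data['IKE_DHGROUP_1'] -lt 14) {
    $findings += "Phase 1 DH group $($data['IKE_DHGROUP_1']) is below group 14 (2048-bit MODP)"
}
if ($data['IPsec_PFSGROUP_1'] -eq 'None') { $findings += 'Phase 2 PFS is disabled' }
if ($data['CONNECTION_PSK'] -and $data['CONNECTION_PSK'].Length -lt 20) {
    $findings += 'Pre-shared key is short; set a long random key on the connection and re-download'
}
if ($findings.Count -eq 0) { 'No weak defaults found in the template' } else { $findings }
```

Azure lets you attach a custom IPsec/IKE policy to the connection (New-AzIpsecPolicy together with Set-AzVirtualNetworkGatewayConnection -IpsecPolicies); after changing it, download the template again so the device-side transform sets match what the gateway will negotiate.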

I hope the post was helpful and if you have any questions, don’t hesitate to ask.

Cheers,
Flo

Poor network performance in VM when creating a virtual switch and using broadcom NIC with Windows Server 2012

This issue is resolved; please read this post: http://cloud.klafox.rocks/?p=2050

Some customers reported performance issues to me with virtual machines running on Hyper-V V3 (Windows Server 2012) after creating a virtual switch.

Together with colleagues we found out that the issue only appears with Broadcom network interface cards.

We saw that the issue is related to "Virtual Machine Queues" being enabled on the network adapter.

If you are facing this issue, please try to disable "Virtual Machine Queues" first on the virtual NIC in your VM. If this doesn't resolve your issue, please disable "Virtual Machine Queues" on the physical NIC of your server as well.

The issue should be fixed with a Broadcom firmware and driver update for the NIC.

You can disable "Virtual Machine Queues" in the Adapter Properties of the Network Interface Card.

Adapter Properties in BASC

Adapter Properties of a NIC
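The same two-step workaround can be done from PowerShell on the Hyper-V host. This is an added example, not part of the post: it reports the VMQ state of the affected VM's virtual NICs and of the host's Broadcom NICs (including the driver version the post says should be updated), and applies the post's steps separately, vNIC first and physical NIC only if needed. $VMName is a placeholder.

```powershell
# Added example (not from the post). Without a switch the script only reports;
# -DisableOnVm applies the post's first step, -DisableOnHost the second one.
param(
    [string]$VMName = 'REPLACE-VMName',
    [switch]$DisableOnVm,
    [switch]$DisableOnHost
)

# Step 1: the VM's virtual NICs. VmqWeight 0 turns VMQ off for that adapter only.
foreach ($vnic in (Get-VMNetworkAdapter -VMName $VMName)) {
    "{0} / {1}: VmqWeight={2}" -f $VMName, $vnic.Name, $vnic.VmqWeight
    if ($DisableOnVm -and $vnic.VmqWeight -ne 0) {
        Set-VMNetworkAdapter -VMName $VMName -Name $vnic.Name -VmqWeight 0
    }
}

# Step 2: the physical Broadcom NICs. Match on the driver/description, not the friendly name.
$broadcom = Get-NetAdapter -Physical | Where-Object {
    $_.InterfaceDescription -match 'Broadcom' -or $_.DriverProvider -match 'Broadcom'
}
foreach ($nic in $broadcom) {
    $vmq      = Get-NetAdapterVmq -Name $nic.Name -ErrorAction SilentlyContinue
    $vmqState = if ($vmq) { $vmq.Enabled } else { 'n/a' }
    [pscustomobject]@{
        Name          = $nic.Name
        Description   = $nic.InterfaceDescription
        DriverVersion = $nic.DriverVersion   # compare with the fixed Broadcom release
        VmqEnabled    = $vmqState
    }
    if ($DisableOnHost -and $vmq -and $vmq.Enabled) {
        Disable-NetAdapterVmq -Name $nic.Name
    }
}
```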

How to enable SR-IOV for Hyper-V on a Dell PowerEdge 12th Generation

If you need more information about SR-IOV, please visit the Blog of my friend Didier van Hoye (WorkingHardInIT).

http://workinghardinit.wordpress.com/2012/02/22/windows-8-introduces-sr-iov-to-hyper-v/

First reboot the server and press "F2" to enter the "System Setup", then click on "System BIOS Settings".

System Setup Dell PowerEdge R620


In the main menu, open the "Integrated Devices" menu.

Main Menu BIOS Dell PowerEdge R620


Now you should see the option "SR-IOV Global Enable"; by default it is set to "Disabled". Please set it to "Enabled".

Integrated Devices Dell PowerEdge BIOS


Now click on “Back” in the lower right corner.

Back in the main menu click “Finish”.

In the popup box please click “yes” to save changes.

Dell BIOS Save Changes


If you see the “Green Box” you can click “OK” and restart your server.

Dell BIOS Changes were saved

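Once the server is back up, it is worth checking what Hyper-V actually sees before building on the BIOS change. This is an added example, not part of the post: it reads the host's IOV support status and reasons, the NIC's SR-IOV capability, and only then creates an IOV-enabled external switch. The switch and adapter names are placeholders.

```powershell
# Added example (not from the post). Verifies SR-IOV from the Hyper-V side after
# "SR-IOV Global Enable" has been set in the Dell BIOS. Names are placeholders.
$switchName  = 'REPLACE-SRIOV-Switch'
$adapterName = 'REPLACE-NIC-Name'

# 1. Host-level view: IovSupportReasons explains why SR-IOV is unavailable
#    (for example, still disabled in BIOS/UEFI, or no IOMMU/DMA remapping).
$vmHost = Get-VMHost
"IovSupport: {0}" -f $vmHost.IovSupport
$vmHost.IovSupportReasons | ForEach-Object { "  reason: $_" }

# 2. Adapter-level view: the NIC itself must advertise SR-IOV and expose VFs.
Get-NetAdapterSriov -Name $adapterName -ErrorAction SilentlyContinue |
    Select-Object Name, Enabled, SriovSupport, NumVFs | Format-List

# 3. Only then create the switch. IOV has to be enabled at creation time;
#    it cannot be switched on later on an existing vSwitch.
if ($vmHost.IovSupport) {
    if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $switchName -NetAdapterName $adapterName -EnableIov $true -AllowManagementOS $true
    }
    Get-VMSwitch -Name $switchName | Select-Object Name, IovEnabled, IovSupport, IovSupportReasons
    # To let a VM use a VF, give its vNIC an IOV weight and check VFDataPathActive afterwards:
    # Set-VMNetworkAdapter -VMName 'REPLACE-VMName' -IovWeight 100
    # Get-VMNetworkAdapter -VMName 'REPLACE-VMName' | Select-Object Name, IovWeight, VFDataPathActive
}
```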

Dell KVM 1081ad – Internet Explorer is unable to connect to HTTPS // SSL webinterface

This article was written together with Florian Hilgenberg, Dell Enterprise Engineer.

Source: www.dell.com

When you are unable to connect to the HTTPS // SSL web interface with Internet Explorer, please check whether you have Microsoft update KB2661254 installed.

This update changes the "minimum certificate key length" and causes the issue.

Update information:

Microsoft has released a Microsoft security advisory for IT professionals. This advisory announces that the use of RSA certificates that have keys that are less than 1024 bits long will be blocked. To view the security advisory, go to the following Microsoft website:

To reduce the risk of unauthorized exposure of sensitive information, Microsoft has released a nonsecurity update (KB 2661254) for all supported versions of Microsoft Windows. This update will block cryptographic keys that are less than 1024 bits long. This update does not apply to Windows 8 Release Preview or Windows Server 2012 Release Candidate because these operating systems already include the functionality to block the use of weak RSA keys that are less than 1024 bits long.

Source: support.Microsoft.com (Microsoft Security Advisory: Update for minimum certificate key length)

To fix the issue, you can uninstall the update or use another browser. The Dell KVM 1081ad can use 128-bit encryption.

The SCS supports 128-bit SSL(ARCFOUR), AES, DES, and 3DES encryption of keyboard/mouse, video, and virtual media sessions.

Source: Dell™ Server Console Switch User’s Guide

Source: www.dell.com
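Before uninstalling anything, it helps to confirm that the KVM's certificate really is below the new minimum. This is an added example, not part of the article: run on the admin workstation, it checks whether KB2661254 is installed, reads the minimum RSA key length the certificate chain engine is configured with, and then fetches the KVM's HTTPS certificate to compare its key size. $kvmHost is a placeholder.

```powershell
# Added example (not from the article). Diagnoses the KB2661254 / small-key symptom.
$kvmHost = 'REPLACE-kvm-hostname-or-ip'

# 1. Is the update installed, and what minimum does the chain engine enforce?
$hotfix = Get-HotFix -Id 'KB2661254' -ErrorAction SilentlyContinue
"KB2661254 installed: {0}" -f [bool]$hotfix
$cfg = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$min = (Get-ItemProperty -Path $cfg -Name MinRsaPubKeyBitLength -ErrorAction SilentlyContinue).MinRsaPubKeyBitLength
$threshold = if ($min) { $min } else { 1024 }   # 1024 is the default the update applies
"Configured minimum RSA key length: $threshold"

# 2. Fetch the KVM's server certificate. The validation callback returns $true only so the
#    handshake completes and the certificate can be inspected; nothing is trusted here.
function Get-RemoteCertificateInfo {
    param([string]$HostName, [int]$Port = 443)
    $client   = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    try {
        # Old KVM firmware may only offer SSL 3.0/TLS 1.0 with RC4, which the default
        # client protocol set on Windows Server 2012 still allows.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject  = $cert.Subject
            KeySize  = $cert.PublicKey.Key.KeySize
            SigAlg   = $cert.SignatureAlgorithm.FriendlyName
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        }
    } finally { $client.Close() }
}

$info = Get-RemoteCertificateInfo -HostName $kvmHost
$info
if ($info.KeySize -lt $threshold) {
    "Certificate key is $($info.KeySize) bits, below the $threshold-bit minimum: this is why IE refuses the connection."
}
```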