Azure Stack VPN for MAC OS X

Microsoft released the latest version of Azure Stack during the Ignite 2016 conference in Atlanta. The new version has a lot of great features. One thing I was not able to find is how to establish a VPN session from MAC OS X to Azure Stack.

You might ask why we need it. One of the groups that will benefit the most from Azure Stack is developers, since Azure Stack brings many of the services available in the Azure cloud to the enterprise on-premises environment. Developers on Windows or MAC OS X can now start testing against the latest TP2 version, connecting directly and using their own tools.

There is a very good PowerShell module that performs all of these steps on Windows, but it does not work on MAC OS X, so here are all the steps to gather the details manually.


Download Scripts to collect required information

Log in to your Azure Stack Hyper-V host with your administrator account, e.g. azurestack\administrator.

Download the scripts, e.g.: Invoke-WebRequest -Uri https://github.com/carlosvargasvip/azurestackmacvpn/archive/master.zip -OutFile master.zip


Expand the downloaded file: Expand-Archive master.zip


Gathering Certificates for Azure Stack

Azure Stack has its own internal certificate authority. All services and websites use SSL certificates issued by it, so you need to download the root CA certificate to your MAC in order to access the resources.

Execute the Get-AzureStackRootCACert.ps1 script to get the certificate:

.\Get-AzureStackRootCAcert.ps1


Gather external IP from the MAS-BGPNAT VM

In order to establish a connection to your Azure Stack you need the external IP address of the MAS-BGPNAT VM hosted on your Hyper-V host:

.\Get-AzureStackNATIP.ps1


Transfer certificate and VPN IP output out

The certificate and VPN IP address are saved in the %userprofile%\downloads folder.


You need to copy them out. I will use my on-premise file sync and share product, HCP Anywhere, for this.


Install Azure Stack Root CA certificate in your MAC OS X

Now we need to install the Azure Stack Root CA certificate on the MAC OS X. My files are automatically synchronized to my MAC OS X with the HCP Anywhere client. You see two files: CA.cer is the root certificate and natip.txt contains the IP address of the VPN server.

Double-click the CA.cer file.


Open your Keychain and you will see a new certificate with a red x. Double-click the certificate named AzureStackCertificationAuthority.


Because all the services use SSL certificates, your MAC OS X needs to trust the Azure Stack Certificate Authority. Click the first option and switch it to Always Trust, then click the close button (red dot).


Type your password.


Now the Azure Stack Certification Authority is trusted.

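The Keychain steps above can also be done from the Terminal. The script below is an added example and is not part of the original post: it computes the SHA-256 fingerprint of CA.cer, compares it with a fingerprint you obtained on the Azure Stack host itself (for a DER-encoded .cer, `certutil -hashfile CA.cer SHA256` on the Windows host returns the same value), and only then adds the certificate to the System keychain as a trusted root with `security add-trusted-cert`. Trusting a root CA means every certificate it issues is accepted, so the fingerprint check is what confirms you are trusting the CA you think you are, even though the file travelled through a file sync service. The fingerprint values are constructed placeholders.

```shell
#!/bin/sh
# trust-azurestack-root.sh (added example, not from the original post)
# Usage: sh trust-azurestack-root.sh CA.cer <expected SHA-256 fingerprint>

# Strip colon separators and spaces and upper-case the hex digits so fingerprints
# from openssl (AB:CD:...) and from certutil (abcd...) compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprints_match ACTUAL EXPECTED -> 0 only when both are the same, non-empty value
fingerprints_match() {
  a=$(normalize_fp "$1"); e=$(normalize_fp "$2")
  [ -n "$a" ] && [ "$a" = "$e" ]
}

# SHA-256 fingerprint of a certificate file. A .cer exported from Windows is
# usually DER, so try DER first and fall back to PEM.
cert_fingerprint() {
  { openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 2>/dev/null \
    || openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256; } \
    | sed 's/^.*=//'
}

# trust_root_ca FILE EXPECTED: verify the fingerprint, then install the CA as a
# trusted root in the System keychain (the GUI "Always Trust" equivalent).
trust_root_ca() {
  cert=$1; expected=$2
  actual=$(cert_fingerprint "$cert") || return 1
  if ! fingerprints_match "$actual" "$expected"; then
    echo "refusing to trust $cert: fingerprint $actual does not match $expected" >&2
    return 2
  fi
  sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain "$cert"
}

# Only act when invoked with both arguments, so the file can also be sourced.
if [ $# -eq 2 ]; then
  trust_root_ca "$1" "$2"
fi
```

Run it as `sh trust-azurestack-root.sh ~/Downloads/CA.cer <fingerprint from the host>`; a mismatch exits with status 2 and leaves the keychain untouched.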

Configure Static Routes for Azure Stack in MAC OS X

In order to access all the services in the internal Azure Stack network you need to add two static routes that are applied when you connect with the VPN profile.

Create a new script in /etc/ppp/ip-up. Ex: sudo vi /etc/ppp/ip-up

https://gist.github.com/carlosvargasvip/8d02dc64f0a6647476886b5dc9001e81
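An /etc/ppp/ip-up script of the shape the step above describes, written here as an added example; it is not the gist linked above and the two network prefixes in it are placeholders you replace with the Azure Stack networks from the gist or your deployment. pppd on macOS runs ip-up with the PPP interface as the first argument and the peer address as the fifth, so the script can restrict the routes to the link whose peer is the NAT IP from natip.txt and leave any other PPP-based VPN alone.

```shell
#!/bin/sh
# /etc/ppp/ip-up -- pppd runs this on macOS once the L2TP/IPsec link is up.
# Added example, not the gist linked in the original post. pppd invokes it as:
#   ip-up <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# The two Azure Stack internal networks below are PLACEHOLDERS (assumption):
# use the networks from the original gist / your own deployment.
AZS_NET1="${AZS_NET1:-192.168.100.0/24}"   # placeholder network 1
AZS_NET2="${AZS_NET2:-192.168.101.0/24}"   # placeholder network 2
# Optional: the VPN peer the routes belong to, i.e. the address in natip.txt.
# Empty means "add the routes on any PPP link". Assumption, not from the post.
AZS_VPN_PEER="${AZS_VPN_PEER:-}"

# build_route_cmd NET IFACE -> the macOS route command, as a string
build_route_cmd() {
  printf '/sbin/route -n add -net %s -interface %s' "$1" "$2"
}

# add_azurestack_routes IFACE REMOTE_IP [EXPECTED_PEER]
# Adds the two routes via IFACE, skipping other VPNs when a peer is configured.
# With DRY_RUN=1 the commands are printed instead of executed.
add_azurestack_routes() {
  iface=$1; peer=$2; expected=${3:-$AZS_VPN_PEER}
  if [ -n "$expected" ] && [ "$peer" != "$expected" ]; then
    return 0
  fi
  for net in "$AZS_NET1" "$AZS_NET2"; do
    cmd=$(build_route_cmd "$net" "$iface")
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "$cmd"
    else
      eval "$cmd" || logger -t ip-up "failed: $cmd"
    fi
  done
}

# pppd always passes the interface name (ppp0, ppp1, ...); do nothing otherwise,
# so running the file by hand without arguments is harmless.
case "${1:-}" in
  ppp*) add_azurestack_routes "$1" "$5" ;;
esac
```

Save it as /etc/ppp/ip-up owned by root and make it executable (sudo chmod 755 /etc/ppp/ip-up), otherwise pppd will not run it. Setting AZS_VPN_PEER to the address in natip.txt keeps the routes off any other PPP VPN you connect to.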

Configure VPN Connection in your MAC OS X

Now we need to configure our new VPN connection to the Azure Stack MAS-BGPNAT01 VM.

Click your System Preferences


Click Network


Click the plus sign (+) in the lower left corner of the network screen


Select VPN in the Interface drop-down, L2TP over IPsec as the VPN Type, and a name for your VPN connection.


Type the external IP of the BGPNAT VM in the Server Address field (it is in the natip.txt file you copied earlier). Account Name is administrator. Then click Authentication Settings.


Then type the Azure Stack administrator password in the Password field and in the Shared Secret field, and click OK.


Click the Advanced button for your VPN connection.


Click the DNS tab and add azurestack.local as a search domain for your VPN connection and click OK.


Click Connect.


Type your Azure Stack administrator password.


Open your browser, go to https://portal.azurestack.local and log in with an account that has access to Azure Stack.


You are now connected to your Azure Stack environment.


Windows 10 Preview with Cisco AnyConnect VPN Client

Microsoft released the technical preview of their new operating system (details here). If you are like most IT professionals, you may have downloaded the preview and tried to use it for your basic computing environment. After playing with the new UI for a little bit, I installed the Cisco AnyConnect client and tried to connect to my office VPN. The connection failed with the following error: “Failed to initialized connection subsystem”.

After troubleshooting the issue for a little bit, I found a fix for the issue. Here are the steps to fix your Cisco AnyConnect client running on Windows 10 Preview.

1. Open an Explorer window and go to C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client

2. Right-click vpnui.exe and click Properties.

3. Click the Compatibility tab, check "Run this program in compatibility mode for:" and select Windows 8. Then click OK.

4. Click the Windows logo and click the Cisco AnyConnect icon.

5. In the Cisco AnyConnect client type your VPN server FQDN or IP address, e.g. vpn.domain.com

6. Type your username and password.

7. Your client should connect successfully to your Cisco VPN appliance.

8. After your client finishes the connection you should see a green check mark in the lock.

Hope this helps you test Windows 10 with your corporate images. If you have any questions please leave a comment.

Configure Network for Windows 8.1 Client Hyper-V

In this post I will go through the steps to configure the network for your Windows 8.1 Client Hyper-V. This is needed so your VMs can connect to the network.

1. Open your Start screen, look for the Hyper-V Management Tools group and click Hyper-V Manager.

2. Click the Virtual Switch Manager option under Actions.

3. Because this is a new installation there is no network defined.

4. Type a name for your internal switch. In this example I use “Internal” as the name for the switch. Press OK.

Now you have your Hyper-V feature installed and the network is configured. In my next post I will share how to configure a base virtual machine.

Are you ready to build your Client Hyper-V VM’s?

Virtual Router with VLAN Support

Vyatta Virtual VLAN Router Configuration

I was trying to build a network with several VLANs and found that a Layer 3 switch costs a lot of money and was out of my budget. After looking for a solution within my budget I used the Vyatta open source router platform to build my router. This configuration will allow you to create a router with several VLANs on a physical or virtual machine.

Default User accounts for Vyatta

user: vyatta
pass: vyatta (change the default password during the installation)

Configuration of Interfaces IPv4

configure
set interfaces ethernet eth0 address 192.168.1.5/24
set interfaces ethernet eth0 description "Description"
set system gateway-address 192.168.1.1
commit
save
exit

Configuration of Interfaces IPv6

configure
set interfaces ethernet eth1 address 2001:db8:2::2/64
commit
save
exit

Configure IPv6 Tunnel

configure
edit interfaces tunnel tun0
set encapsulation sit
set local-ip 192.168.1.1
set remote-ip 123.123.123.123
set address 2001:wwww:xxxx:yyyy::2/64
set description "HE.NET IPv6 Tunnel"
exit
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit
save
exit

Configure DNS Servers

configure
set system name-server 4.2.2.2
set system name-server 8.2.2.2
commit
save
exit

Create Trunk

configure
set interfaces ethernet eth1 description VLAN-TRUNK
set interfaces ethernet eth1 vif ## description VLAN-DESCRIPTION
set interfaces ethernet eth1 vif ## address 192.168.2.1/24
commit
save
exit

Configure DHCP

configure
set service dhcp-server
set service dhcp-server shared-network-name VLAN2_Pool subnet 192.168.2.0/24 start 192.168.2.100 stop 192.168.2.254
set service dhcp-server shared-network-name VLAN2_Pool subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name VLAN2_Pool subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name VLAN2_Pool subnet 192.168.2.0/24 domain-name domain.com
commit
save
exit

Configure DNS forwarding

configure
set service dns forwarding listen-on eth1.<vlanID>   (one entry per VLAN interface, e.g. eth1.1, eth1.2)
set service dns forwarding name-server 192.168.1.10
commit
save
exit
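The Create Trunk, Configure DHCP and Configure DNS forwarding sections above each show the commands for one VLAN, with ## standing in for the VLAN ID. The shell script below is an added example, not part of the original post or of Vyatta: given a list of VLAN IDs with their /24 prefixes it emits the complete set of "set" commands for every VLAN on the eth1 trunk, and it validates the VLAN ID (1-4094) and the address octets before printing anything, so a typo does not end up committed on the router. It assumes what the single-VLAN sections assume: each VLAN is a /24 with the router at .1 as gateway and DNS forwarder, and DHCP hands out .100-.254. The VLAN IDs and prefixes in the sample run are constructed.

```shell
#!/bin/sh
# vyatta-vlans.sh (added example, not from the original post or from Vyatta)
# Emits the Vyatta "set" commands for any number of VLANs on the eth1 trunk,
# generalizing the single-VLAN Create Trunk / DHCP / DNS forwarding sections.
# Assumptions: each VLAN is a /24, the router is .1 (gateway and DNS forwarder),
# DHCP hands out .100-.254, and clients receive DOMAIN as their domain name.
TRUNK_IF="eth1"
DOMAIN="${DOMAIN:-domain.com}"

# valid_vid VID -> 0 when VID is a number in the 802.1Q range 1-4094
valid_vid() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# valid_prefix24 A.B.C -> 0 when the first three IPv4 octets are well formed
valid_prefix24() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 3 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# vlan_config VID A.B.C NAME -> prints the set commands for one VLAN
vlan_config() {
  vid=$1; pfx=$2; name=$3
  valid_vid "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
  valid_prefix24 "$pfx" || { echo "invalid /24 prefix: $pfx" >&2; return 1; }
  dhcp="set service dhcp-server shared-network-name ${name}_Pool subnet $pfx.0/24"
  cat <<EOF
set interfaces ethernet $TRUNK_IF vif $vid description $name
set interfaces ethernet $TRUNK_IF vif $vid address $pfx.1/24
$dhcp start $pfx.100 stop $pfx.254
$dhcp default-router $pfx.1
$dhcp dns-server $pfx.1
$dhcp domain-name $DOMAIN
set service dns forwarding listen-on $TRUNK_IF.$vid
EOF
}

# trunk_config "VID:A.B.C:NAME" ... -> a complete configure session for all VLANs
trunk_config() {
  echo "configure"
  echo "set interfaces ethernet $TRUNK_IF description VLAN-TRUNK"
  for spec in "$@"; do
    vid=${spec%%:*}; rest=${spec#*:}
    vlan_config "$vid" "${rest%%:*}" "${rest#*:}" || return 1
  done
  printf 'commit\nsave\nexit\n'
}

# Sample run with two constructed VLANs; paste the output into the Vyatta CLI.
trunk_config "10:192.168.10:Servers" "20:192.168.20:Clients"
```

Each VLAN gets its own DHCP pool name (NAME_Pool) and its own "listen-on" entry, which is the part the single-VLAN sections leave as an exercise.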

Enable SSH

configure
set service ssh
commit
exit

Configure Time Zone

configure
set service time-zone US/Central
commit
save
exit

Configure Hostname

configure
set system host-name r1
commit
save
exit

Vyatta Documentation is located: http://www.vyatta.com/download/docdl

Hyper-V Network Configuration

In order for the virtual machines to access the physical lab network and the internet we will create a virtual switch called MSLAN. It is important that the switch name is the same on all Hyper-V hosts, or your VMs will have problems when they live migrate from one host to another.

1. Open Hyper-V Manager.

2. On the right side click Virtual Network Configuration.

3. Select the type of network and press Create Virtual Switch.

4. Select a name for your virtual switch. The name must be the same on each Hyper-V host. Then select the network card that you want to assign to this switch. Then press OK.

5. After that you will have your new virtual switch available for your virtual machines.