Creating an Azure VPN with a Draytek Router

Posted on 10 CommentsPosted in Azure, cloud, draytek, exchange, firewall, ipsec, vpn

The Microsoft Azure cloud operating system can be connected to your network by way of a virtual private network or VPN. Azure lists some supported devices and provides configuration scripts for them, but does not include the Draytek range of devices. Draytek devices are common in the small business market and for techy home users. This blog post will show how to configure a site to site VPN between your network and your Azure tenant using a Draytek 2920 router. Other Draytek routers will work as well, just the screenshots and instructions here are from that model of router.

Collecting required information

Before you start you need the following information to hand:

  • The IP subnets of your network. For the purposes of this blog these are 192.168.5.0/24 and 192.168.6.0/24
  • The IP subnet that you wish to use in Azure. This needs to be different from the subnet(s) on your LAN. For the purpose of this blog this will be 192.168.4.0/24.

Configuring Azure Networks

To configure your VPN login to your Azure tenant at https://manage.windowsazure.com/ and from the services area on the left click Networks near the bottom. Add a new network by clicking Create a virtual network or from the bottom toolbar clicking + New and from the options select Custom Create. Note that Quick Create will not create a valid solution as it will note create a VPN gateway.

Enter the name of the VPN network and enter a name for the affinity group that you need to create. You will place virtual machines into this affinity group so that they get an IP address valid for this network. I’m based in the UK, so I choose West Europe (i.e. Dublin) as the datacentre to use.

VPN001

Click the right-hand arrow at the bottom of the screen and check Site to site VPN. You only need to add a DNS name and IP address (to an existing DNS server) on your LAN if your virtual machines need to use this DNS server to resolve on-premises resources. I will use Azure to do my name resolution, so will not enter them here.

VPN002

Click the right-hand arrow at the bottom of the screen and enter a name for your LAN and your external IP address (not shown here). This needs to be a static IP address that is not NAT’ed, so in my case this will be the external IP address of the Draytek router. Also enter the address space(s) for your LAN.

VPN003

Click the right-hand arrow at the bottom of the screen to go to page 4 of the wizard and select an address space that does not conflict with your LAN address spaces entered on the previous screen. In the picture below I have configured 192.168.4.0 as the subnet with a /24 CIDR range. You can edit the values provided if they do not suit. For the subnets within this network, you need one or more subnets for the address space. My final aim for the Azure tenant is to host a multisite Exchange Server lab, so I will create four subnets within the 192.168.4.0/24 address space. The first address space is going to be reserved for routing purposes back to my LAN. The routing subnet is configured by clicking the add gateway subnet button.

VPN004

Click the tick mark and wait for the network to be created. Once created click the network name and then Dashboard.

VPN005

You will see that the gateway is not created. To start the VPN gateway at Azure click the Create Gateway button on the lower black toolbar. Choose Static Routing and confirm the choice. In about 15 minutes time the status of the gateway will go blue and the VPN grey.

VPN006

We can now move onto configuring the router on your LAN as Azure is now waiting for the connection to take place.

Configuring a Draytek Router to Connect to Azure

On the VPN page in Azure you will see the status of the connection showing the amount of data that has crossed the connection to date and the IP address that you need to connect your VPN tunnel to. Make a note of this IP address (redacted in the above picture) and also make a note of the Shared Key, this you can get from the Manged Key button on the toolbar. Copy this to your clipboard and navigate to your Draytek admin page.

VPN007

Ensure that your router provides service for IPSec VPN’s and that this type of traffic is not being passed through the router to another device. This is available from VPN and Remote Access > Remote Access Control in the Draytek web admin pages.

DRAY001

Change to VPN and Remote Access > LAN to LAN and click an available LAN to LAN profile that is not being used. In section 1 give the profile a suitable name and enable it, disable Netbios naming packets from crossing the VPN and allow multicast if you will need it. Set the Call Direction to Dial-Out and check the Always on option if you require the connection to be up all the time. Scheduled connections are also possible.

DRAY002

Under Dial-Out Settings (section 2) ensure IPSec Tunnel is selected and the Server IP/Host Name for VPN matches the Gateway IP Address provided on the Azure management page. Under IKE Authentication ensure Pre-Shared Key is selected. Click the IKE Pre-Shared Key button and paste the pre-shared key from Azure.

DRAY003

Under IPSec Security Method select High (ESP) and ensure AES with Authentication is selected. Azure requires AES encryption. The Advanced options do not need changing as they are valid for Azure already.

DRAY004

Scroll down to section 5 (sections 3 and 4 do not need completing) and enter the network address space in use at Azure as the value for Remote Network IP and ensure the Remote Network Mask value is correct. This ensures that connections to this subnet are routed down this VPN tunnel. If you have multiple address spaces created at Azure then click the More button and add the rest of the Azure networks (not the individual subnets within the address space) if you added additional address spaces.

DRAY005

Save the VPN profile and navigate to VPN and Remote Access > Connection Management. In about 10 seconds you will see this page refresh and you should see the connection to Azure has been made.

DRAY006

Back on the Azure management console the VPN at the LAN side should be green and the Data In and Data Out values increasing. At the time of writing, an Azure VPN costs £1.44 per day and this does not include any network traffic across the link.

DRAY007

Creating Azure Virtual Machines on Your VPN

Ensure that your link is up by pinging the VPN endpoint at Azure. This will be the second IP address on the gateway subnet that was created earlier. In my example this is 192.168.4.197.

DRAY008

Virtual machines in Azure will get an IP address from your VPN and will be directly reachable to and from your LAN if they are associated with the VPN network created when the VPN was created. To do this either create a virtual machine from the gallery option (not Quick Create) to make a new virtual machine from a template or one of your existing unused VHDs or images and set the region/affinity group to the VPN network.

VM001

Note that you cannot change the network that an existing machine is associated with – you need to delete the virtual machine (but without deleting the disks) and also delete the associated cloud service. Then you can make the VM again and choose My Disks from the gallery and select the VPN as the Region/Affinity Group/Virtual Network value.

VM002

That is it. You virtual machines will come online and be provisioned and get an IP address on your virtual network. To see the IP address click the virtual machine and view the dashboard. Note that shutting down the virtual machine will release the IP and you cannot assign static IP’s in Azure or the machine will not be reachable – all connectivity to Azure machines is via resolved names.

IPv6 Routed LAN with Windows

Posted on 2 CommentsPosted in DNS, draytek, exchange, iis, ip, ipv4, ipv6, mcm, mcsm, rras, windows

This blog is written to note down the steps needed to configure IPv6 on the whole of your LAN using Windows Server 2008 R2 as the router, but without installing RRAS.

It also uses Hurricane Electric’s IPv6 tunnel broker service to provide the IPv6 connectivity via an IPv4 tunnel as my internet provider (Virgin Media in the UK) does not provide direct IPv6 connectivity at the time of writing (Dec 2012).

Originally the plan was to do all this with the Draytek 2920 router on my network, but after days of trying I gave up as it was unable to connect to SixXS over AICCU or Freenet6/gogo via TSPC even though I had made accounts and entered the information as shown on various websites and forum. Draytek do not provide a 6in4 tunnel mode, so I needed to move to using Windows or Linux, as I have both on my LAN – though I am way more familiar with Windows!

Configuring Your Internet Router

You will need control over your internet connection as you will need to enable inbound PING responses before you can create an IPv6 tunnel. On a Draytek router this is System Maintenance > Management > untick Disable PING from the internet.

Also to allow a tunnel to traverse a NATed router, you need to allow Protocol 41 to pass the firewall. On a Draytek router this involves creating a new rule in the Default Call Filter rule set and the same under the Default Data Filter set. The settings are Direction: WAN –> LAN/RT/VPN; Source IP: Any; Destination IP: Any; Service Type: Protocol: 41; Filter: Pass Immediately.

Getting a Hurricane Electric Tunnel

Visit http://tunnelbroker.net and create an account and request a tunnel. Once you have requested a tunnel you will get the following information on the IPv6 Tunnel tab (of which only the important information is shown, and where I have changed the values to be generic):

  • IPv6 Tunnel Endpoints
    • Server IPv4 Address: a.b.c.d (the endpoint of the tunnel at Hurricane Electric)
    • Server IPv6 Address: 2001:xxxx:wwww:65b::1/64 (this has wwww shown in bold and is the Hurricane Electric end of the tunnel they have created for you, and it will end in a 1.)
    • Client IPv4 Address: w.x.y.z (this is your external IP address of your internet connection)
    • Client IPv6 Address: 2001:xxxx:wwww:65b::2/64 (this has wwww shown in bold and is your end of the tunnel they have created for you, and it will end in a 2.)
  • Routed IPv6 Prefixes
    • Routed /64: 2001:xxxx:yyyy:65b::/64 (this has yyyy in bold and yyyy is one number higher than wwww in the IPv6 tunnel endpoints above).

On the Example Configurations tab you will get the choice of operating system to use, and you need to select Windows Vista/2008/7 from the dropdown list. This will present you with some netsh commands as shown (where the values will be your specific values rather than the generic values I show here):

netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel w.x.y.z a.b.c.d
netsh interface ipv6 add address IP6Tunnel 2001:xxxx:wwww:65b::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:xxxx:wwww:65b::1

If you are behind a NATed router then you need to change the w.x.y.z value which will show your public IP address for the private IP address of the Windows Server you are going to run this set of commands on.

Run these commands from an elevated command prompt. Once complete you should be able to reach the IPv6 internet from that machine. Try ping www.facebook.com and you should get back the IPv6 address for Facebook (showing your DNS server is IPv6 aware – Windows DNS will return AAAA, the IPv6 version of the A record, responses if your client has a valid global IPv6 address). Another destination you can attempt to ping is ipv6.google.com.

You now have working IPv6 from a single server on your LAN.

Configuring The Windows Router

The next step is to enable this single server as a router. This will allow the forwarding of packets between the LAN and the IPv6 Tunnel that exists on this server.

NOTE: This series of steps does not use RRAS, and therefore there is no firewall on this router. Therefore these steps should be for lab environments only, as you need to ensure that Windows Firewall on all your endpoints is secure (remote admin [DCOM], RPC Endpoing and 445 have default rules for open to anyone) – these will need securing to a suitably valid range, or implment IPSec on the servers so connections cannot be made from non domain members. A good IPv6 port scanner is available at ipv6.chappell-family.com

Continuing in your elevated command prompt on the tunnel Windows machine enter the following command:

netsh interface ipv6 set route ::/0 IP6Tunnel publish=yes

This adds a route for the entire IPv6 address space to go via this machine, and publishes it so that it can be see by other machines on the LAN. The publish=yes command is the only bit of this that is different from the commands provided by Hurricane Electric.

The next command to enter is:

netsh interface ipv6 add address interface=”Local Area Connection” address=2001:xxxx:yyyy:65b::1

This command adds an IP address from the Routed /64 range to the network card on the machine (called “Local Area Connection” here. If your network card has a different name then change the name, and use the correct address that you want to use rather than the generic one I show here). I have chosen to end my routers IPv6 address with ::1. This means that the full address in my example is 2001:xxxx:yyyy:065b:0000:0000:0000:0001 and therefore I could choose anything for the 0000:0000:0000:0001 bit, remembering that one long list of zero’s can be collapsed to :: and leading zero’s can be removed.

Continue with:

netsh interface ipv6 set interface “Local Area Connection” forwarding=enabled advertise=enabled routerdiscovery=enabled advertisedefaultroute=enabled privacy=disabled

The command (which is long and probably wrapped on your web browser) enables forwarding on the Local Area Connection interface (forwards packets arriving on this interface to others, i.e. makes this box a router) and it will also advertise it’s routes and that it is a router. Router advertisement (both advertise=enabled routerdiscovery=enabled) allow clients on your network to find the router and generate their own IPv6 address. In this example this will therefore turn on IPv6 for your entire LAN. If you wish to do this test on just a few servers then add a valid IPv6 address using DHCPv6 with reservations or add the addresses manually on the machines you want to test IPv6 from (valid addresses are 2001:xxxx:yyyy:065b:z:z:z:z, where z:z:z:z is up to four blocks of four hex digits each). Privacy (see later) is disabled for this NIC as well.

NOTE: For any website that is IPv6 enabled, any computer that gets an IPv6 address will now use the tunnel to get to the internet. If the tunnel is down or slow then internet connectivity on all your machines will suffer. Your tunnel will be slower than your WAN speed and latency is likely to be higher. Consider carefully the advertise and routerdiscovery settings. You can always change them to disabled later if you wish (and reset your client network card to pick up the changes with netsh int ipv6 reset). I managed two days with IPv6 for every client before I changed back to IPv4. There are steps on line to change the prefix policy (netsh int ipv6 show prefix) to put IPv4 above IPv6 as an alternative to turning advertising and router discovery off.

The next command to enter is:

netsh interface ipv6 set route 2001:xxxx:yyyy:65b::/64 “Local Area Connection” publish=yes

This command publishes the route to your LAN so that the IP6Tunnel network that you created earlier can route packets to the correct interface. This is the opposite command the the first publish command you ran previously, as that one published the outbound route, this publishes the inbound route.

Finally you need to run this last command:

netsh int ipv6 set interface “IP6Tunnel” forwarding=enabled

This allows packets arriving on the IP6Tunnel from the internet to be forwarded to other networks on the machine. Again, this is the opposite of the earlier forwarding=enabled command and allows forwarding of packets arriving on the IP6Tunnel adapter to be forwarded into the LAN.

Connecting to the IPv6 Internet

Finally you are ready to go. If you open a command prompt on a Windows Vista or later client on the LAN and run ipconfig you should see an IPv6 address (and maybe a temporary IPv6 address) as well as a default gateway listing your newly configured router (reached via the Link Local address rather than the global IP address of the router if routerdiscovery is enabled on the router).

The IPv6 address you have is calculated from your Routed /64 subnet (the network portion of the address) and your MAC address. This local portion will therefore always be the same for you. This means that you are therefore trackable on the internet, as your local portion does not change. Therefore Windows 7 generates a temporary address which changes every 7 days (netsh int ipv6 show addresses and the Pref. Life column for Preferred Lifetime). After seven days the temporary address is recreated.

Open your web browser and visit http://test-ipv6.com/ to see if you have IPv6 connectivity.

You should now be able to ping www.facebook.com or ping ipv6.google.com and get a response back from the IPv6 internet.

Note that if you reboot your router or your client they will take a short while to pick up a valid IPv6 configuration from the Router Advertisements (RADV) that are running on the router (advertising the Routed /64 range you have – no requirement for DHCPv6 in this example).

Having the IPv6 Internet Connect To You (i.e. Publishing IPv6 Services)

On any machine with a valid global IPv6 address you should be able to enable the File and Printer Sharing (Echo Request – ICMPv6-In) rule in Windows Firewall and then visit http://centralops.net/co/Ping.aspx (or another IPv6 online ping test tool) and be able to ping your server or client.

Disable the ping firewall rule if needed and enable or create a firewall rule to allow a port of your choice to be published over IPv6. Configure the server to support listening on IPv6 if needed and then attempt to browse that service from another IPv6 enabled client.

Got this far – have a go at the IPv6 certification at Hurricane Electric

IPv6 Certification Badge for brainier

Building An Exchange Unified Messaging Lab (Part 3)

Posted on 2 CommentsPosted in 2010, draytek, exchange, firewall, rtp, sip, unified messaging, voicemail

This blog is part of a series on creating a unified messaging lab for Microsoft Exchange Server. Configuring Unified Messaging was not as easy as I thought it would be and there was a lack of information that brought all the settings into one place, and a lot of incorrect information! The series started with Part 1 for the requirements and Part 2 for the initial configuration of AsteriskNOW and FreePBX.

Up until now the changes you have made have been pretty much the same for everyone. Sure, you have set an IP, keyboard and timezone that are different but everything else has been pretty much standard. Now we need to change some Asterisk configuration files to support Exchange Server Unified Messaging.

Configuring Asterisk for Internal and External Calls

As we have chosen to install FreePBX as well, we will edit the configuration files that FreePBX does not control. If you are doing your configuration without FreePBX installed there will be different files to change.

Before we make the changes though, you need to decide a few things. Some of these will be determined by your current environment. The first thing you will need to know is the number of digits in your dialplan. A dialplan is the internal extension number configuration at your office. For example if you dial 1xxx to reach one office and 2xxx to reach another then you have a four digit dialplan and sequences starting 1 and 2 are already reserved. In my lab I am going to use a four digit dialplan where 8xxx is going to be allocated to physical telephone handsets (extensions) and 8000 is going to be the number I call to listen to my voicemail (the Pilot Number) when I am using Exchange 2010 and 8500 when I am using Exchange 2013. Two numbers for voicemail allows me to use two different Exchange labs from one set of SIP phones.

Once you have picked your dialplan you can start to configure the various components of your PBX for your telephone network. These changes include forwarding your pilot number (8000 and 8500 in this blog) to Exchange and configure your telephone extensions.

In Asterisk we need to do these configuration changes by editing the config files. We can do this in a few different ways. We can edit the config files directly in the Linux console (using text editors such as vi), use WinSCP from a Windows PC if you don’t want to edit the files in Linux directly or use FreePBX for some of the changes. You must use FreePBX to change any file that has the FreePBX banner at the top of the config file.

SIP.Conf Changes for NAT and Exchange Server

Firstly, if you have a NAT’ed network you need to tell Asterisk your external IP address. Edit /etc/asterisk/sip_general_custom.conf to contain:

nat=yes
;externip needs to be your public IP
externip=w.x.y.z
;localnet=internal_IP_network/subnet_mask
localnet=192.168.5.0/255.255.255.0

You also need to add the following to the same file:

context = default
bindport = 5060
bindaddr = 0.0.0.0
tcpbindaddr = 0.0.0.0
tcpenable = yes
promiscredir = yes

Amongst these changes some of them tell Asterisk to listen on TCP, bind to all IP addresses and listen on port 5060 for UDP. Exchange Server and Lync Server require TCP support from the IP PBX that they connect to and without these settings Asterisk will only do UDP. Asterisk 1.8 will only listen on 5060 for TCP and there is no config setting to change this. The bindport setting controls the listening port for UDP.

Notice that we changed the sip_general_custom.conf file and not sip.conf. If you did not have FreePBX installed you would make all your changes to Asterisk in the config files and so could edit sip.conf directly. FreePBX overwrites some config files with its settings whenever you click Apply Config in the web GUI. To avoid having your settings overwritten you need to make them to files that are referenced by include statements in the master file.

For this example, if you open sif.conf (in /etc/asterisk) then in the [general] section (where the above edits are needed) you will see #include sip_general_custom.conf. This tells Asterisk to load sip_general_custom.conf as part of sip.conf, and we know that sip_general_custom.conf will not be overwritten by FreePBX because it does not tell us this at the top of the file.

To determine the file that you need to make the change in for other config files open the master file that you need to edit (i.e. sip.conf in this example) and see if there is a FreePBX banner at the top of the file. If not, then edit the file as required. If there is a banner telling you not to make changes then look for the section that your change will be inside (for example in sip.conf above we made our initial changes in the [general] section) and locate the #include statement that follows that section. This statement tells Asterisk the name of additional config files to load and to consider as part of the master file that you are currently reading. Some of these include files contain the FreePBX banner as well but others don’t for example to make changes to the [general] section of sip.conf we will edit sip_general_custom.conf, the custom config file for the general section in the sip.conf file.

RTP.Conf Changes For Your Network

SIP is the protocol that is used to manage connections between the parties involved in the call. RTP is the protocol used to transfer the voice data. You need to edit /etc/asterisk/rtp.conf so that the rtpstart and rtpend values are suitable for your network.

For each call connections will be made to 5060 and two additional ports. These two additional ports need to be sequential, and the odd numbered port will carry RTP data (voice traffic) into your PBX and the even numbered port carries RTCP packets (data about the connection). Outbound SIP/RTP traffic is determined by settings on the other parties PBX, so you typically need to allow all outbound ports from your PBX.

Therefore you need to configure Asterisk to have a start and end range for RTP that is a minimum of two ports (for one concurrent call) and a max of the number of concurrent calls you can make to through your PBX. Your external firewall will need to be configured to publish all these ports to your IP PBX so don’t make the range too big – but equally you need two ports per concurrent call so don’t make the range too small.

The range will always be the higher of the max number of calls your SIP Trunk provider allows and the number of physical handsets you have (plus some overhead to allow for parked calls). So if you have a five call SIP trunk, ten staff members, and 12 handsets you would need to support at least 12 concurrent calls. Therefore configure RTP to start at 10010 and finish at 10034 (two ports for each of the twelve concurrent calls you can support). Then increase it a bit for your sanity!

Edit /etc/asterisk/rtp.conf so:

rtpstart=10110
rtpend=your calculated value

 

Make sure your firewall forwards these ports to this PBX server and if you have other PBX servers ensure that you do not use the same port range. The following shows an example firewall configuration for this PBX. In the picture and in my config files I am using 5065 for SIP as I have two PBX’s and the other is using 5060.

 

image

 

Once we test calls to the outside world, if you start getting “one way traffic” (that is you can be heard but you cannot hear the caller or the reverse) then you need to check your firewall rules.

 

In Part 4 the fun will start. In this part we will configure a few telephone extensions so that we can make internal calls and then configure a SIP Trunk provider so we can make external calls. Part 5 will look at configuring Exchange Server 2010 and Part 6 the same, but for Exchange Server 2013. Part 7 will look at connecting these calls to your Exchange Server when we want to record a voicemail message.