Steps for Implementing and Testing Windows Network Virtualization

There are four steps to implementing and testing Windows Network Virtualization in the System Center 2012 Virtual Machine Manager R2 evaluation.

1.       Establish site-to-site VPN connections between the simulated customer on-premises environments running on WNVHOST4 and the Network Virtualization Gateway running on WNVHOST3.

2.       Deploy tenant virtual machines to a VMM host to leverage Windows Network Virtualization and cross-premises VPN connectivity.

Step 1: Establish site-to-site VPN connections

In this step, you will install and configure RRAS on the EDGE1 servers for both Contoso and Fabrikam. These servers will be used to establish cross-premises VPN connections to make hosted cloud resources available to the on-premises customer corpnet environments.

Install RRAS on Contoso EDGE1 and create a site-to-site VPN connection to GatewayVM1 running on WNVHOST3

To install RRAS on EDGE1

1.     On the WNVHOST4 server, connect to the Contoso EDGE1 virtual machine.

2.     Sign in as CORP\User1.

3.     On the Server Manager Dashboard screen, under Configure this local server, click Add roles and features.

4.     Click Next three times to get to the server role selection screen.

5.     On the Select Server Roles page, select Remote Access and then click Next.

6.     On the Features selection screen, click Next.

7.     On the Remote Access screen, click Next.

8.     On the Role Services selection screen, click to select the DirectAccess and VPN (RAS) and the Routing role services. Click Add Features when prompted, and then click Next.

9.     Click Next twice to accept the default settings for Web Server Role and Role Services, and then click Install.

10.  Verify that the installation was successful, and then click Close.

To establish a site-to-site VPN connection between EDGE1 and WNVHOST3

1.     On the Contoso EDGE1 server running on WNVHOST4, click Start, and then click Routing and Remote Access.

2.     In Routing and Remote Access, right-click EDGE1 (local) in the console tree, and then click Configure and Enable Routing and Remote Access.

3.     The Routing and Remote Access Server Setup Wizard appears. Click Next.

4.     On the Configuration page, select Secure connection between two private networks. Connect this network to a remote network such as a branch office, and then click Next.

5.     On the Demand-Dial Connections page, verify that Yes is selected, and then click Next.

6.     On the IP Address Assignment page, select Automatically. Click Next.

7.     Click Finish.

8.     The Demand-Dial Interface Wizard will start. Click Next.

9.     On the Interface Name page, type GatewayVM. Click Next.

10.  On the Connection Type page, select Connect using virtual private networking (VPN). Click Next.

11.  On the VPN Type page, select IKEv2. Click Next.

12.  On the Destination Address page, type 131.107.0.15, and then click Next.

13.  On the Protocols and Security page, select Route IP packets on this interface. Click Next.

14.  On the Static Routes for Remote Networks page, click Add. In Destination, type 10.0.1.0. In Network Mask, type 255.255.255.0. In Metric, type 1. Click OK, and then click Next.

15.  On the Dial-Out Credentials page, click Next.

16.  On the Completing the Demand-Dial Interface Wizard page, click Finish.

17.  In the Routing and Remote Access console, click Network Interfaces.

18.  Right-click the GatewayVM demand dial interface listed in the details pane, and then click Properties.

19.  Select the Security tab, and then under Authentication, select Use preshared key for authentication. Type your administrator password next to Key (this is the administrator password used for the CORP\User1 account).

20.  Under Data encryption, change the option to No encryption allowed (server will disconnect if it requires encryption). Click OK.

21.  Right-click the GatewayVM demand dial interface, and click Connect. Verify that Connection State is listed as Connected.

Install RRAS on Fabrikam EDGE1 and create a site-to-site VPN connection to WNVHOST3

To install RRAS on EDGE1

1.     On the WNVHOST4 server, connect to the Fabrikam EDGE1 virtual machine.

2.     Sign in as CORP\User1.

3.     On the Server Manager Dashboard screen, under Configure this local server, click Add roles and features.

4.     Click Next three times to get to the server role selection screen.

5.     On the Select Server Roles page, select Remote Access and then click Next.

6.     On the Features selection screen, click Next.

7.     On the Remote Access screen, click Next.

8.     On the Role Services selection screen, click to select the DirectAccess and VPN (RAS) and the Routing role services. Click Add Features when prompted, and then click Next.

9.     Click Next twice to accept the default settings for Web Server Role and Role Services, and then click Install.

10.  Verify that the installation was successful, and then click Close.

To establish a site-to-site VPN connection between EDGE1 and WNVHOST3

1.     On the Fabrikam EDGE1 server running on WNVHOST4, click Start, and then click Routing and Remote Access.

2.     In Routing and Remote Access, right-click EDGE1 (local) in the console tree, and then click Configure and Enable Routing and Remote Access.

3.     The Routing and Remote Access Server Setup Wizard appears. Click Next.

4.     On the Configuration page, select Secure connection between two private networks. Connect this network to a remote network such as a branch office, and then click Next.

5.     On the Demand-Dial Connections page, verify that Yes is selected, and then click Next.

6.     On the IP Address Assignment page, select Automatically. Click Next.

7.     Click Finish.

8.     The Demand-Dial Interface Wizard will start. Click Next.

9.     On the Interface Name page, type GatewayVM. Click Next.

10.  On the Connection Type page, select Connect using virtual private networking (VPN). Click Next.

11.  On the VPN Type page, select IKEv2. Click Next.

12.  On the Destination Address page, type 131.107.0.15, and then click Next.

13.  On the Protocols and Security page, select Route IP packets on this interface. Click Next.

14.  On the Static Routes for Remote Networks page, click Add. In Destination, type 10.0.1.0. In Network Mask, type 255.255.255.0. In Metric, type 1. Click OK, and then click Next.

15.  On the Dial-Out Credentials page, click Next.

16.  On the Completing the Demand-Dial Interface Wizard page, click Finish.

17.  In the Routing and Remote Access console, click Network Interfaces.

18.  Right-click the GatewayVM demand dial interface listed in the details pane, and then click Properties.

19.  Select the Security tab, and then under Authentication, select Use preshared key for authentication. Type your administrator password next to Key (this is the administrator password used for the CORP\User1 account).

20.  Under Data encryption, change the option to No encryption allowed (server will disconnect if it requires encryption). Click OK.

21.  Right-click the GatewayVM demand dial interface, and click Connect. Verify that Connection State is listed as Connected.

View the site-to-site VPN connections on GatewayVM1

After you configure GatewayVM1 as a multitenant S2S VPN server using VMM, it cannot be managed from the RRAS user interface on GatewayVM1. You can use the following Windows PowerShell commands to display the RRAS configuration.

To view the S2S VPN connections on GatewayVM1

1.     On the WNVHOST3 server, connect to the GatewayVM1 virtual machine. Sign in as CORP\User1.

2.     From the Server Manager console Tools menu, click Windows PowerShell.

3.     In the Windows PowerShell window, type the following command and press ENTER to display the VPN S2S connections configured by VMM as part of the tenant VM Network creation steps.

Get-VpnS2SInterface | fl

Note that there are two VPN interfaces created, one for the Contoso Routing Domain, and one for the Fabrikam Routing Domain.

4.     Type the following commands to display the network routing compartments configured for each Routing Domain, and the network information associated with the WNV adapter network compartments.

Get-NetCompartment

ipconfig /allcompartments
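
The following is an added example, not part of the original guide: a PowerShell function that checks each interface listed in step 3 against the state this lab expects (IKEv2, Connected) and surfaces the preshared-key and no-encryption choices made on the EDGE1 demand-dial interfaces. The function name Test-S2SInterface and the sample interface names are hypothetical, and the property names are assumed to match the objects that Get-VpnS2SInterface returns.

```powershell
# Added example (not from the original guide). Test-S2SInterface is a
# hypothetical helper. Property names are assumed to match what
# Get-VpnS2SInterface emits; confirm with: Get-VpnS2SInterface | Get-Member
function Test-S2SInterface {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Interface
    )
    process {
        $failures = @()   # a lab verification step is not satisfied
        $review   = @()   # lab-only settings to revisit before reuse elsewhere

        if ($Interface.ConnectionState -ne 'Connected') {
            $failures += "state is '$($Interface.ConnectionState)', expected Connected"
        }
        if ($Interface.Protocol -ne 'IKEv2') {
            $failures += "protocol is '$($Interface.Protocol)', expected IKEv2"
        }
        if ($Interface.AuthenticationMethod -eq 'PSKOnly') {
            $review += 'preshared-key authentication'
        }
        if ($Interface.EncryptionType -eq 'NoEncryption') {
            $review += 'data encryption disabled'
        }

        [pscustomobject]@{
            Name          = $Interface.Name
            RoutingDomain = $Interface.RoutingDomain
            Healthy       = ($failures.Count -eq 0)
            Failures      = $failures -join '; '
            Review        = $review -join '; '
        }
    }
}

# Constructed sample objects (not real lab output) so this runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'Sample-Contoso'; RoutingDomain = 'Contoso'
        Protocol = 'IKEv2'; ConnectionState = 'Connected'
        AuthenticationMethod = 'PSKOnly'; EncryptionType = 'NoEncryption' },
    [pscustomobject]@{ Name = 'Sample-Fabrikam'; RoutingDomain = 'Fabrikam'
        Protocol = 'IKEv2'; ConnectionState = 'Disconnected'
        AuthenticationMethod = 'PSKOnly'; EncryptionType = 'RequireEncryption' }
)
$results = @($sample | Test-S2SInterface)
$results | Format-List
if ($results.Count -ne 2) { Write-Warning 'Expected two S2S interfaces.' }
```

On GatewayVM1, pipe the live data instead of the sample: Get-VpnS2SInterface | Test-S2SInterface | Format-List.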