HP ProCurve Network Config - New DHCP Scope and Default Gateway


Recommended Posts

I've been looking into Always-On VPN from Microsoft and started to implement it for testing. I'm looking at networking section and it recommends having a DHCP scope set up for VPN clients. I have created the scope, set the pool and set the default gateway address. Now...I have no network config set up for this traffic and I've gotten a bit stuck. So I have the following:

VPN server with 2x NIC; 1x 10.22.0.x on our DMZ and 1x 10.22.11.0 on our server VLAN. Route created between the NICs.
Certificate server configured as per Microsoft's documentation.
NPS server configured as per Microsoft's documentation.
Firewall rules created to our DMZ IP
Internet DNS created to our Internet facing VPN URL
DHCP range set up for; 10.22.220.x/24 with 10.22.220.1 as the default gateway and 10.22.220.2-254 as client addresses.

 

We have a HP ProCurve 5406Rzl2.


1) How do I create a default gateway, so that our authenticated clients on the VPN DHCP scope can talk to the rest of our site and access their home folder, shared drives, etc?
2) Do I need to VLAN this traffic off? If so, what commands are needed for this?

Thanks!

Edited by Daedroth
1 hour ago, Daedroth said:

VPN server with 2x NIC; 1x 10.22.0.x on our DMZ and 1x 10.22.11.0 on our server VLAN. Route created between the NICs.

Huh?  A device with multiple nics on different networks does not need a route create, any device would automatically know what networks its connected too..  What you need to tell such a device is what other gateway it might use connected to these 2 networks it might use to get to some other network.  A default route is just telling the device hey if you want to get to some other network that is different than what your directly connected to.. Or have a specific route to, send the traffic to the default.

 

What is always helpful in such discussions is a map of your network(s)..

 

With a vpn client connecting to any vpn you have 2 options you send it a default route and say any network you do not have some other route for send down the vpn... Or you send the vpn client specific routes that say hey if you want to get to network XYZ send it down the vpn.

 

So is this 10.22.220 network your vpn tunnel network?  And you want these vpn clients to be able to get to your 10.22.0 or 10.22.11 that are directly connected to the vpn server?  Having a hard time getting what your actually trying to accomplish.

Sorry, I should have been more clear. I work in a school and we have RDS and Direct Access at the moment for remote access from home for staff. RDS isn't great and Direct Access is down-right awful for our needs. This is why I'm investigating Microsoft's DA replacement, Always-On VPN.

 

We have a HP ProCruve 5406Rzl2 as a core switch, with various other HP ProCurve edge switches. The 5406 has some static routes enabled to route traffic between the various different VLANs. To be clear, this isn't being used as a router (for the Internet), we have a specific Juniper router for that.

 

You'll have to forgive the (very) crude drawing in Paint! I've attached it to this post.

 

Our main VLANs are as follows (there are more, but I haven't included them here as they are for IP phones, WiFi Management, WiFi BYOD, WiFi Guest, etc):

 

Servers on the ESXi Hosts are on VLAN 11 (10.22.11.x/24)

Switches are on VLAN 10 (10.22.10.x/24)

Client PCs are on VLAN 100 (10.22.100.x/22)

Wireless staff devices are on VLAN 160 (10.22.100.x/22)

Wireless students devices are on VLAN 180 (10.22.100.x/22)

 

Our VPN server is virtual on one of our ESXi hosts, with two NICs as previously stated. The idea is that staff can take their school provided laptops home and connect to our services to work from home. At the moment, they can use RDS, which is limited as we can't provide more resources to the RDS VM. Direct Access wasn't able to meet our requirements, so we aren't using that any more.

 

I hope that makes more sense.

 

Network Layout.png

So this juniper is connected to your 5406 which is doing all your intervlan routing, and therefore a downstream router from your edge.. And this is connected via a transit network which is what?

 

Whatever your infrastructure/admin vlan the access switches, not edge.. If they do not have another network touching them they are not at the edge of anything ;)

 

Putting your vpn server inside your network is very problematic since if not done correctly you end up with asymmetrical routing and hairpins... This vpn server needs to be on a transit network, or you would need to do source natting, or specific host routing on every device the vpn clients are going to talk to telling them to talk back to the vpn server for your vpn client tunnel network vs their default gateway if the vpn server is directly connected to that network, etc..

 

So this 10.22.0 that your calling a dmz is a transit network?  And then the Servers are on VLAN 11 (10.22.11.x/24) directly connected to the vpn server.  What is the default gateway of these servers?  Clients coming through the vpn that want to talk to these servers would cause asymmetrical traffic (what is the default gateway for these servers?) IP address of your 5406 router I would assume, so traffic would come from the vpn server directly to the server, but then the server would send the traffic back to its gateway because how else would it get to the vpn clients IP other than its default gateway.. Which you didn't mention.. So no not only do you have asymmetrical you have a hairpin..

 

With a downstream router and you want to hang a vpn server off this router via a transit or off your edge via a transit, to avoid any asymmetrical routing. 1 transit to the edge, you can call this your dmz if you want.. And then a transit network to get to the rest of your networks..

 

Normally the "dmz" or firewalled segment that would be used for access from the internet would hang off your edge router/firewall - in this case your juniper, then you would connect it to the rest of your network via anther transit..

 

So like this..

downstreamvpn.thumb.png.83da005ea05402a8c0ccb8c680979689.png

 

Your transit networks B a C could both be connected to your router (5406) in your case...  The point is to avoid hairpins and asymmetrical routing.. You could also skin that cat with source natting, But in my example you never have asymmetrical routes or hairpins... So coming from the internet you hit vpn public side on transit B, if your vpn traffic would then flow down transit C to get to any of your downstream networks.  Reverse traffic would go back the same way.. And you do not have any hairpins in such a setup.. ie traffic entering and leaving the same interface..

 

Your example is how I believe it is conifgured at the moment.

 

Internet traffic > Juniper Firewall

Firewall NATs traffic to 10.22.0.31 (VPN server external NIC)

VPN Server Authenticated traffic > Core switch (and rest of network) via internal NIC

 

We have a couple of other servers in the 'DMZ' for AD FS and a Gateway server for RDS.

 

However, when external clients connect through the VPN connection, they are assigned internal IP addresses from DHCP. This is where I am stuck. Here is one of the guides I've been using: http://www.thewindowsclub.com/always-on-vpn-windows-10. See the section underneath the diagram.

Edited by Daedroth
1 hour ago, Daedroth said:

VPN Server Authenticated traffic > Core switch (and rest of network) via internal NIC

Is there anything on this network that is on the internal network?  If so what are they pointing to for their gateway?

 

What IP/network are you vpn clients getting?

8 minutes ago, BudMan said:

Is there anything on this network that is on the internal network?  If so what are they pointing to for their gateway?

 

What IP/network are you vpn clients getting?

I haven't gotten as far as getting the clients connected yet. I am still in the configuration setup. I was planning on having the DHCP scope configured before I commenced testing.

 

Basically, the default gateway is 10.22.x.1 (the first IP of the subnet). For example:

Any device in our 'DMZ' on 10.22.0.x has a default gateway of 10.22.0.1

Any internal server on 10.22.11.x has a default gateway of 10.22.11.1

Any device on our staff wireless has a default gateway of 10.22.160.1

 

I have the DHCP scope of 10.22.220.0/24 configured in DHCP (Windows Server 2012 R2), with the default gateway specified as 10.22.220.1. I just need the VPN clients on 10.22.220.0 to be able to communicate with our servers on 10.22.11.0/24.

 

So I am assuming that I need to tell the HP switch that traffic is allowed to pass from 10.22.220.0/24 to 10.22.11.0/24? This is where I am stuck.

 

 

On 12/8/2017 at 11:26 AM, Daedroth said:

Any device in our 'DMZ' on 10.22.0.x has a default gateway of 10.22.0.1

Which makes it asymmetrical and a problem..

 

So your NOT setup like I stated via 2 transits...  If your vpn server has leg on a network that your vpn clients will be talking to... And devices on this network do not use the vpn server as gateway then you have asymmetrical routing which is going to be a problem...

On 12/8/2017 at 11:26 AM, Daedroth said:

So I am assuming that I need to tell the HP switch that traffic is allowed to pass from 10.22.220.0/24 to 10.22.11.0/24? This is where I am stuck.

No you need to fix the bad routing...

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.