Virtual Private Networking


You know that you can use dial-up networking to connect to your office LAN or home computer from afar. But, with the Internet providing network connections and local modem access nearly all over the world, why can't you reach your network through the Internet instead of placing a possibly expensive long-distance call?

Well, in fact, you can. Microsoft networking can use the Internet's TCP protocol to conduct its business, so you can use an Internet connection to access shared files and printers, if the computer you want to reach has an Internet connection up and running.

But the Internet is not a friendly place. With tens of millions of people using it every day, you must expect that some percentage of them are up to no good. Network break-ins are everyday news now. If your computer's file sharing services are exposed to the Internet, any number of people thousands of miles away could just try password after password in the hope of guessing one that will give them access to your files. How do you take advantage of the convenience of accessing network services over the Internet without, figuratively speaking, putting out a big welcome mat that says "Please Rob Me?"

The answer is by the use of firewalls and Virtual Private Networking. I'll describe these concepts in detail in Chapter 21, but in a nutshell, a Virtual Private Network (VPN) lets you connect to a remote network in a secure way. Access by random hackers is blocked by a network firewall, but an authorized user can penetrate the firewall. Authorized data is encapsulated in special packets that are passed through the firewall and inspected by a VPN server before being released to the protected network. VPNs create what is effectively a tunnel between your computer and a remote network, a tunnel that can pass data freely and securely through potentially hostile intermediate territory.

Figure 18.18 illustrates the concept, showing a Virtual Private Network connection between a computer out on the Internet and a server on a protected network. The figure shows how the computer sends data (1) through a VPN connection, which encapsulates it (2) and transmits it over the Internet (3). A firewall (4) passes VPN packets but blocks all others. The VPN server verifies the authenticity of your data, extracts it (5), and transmits the original packet (6) on to the desired remote server. The encapsulation process allows for encryption of your data, and allows "private" IP addresses to be used as the endpoints of the network connection.

Figure 18.18. A Virtual Private Network encapsulates and encrypts data that is passed over the Internet.


On Windows XP, VPN connections work like dial-up connections. Once you have an Internet connection established (via modem or a dedicated service), a dial-up connection icon establishes the link between your computer and a VPN server on the remote network. Once connected, the VPN service transmits data between your computer and the remote network. In effect, you are part of the distant LAN.

You can use Windows XP's VPN service to allow incoming connections to your computer as well. You can use the Internet Connection Firewall or a firewall on your LAN to protect against hackers, yet still connect to your computer through the Internet to retrieve files from afar.

Windows XP supports two VPN encapsulation or repackaging technologies. The Point-to-Point Tunneling Protocol, or PPTP, was developed by Microsoft and was provided with previous versions of Windows. The Layer Two Tunneling Protocol, or L2TP, is an industry standard technology, and is faster and better than PPTP. L2TP requires a certificate for its IPSec-based encryption, so if you don't have Windows 200x Server, Windows will automatically use PPTP for VPN connections.

Setting Up for Virtual Private Networking

To establish a VPN connection from your computer to another network, you must know the hostname or IP address of the remote VPN server. This information corresponds to the telephone number in a dial-up connection; it lets you specify the endpoint of the tunnel. VPN connections are set up by the New Connection Wizard. Just follow these steps:

1.

Open Network Connections. You can view My Network Places and select the View Network Connections task, or, if Connect To appears on your Start menu, choose Connect To, Show All Connections.

2.

Select Create a New Connection from Network Tasks.

3.

Select Connect to the Network at My Workplace and click Next. (This is a poorly named choice; you might be connecting to your home computer!)

4.

Select Virtual Private Network Connection, and click Next.

5.

Enter a name for the connection, such as "VPN to Office."

6.

If you use a dial-up connection to connect this computer to the Internet, you can select Automatically Dial This Initial Connection to ensure that your Internet connection is up before attempting the VPN connection, as shown in Figure 18.19. If you have a dedicated Internet connection, use a shared connection from another computer, or want to make a dial-up connection manually, choose Do Not Dial, and click Next.

Figure 18.19. You can have Windows automatically dial a selected Internet connection before making a VPN connection.


7.

Enter the hostname or IP address of the remote dial-in server, for example, vpn.mycompany.com, and select Next.

8.

Click Finish to close the wizard.

NOTE

You can delete a connection shortcut later if you don't want it and can drag the connection icon from Network Connections to your desktop later if you do.


Windows immediately opens the Dialer dialog. Before establishing the connection for the first time, verify the connection's properties pages.

VPN Connection Properties

To modify a VPN connection's properties, click the Properties button on the dialer dialog, or right-click the connection icon in Network Connections and select Properties.

The properties page has five tabs. Most of the time, the default settings will work correctly, but you should check some of them. In this section, I'll walk you through the most important parameters.

General Properties

The General tab of the Properties dialog holds the hostname or IP address of your VPN connection server, and if needed, the name of a dial-up connection to use to carry the VPN connection. If you are establishing the VPN connection over a LAN or dedicated Internet connection, you can uncheck Dial Another Connection First.

Options

The Options tab includes dialing and redialing options. The two important options are

  • Prompt for name and password: If you tell Windows to remember your username and password when dialing, and after you've made a successful connection once, you can uncheck this option to bypass the Dialing dialog. When you select the connection icon, Windows will just make the connection.

  • Include Windows logon domain: If the VPN server is a Windows 2003, NT, or 2000 server, you may need to provide your login domain name with your username. You can also enter domain\username or, with Windows 200x servers only, username@domain.

Security

It's unlikely that you will need to change any security settings. The data in a VPN connection is usually carried across the Internet, and a high level of security is required. Your password and data should be encrypted in the strongest fashion possible. Be sure that Require Secured Password and Require Data Encryption are set on the Security tab.

If you use the same logon name, password, and domain name on your local computer as you use on the remote network, you can check Automatically Use My Windows Logon Name and Password so that you don't have to enter it whenever you use the connection.

Networking

It's likely that you want to participate as a full member of the remote network, so leave all Components checked on the Networking tab of the Properties dialog.

As I mentioned, Windows XP and 2000 use two types of VPN protocols. Generally, you can leave the Type of VPN server set to Automatic, and Windows will determine to which type it's connected when it makes each call.

If the remote network is a complex, multi-subnet network, or if you want to browse the Internet while you're using the VPN, you also must deal with the gateway issue, which I'll discuss later in this chapter under "Routing Issues." To change the gateway setting:

1.

Select Internet Protocol, and choose Properties. Leave the IP address and DNS information set to Obtain Automatically, and click Advanced.

2.

If the remote network has only one subnet, or you will set routes to multiple subnets manually, uncheck Use Default Gateway on Remote Network.

Dialing a VPN Connection

Making a VPN connection follows the same procedure as making a dial-up connection:

1.

Select the desired VPN connection icon from Network Connections.

2.

If this VPN connection requires a dial-up connection, you are prompted with the username and password for your dial-up connection to your ISP. Check for the proper location and dialing rules, and then select Dial. After the connection has been made, Windows proceeds to make the VPN connection.

3.

Enter the username and password for access to the remote network. Select Connect.

Windows then contacts the remote VPN server, verifies your username and password, registers your computer on the network, and creates a connection status icon in the notification area, just as for a standard dial-up connection.

You can use the remote network now, access shared files and folders, access printers, synchronize offline folders, and so on.

When you're finished, right-click the connection icon, and select Disconnect.

Routing Issues

If the remote network you want to use is a simple, small network with only one subnet or range of IP addresses, you can skip this section. Otherwise, I must address an issue with TCP/IP routing here, as much as I fear it's a real can of worms.

When you establish a VPN connection to another network, your computer is assigned an IP address from that other network for the duration of your connection. This address might be a private, non-Internet-routable address like 192.168.1.100. All data destined for the remote network is packaged up in PPTP or L2TP packets and sent to the remote host. But what happens if you want to communicate with two servers (a private server through the tunnel and a public Web site on the Internet) at the same time?

When you send data to an IP address that doesn't clearly belong to the private network's range, Windows has two choices: It can pass the data through the tunnel and let the network on the other end route it on, or it can pass the data without encapsulation and let it travel directly to the Internet host.

It would seem sensible that Windows should always use the second approach because any IP address other than, say, 192.168.1.xxx obviously doesn't belong to the private network and doesn't need protection. That's right as long as the remote network has only one such subnet. Some complex corporate networks have many, with different addresses, so Windows can't always know just from the address of the VPN connection which addresses belong to the private network and which go direct.

If you plan to use a VPN connection and the Internet at the same time, you must find out whether your remote network has more than one subnet. Then follow this advice:

  • If the remote network has only one subnet, tell Windows not to use the remote network as the gateway address for unknown locations. This is the easy case.

  • If the remote network has more than one subnet, tell Windows to use the remote network as its gateway, so you can connect to all servers on the remote network. But Internet access goes through the tunnel, too, and from there to the Internet. It slows things down.

  • Alternatively, you can tell Windows not to use the remote network gateway and you can manually set routes to other subnets while you're connected. It's tricky and inconvenient. I'll show you how I do it at the end of the chapter, under "Tips from the Windows Pros."

When you know how you'll resolve the gateway issue, refer to the VPN Connection Properties earlier in this chapter to make the appropriate settings on the connection's Networking properties tab.
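As an added illustration (not from the book), the following Python models the routing choice just described: Windows picks the most specific route that matches the destination, and the Use Default Gateway on Remote Network setting decides where addresses that match nothing else go. The subnets and addresses are constructed samples; the three scenarios correspond to the three bullets above.

```python
"""Model of the split-tunnel routing decision described under "Routing Issues".
Constructed example; the subnets and destinations are made-up sample values."""
import ipaddress

# The VPN server assigned this client an address in 192.168.1.0/24 (constructed).
VPN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Further subnets of a multi-subnet corporate network (constructed values).
EXTRA_SUBNETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("172.16.5.0/24")]


def build_routes(use_remote_gateway, manual_routes=()):
    """Return (network, interface) pairs as Windows would consult them.
    'tunnel' is the VPN adapter, 'direct' is the local ISP link.
    use_remote_gateway mirrors the Use Default Gateway on Remote Network box;
    manual_routes are extra subnets added by hand while connected."""
    routes = [(VPN_SUBNET, "tunnel")]
    routes += [(net, "tunnel") for net in manual_routes]
    default = "tunnel" if use_remote_gateway else "direct"
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default))
    return routes


def choose_interface(dest, routes):
    """Longest-prefix match: the most specific matching route wins."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, iface in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def classify(dests, routes):
    """Map each destination to the interface the packet would leave on."""
    return {d: choose_interface(d, routes) for d in dests}


if __name__ == "__main__":
    # A private server on the first subnet, one on a second subnet,
    # and a public Web site (TEST-NET address, constructed).
    targets = ["192.168.1.10", "10.20.3.4", "198.51.100.7"]
    print("one subnet, gateway unchecked :", classify(targets, build_routes(False)))
    print("multi subnet, gateway checked :", classify(targets, build_routes(True)))
    print("gateway unchecked + manual    :",
          classify(targets, build_routes(False, EXTRA_SUBNETS)))
```

In the first scenario the second-subnet server is wrongly sent direct to the Internet, which is why a multi-subnet network needs either the remote gateway or manual routes.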

Enabling VPN Access to Your Computer

You can enable incoming VPN connections to your computer if it has a dedicated Internet connection. Your Windows XP computer can act as a VPN server for one incoming connection at a time. You can connect to your computer through the Internet from home or in the field from a computer running Windows 9x, NT, 2000, or of course, XP.

To function correctly, however, your computer must have a known IP address, and if its Internet connection is made through a router, Internet Connection Sharing, or a connection sharing device, then PPTP packets must be forwarded to your computer. I'll discuss this in more detail shortly, under "Enabling Incoming VPN Connections with NAT."

The process for enabling VPN access is exactly the same as for enabling dial-in access, so see the section "Enabling Dial-In Access to Your Computer" earlier in this chapter. Follow those instructions, being sure to enable an incoming VPN connection. You don't need to choose any modems to receive incoming modem calls.

When Incoming Calls is configured, your computer can be contacted as the host of a VPN connection. To connect to it, establish a VPN connection as you learned in the preceding section, using your computer's public IP address or hostname as the number to dial.

NOTE

You must configure the Internet protocol to assign valid IP addresses for incoming connections. This topic, which was discussed in "Enabling Dial-Up Access to Your Computer," applies to VPN access, too.


NOTE

Windows Firewall doesn't have to be told to permit incoming VPN connections, as it knows to let them in.


Enabling Incoming VPN Connections with NAT

Microsoft's Internet Connection Sharing and the commercial DSL/cable sharing routers known as Residential Gateways use an IP addressing trick called Network Address Translation or NAT to serve an entire LAN with only one public IP address. Incoming requests, as from a VPN client to a VPN server, have to be directed to a single host computer on the internal network.

This means if you use a shared Internet connection, only one computer can be designated as the recipient of incoming VPN connections. If you use Microsoft's Internet Connection Sharing, that computer should be the one sharing its connection. It will receive and properly handle VPN requests.

If you use a hardware sharing router, the VPN server can be any computer you wish to designate. (Remember that once the VPN connection is established, you can communicate with any of the computers on the LAN.) Your router must be set up to forward the following packet types to the designated computer:

  • TCP port 1723

  • GRE (IP protocol 47; this is not the same as port 47!)

Unfortunately, many of the inexpensive commercial DSL/cable connection sharing routers (residential gateways) don't always have a way to explicitly forward GRE packets. There are several ways around this:

  • Some routers know about Microsoft's PPTP and you can specify the computer that is to receive incoming VPN connections.

  • If you enable Universal Plug and Play (UPnP) on your router, and also install the optional UPnP User Interface network component, Windows can tell the router to forward incoming VPN connections. UPnP is discussed in Chapter 19, "Connecting Your LAN to the Internet."

  • If neither of these options is available, you may designate the VPN computer as a DMZ host, so that it receives all unrecognized incoming packets.

CAUTION

If you designate a computer as a DMZ host, that computer can be vulnerable to hacker attacks. You must enable Windows Firewall on this computer's network connection, and must disable exceptions. You must also configure your router to block Microsoft File Sharing packets, at the very least. Set up filtering to block TCP and UDP ports 137 through 139 and 445.


To learn more about forwarding network requests on a shared Internet connection, see p. 769.


Special Edition Using Microsoft Windows XP Professional (3rd Edition)
ISBN: 0789732807
Year: 2003
Pages: 450