Working with Virtual Private Networks

Another possibility for remote connections to the company network involves the use of a Virtual Private Network (VPN). A VPN is a secure, dedicated, point-to-point connection over a public IP internetwork, such as the Internet. Using a VPN means that you don't have to configure the RAS server with a modem pool or other WAN connection type. The RAS server just needs to be connected to the Internet, and the remote client will connect to the company network by tunneling through the Internet.

A VPN connection has both a client and server side (as do remote access dial-up connections). The tunnel server provides the server side of the connection. Most network operating systems provide support for VPNs in their remote access software. The VPN client is referred to as the tunnel client and will need remote access software configured to connect to a VPN tunnel server. The actual connection between the server and the client is referred to as the tunnel.

VPN connections or tunnels are managed by the Point-to-Point Tunneling Protocol (PPTP). PPTP is an extension of the Point-to-Point Protocol (PPP) and provides for the encapsulation of the data that moves between the remote client and the RAS server over the Internet. Basically, your data frames (such as Ethernet frames) are encapsulated by PPP and then encapsulated again by PPTP. This means that any frame type can be transmitted over the Internet between the remote client and the RAS server. When encapsulated data frames reach their destination, they are "unencapsulated," meaning the PPP and PPTP "baggies" are stripped from the data frames.
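The two-layer wrapping described above, as an added example that is not part of the original text: a payload is first given a PPP protocol field, then carried in the enhanced GRE header that PPTP uses (RFC 2637), and the receiver strips both layers again. The sample IPv4 bytes are constructed for illustration, and the example assumes PPP address/control field compression has been negotiated, so the PPP frame starts directly with its 2-byte protocol field.

```python
import struct

GRE_PROTO_PPP = 0x880B    # GRE protocol type for PPP payloads (RFC 2637)
PPP_PROTO_IPV4 = 0x0021   # PPP protocol number for IPv4 datagrams
GRE_K, GRE_S, GRE_A, GRE_VER_MASK = 0x2000, 0x1000, 0x0080, 0x0007

def ppp_encapsulate(payload: bytes, ppp_proto: int = PPP_PROTO_IPV4) -> bytes:
    """Inner 'baggie': prefix the datagram with its PPP protocol field.
    Assumes address/control field compression, so no 0xFF 0x03 prefix."""
    return struct.pack("!H", ppp_proto) + payload

def pptp_gre_encapsulate(ppp_frame: bytes, call_id: int, seq: int) -> bytes:
    """Outer 'baggie': enhanced GRE header with Key (payload length + call ID)
    and Sequence number present, version 1, no acknowledgement field."""
    flags_ver = GRE_K | GRE_S | 1
    hdr = struct.pack("!HHHHI", flags_ver, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    return hdr + ppp_frame

def pptp_gre_decapsulate(pkt: bytes) -> tuple:
    """Strip both layers and return (call_id, seq, ppp_proto, payload).
    Every length is checked first, so a truncated or inconsistent packet
    raises ValueError instead of being passed up the stack."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags_ver, proto, plen, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (flags_ver & GRE_VER_MASK) != 1:
        raise ValueError("not an enhanced-GRE PPTP packet")
    off, seq = 8, None
    if flags_ver & GRE_S:           # sequence number present
        if len(pkt) < off + 4:
            raise ValueError("truncated sequence field")
        (seq,) = struct.unpack("!I", pkt[off:off + 4]); off += 4
    if flags_ver & GRE_A:           # acknowledgement number present
        if len(pkt) < off + 4:
            raise ValueError("truncated ack field")
        off += 4
    ppp = pkt[off:]
    if len(ppp) != plen or plen < 2:
        raise ValueError("payload length mismatch")
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    return call_id, seq, ppp_proto, ppp[2:]

# Constructed sample: a 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2) with no body.
# Only the framing is shown here; PPTP's MS-CHAPv2/MPPE protection is considered broken.
SAMPLE_IPV4 = bytes.fromhex("45000014000100004001000a0a0000010a000002")

def round_trip(call_id: int = 7, seq: int = 1) -> tuple:
    """Encapsulate the sample datagram and unwrap it again on the far side."""
    return pptp_gre_decapsulate(pptp_gre_encapsulate(ppp_encapsulate(SAMPLE_IPV4), call_id, seq))
```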



A VPN can also be used to create a connection between a branch office and the main corporate office. As long as the branch office can connect to the Internet, data can be securely routed over a VPN tunnel to and from the corporate network. This can actually be a cost-saving measure because a dedicated line, such as a leased phone line or some other WAN connection, doesn't have to be maintained between the branch and main offices.

Configuring a Tunnel Server

A number of network operating systems provide support for VPN remote access. In some cases, the Remote Access Service that is configured for remote dial-up connections can also be configured for VPN. For example, the Windows Server 2003 Routing and Remote Access snap-in provides a wizard (just like it does for dial-up connections) that can be used to quickly configure the VPN.

Figure 17.7 shows the Windows Server 2003 wizard for configuring VPNs. The NIC that provides the connection to the Internet for the server must be specified as the connection for incoming VPN connections.

Figure 17.7. Network operating systems such as Windows Server 2003 also provide remote access to the network via VPN.


The remote access server can also be configured to supply IP addresses to VPN clients that connect to the RAS server (or the RAS server will allow the network DHCP server to assign appropriate addresses). Such an IP address is actually assigned to the PPP virtual adapter that is created on the tunnel client (once it has been configured for VPN). This assigned IP address does not conflict with the IP address that has been assigned to the client's dial-up adapter by the ISP used by the client to connect to the Internet. The client will actually be simultaneously connected to two different IP networks because of the VPN tunnel (one network being the ISP's network; the other being the Windows network that the client is connecting to via the VPN).



Windows Server 2003 VPNs also provide a second tunneling protocol. L2TP is an industry-standard tunneling protocol that can also be used to create VPN connections over the Internet. Unlike PPTP, L2TP does not require IP communication between the client and the server. This means that L2TP can be used over media other than the Internet, such as X.25, Frame Relay, and Asynchronous Transfer Mode (ATM).

Configuring a Tunnel Client

Once the tunnel server is configured on the network (and connected to the Internet), the tunnel client needs to be set up. The client needs to be outfitted with a modem or some other connectivity medium and have an account with an ISP for a connection to the Internet.

The tunnel client is configured using the dial-up client software provided by the client's operating system. For example, on a Windows 2000 VPN tunnel client, the VPN connection (and the addition of PPTP to the computer's protocol list) is handled by the Network Connection Wizard (in the same manner as a dial-up connection is created). During the configuration process of the client, the IP address of the tunnel server (the RAS server on the network) must be specified, as shown in Figure 17.8.

Figure 17.8. The IP address of the tunnel server must be specified when the tunnel client is being configured.


Once the tunnel client is configured, it's just a matter of double-clicking the VPN connection icon that is created during the client setup (on the client computer, it is found in the Network Connections window of the Control Panel). The username and password of the tunnel client are verified by the tunnel server when the connection is requested by the remote client.

Monitoring VPN Connections

Once the tunnel client has connected to the tunnel server, the VPN connection can be used to move data between the two computers. In essence, the tunnel client is now connected to the network just like any other LAN client. The user will have access to any network resources that she has the appropriate privileges for.

Remote access servers that provide VPN support also supply you with the ability to monitor remote connections (as do remote access servers that supply dial-in access). Not only can you view the total number of connections, but you can also view statistics related to each individual connection, such as the time connected and the activity (such as the amount of data moved) that has taken place on the connection.

Both dial-up and VPN connections allow you to expand your network beyond the confines of your LAN infrastructure. This allows you to accommodate employees on the road, employee telecommuters, and employees working at remote corporate sites.



RAS servers supplying dial-up or VPN connections can also control these remote connections. As the network administrator, you can actually close a connection if you wish. You can also monitor connection time and the amount of data that has been moved on a remote connection.

Absolute Beginner's Guide to Networking (4th Edition)
ISBN: 0789729113
Year: 2002
Pages: 188
Author: Joe Habraken