Persistent Branch Office


The Chicago and Phoenix branch offices of Contoso, LTD. are connected to the corporate office by using persistent site-to-site VPN connections that stay connected 24 hours a day. The Windows Server 2003 routers in the Chicago and Phoenix offices are equipped with T1 WAN adapters that have a permanent connection to a local ISP to gain access to the Internet. In today’s communications market, many companies would use ADSL or cable modem for these purposes for two reasons. First, the recurring monthly cost is much lower: an ADSL or cable modem Internet connection costs less than $100 U.S. per month, as opposed to more than $1,000 U.S. per month for a T1 leased line. Second, they provide a decent amount of bandwidth, at a minimum equivalent to a dual-channel ISDN 128-kilobits-per-second (Kbps) link.

The Chicago branch office uses the IP network ID of 192.168.9.0 with a subnet mask of 255.255.255.0 (192.168.9.0/24). The Chicago branch office router uses the public IP address of 131.107.0.1 for its Internet interface. The Phoenix branch office uses the IP network ID of 192.168.14.0 with a subnet mask of 255.255.255.0 (192.168.14.0/24). The Phoenix branch office router uses the public IP address of 157.60.0.1 for its Internet interface.

The VPN connection is a two-way initiated connection. The connection is initiated from either the branch office router or the VPN server. Two-way initiated connections require the creation of demand-dial interfaces, remote access policies, and static IP address pools on the routers on both sides of the connection.

Figure 10-4 shows the Contoso, LTD. VPN server that provides persistent branch office connections.

Figure 10-4: The Contoso, LTD. VPN server that provides persistent branch office connections.

Additional Configuration

To deploy persistent site-to-site VPN connections to connect the Chicago and Phoenix branch offices to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” section of this chapter, the following additional settings are configured.

Domain Configuration

For the Chicago office VPN connection that is initiated by the Chicago router, the user account VPN_Chicago is created with the following settings:

  • Password of U9!j5dP(%q1.

  • For the account properties of the VPN_Chicago account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected.

  • For the dial-in properties on the VPN_Chicago account, the remote access permission is set to Control Access Through Remote Access Policy.

  • The VPN_Chicago account is added to the VPN_Routers group.

For the Phoenix office VPN connection that is initiated by the Phoenix router, the user account VPN_Phoenix is created with the following settings:

  • Password of z2F%s)bW$4f.

  • For the account properties of the VPN_Phoenix account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected.

  • For the dial-in properties on the VPN_Phoenix account, the remote access permission is set to Control Access Through Remote Access Policy.

  • The VPN_Phoenix account is added to the VPN_Routers group.

For the Chicago office VPN connection and the Phoenix office VPN connection that are initiated by the VPN server, the user account VPN_CorpHQ is created with the following settings:

  • Password of o3\Dn6@`-J4.

  • For the dial-in properties on the VPN_CorpHQ account, the remote access permission is set to Control Access Through Remote Access Policy.

  • The VPN_CorpHQ account is added to the VPN_Routers group.

Remote Access Policy Configuration

Because these are two-way connections, remote access policies must be configured at the VPN server, the Chicago router, and the Phoenix router.

Remote access policy configuration at the VPN server

The remote access policy configuration for the VPN server is the same as described in the “On-Demand Branch Office” section of this chapter.

Remote access policy configuration at the Chicago router

To define the authentication and encryption settings for the VPN connections, the following remote access policy is created:

  • Policy Name: VPN Routers

  • Access Method: VPN

  • User Or Group Access: Group, with the VPN_Routers group selected

  • Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected

  • Policy Encryption Level: Strong Encryption and Strongest Encryption selected

Remote access policy configuration at the Phoenix router

To define the authentication and encryption settings for the VPN connections, the following remote access policy is created:

  • Policy Name: VPN Routers

  • Access Method: VPN

  • User Or Group Access: Group, with the VPN_Routers group selected

  • Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected

  • Policy Encryption Level: Strong Encryption and Strongest Encryption selected

IP Address Pool Configuration

IP address pools must be configured at the VPN server, the Chicago router, and the Phoenix router as shown in the following sections.

IP address pool configuration at the VPN server

The IP address pool configuration for the VPN server is the same as described in the “Common Configuration for the VPN Server” section of this chapter.

IP address pool configuration at the Chicago router

A static IP address pool with a starting IP address of 192.168.9.248 and an ending IP address of 192.168.9.253 is configured. This creates a static address pool for up to five VPN clients.

IP address pool configuration at the Phoenix router

A static IP address pool with a starting IP address of 192.168.14.248 and an ending IP address of 192.168.14.253 is configured. This creates a static address pool for up to five VPN clients.

The following sections describe a PPTP-based persistent branch office connection for the Chicago office and an L2TP/IPSec-based persistent branch office connection for the Phoenix office.

PPTP-Based Persistent Branch Office

The Chicago branch office is a PPTP-based branch office that uses a Windows Server 2003 VPN router to create a persistent, site-to-site VPN connection with the VPN server in New York. The connection is never terminated, even when idle.

To deploy a PPTP, two-way initiated, persistent, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “Persistent Branch Office” sections of this chapter, the following settings are configured on the VPN server and Chicago router.

VPN Server Configuration

The VPN server is configured with a demand-dial interface, static routes, and PPTP packet filters.

Demand-dial interface for site-to-site VPN connection

To connect the VPN server to the Chicago router by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: VPN_Chicago

  • Connection Type: Connect Using Virtual Private Networking (VPN)

  • VPN Type: Point-to-Point Tunneling Protocol (PPTP)

  • Destination Address: 131.107.0.1

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To make all locations on the Chicago network reachable, the following static route is created:

    • Destination: 192.168.9.0

    • Network Mask: 255.255.255.0

    • Metric: 1

  • Dial-Out Credentials

    • User Name: VPN_CorpHQ

    • Domain: electronic.example.com

    • Password: o3\Dn6@`-J4

    • Confirm Password: o3\Dn6@`-J4

Once the demand-dial interface is created, one change needs to be made. For the properties of the demand-dial interface, on the Options tab, under Connection Type, Persistent Connection must be selected.

Chicago Router Configuration

The Chicago router is configured with a demand-dial interface and static routes.

Demand-dial interface for site-to-site VPN connection

To connect the Chicago office router to the VPN server by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: VPN_CorpHQ

  • Connection Type: Connect Using Virtual Private Networking (VPN)

  • VPN Type: Point-to-Point Tunneling Protocol (PPTP)

  • Destination Address: 207.209.68.1

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To make all locations on the corporate intranet reachable, the following static route is created:

    • Destination: 172.16.0.0

    • Network Mask: 255.240.0.0

    • Metric: 1

    To make all locations on Contoso, LTD. branch offices reachable, the following static route is created:

    • Destination: 192.168.0.0

    • Network Mask: 255.255.0.0

    • Metric: 1

  • Dial-Out Credentials

    • User Name: VPN_Chicago

    • Domain: contoso.example.com

    • Password: U9!j5dP(%q1

    • Confirm Password: U9!j5dP(%q1

Once the demand-dial interface is created, one change needs to be made. For the properties of the demand-dial interface, on the Options tab, under Connection Type, Persistent Connection must be selected.

Static route for the Contoso, LTD. VPN server

To make the Contoso, LTD. VPN server on the Internet reachable, the following static route is created:

  • Interface: The WAN adapter attached to the Internet

  • Destination: 207.209.68.1

  • Network Mask: 255.255.255.255

  • Gateway: 0.0.0.0

  • Metric: 1

    Note

    Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. (0.0.0.0 is known as the unspecified IP address.)
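The Chicago router's routes and the two branch address pools can be checked mechanically. The following is an added example, not part of the original chapter: it runs a longest-prefix-match lookup over the routes listed above and verifies that each static pool sits inside its branch subnet. The connected LAN route, the interface label `LAN`, the test destination 198.51.100.10 and the assumption that the table holds no other routes are not from the page.

```python
import ipaddress

# Routes on the Chicago router as listed on the page. The connected LAN route
# is an assumption: a directly attached subnet always gets one.
CHICAGO_ROUTES = [
    ("192.168.9.0/24", "LAN"),          # assumed connected route
    ("172.16.0.0/12", "VPN_CorpHQ"),    # corporate intranet via the tunnel
    ("192.168.0.0/16", "VPN_CorpHQ"),   # all branch offices via the tunnel
    ("207.209.68.1/32", "WAN"),         # host route to the VPN server
]
POOLS = {  # static pools and the branch subnet each must sit inside
    "Chicago": ("192.168.9.248", "192.168.9.253", "192.168.9.0/24"),
    "Phoenix": ("192.168.14.248", "192.168.14.253", "192.168.14.0/24"),
}

def lookup(routes, dest):
    """Longest-prefix match: return the outgoing interface, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def pool_report(start, end, subnet):
    """Return (inside_subnet, total_addresses, client_addresses)."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    net = ipaddress.ip_network(subnet)
    total = int(last) - int(first) + 1
    # The router keeps one pool address for its own end of the links,
    # which is why six addresses serve five callers.
    return (first in net and last in net, total, total - 1)

if __name__ == "__main__":
    for dest in ("192.168.9.20", "192.168.14.7", "172.16.5.5",
                 "207.209.68.1", "198.51.100.10"):  # last one is constructed
        print(f"{dest:>15} -> {lookup(CHICAGO_ROUTES, dest)}")
    for site, pool in POOLS.items():
        print(site, pool_report(*pool))
```

The 192.168.0.0/16 tunnel route overlaps the local 192.168.9.0/24 subnet, and the lookup shows the more specific connected route keeping local traffic off the tunnel. With only these routes, a destination outside the listed prefixes has no route at all.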

L2TP/IPSec-Based Persistent Branch Office

The Phoenix branch office is an L2TP/IPSec-based branch office that uses a Windows Server 2003 router to create a persistent, site-to-site VPN connection with the VPN server in New York. The connection is never terminated, even when idle.

To deploy an L2TP/IPSec, two-way initiated, persistent, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “Persistent Branch Office” sections of this chapter, the following settings are configured on the VPN server and Phoenix router.

VPN Server Configuration

The VPN server is configured with a demand-dial interface and a static route.

Demand-dial interface for site-to-site VPN connection

To connect the VPN server to the Phoenix router by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: VPN_Phoenix

  • Connection Type: Connect Using Virtual Private Networking (VPN)

  • VPN Type: Layer 2 Tunneling Protocol (L2TP)

  • Destination Address: 157.60.0.1

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To make all locations on the Phoenix network reachable, the following static route is created:

    • Destination: 192.168.14.0

    • Network Mask: 255.255.255.0

    • Metric: 1

  • Dial-Out Credentials

    • User Name: VPN_CorpHQ

    • Domain: contoso.example.com

    • Password: o3\Dn6@`-J4

    • Confirm Password: o3\Dn6@`-J4

After the demand-dial interface is created, one change needs to be made. For the properties of the demand-dial interface, on the Options tab, under Connection Type, Persistent Connection must be selected.

Phoenix Router Configuration

The Phoenix router was configured by the Contoso, LTD. network administrator while it was connected to the Contoso, LTD. intranet. It was then shipped to the Phoenix site. While the Phoenix router was connected to the Contoso, LTD. intranet, a computer certificate was installed through auto-enrollment. Additionally, the Phoenix router computer was configured with a demand-dial interface and a static route.

Demand-dial interface for site-to-site VPN connection

To connect the Phoenix office router to the VPN server by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: VPN_CorpHQ

  • Connection Type: Connect Using Virtual Private Networking (VPN)

  • VPN Type: Layer 2 Tunneling Protocol (L2TP)

  • Destination Address: 207.209.68.1

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To make all locations on the corporate intranet reachable, the following static route is created:

    • Destination: 172.16.0.0

    • Network Mask: 255.240.0.0

    • Metric: 1

    To make all locations on Contoso, LTD. branch offices reachable, the following static route is created:

    • Destination: 192.168.0.0

    • Network Mask: 255.255.0.0

    • Metric: 1

  • Dial-Out Credentials

    • User Name: VPN_Phoenix

    • Domain: contoso.example.com

    • Password: z2F%s)bW$4f

    • Confirm Password: z2F%s)bW$4f

Once the demand-dial interface is created, one change needs to be made. For the properties of the demand-dial interface, on the Options tab, under Connection Type, Persistent Connection must be selected.

Static route for the Contoso, LTD. VPN server

To make the Contoso, LTD. VPN server on the Internet reachable, the following static route is created:

  • Interface: The WAN adapter attached to the Internet

  • Destination: 207.209.68.1

  • Network Mask: 255.255.255.255

  • Gateway: 0.0.0.0

  • Metric: 1

    Note

    Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. (0.0.0.0 is known as the unspecified IP address.)




Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
ISBN: 0735615764
EAN: 2147483647
Year: 2006
Pages: 128
