The Chicago and Phoenix branch offices of Contoso, LTD. are connected to the corporate office by using persistent site-to-site VPN connections that stay connected 24 hours a day. The Windows Server 2003 routers in the Chicago and Phoenix offices are equipped with T1 WAN adapters that have a permanent connection to a local ISP to gain access to the Internet. In today’s communications market, many companies would use ADSL or cable modem for these purposes for two reasons: the cost is much cheaper on a recurring monthly basis because the cost of the Internet connection for ADSL or cable modem is less than $100 U.S. per month as opposed to greater than $1,000 U.S. per month for a T1 leased line, and they provide a decent amount of bandwidth—at a minimum, equivalent in bandwidth to a dual channel ISDN 128-kilobits per seconds (Kbps) link.
The Chicago branch office uses the IP network ID of 192.168.9.0 with a subnet mask of 255.255.255.0 (192.168.9.0/24). The Chicago branch office router uses the public IP address of 131.107.0.1 for its Internet interface. The Phoenix branch office uses the IP network ID of 192.168.14.0 with a subnet mask of 255.255.255.0 (192.168.14.0/24). The Phoenix branch office router uses the public IP address of 157.60.0.1 for its Internet interface.
The VPN connection is a two-way initiated connection. The connection is initiated from either the branch office router or the VPN server. Two-way initiated connections require the creation of demand-dial interfaces, remote access policies, and static IP address pools on the routers on both sides of the connection.
Figure 10-4 shows the Contoso, LTD. VPN server that provides persistent branch office connections.
Figure 10-4: The Contoso, LTD. VPN server that provides persistent branch office connections.
To deploy persistent site-to-site VPN connections to connect the Chicago and Phoenix branch offices to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” section of this chapter, the following additional settings are configured.
For the Chicago office VPN connection that is initiated by the Chicago router, the user account VPN_Chicago is created with the following settings:
Password of U9!j5dP(%q1.
For the account properties of the VPN_Chicago account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected.
For the dial-in properties on the VPN_Chicago account, the remote access permission is set to Control Access Through Remote Access Policy.
The VPN_Chicago account is added to the VPN_Routers group.
For the Phoenix office VPN connection that is initiated by the Phoenix router, the user account VPN_Phoenix is created with the following settings:
Password of z2F%s)bW$4f.
For the account properties of the VPN_Phoenix account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected.
For the dial-in properties on the VPN_Phoenix account, the remote access permission is set to Control Access Through Remote Access Policy.
The VPN_Phoenix account is added to the VPN_Routers group.
For the Chicago office VPN connection and the Phoenix office VPN connection that are initiated by the VPN server, the user account VPN_CorpHQ is created with the following settings:
Password of o3\Dn6@`-J4.
For the dial-in properties on the VPN_CorpHQ account, the remote access permission is set to Control Access Through Remote Access Policy.
The VPN_CorpHQ account is added to the VPN_Routers group.
Because these are two-way connections, remote access policies must be configured at the VPN server, the Chicago router, and the Phoenix router.
The remote access policy configuration for the VPN server is the same as described in the “On- Demand Branch Office” section of this chapter.
To define the authentication and encryption settings for the VPN connections, the following remote access policy is created:
Policy Name: VPN Routers
Access Method: VPN
User Or Group Access: Group, with the VPN_Routers group selected
Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected
Policy Encryption Level: Strong Encryption and Strongest Encryption selected
To define the authentication and encryption settings for the VPN connections, the following remote access policy is created:
Policy Name: VPN Routers
Access Method: VPN
User Or Group Access: Group, with the VPN_Routers group selected
Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected
Policy Encryption Level: Strong Encryption and Strongest Encryption selected
IP address pools must be configured at the VPN server, the Chicago router, and the Phoenix router as shown in the following sections.
The IP address pool configuration for the VPN server is the same as described in the “Common Configuration for the VPN Server” section of this chapter.
A static IP address pool with an IP address of 192.168.9.248 and an ending IP address of 192.168.9.253 is configured. This creates a static address pool for up to five VPN clients.
A static IP address pool with a starting IP address of 192.168.14.248 and an ending IP address of 192.168.14.253 is configured. This creates a static address pool for up to five VPN clients.
The following sections describe a PPTP-based persistent branch office connection for the Chicago office and an L2TP/IPSec-based persistent branch office connection for the Phoenix office.
The Chicago branch office is a PPTP-based branch office that uses a Windows Server 2003 VPN router to create a persistent, site-to-site VPN connection with the VPN server in New York. The connection is never terminated, even when idle.
To deploy a PPTP, two-way initiated, persistent, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “Persistent Branch Office” sections of this chapter, the following settings are configured on the VPN server and Chicago router.
The VPN server is configured with a demand-dial interface, static routes, and PPTP packet filters.
To connect the VPN server to the Chicago router by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand- Dial Interface Wizard with the following settings:
Interface Name: VPN_Chicago
Connection Type: Connect Using Virtual Private Networking (VPN)
VPN Type: Point-to-Point Tunneling Protocol (PPTP)
Destination Address: 131.107.0.1
Protocols And Security: The Route IP Packets On This Interface check box is selected.
Static Routes For Remote Networks
To make all locations on the Chicago network reachable, the following static route is created:
Destination: 192.168.9.0
Network Mask: 255.255.255.0
Metric: 1
Dial-Out Credentials
User Name: VPN_CorpHQ
Domain: electronic.example.com
Password: o3\Dn6@`-J4
Confirm Password: o3\Dn6@`-J4
Once the demand-dial interface is created, one change needs to be made. For the properties of the demand-dial interface, on the Options tab, under Connection Type, Persistent Connection must be selected.
The Chicago router is configured with a demand-dial interface and static routes.
To connect the Chicago office router to the VPN server by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:
Interface Name: VPN_CorpHQ
Connection Type: Connect Using Virtual Private Networking (VPN)
VPN Type: Point-to-Point Tunneling Protocol (PPTP)
Destination Address: 207.209.68.1
Protocols And Security: The Route IP Packets On This Interface check box is selected.
Static Routes For Remote Networks
To make all locations on the corporate intranet reachable, the following static route is created:
Destination: 172.16.0.0
Network Mask: 255.240.0.0
Metric: 1
To make all locations on Contoso, LTD. branch offices reachable, the following static route is created:
Destination: 192.168.0.0
Network mask: 255.255.0.0
Metric: 1
Dial-Out Credentials
User Name: VPN_Chicago
Domain: contoso.example.com
Password: U9!j5dP(%q1
Confirm Password: U9!j5dP(%q1
Once the demand-dial interface is created, one change needs to be made. For the properties of the demand-dial interface, on the Options tab, under Connection Type, Persistent Connection must be selected.
To make the Contoso, LTD. VPN server on the Internet reachable, the following static route is created:
Interface: The WAN adapter attached to the Internet
Destination: 207.209.68.1
Network Mask: 255.255.255.255
Gateway: 0.0.0.0
Metric: 1
Note | Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. (0.0.0.0 is known as the unspecified IP address.) |
The Phoenix branch office is an L2TP/IPSec-based branch office that uses a Windows Server 2003 router to create a persistent, site-to-site VPN connection with the VPN server in New York. The connection is never terminated, even when idle.
To deploy an L2TP/IPSec, two-way initiated, persistent, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “Persistent Branch Office” sections of this chapter, the following settings are configured on the VPN server and Phoenix router.
The VPN server is configured with a demand-dial interface and a static route.
To connect the VPN server to the Phoenix router by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand- Dial Interface Wizard with the following settings:
Interface Name: VPN_Phoenix
Connection Type: Connect Using Virtual Private Networking (VPN)
VPN Type: Layer 2 Tunneling Protocol (L2TP)
Destination Address: 157.60.0.1
Protocols And Security: The Route IP Packets On This Interface check box is selected.
Static Routes For Remote Networks
To make all locations on the Phoenix network reachable, the following static route is created:
Destination: 192.168.14.0
Network Mask: 255.255.255.0
Metric: 1
Dial-Out Credentials
User Name: VPN_CorpHQ
Domain: contoso.example.com
Password: o3\Dn6@`-J4
Confirm Password: o3\Dn6@`-J4
After the demand-dial interface is created, one change needs to be made. For the properties of the demand-dial interface, on the Options tab, under Connection Type, Persistent Connection must be selected.
The Phoenix router was configured by the Contoso, LTD. network administrator while it was connected to the Contoso, LTD. intranet. It was then shipped to the Phoenix site. While the Phoenix router was connected to the Contoso, LTD. intranet, a computer certificate was installed through auto-enrollment. Additionally, the Phoenix router computer was configured with a demand-dial interface and a static route.
To connect the Phoenix office router to the VPN server by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:
Interface Name: VPN_CorpHQ
Connection Type: Connect Using Virtual Private Networking (VPN)
VPN Type: Layer 2 Tunneling Protocol (L2TP)
Destination Address: 207.209.68.1
Protocols And Security: The Route IP Packets On This Interface check box is selected.
Static Routes For Remote Networks
To make all locations on the corporate intranet reachable, the following static route is created:
Destination: 172.16.0.0
Network Mask: 255.240.0.0
Metric: 1
To make all locations on Contoso, LTD. branch offices reachable, the following static route is created:
Destination: 192.168.0.0
Network Mask: 255.255.0.0
Metric: 1
Dial-Out Credentials:
User Name: VPN_Phoenix
Domain: contoso.example.com
Password: z2F%s)bW$4f
Confirm Password: z2F%s)bW$4f
Once the demand-dial interface is created, one change needs to be made. For the properties of the demand-dial interface, on the Options tab, under Connection Type, Persistent Connection must be selected.
To make the Contoso, LTD. VPN server on the Internet reachable, the following static route is created:
Interface: The WAN adapter attached to the Internet
Destination: 207.209.68.1
Network Mask: 255.255.255.255
Gateway: 0.0.0.0
Metric: 1
Note | Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. (0.0.0.0 is known as the unspecified IP address.) |