Lesson 4: Securing Communications Using a VPN
A virtual private network (VPN) provides a secure transport for network services over a public network, such as the Internet. This is accomplished by using a tunneling protocol to encapsulate private data and pass it in encrypted form through the public network. VPNs provide a low-cost alternative to dedicated WAN links. Windows 2000 Server includes dedicated support for VPN networking, as do the Microsoft Windows 2000 Professional and Windows XP clients.
Understand virtual private networking and VPN protocols
Understand VPN protocol security
Manage and troubleshoot VPN protocols
Understanding Virtual Private Networks
A Virtual Private Network (VPN) allows you to create an encrypted link between computers over the Internet as if the two computers were connected by a single, private link such as a dial-up connection.
There are two basic configurations for a VPN, client-to-gateway and gateway-to-gateway. A client-to-gateway connection is used when a traveling user connects to a private network using a VPN. This is similar to using dial-up RRAS access, but the user can connect through any dial-up provider or a separate LAN with Internet access rather than over the phone system. A gateway-to-gateway connection is used to form a permanent link between two RRAS servers on separate networks, each with its own Internet connectivity. Gateway-to-gateway connections are also used to connect RRAS servers to VPN devices from third-party vendors.
VPN connections use a tunneling protocol to encrypt packets of data and pass them over the public network. Windows 2000 supports two tunneling protocols:
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
PPTP
PPTP is a tunneling protocol based on the dial-up PPP protocol. It supports the same authentication methods as PPP, such as PAP, MS-CHAP, and EAP. PPTP uses the Microsoft Point-to-Point Encryption (MPPE) protocol for encryption. PPTP is not considered as secure as L2TP.
New VPN server installations should use L2TP rather than PPTP. Microsoft provides the Microsoft L2TP/IPSec VPN client for Windows 98, Windows Me, and Windows NT 4, so there is no longer any reason to use PPTP to support clients running these operating systems. Download the client from http://www.microsoft.com/windows2000/downloads/tools/.
L2TP
L2TP is a more secure tunneling protocol that extends PPTP with additional features. It supports the same user authentication methods as PPTP, but it also requires Certificate Services: the machine certificates issued by that service provide the keys needed to establish the encrypted session and prove the identity of both parties. L2TP uses IPSec for encryption. L2TP is supported natively by Windows 2000 and Windows XP clients and by the Microsoft L2TP/IPSec VPN client for earlier versions of Windows.
Configuring VPN Protocols
Before you configure L2TP, you need to deploy machine certificates to all participating machines (clients and servers). Refer to Chapter 6 for detailed instructions about how to deploy machine certificates. You also need to enable RRAS services as described in Lesson 1. Once you have deployed machine certificates and enabled RRAS, you're ready to configure L2TP.
Configuring VPN protocols is handled through the RRAS manager. If you are enabling RRAS to provide VPN services, you can select the VPN Server option in the RRAS Setup Wizard to configure all the required settings automatically. Otherwise, you will need to enable L2TP manually and configure L2TP filtering.
Enabling L2TP Filtering on the Server
Enabling L2TP in RRAS permits a server to answer L2TP connections, but it doesn't block other traffic from being routed by the RRAS server onto your network. Because RRAS servers must be connected to the Internet to receive L2TP connections, the RRAS server itself is vulnerable to attack by hackers who will attempt to connect using other protocols. To prevent unwanted traffic from reaching your RRAS server or being routed onto your private network, you must also enable L2TP filtering.
Enabling L2TP filtering prevents the public interface from passing traffic other than the L2TP protocol. L2TP runs over UDP port 1701. Kerberos is also required, so you will have to open UDP port 500. You'll learn how to open these ports in the exercise in this lesson.
Configuring Client VPN Settings
Windows 2000 Professional and Windows XP clients include built-in VPN clients. To create a VPN connection at a client, open the Network And Dial-up Connections window and double-click Make New Connection. In the Network Connection Wizard, select Connect To A Private Network Through The Internet, and specify the IP address or host name of the RRAS server.
You can create an automated installer to set up a VPN connection using the CMAK, described earlier in this chapter.
You can also specify VPN protocol settings on the client. Click Properties in the Connect dialog box, select Advanced on the Security tab, and click Settings. The Advanced Security Settings dialog box appears. In this dialog box, you can choose which authentication methods can be used to connect to the VPN, and whether the client will request an encrypted connection or require encryption. If the server does not offer the level of encryption required, the connection cannot continue.
If a client and server cannot negotiate a compatible set of encryption and authentication protocols for L2TP, they will subsequently attempt to establish a PPTP connection unless you disable PPTP on the RRAS server or filter the PPTP port.
After you have created a VPN connection and established an Internet connection, click the VPN entry in the Network And Dial-up Connections window and, when prompted, enter a user name and password to connect to the private network.
Practice: Configuring and Troubleshooting VPN Protocols
In this practice, you configure an RRAS server to provide L2TP VPN service to Internet clients. The RRAS server must have two network adapters to provide VPN service: one adapter for the private network and one adapter to connect to the public network. In this example, Local Area Connection is the private interface and Local Area Connection 2 is the public interface.
Exercise 1: Configuring an RRAS Server
In this exercise, you configure an RRAS server to support L2TP. This exercise builds on Lesson 3 of this chapter and shows you how to configure an L2TP server without using the Routing And Remote Access Server Setup Wizard.
If you are only configuring RRAS to create a VPN, using the Routing And Remote Access Server Setup Wizard is easier than manually configuring L2TP.
To enable routing on the RRAS server
Click Start, point to Programs, point to Administrative Tools, and click Routing And Remote Access Service. The Routing And Remote Access management console appears.
Right-click DC01 (local), and choose Properties. The DC01 (Local) Properties dialog box appears, as shown in Figure 9.28.
Figure 9-28. The DC01 (Local) Properties dialog box
Select Router, ensuring that Local Area Network Routing Only and Remote Access Server remain selected.
Click the Security tab.
Click Authentication Methods to open the Authentication Methods dialog box shown in Figure 9.29.
Figure 9-29. The Authentication Methods dialog box
Select Extensible Authentication Protocol (EAP), and clear the other check boxes.
Click OK to close the Authentication Methods dialog box.
Click the IP tab, shown in Figure 9.30.
Figure 9-30. The IP tab
Ensure that the Enable IP Routing and Allow IP-Based Remote Access And Demand-Dial Connections check boxes are selected.
Select Static Address Pool.
Click Add. The New Address Range dialog box appears as shown in Figure 9.31.
Figure 9-31. The New Address Range dialog box
Type 192.168.241.160 as the Start IP Address, and type 192.168.241.169 as the End IP Address.
Click OK to close the New Address Range dialog box.
Click OK to close the DC01 (Local) Properties dialog box.
If a message box appears asking if you want to view help, click No. L2TP is now enabled on the RRAS server.
To configure L2TP filters on the public interface
In the Routing And Remote Access management console, expand DC01, IP Routing, and select General.
Right-click Local Area Connection 2, and choose Properties. Local Area Connection 2 is the public interface for this RRAS server.
The Local Area Connection 2 Properties dialog box appears, as shown in Figure 9.32.
Figure 9-32. The Local Area Connection 2 Properties dialog box
Click Input Filters. The Input Filters dialog box appears.
Click Add to open the Add IP Filter dialog box, as shown in Figure 9.33.
Figure 9-33. The Add IP Filter dialog box
Select the Destination Network check box.
Type 10.0.0.80 in the IP Address box and 255.255.255.255 in the Subnet Mask box. (The IP address is the IP address of the Local Area Connection 2 adapter.)
Select UDP in the Protocol list.
Type 500 in both the Source Port and Destination Port boxes.
Click OK. The newly added filter appears in the filter list.
Click Add. The Add IP Filter dialog box appears again.
Select the Destination Network check box.
Type 10.0.0.80 in the IP Address box and 255.255.255.255 in the Subnet Mask box.
Select UDP in the Protocol list.
Type 1701 in both the Source Port and Destination Port boxes.
Click OK. The newly added filter appears in the filter list.
In the Input Filters dialog box, select Drop All Packets Except Those That Meet The Criteria Below. Your settings should appear as shown in Figure 9.34.
Figure 9-34. The completed Input Filters dialog box
Click OK to close the Input Filters dialog box.
Click Output Filters in the Local Area Connection 2 Properties dialog box. The Output Filters dialog box appears.
Click Add. The Add IP Filter dialog box appears.
Select the Source Network check box.
Type 10.0.0.80 in the IP Address box and 255.255.255.255 in the Subnet Mask box.
Select UDP in the Protocol list box.
Type 500 in the Source Port and Destination Port boxes.
Click OK to close the Add IP Filter dialog box.
Click Add in the Output Filters dialog box.
Select the Source Network check box.
Type 10.0.0.80 in the IP Address box and 255.255.255.255 in the Subnet Mask box.
Select UDP in the Protocol list box.
Type 1701 in the Source Port and Destination Port boxes. Your dialog box should appear as in Figure 9.35.
Figure 9-35. The finished source and destination ports
Click OK to close the Add IP Filter dialog box.
Select the Drop All Packets Except Those That Meet The Criteria Below option in the Output Filters dialog box. Your dialog box should appear as in Figure 9.36.
Figure 9-36. The Output Filters dialog box
Click OK to close the Output Filters dialog box.
Click OK to close the Local Area Connection 2 Properties dialog box.
The L2TP filters are now configured.
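The two filter lists built above, and the filtering rule described earlier in this lesson, can be checked against sample traffic before the server goes on the Internet. The following is an added example (not code from the training kit): it models the RRAS "drop all packets except those that meet the criteria below" behaviour for the exact input and output filters of the exercise, with constructed packets showing that only the IKE (UDP 500, the IPsec key exchange) and L2TP (UDP 1701) flows pass while a PPTP control or GRE data packet, the fallback mentioned under client settings, is dropped. Addresses other than 10.0.0.80 are constructed.

```python
# Added example (not from the training kit): a model of the RRAS
# "Drop All Packets Except Those That Meet The Criteria Below" filter lists.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

PUBLIC_IP = "10.0.0.80"  # Local Area Connection 2 in the exercise

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "udp", "tcp", "gre", ...
    sport: int = 0
    dport: int = 0

def matches(flt: dict, p: Packet) -> bool:
    """One RRAS IP filter as a dict; any field left out is a wildcard."""
    return all((
        "src_net" not in flt or ip_address(p.src) in IPv4Network(flt["src_net"]),
        "dst_net" not in flt or ip_address(p.dst) in IPv4Network(flt["dst_net"]),
        "proto" not in flt or p.proto == flt["proto"],
        "sport" not in flt or p.sport == flt["sport"],
        "dport" not in flt or p.dport == flt["dport"],
    ))

def forwarded(p: Packet, filters: list) -> bool:
    """Drop-all-except semantics: a packet passes only if some filter matches."""
    return any(matches(f, p) for f in filters)

# Input filters from the exercise: destination 10.0.0.80/32, UDP 500 (IKE,
# the IPsec key exchange) and UDP 1701 (L2TP). Output filters mirror them,
# keyed on the source address.
INPUT_FILTERS = [
    {"dst_net": PUBLIC_IP + "/32", "proto": "udp", "sport": 500, "dport": 500},
    {"dst_net": PUBLIC_IP + "/32", "proto": "udp", "sport": 1701, "dport": 1701},
]
OUTPUT_FILTERS = [
    {"src_net": PUBLIC_IP + "/32", "proto": "udp", "sport": 500, "dport": 500},
    {"src_net": PUBLIC_IP + "/32", "proto": "udp", "sport": 1701, "dport": 1701},
]

# Constructed inbound traffic; 203.0.113.9 stands in for an Internet client.
INBOUND_SAMPLES = {
    "ike":  Packet("203.0.113.9", PUBLIC_IP, "udp", 500, 500),
    "l2tp": Packet("203.0.113.9", PUBLIC_IP, "udp", 1701, 1701),
    "pptp": Packet("203.0.113.9", PUBLIC_IP, "tcp", 40000, 1723),  # PPTP control
    "gre":  Packet("203.0.113.9", PUBLIC_IP, "gre"),               # PPTP data
    "http": Packet("203.0.113.9", PUBLIC_IP, "tcp", 40001, 80),
}
```

The list needs no ESP entry because RRAS applies its IP filters after inbound IPsec processing, so the filters see the decrypted UDP 1701 packet.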
To configure remote access VPN policy
Click Start, point to Programs, point to Administrative Tools, and click Internet Authentication Service. The IAS management console appears.
Right-click Remote Access Policies, and choose New Remote Access Policy. The Add Remote Access Policy Wizard appears, as shown in Figure 9.37.
Figure 9-37. The Add Remote Access Policy Wizard
Type L2TP VPN Policy as the Policy Friendly Name, and click Next. The Conditions page appears.
On the Conditions page, click Add. The Select Attribute dialog box appears as shown in Figure 9.38.
Figure 9-38. The Select Attribute dialog box
Double-click NAS-Port-Type. The NAS-Port-Type dialog box appears as shown in Figure 9.39.
Figure 9-39. The NAS-Port-Type dialog box
Select Virtual (VPN) in the Available Types list, and click Add.
Click OK to close the NAS-Port-Type dialog box.
On the Conditions page of the Add Remote Access Policy Wizard, click Add. The Select Attribute dialog box appears.
In the Select Attribute dialog box, double-click Tunnel Type.
In the Tunnel-Type dialog box, select Layer Two Tunneling Protocol, and click Add.
Click OK to close the Tunnel-Type dialog box. The Conditions page of the Add Remote Access Policy Wizard now shows two conditions, as shown in Figure 9.40.
Figure 9-40. The Add Remote Access Policy page with two conditions
Click Next. The Permissions page appears.
On the Permissions page, select Grant Remote Access Permissions, and click Next. The User Profile page appears.
On the User Profile page, click the Edit Profile button. The Edit Dial-In Profile dialog box appears.
In the Edit Dial-In Profile dialog box, click the Encryption tab. The dialog box is shown in Figure 9.41.
Figure 9-41. The Encryption tab of the Edit Dial-In Profile dialog box
Clear all the check boxes except Strongest. This specifies 3DES encryption for L2TP connections.
Click OK to close the Edit Dial-In Profile dialog box.
Click Finish to close the Add Remote Access Policy Wizard.
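The policy just created has two conditions, a permission, and a profile restriction, and IAS applies them in a fixed order. The following is an added example (not code from the training kit) that models that evaluation for the L2TP VPN Policy: all conditions of a policy must match, the first matching policy decides, and a granting policy still rejects an attempt whose negotiated encryption its profile does not allow. It assumes this is the only policy on the server; the attribute value strings and the Attempt fields are labels chosen for the example.

```python
# Added example (not from the training kit): a model of how IAS evaluates
# the "L2TP VPN Policy" built in the exercise against connection attempts.
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    """Attributes RRAS reports to IAS for one connection attempt."""
    nas_port_type: str   # "Virtual (VPN)" or "Async (Modem)"
    tunnel_type: str     # "L2TP", "PPTP", or "" for a plain dial-up call
    encryption: str      # negotiated level: "None", "Basic", "Strong", "Strongest"

@dataclass(frozen=True)
class Policy:
    name: str
    conditions: dict         # attribute -> set of acceptable values (all must match)
    grant: bool              # Grant / Deny Remote Access Permission
    encryption: frozenset    # profile: permitted encryption levels

def conditions_match(policy: Policy, a: Attempt) -> bool:
    """An attempt matches when every condition's attribute holds one of
    that condition's accepted values (multiple values can be added per condition)."""
    return all(getattr(a, attr) in values for attr, values in policy.conditions.items())

def evaluate(policies: list, a: Attempt) -> str:
    """First policy whose conditions match decides; no match means reject.
    A granting policy still rejects attempts its profile does not allow."""
    for p in policies:
        if conditions_match(p, a):
            if not p.grant:
                return f"rejected by {p.name}"
            if a.encryption not in p.encryption:
                return f"rejected by {p.name}: encryption {a.encryption} not allowed"
            return f"accepted by {p.name}"
    return "rejected: no matching remote access policy"

# The policy from the exercise: NAS-Port-Type = Virtual (VPN), Tunnel-Type =
# Layer Two Tunneling Protocol, Grant, profile encryption = Strongest (3DES).
L2TP_VPN_POLICY = Policy(
    name="L2TP VPN Policy",
    conditions={"nas_port_type": {"Virtual (VPN)"}, "tunnel_type": {"L2TP"}},
    grant=True,
    encryption=frozenset({"Strongest"}),
)
POLICIES = [L2TP_VPN_POLICY]
```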
Exercise 2: Creating a Secure Connection to the L2TP VPN Server
In this exercise, you securely connect to the L2TP VPN server using a Windows 2000 Professional client.
To connect to the VPN from Windows 2000 Professional
Right-click My Network Places, and click Properties to open the Network And Dial-up Connections window.
Double-click the Make New Connection icon. The Network Connection Wizard starts.
Click Next to continue. A list of network connection types is displayed in the Network Connection Type page, as shown in Figure 9.42.
Figure 9-42. Selecting a network connection type
Select Connect To A Private Network Through The Internet, and click Next.
When prompted whether to dial an Internet connection before making the VPN link, select Do Not Dial The Initial Connection, and click Next. The Destination Address page is displayed, as shown in Figure 9.43.
Figure 9-43. The Destination Address page
Type 10.0.0.80 in the Host Name Or IP Address box, and click Next.
You are prompted whether to use a smart card.
Select Do Not Use My Smart Card, and click Next.
On the Connection Availability page, click Next to continue. The Completing The Network Connection Wizard page appears.
Click Finish to create the connection. The Connect Virtual Private Connection dialog box appears, as shown in Figure 9.44.
Figure 9-44. The Connect Virtual Private Connection dialog box
Type Administrator in the User Name box, type the Administrator's password in the Password box, and click Connect.
A message box confirms that the connection was successful. Click OK to exit.
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
Which of the VPN protocols supported by Windows 2000 Server is considered more secure?
Which utility can quickly configure an RRAS server to act as a VPN server?
Where do you add a VPN connection from a Windows 2000 Professional client?
Which VPN protocol requires certificate-based authentication?
What information is required from a client to connect to a remote VPN?
Lesson Summary
A Virtual Private Network (VPN) uses a tunneling protocol to encrypt data on a private network and pass it across a public network, such as the Internet. Windows 2000 Server supports two main VPN protocols: PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol).
To quickly set up VPN access, you can specify VPN Server as the server role when you initially configure an RRAS server, or you can manually configure VPN access using the Routing And Remote Access console. An RRAS server can act as a dial-up server, VPN server, and router concurrently.
Windows 2000 and Windows XP clients can easily connect to a VPN using the Network Connection Wizard (Make New Connection) from the Network And Dial-up Connections window. Specify a VPN connection and the IP address of the VPN server. You need to establish an Internet connection, such as a dial-up or LAN connection, on the client before attempting to connect to a VPN.