Configuring a Virtual Private Network

The uses and types of virtual private networks were described earlier in this chapter and in some detail in Chapter 18. This section outlines the steps involved in configuring and using a VPN for PPTP connections across the Internet.

Configuring the Internet Connection

Your connection to the Internet will be over a dedicated line of some sort—most typically T1, Fractional T1, or Frame Relay. You'll need to be sure that the WAN adapter is in the Windows 2000 HCL. The WAN adapter includes drivers that are installed in the Windows 2000 operating system, allowing the WAN adapter to appear as a network adapter. The WAN adapter needs to be configured with the IP address and subnet mask assigned for your domain or supplied by an ISP, as well as with the default gateway of the ISP router.

Configuring the Remote Access Server as a Router

For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations of the intranet are reachable from the remote access server.

To configure the server as a router, open Routing And Remote Access, right-click the server name, and choose Properties from the shortcut menu. In the General tab, select the Enable This Computer As A Router option. Then indicate whether you want the router to handle local area network routing only or LAN and demand-dial routing. Click OK to close the Properties dialog box.

Configuring PPTP Ports

You'll need to confirm that you have the number of PPTP ports you need. To verify the number of ports or to add more, follow these steps:

  1. Launch Routing And Remote Access from the Administrative Tools folder.
  2. In the console tree, click the appropriate server, and then right-click Ports and choose Properties from the shortcut menu.
  3. In the Ports Properties dialog box (Figure 32-15), select WAN Miniport (PPTP), and click Configure.

    Figure 32-15. Configuring the PPTP ports.

  4. In the Configure Device dialog box, you can set a maximum number of ports for the device and specify whether the device is to be used for incoming connections only or for both incoming and outgoing connections.
  5. Click OK when you're finished.

Configuring PPTP Filters

Most networks need to filter packets based on their incoming or outgoing addresses. To set the PPTP filters, follow these steps:

  1. Launch Routing and Remote Access from the Administrative Tools folder.
  2. In the console tree, expand the appropriate server, then IP Routing, and then General.
  3. In the details pane, right-click the interface to be filtered, and choose Properties from the shortcut menu.
  4. Click either Input Filters or Output Filters and supply the source, destination, and/or protocol to be filtered.

Filtering can be a tricky business, so proceed with caution. It's all too easy to filter too much or too little. Consult the online Help files of Windows 2000 Server for additional information. The last step in configuring a VPN is to set up remote access policies, as described earlier in this chapter.
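To make the "too much or too little" risk concrete, here is an added example (not from the book) that models the RRAS input-filter semantics in Python and evaluates a PPTP-only filter set against constructed packets. The server address, the sample packets, and the Packet/Filter classes are assumptions; TCP port 1723 and IP protocol 47 (GRE) are PPTP's control and data channels.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP, GRE = 6, 47  # IP protocol numbers: PPTP control is TCP/1723, tunneled data is GRE (47)
@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dst_port: Optional[int] = None  # None for protocols without ports, such as GRE

@dataclass(frozen=True)
class Filter:
    proto: Optional[int] = None     # None = any protocol
    src: str = "0.0.0.0/0"          # source network in CIDR form
    dst: str = "0.0.0.0/0"          # destination network in CIDR form
    dst_port: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

def accept(pkt: Packet, filters: List[Filter], drop_all_except: bool) -> bool:
    """Evaluate a filter list as the Input Filters dialog does: under 'Drop all packets
    except those that meet the criteria below' a packet passes only if a line matches."""
    hit = any(f.matches(pkt) for f in filters)
    return hit if drop_all_except else not hit

VPN_SERVER = "203.0.113.10"  # constructed address of the server's Internet interface
# Input filters admitting only PPTP to the server: the control connection and GRE data.
PPTP_INPUT_FILTERS = [
    Filter(proto=TCP, dst=VPN_SERVER + "/32", dst_port=1723),
    Filter(proto=GRE, dst=VPN_SERVER + "/32"),
]

def pptp_only(pkt: Packet) -> bool:
    """Intended configuration: both lines with the 'drop all except' action."""
    return accept(pkt, PPTP_INPUT_FILTERS, drop_all_except=True)

def too_much(pkt: Packet) -> bool:
    """GRE line forgotten: the control channel connects, but tunneled data is dropped."""
    return accept(pkt, PPTP_INPUT_FILTERS[:1], drop_all_except=True)

def too_little(pkt: Packet) -> bool:
    """Same lines under 'receive all except': blocks PPTP and admits everything else."""
    return accept(pkt, PPTP_INPUT_FILTERS, drop_all_except=False)
```

The too_much case is the classic symptom of a forgotten GRE filter: the PPTP control connection on TCP 1723 succeeds, yet the tunnel never carries data.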

Elements of a Router-to-Router VPN Connection

A router-to-router VPN is typically used to connect remote offices over a permanent link such as a dedicated T1 line. However, a router-to-router VPN can also be configured to be available on demand, which means that the connection is made only when needed. This section describes the components of a Windows 2000 router-to-router VPN connection.

VPN Clients

The client is the calling router that initiates the VPN connection. For router-to-router connections, you can use computers running Windows 2000 Server, or Windows NT Server 4 with RRAS, as VPN clients.

VPN Servers

The VPN server is the answering router that accepts the connection from the calling router. Computers running Windows 2000 Server and computers running Windows NT Server 4 with RRAS can be set up as VPN servers.

LAN and Remote Access Protocols

LAN protocols such as TCP/IP and IPX are used to transport information. Windows 2000 Server supports the routing of LAN protocol packets by using the PPP remote access protocol in a router-to-router VPN connection.

Tunneling Protocols

Tunneling protocols encapsulate one network protocol inside another. VPN clients and VPN servers use tunneling protocols to manage tunnels and send tunneled data. Windows 2000 includes PPTP and L2TP. Windows NT Server 4 with RRAS includes only PPTP.

Demand-Dial Interfaces

The VPN client (the calling router) must have a demand-dial interface configured for

  • The host name or IP address of the interface of the VPN server on the Internet.
  • A PPTP port (for a PPTP-based VPN connection) or an L2TP port (for an L2TP-based connection).
  • The user account credentials (user name, domain, password) for a user account that can be validated by the VPN server.

The answering router (the VPN server) must have a demand-dial interface with the same name as the user account being used by the calling router (the VPN client). The interface must be configured for a PPTP port (for a PPTP-based VPN connection) or an L2TP port (for an L2TP-based connection). The section entitled Adding a Demand-Dial Interface, later in this chapter, describes how to set up a demand-dial interface.

User Accounts

The calling router needs a user account with dial-in permissions either through the user account or through remote access policies.

Static Routes or Routing Protocols

To be able to forward packets across the router-to-router VPN connection, each router has to have the appropriate routes in its routing table. Routes are added to the routing tables of both routers either as static routes or by enabling a routing protocol to operate across a persistent router-to-router VPN connection. Static routing is best for a small, single-path internetwork. The section entitled Setting Up Static Routes and Routing Protocols, later in this chapter, describes how to add routes to the routing tables.

Security Options

Because a Windows 2000 remote access router validates the router-to-router VPN connection, you can use all of the security features of Windows 2000 remote access, including data encryption, RADIUS, smart cards, and callback. See Chapter 19 for more on security considerations.

Adding a Demand-Dial Interface

To add a demand-dial interface to a router, follow these steps:

  1. Launch Routing and Remote Access from the Administrative Tools folder.
  2. In the console tree, click the appropriate router.
  3. Right-click Routing Interface. Choose New Demand-Dial Interface from the shortcut menu to start the Demand Dial Interface Wizard. Click Next.
  4. Enter a name for the demand-dial interface (Figure 32-16). Use a name that will help you recall the connection being made, such as the name of the branch office or network to which you're connecting. Click Next.

    Figure 32-16. Supplying a name for the demand-dial interface.

  5. Choose a connection type:
    • If you're not using VPN on this interface, select the Connect Using A Modem option, and click Next.

      Enter the phone number to be called. In addition to the primary number, you can click Alternates and specify additional numbers to be tried automatically if the primary number can't be reached.

    • If you select Connect Using Virtual Private Networking (VPN), click Next to open the VPN Type screen. Choose the tunneling protocol appropriate for your needs. Click Next.

      In the Destination Address screen, provide either the host name or the IP address for the remote router. Click Next.

  6. Under Protocols And Security, select all of the conditions that apply to the connection. If you select Add A User Account So A Remote Router Can Dial In, Use Scripting To Complete The Connection With The Remote Router (not a valid option for the VPN interface type), or both, the wizard presents a screen for configuring each selected item.
  7. Supply the Dial Out Credentials requested, including the user account name and password.
  8. When you're finished, the new interface is added to the routing interfaces in Routing and Remote Access. Right-click the name of the interface and choose Properties to change or add to the configuration.

Setting Up Static Routes and Routing Protocols

As mentioned earlier, for routers to be able to forward packets across the router-to-router VPN connection, each router has to have the appropriate routes in the routing table. Routes can be added as static routes to the routing tables of both routers. To add a static route to the routing table, follow these steps:

  1. Launch Routing And Remote Access from the Administrative Tools folder.
  2. Click the appropriate router, and then click IP Routing.
  3. Right-click Static Routing and choose New Static Route from the shortcut menu. (You can also view the existing IP routing table from this menu.)
  4. In the Static Route dialog box, select the interface and supply the IP address for the destination router (Figure 32-17).

Figure 32-17. Configuring a static route to be added to the routing table.

The route must also be configured on the corresponding router at the other end of the VPN. For a persistent connection, you can add a routing protocol instead of a static route. To do so, right-click General under IP Routing and choose New Routing Protocol from the shortcut menu.



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
