The uses and types of virtual private networks were described earlier in this chapter and in some detail in Chapter 17. This section outlines the steps involved in configuring and using a VPN for PPTP connections across the Internet.
Your connection to the Internet will be over a dedicated line of some sort, most typically T1, Fractional T1, or Frame Relay. You'll need to be sure that the WAN adapter is on the Windows 2000 HCL. The WAN adapter includes drivers that are installed in the Windows 2000 operating system, allowing the WAN adapter to appear as a network adapter. The WAN adapter will need to be configured with the IP address and subnet mask assigned for your domain or supplied by an ISP, as well as with the default gateway of the ISP router.
For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations of the intranet are reachable from the remote access server.
To configure the server as a router, open Routing And Remote Access, right-click the server name, and choose Properties. On the General tab, select the Enable This Computer As A Router option. Then indicate whether you want the router to handle local area network routing only or LAN and demand-dial routing. Click OK to close the Properties window.
You'll need to confirm that you have the number of PPTP ports you need. To verify the number of ports or to add more, follow these steps:
Figure 31-15. Configuring the PPTP ports.
MORE INFO
An excellent overview of routing concepts can be found in Microsoft TCP/IP Training (Microsoft Press, 1997).
Most networks need to filter packets based on their incoming or outgoing addresses. To set the PPTP filters, follow these steps:
CAUTION
Filtering can be a tricky business, so proceed with caution. It's all too easy to filter too much or too little. Consult the online Help files of Windows 2000 Server for additional information.
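The following is an added example, not part of the book and not RRAS code: it models the standard PPTP-only filter set on an Internet-facing interface (inbound TCP 1723 and GRE, IP protocol 47, to the server address; the mirror image outbound, with everything else dropped) and runs constructed packets through it, so you can see what a "too much or too little" filter would let through or block before you apply it on the server. The `Packet` class, the filter dictionaries and the `audit` helper are assumptions made for this illustration.

```python
# Added example: a small model of RRAS-style "drop all except the listed" PPTP packet filters.
# PPTP needs exactly two flows: TCP port 1723 (control channel) and IP protocol 47, GRE (tunneled data).
from dataclasses import dataclass

TCP, GRE = 6, 47  # IP protocol numbers


@dataclass(frozen=True)
class Packet:  # constructed for the example
    src: str
    dst: str
    proto: int
    sport: int = 0  # 0 = not applicable (GRE carries no ports)
    dport: int = 0


def pptp_filters(server_ip):
    """Return (input_filters, output_filters) for a PPTP-only Internet interface.
    Each filter lists the fields a packet must match; unlisted fields mean 'any'."""
    inbound = [
        {"dst": server_ip, "proto": TCP, "dport": 1723},  # PPTP control channel in
        {"dst": server_ip, "proto": GRE},                 # PPTP tunneled data in
    ]
    outbound = [
        {"src": server_ip, "proto": TCP, "sport": 1723},  # PPTP control channel out
        {"src": server_ip, "proto": GRE},                 # PPTP tunneled data out
    ]
    return inbound, outbound


def matches(pkt, flt):
    return all(getattr(pkt, field) == value for field, value in flt.items())


def action(pkt, filters):
    """Model the 'Drop all packets except those that meet the criteria below' mode."""
    return "FORWARD" if any(matches(pkt, f) for f in filters) else "DROP"


def audit(server_ip, direction, packets):
    """Apply the input or output filter set to each packet; returns (packet, verdict) pairs."""
    inbound, outbound = pptp_filters(server_ip)
    chosen = inbound if direction == "input" else outbound
    return [(p, action(p, chosen)) for p in packets]


if __name__ == "__main__":
    # Constructed traffic: a PPTP client at 203.0.113.10 talking to the VPN server at 198.51.100.5
    sample = [
        Packet("203.0.113.10", "198.51.100.5", TCP, 40000, 1723),  # control channel -> FORWARD
        Packet("203.0.113.10", "198.51.100.5", GRE),               # tunneled data  -> FORWARD
        Packet("203.0.113.10", "198.51.100.5", TCP, 40001, 445),   # SMB probe      -> DROP
    ]
    for pkt, verdict in audit("198.51.100.5", "input", sample):
        print(verdict, pkt)
```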
A router-to-router VPN is typically used to connect remote offices over a permanent link such as a dedicated T1 line. However, a router-to-router VPN can also be configured to be available on demand, which means that the connection is made only when needed. This section describes the components of a Windows 2000 router-to-router VPN connection.
The client is the calling router that initiates the VPN connection. For router-to-router connections, you can use computers running Windows 2000 Server, or Windows NT Server 4 with RRAS, as VPN clients.
The VPN server is the answering router that accepts the connection from the calling router. Computers running Windows 2000 Server and computers running Windows NT Server 4 with RRAS can be set up as VPN servers.
LAN protocols such as TCP/IP and IPX are used to transport information. Windows 2000 Server supports the routing of LAN protocol packets by using the PPP remote access protocol in a router-to-router VPN connection.
Tunneling protocols encapsulate one network protocol inside another. VPN clients and VPN servers use tunneling protocols to manage tunnels and send tunneled data. Windows 2000 includes PPTP and L2TP. Windows NT Server 4 with RRAS includes only PPTP.
The VPN client (the calling router) must have a demand-dial interface configured for
The answering router (the VPN server) must have a demand-dial interface with the same name as the user account being used by the calling router (the VPN client). The interface must be configured for a PPTP port (for a PPTP-based VPN connection) or an L2TP port (for an L2TP-based connection). The section "Adding a Demand-Dial Interface," later in this chapter, describes how to set up a demand-dial interface.
The calling router needs a user account with dial-in permissions either through the user account or through remote access policies.
To be able to forward packets across the router-to-router VPN connection, each router has to have the appropriate routes in the routing tables. Routes are added to the routing tables of both routers either as static routes or by enabling a routing protocol to operate across a persistent router-to-router VPN connection. Static routing is best for a small, single-path internetwork. The section "Setting Up Routing Tables or a Static Route," later in this chapter, describes how to add routes to the routing tables.
Because a Windows 2000 remote access router validates the router-to-router VPN connection, you can use all of the security features of Windows 2000 remote access, including data encryption, RADIUS, smart cards, and callback. See Chapter 18 for more on security considerations.
To add a demand-dial interface to a router, follow these steps:
Figure 31-16. Supplying a name for the demand-dial interface.
Enter the phone number to be called. In addition to the primary number, you can click Alternates and specify additional numbers to be tried automatically if the primary number can't be reached.
In the Destination Address screen, provide either the host name or the IP address for the remote router. Click Next.
As was mentioned earlier, for routers to be able to forward packets across the router-to-router VPN connection, each router has to have the appropriate routes in the routing table. Routes can be added as static routes to the routing tables of both routers. To add a static route to the routing table, follow these steps:
Figure 31-17. Configuring a static route to be added to the routing table.
The route must also be configured on the corresponding router at the other end of the VPN. For a persistent connection, you can add a routing protocol instead of a static route. To do so, right-click General under IP Routing and choose New Routing Protocol from the shortcut menu.
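As an added illustration of why the route has to exist on both routers (this is example code, not from the book or from Windows 2000), the block below models two routing tables with longest-prefix matching and checks that traffic from one office LAN can reach the other and get back across the demand-dial interface. The router names, interface names, subnets and the `vpn_reachable` helper are all assumptions constructed for the example.

```python
# Added example: model of static routes on both ends of a router-to-router VPN.
# Each route is (network, interface_name, next_hop). A packet leaves on the most specific match.
import ipaddress

# Constructed tables for a head office router (A) and a branch router (B).
# Route to the far LAN points at the demand-dial interface; remote-end next hop is not needed
# on a point-to-point demand-dial link, so it is left as None here.
ROUTER_A = [
    ("10.1.0.0/16", "LAN", None),                   # head office LAN, directly connected
    ("10.2.0.0/16", "VPN-to-Branch", None),         # static route added as in the steps above
    ("0.0.0.0/0", "Internet", "198.51.100.1"),      # default to the ISP router
]
ROUTER_B_MISSING = [
    ("10.2.0.0/16", "LAN", None),                   # branch LAN only; no route back to 10.1.0.0/16
    ("0.0.0.0/0", "Internet", "203.0.113.1"),
]
ROUTER_B_FIXED = ROUTER_B_MISSING + [("10.1.0.0/16", "VPN-to-HQ", None)]


def lookup(table, dst_ip):
    """Longest-prefix match: return the (network, interface, next_hop) tuple or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, iface, nhop in table:
        network = ipaddress.ip_network(net)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, nhop)
    return best


def egress(table, dst_ip):
    """Name of the interface a packet to dst_ip leaves on, or None if there is no route."""
    hit = lookup(table, dst_ip)
    return hit[1] if hit else None


def vpn_reachable(table_a, table_b, host_a, host_b, vpn_ifaces):
    """True only if A sends to host_b over a VPN interface AND B sends the reply back over one.
    A reply that falls to the default route would go to the ISP, not through the tunnel."""
    forward = egress(table_a, host_b)
    reverse = egress(table_b, host_a)
    return forward in vpn_ifaces and reverse in vpn_ifaces
```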