Virtual Private Networking (VPN) in Windows 2000

Lee Gibson
Support Professional, Premier Support
Microsoft Corporation

VPN Introduction

Virtual private networking (VPN) in Microsoft® Windows® 2000 allows mobile users to connect over the Internet to a remote network.

With virtual private networking, the user calls the local ISP and then uses the Internet to make the connection to the Network Access Server (NAS).

Users only make a local call to the ISP instead of an expensive long-distance telephone call to the remote access server.

Connecting Intranet Computers

In some corporate networks, the departmental data is so sensitive that the department LAN is physically disconnected from the corporate network.

VPN allows the administrator to ensure that only the users on the corporate network with appropriate permissions can gain access to the protected resources of the department.

Microsoft Layer 2 Tunneling Protocols

PPTP – Point-to-Point Tunneling Protocol
Uses a TCP connection (port 1723) for tunnel maintenance and Generic Routing Encapsulation (GRE, IP protocol 47) of PPP frames for the tunneled data.
The payloads of the encapsulated PPP frames can be encrypted and/or compressed.

L2TP – Layer 2 Tunneling Protocol
Uses UDP (port 1701) both for the series of L2TP control messages that maintain the tunnel and for the tunneled PPP frames.
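Worked example (added here, not part of the presentation): a decoder for both encapsulations, written from RFC 2637 and RFC 2661. It builds a PPTP data packet and an L2TP data packet from constructed sample values, parses them back with bounds checks, and reads the PPP protocol field to tell IP, IPX, NetBEUI and MPPE-encrypted payloads apart. The port and protocol constants are the real assigned numbers; the packet contents are made up.

```python
"""Decoders for PPTP data (enhanced GRE, RFC 2637) and L2TP (UDP 1701, RFC 2661),
down to the PPP protocol field.  Added example, written from the RFCs; not code
from the presentation.  Sample packets are constructed, not captured."""
import struct

PPTP_CONTROL_PORT = 1723    # TCP: PPTP tunnel maintenance
IP_PROTO_GRE = 47           # PPTP data: GRE-encapsulated PPP frames
L2TP_PORT = 1701            # UDP: L2TP control messages and tunneled PPP
GRE_PROTO_PPP = 0x880B      # protocol type PPTP writes into the GRE header
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI", 0x00FD: "MPPE"}


def _take(data, off, fmt):
    """Unpack fmt at off, refusing to read past the end: the bounds check a
    decoder of untrusted tunnel traffic must not skip."""
    size = struct.calcsize(fmt)
    if len(data) < off + size:
        raise ValueError("truncated header at offset %d" % off)
    return struct.unpack(fmt, data[off:off + size]) + (off + size,)


def build_pptp_gre(call_id, ppp, seq=None, ack=None):
    """Enhanced GRE header: K always set, S when a sequence number is present,
    A when an acknowledgment is piggy-backed; version field is 1."""
    flags1 = 0x20 | (0x10 if seq is not None else 0)     # K=0x20, S=0x10
    flags2 = 0x01 | (0x80 if ack is not None else 0)     # Ver=1, A=0x80
    hdr = struct.pack("!BBHHH", flags1, flags2, GRE_PROTO_PPP, len(ppp), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


def parse_pptp_gre(data):
    """Return call_id, seq, ack and the PPP frame; plain GRE (version 0) or any
    other protocol type is rejected rather than mis-decoded as PPTP."""
    flags1, flags2, proto, length, call_id, off = _take(data, 0, "!BBHHH")
    if (flags2 & 0x07) != 1 or proto != GRE_PROTO_PPP or not (flags1 & 0x20):
        raise ValueError("not a PPTP enhanced-GRE packet")
    seq = ack = None
    if flags1 & 0x10:                                       # S bit
        seq, off = _take(data, off, "!I")
    if flags2 & 0x80:                                       # A bit
        ack, off = _take(data, off, "!I")
    ppp = data[off:off + length]
    if len(ppp) != length:
        raise ValueError("payload shorter than declared length")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": ppp}


def build_l2tp(tunnel_id, session_id, payload, ns=None, nr=None, control=False):
    """L2TP v2 header with the L bit (explicit length); S bit when Ns/Nr given."""
    flags = 0x4002 | (0x8000 if control else 0)            # L=0x4000, T=0x8000, Ver=2
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= 0x0800                                     # S bit
        body += struct.pack("!HH", ns, nr)
    return struct.pack("!HH", flags, 4 + len(body) + len(payload)) + body + payload


def parse_l2tp(data):
    flags, off = _take(data, 0, "!H")
    if (flags & 0x000F) != 2:
        raise ValueError("unsupported L2TP version")
    if (flags & 0x8000) and (flags & 0x4800) != 0x4800:    # control needs L and S
        raise ValueError("control message without length/sequence fields")
    length, ns, nr = len(data), None, None
    if flags & 0x4000:                                      # L bit
        length, off = _take(data, off, "!H")
        if length > len(data):
            raise ValueError("declared length exceeds datagram")
    tunnel_id, session_id, off = _take(data, off, "!HH")
    if flags & 0x0800:                                      # S bit
        ns, nr, off = _take(data, off, "!HH")
    if flags & 0x0200:                                      # O bit: skip offset pad
        pad, off = _take(data, off, "!H")
        off += pad
    return {"control": bool(flags & 0x8000), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "payload": data[off:length]}


def parse_ppp(frame):
    """Split a PPP frame into (protocol, payload); tolerates the optional
    0xFF 0x03 address/control bytes and protocol-field compression (odd octet)."""
    off = 2 if frame[:2] == b"\xff\x03" else 0
    if len(frame) <= off:
        raise ValueError("empty PPP frame")
    if frame[off] & 1:
        return frame[off], frame[off + 1:]
    proto, off = _take(frame, off, "!H")
    return proto, frame[off:]


# Constructed samples: an MPPE-encrypted frame inside PPTP (MPPE header 0xC001 =
# flushed + encrypted, count 1, then ciphertext) and the start of an IP header in L2TP.
SAMPLE_PPTP = build_pptp_gre(0x1234, b"\xff\x03\x00\xfd\xc0\x01\x5c\xa7\x33", seq=7, ack=5)
SAMPLE_L2TP = build_l2tp(1, 2, b"\xff\x03\x00\x21\x45\x00\x00\x14", ns=3, nr=4)
```

The checks that matter for a decoder on untrusted traffic are the ones that reject: plain GRE (version 0) or a non-PPP protocol type is not PPTP, an L2TP length field larger than the datagram is malformed, and a control message must carry both the length and the sequence fields.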

VPN Requirements

User authentication
Address management
Data encryption
Key management
Multi-protocol support

User Authentication

The solution must verify the user’s identity and only allow access to authorized users.

The user account can be a local account on the VPN server or, in most cases, a domain account granted the appropriate dial-in permission.

The default remote access policy is “Allow access if dial-in permission is enabled.”

Address Management

The VPN must assign the client an IP address on the private network.

The VPN server can assign the client’s IP address using DHCP or a static pool of IP addresses.

After the VPN connection is established, the client typically has two addresses: one from the ISP on its Internet interface and one on the private network for the tunnel.

Data Encryption

Data sent and received over the Internet must be encrypted for privacy.

PPTP and L2TP both carry PPP, so PPP-based data encryption is available to both. Optionally, PPTP connections can use Microsoft Point-to-Point Encryption (MPPE), a stream cipher based on the RSA RC4 algorithm with 40-, 56- or 128-bit keys.

Microsoft’s implementation of the L2TP protocol does not rely on MPPE; it uses IPSec encryption to protect the data stream from the client to the tunnel server.

RC4 with 40- or 56-bit keys gives little protection against current hardware: require 128-bit MPPE for PPTP, or prefer L2TP/IPSec.

Key Management

The VPN solution must generate and refresh encryption keys for the client and server.

MPPE derives its initial key from the material generated during user authentication (MS-CHAP, MS-CHAP v2 or EAP-TLS) and then refreshes it periodically.

IPSec negotiates a shared key during the ISAKMP (IKE) exchange and also refreshes it periodically.
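Worked example for the two slides above, Data Encryption and Key Management (added here; not the presentation’s or Microsoft’s code): an MPPE session in which RC4 is keyed from the start key that authentication hands over and re-keyed by the key-change procedure of RFC 3078 section 7.3 (GetNewKeyFromSHA from RFC 3079, then RC4-encrypting the interim key with itself). In stateless mode, which Windows negotiates, the key changes on every packet; in stateful mode every 256 packets, signalled by the flushed bit. The start key and the packet stream are constructed; a real start key comes from the MS-CHAP or EAP-TLS exchange, and each direction of a link has its own.

```python
"""MPPE session keying: RC4 keyed from the start key authentication supplies,
with the key change of RFC 3078 section 7.3 / RFC 3079 section 3.  Added
example written from the RFCs, not code from the presentation.  The start key
and packets are constructed; pure-Python RC4 keeps the block self-contained."""
import hashlib
import struct

SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40
KEY_LEN = {40: 8, 56: 8, 128: 16}   # 40/56-bit keys are 8-byte RC4 keys with fixed leading octets


class RC4:
    """Textbook RC4 (the cipher MPPE uses).  State persists between calls, so a
    packet stream is one continuous keystream until the key is changed."""
    def __init__(self, key):
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data):
        s, i, j, out = self.s, self.i, self.j, bytearray()
        for b in data:
            i = (i + 1) & 0xFF
            j = (j + s[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
            out.append(b ^ s[(s[i] + s[j]) & 0xFF])
        self.i, self.j = i, j
        return bytes(out)


def reduce_key(key, bits):
    """RFC 3079: 40-bit keys fix the first three octets, 56-bit keys the first."""
    key = bytearray(key)
    if bits == 40:
        key[:3] = b"\xd1\x26\x9e"
    elif bits == 56:
        key[0] = 0xD1
    return bytes(key)


class MppeSession:
    """One direction of an MPPE link.  stateless=True is the H-bit mode Windows
    negotiates (new key every packet); stateful mode re-keys every 256 packets."""
    def __init__(self, start_key, bits=128, stateless=True):
        self.n, self.bits, self.stateless = KEY_LEN[bits], bits, stateless
        self.start_key = start_key[:self.n]          # constructed; really from MS-CHAP
        self.session_key = reduce_key(self.start_key, bits)
        self.rc4 = RC4(self.session_key)
        self.count = 0                               # 12-bit coherency count
        self.changes = 0

    def change_key(self):
        """GetNewKeyFromSHA, then RC4-encrypt the interim key with itself."""
        digest = hashlib.sha1(self.start_key + SHA_PAD1 + self.session_key + SHA_PAD2).digest()
        interim = digest[:self.n]
        self.session_key = reduce_key(RC4(interim).crypt(interim), self.bits)
        self.rc4 = RC4(self.session_key)
        self.changes += 1

    def encrypt(self, plaintext):
        flags = 0x4000 | self.count                  # B bit: packet is encrypted
        if self.stateless or (self.count & 0xFF) == 0xFF:
            self.change_key()
            flags |= 0x8000                          # A bit: flushed, receiver re-keys too
        self.count = (self.count + 1) & 0x0FFF
        return struct.pack("!H", flags) + self.rc4.crypt(plaintext)

    def decrypt(self, packet):
        (flags,) = struct.unpack("!H", packet[:2])
        count = flags & 0x0FFF
        if self.stateless:
            # Sender re-keyed once per packet: step the key once for every count
            # from the one we expected up to this one, lost packets included.
            for _ in range(((count - self.count) & 0x0FFF) + 1):
                self.change_key()
        elif count != self.count and not (flags & 0x8000):
            raise ValueError("lost packet in stateful mode: CCP Reset-Request needed")
        elif flags & 0x8000:
            self.change_key()
        self.count = (count + 1) & 0x0FFF
        return self.rc4.crypt(packet[2:])
```

Two things the slide does not say that the code makes visible: the 40-bit and 56-bit keys are 8-byte RC4 keys whose leading octets are fixed (0xD1 0x26 0x9E and 0xD1), so their strength is exactly the 40 or 56 bits that are not fixed; and MPPE carries no integrity check, so a bit flipped in transit flips the corresponding plaintext bit undetected. L2TP/IPSec authenticates every packet.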

Multi-protocol Support

Microsoft’s Layer 2 tunneling protocols support multiple payload protocols, which makes it easy for tunneling clients to access their corporate networks using IP, IPX, and NetBEUI.

VPN Server Configuration

A typical VPN server is multihomed. It has one network interface connected to the Internet with an Internet IP address, and a second network adapter connected to the private corporate network with an IP address on the private network.

The default gateway must be assigned on the public (Internet) interface of the VPN server. The private-network interface should not have a default gateway. If you have to route beyond the private network, add static routes instead (for example, route -p add <network> mask <netmask> <gateway> from a command prompt). This is documented in Knowledge Base article Q217079.
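Added example (not from the presentation): a check for the routing rule above, run over route tables written in the shape of the route print columns destination, gateway, interface and metric. The addresses, interface names and both tables are constructed.

```python
"""Routing check for a multihomed VPN server: one default gateway, on the
Internet interface, and static routes (not a second default gateway) for the
intranet subnets behind the private interface.  Added example, not from the
presentation; tables, addresses and interface names are constructed."""
import ipaddress

PUBLIC, PRIVATE = "Public", "Private"

# (destination, gateway, interface, metric)
GOOD_ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", PUBLIC,  1),   # default gateway on the Internet side only
    ("203.0.113.0/24", "0.0.0.0",     PUBLIC,  1),   # directly connected
    ("10.1.0.0/16",    "0.0.0.0",     PRIVATE, 1),   # directly connected private LAN
    ("10.2.0.0/16",    "10.1.0.1",    PRIVATE, 1),   # route -p add 10.2.0.0 mask 255.255.0.0 10.1.0.1
    ("10.3.0.0/16",    "10.1.0.1",    PRIVATE, 1),
]
BAD_ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", PUBLIC,  1),
    ("0.0.0.0/0",      "10.1.0.1",    PRIVATE, 1),   # the mistake the slide warns about
    ("203.0.113.0/24", "0.0.0.0",     PUBLIC,  1),
    ("10.1.0.0/16",    "0.0.0.0",     PRIVATE, 1),
]
PRIVATE_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]


def best_route(routes, dst):
    """Longest prefix wins, then lowest metric; a tie keeps the first entry,
    which is why two default gateways of equal metric make forwarding
    depend on table order."""
    addr = ipaddress.ip_address(dst)
    best, best_key = None, None
    for route in routes:
        net = ipaddress.ip_network(route[0])
        if addr in net:
            key = (net.prefixlen, -route[3])
            if best_key is None or key > best_key:
                best, best_key = route, key
    return best


def audit_routes(routes, private_prefixes, public=PUBLIC, private=PRIVATE):
    """Return the list of problems; an empty list means the table follows the rule."""
    problems = []
    defaults = [r for r in routes if ipaddress.ip_network(r[0]).prefixlen == 0]
    if not any(r[2] == public for r in defaults):
        problems.append("no default gateway on the %s interface" % public)
    for r in defaults:
        if r[2] == private:
            problems.append("default gateway %s on the %s interface: remove it and add static routes"
                            % (r[1], private))
    for prefix in private_prefixes:
        probe = str(next(ipaddress.ip_network(prefix).hosts()))
        r = best_route(routes, probe)
        if r is None or r[2] != private or ipaddress.ip_network(r[0]).prefixlen == 0:
            problems.append("%s has no static route via the %s interface" % (prefix, private))
    return problems
```

A subnet that is only reached through a default route is reported even when that default happens to point at the private interface, because the fix the slide prescribes is a specific static route, not a second default gateway.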

Configuring a VPN Server

The following slides show screen shots of how to configure a VPN server to accept VPN connections over the Internet.

The slides show a typical setup of a multihomed VPN server with one network adapter connected to the Internet and another network adapter connected to the private network.

First Step: Configure Routing and Remote Access

On the Welcome screen, click Next.

Select “Virtual private network (VPN) server”.

Select “Yes, all of the available protocols are on this list”.

Select the Internet-facing connection from the “Internet connections” list. This creates custom packet filters on that connection.

IP Address Assignment lets you pick the method for IP address assignment (DHCP or a static pool).

For this example, we created a static pool of IP addresses to assign to clients.

Allows you to specify a RADIUS server, if you are using RADIUS authentication.

Finish the Routing and Remote Access Server setup. The server is now ready to accept VPN connections.

Notes from Our Setup

When we selected our “Internet connection,” the wizard automatically built input and output filters on our Internet adapter. These filters prevent you from pinging the adapter and also block other types of communication: everything except the VPN protocols’ own traffic is dropped on that interface. The following slides show the screen shots of the filters that the wizard created automatically.

Input Filters

Input Filters (2)

Output Filters

Output Filters (2)
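Added example (not from the presentation; the filter screenshots are not reproduced here): a model of the wizard’s filters. The two filter lists are my reconstruction of what the Windows 2000 wizard creates for PPTP and L2TP/IPSec on the Internet adapter, PUBLIC_IP and the client address are assumed, and both lists use the wizard’s action “Drop all packets except those that meet the criteria below”, so a packet passes only if some filter matches it. Running it shows why the adapter stops answering ping: ICMP matches nothing and is dropped, as is everything else except the VPN protocols themselves.

```python
"""Model of the input/output filters the Windows 2000 RRAS wizard places on the
Internet adapter.  Added example, not from the presentation: the filter lists are
a reconstruction of the wizard's PPTP and L2TP/IPSec rules, and the addresses
are assumed.  Action for both lists: drop everything that matches no filter."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"              # assumed public address of the VPN server
CLIENT = "198.51.100.7"                 # constructed remote client address
TCP, UDP, GRE, ICMP = 6, 17, 47, 1


@dataclass(frozen=True)
class Filter:
    proto: int
    dst_ip: Optional[str] = None        # input filters pin the destination to the server
    src_ip: Optional[str] = None        # output filters pin the source to the server
    sport: Optional[int] = None         # None means any port
    dport: Optional[int] = None
    established: bool = False           # "TCP [established]": only segments with ACK/RST set

    def matches(self, pkt):
        return all([
            self.proto == pkt["proto"],
            self.dst_ip in (None, pkt["dst_ip"]),
            self.src_ip in (None, pkt["src_ip"]),
            self.sport in (None, pkt.get("sport")),
            self.dport in (None, pkt.get("dport")),
            not self.established or pkt.get("ack", False),
        ])


INPUT_FILTERS = [   # traffic arriving on the Internet adapter
    Filter(GRE, dst_ip=PUBLIC_IP),                                  # PPTP data
    Filter(TCP, dst_ip=PUBLIC_IP, dport=1723),                      # PPTP control
    Filter(TCP, dst_ip=PUBLIC_IP, sport=1723, established=True),    # PPTP control, replies
    Filter(UDP, dst_ip=PUBLIC_IP, sport=500, dport=500),            # IKE for L2TP/IPSec
    Filter(UDP, dst_ip=PUBLIC_IP, sport=1701, dport=1701),          # L2TP
]
OUTPUT_FILTERS = [  # traffic leaving the Internet adapter
    Filter(GRE, src_ip=PUBLIC_IP),
    Filter(TCP, src_ip=PUBLIC_IP, sport=1723),
    Filter(TCP, src_ip=PUBLIC_IP, dport=1723, established=True),
    Filter(UDP, src_ip=PUBLIC_IP, sport=500, dport=500),
    Filter(UDP, src_ip=PUBLIC_IP, sport=1701, dport=1701),
]


def permitted(filters, pkt):
    """'Drop all packets except those that meet the criteria': pass iff any filter matches."""
    return any(f.matches(pkt) for f in filters)


def packet(proto, src_ip, dst_ip, sport=None, dport=None, ack=False):
    """Constructed packet summary holding only the header fields the filters examine."""
    return {"proto": proto, "src_ip": src_ip, "dst_ip": dst_ip,
            "sport": sport, "dport": dport, "ack": ack}


def audit(filters, samples):
    """Map each (label, packet) pair to whether the filter list lets it through."""
    return {label: permitted(filters, p) for label, p in samples}


# Constructed inbound traffic, as seen by the Internet adapter.
SAMPLES = [
    ("ping", packet(ICMP, CLIENT, PUBLIC_IP)),
    ("pptp control", packet(TCP, CLIENT, PUBLIC_IP, sport=40000, dport=1723)),
    ("pptp data", packet(GRE, CLIENT, PUBLIC_IP)),
    ("ike", packet(UDP, CLIENT, PUBLIC_IP, sport=500, dport=500)),
    ("l2tp", packet(UDP, CLIENT, PUBLIC_IP, sport=1701, dport=1701)),
    ("http", packet(TCP, CLIENT, PUBLIC_IP, sport=40001, dport=80)),
    ("pptp to other host", packet(TCP, CLIENT, "203.0.113.11", sport=40002, dport=1723)),
]
```

The filters bind to one adapter and to the server’s own address, so they protect the VPN server, not the network behind it; traffic that arrives on the private adapter is not filtered by them at all.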