• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Microsoft Networking Articles
• Understanding the OSI Model
• Understanding Department of Defense Network Model
• Understanding TCP/IP
• Understanding the Microsoft Model
• Consideration in Planning Network Infrastructure
• Analyzing Organizational Requirements for Network Infrastructure Planning
• Developing a Test Network
• Implementing Internet Connections
• Implementing NWLINK
• Implementing Public Key Infrastructure
• The Certificate Enrollment Process
• Implementing Smart Card Authentication
• Installing and Configuring NAT
• Installing and Configuring TCT/IP
• Installing IPv6
• LAN Switching and Switch Types
• Monitoring and Troubleshooting Internet Connectivity
• Monitoring Network Activity
• Network Load Balancing
• Routing Protocols
• The Windows Routing Table
• Understanding SSL
• SSL Applications
• Understanding VPN Tunneling
• The VPN Gateway
• Troubleshooting VPNs
• Understanding Ethernet LAN Segmentation
• Understanding Internet Connections
• Understanding IP Addressing
• Understanding IPv6
• Understanding NAT
• Understanding Network Protocols
• Understanding Routing
• Understanding Subnet Masking
• Understanding Subnetting
• Understanding Variable Length Subnet Masking
• Understanding Wireless Connections
• Understanding APIPA
• Understanding NetBIOS Name Resolution
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

The VPN Gateway

Understanding VPNs and the VPN Gateway

Virtual private networks (VPNs) enable users to connect to a remote private network through the Internet. Virtual private networks therefore span the Internet because the user connects over the Internet to the remote VPN server. With a VPN, data is first encrypted and encapsulated before it is sent to the remote VPN server. When the VPN server obtains the data, it decrypts the packet so that is can be interpreted.

VPNs are usually implemented to provide for the following scenarios:

• Enable remote access users to connect to and access the network.
• Provide connectivity between two or multiple private networks or LANs.

A VPN gateway, also called a VPN router, is a connection point that connects two LANs which are connected by a nonsecure network such as the Internet. A VPN gateway therefore connects to either a single VPN gateway, or to multiple VPN gateways to extend the LAN. This scenario is typically referred to as a router-to-router VPN. The corporate networks are connected through the VPN servers running Routing And Remote Access (RRAS). The actual medium that connects the LANs is usually the Internet. This means that the VPN gateway or router will be configured with the address on the LAN that it is connected to, and a public IP address.

A few factors that affect the design and implementation of VPN gateways are:

• IP address assignment
• Name resolution
• Dynamic routing
• Auto-static routing updates
• Maintenance of the routing table

Clients can receive IP addresses and name resolution server information from the VPN server or they can the information from a VPN server fulfilling the role of DHCP Relay Agent.

Most VPN gateways have a hub and spoke configuration design. The advantage of this configuration design is that the corporate network can manage Internet access. Another advantage of a hub and spoke configuration design is that a non-complicated network routing configuration can be used.

An important component of VPN gateway networks is name resolution. This is due to clients needing to query the appropriate name resolution servers to locate both local resources and remote resources. The DHCP server should provide the IP addresses of these name resolution servers for the VPN gateway networks to operate. WINS or DNS servers can provide name resolution services. These name resolution servers can be on the local LAN, or clients can use the VPN connection to forward their requests to access resources to the remote access servers. With DNS, name resolution can also be provided from Internet DNS servers.

Routing protocols enable routers to communicate between one another, and advertise available routes and their associated preference to other routers on the network. The routing protocols that you can add when using the Routing And Remote Access Service (RRAS) in Windows Server 2003 are:

• The Routing Information Protocol (RIP) dynamic routing protocol
• The Open Shortest Path First (OSPF) dynamic routing protocol
• The multicast routing protocol IGMP Router And Proxy
• The DHCP Relay Agent

Using dynamic routing protocols, such as RIP and OSPF adds the advantage of simplified administration because they share routing update information between the routers, and also manage the routing table so that it contains current, updated information. When routers need to forward packets, they interpret the addresses of the packets, and then use the information in the routing tables to pass the packet on. Data packets contain both source and destination addresses in their packet headers. This is the information that is used when routing decisions need to be made. The destination address is compared with the local address to determine whether the packet should be sent up the stack on the local host, whether the packet should be sent to a different destination, or whether the packet should simply be ignored.

OSPF is the dynamic routing protocol which is used to exchange routing information in large to very large networks. While configuring OSPF is more complex than it is to configure and administer RIP, OSPF is more efficient than RIP, and it also requires very minor network overhead. A few reasons to use OSPF rather than RIP is due to OSPF scaling well to large and very large internetworks, OSPF has no hop limit, OSPF calculated routes are loop-free routes, and OSPF utilizes less network bandwidth than the RIP routing protocol.

Routers that have RIP enabled; advertise the entire content of their routing tables to other routers, at 30 second intervals. From this, it is quite clear that RIP does incur quite an amount of network traffic. This could negatively impact your demand-dial connections because of the quantity of RIP traffic generated. Auto-static routing updates can be used for networks that use RIP. With auto-static routing updates, route update advertisements can be scheduled.

A few issues that need to be clarified before you create demand-dial VPN connections are:

• Select the VPN tunnel protocol to utilize:
  • Point-to-Point Tunneling Protocol (PPTP): PPTP encapsulates PPP frames into IP datagrams to transmit data over an IP internetwork. PPTP utilizes a TCP connection to create and manage the VPN tunnel to convey tunneled data. A modified version of Generic Route Encapsulation (GRE) deals with data transfer by encapsulating PPP frames for tunneled data. The encapsulated tunnel data can be encrypted and compressed. The authentication methods supported by PPTP are PAP, CHAP, MS-CHAP and EAP. PPTP encryption can only be utilized when the authentication protocol is EAP-TLS or MS-CHAP.
  • Layer 2 Tunneling Protocol (L2TP): L2TP encapsulates PPP frames, and sends encapsulated data over IP, frame relay, ATM and X.25 networks. With L2TP, the PPP and layer two end-points can exist on different devices. L2TP can also operate as a tunneling protocol over the Internet. L2TP uses UDP packets and a number of L2TP messages for tunnel maintenance. When L2TP is used with IPSec, the highest level of security is assured, including data confidentiality and integrity, data authentication, as well as replay protection. You have to use a Public Key Infrastructure (PKI) if you want to use L2TP as the encapsulating VPN protocol.
• Persistent Internet connection requirements: You might need to have a persistent Internet connection at each end of the VPN tunnel if a demand-dial circuit is going to be used:
  • If each of the two systems connects to the Internet via a persistent connection, you need to ascertain whether each end needs to start the demand-dial connection.
  • If one system connects to the Internet via a persistent connection, you have to configure a demand-dial VPN, and a standard demand-dial connection.

How to install Routing and Remote Access Service (RRAS)

1. Click Start, and then click Manage Your Server.
2. Select the Add or remove a role option.
3. The Configure Your Server Wizard starts.
4. On the Preliminary Steps page, click Next.
5. A message appears, informing you that the Configure Your Server Wizard is detecting network settings and server information.
6. When the Server Role page appears, select the Remote Access/VPN Server option and then click Next.
7. On the Summary of Selections page, click Next.
8. 8. The Welcome to the Routing and Remote Access Server Setup Wizard page is displayed.

How to configure a VPN Server

1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. Right-click the server, and then click Configure And Enable Routing And Remote Access from the shortcut menu.
4. The Routing and Remote Access Server Setup Wizard starts.
5. Click Next on the Routing and Remote Access Server Setup Wizard Welcome page.
6. On the Common Configuration page, select the Remote Access (Dial-Up Or VPN) option. Click Next.
7. On the Remote Access page, select the VPN checkbox.
8. On the VPN Connection page, choose the interface which is connected to the Internet and click Next.
9. On the IP Address Assignment page, select the Automatically option if you want use a DHCP server for IP address assignment for remote clients; or select the From A Specified Range Of Addresses option if you want to specify your own address range.
10. If you chose the From A Specified Range Of Addresses option, proceed to specify the address range for remote clients. Click Next.
11. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And Remote Access To Authenticate Connection Requests option. Click Next.
12. Click Finish on the Completing the Routing and Remote Access Server Setup Wizard page

How to configure PPTP/ L2TP ports

1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, expand the node for the server that you want to configure.
3. Right-click Ports and then select Properties from the shortcut menu to open the Ports Properties dialog box.
4. Select WAN Miniport (PPTP) or select WAN Miniport (L2TP).
5. Click the Configure button.
6. The Configure Device dialog box opens.
7. In the Maximum Ports box, specify the number of connections that the port type which you have selected can support. The default configuration setting when the RRAS is installed is 5 PPTP ports and 5 L2TP ports.
8. If you want to specify the IP address of the public interface to which VPN clients connect, use the Phone Number For This Device box on the Configure Device dialog box.
9. If you want to disable connections for the port type, deselect the Use the Remote Access Connections (Inbound Only) checkbox on the Configure Device dialog box.
10. If you do not want to allow the specific VPN type to be used for demand-dial connections, deselect the Demand-Dial Routing Connections (Inbound And Outbound) checkbox.
11. Click OK to close the Configure Device dialog box.
12. Click OK to close the Ports Properties dialog box.

How to install computer certificates on VPN routers

You have to install computer certificates on VPN routers when they authenticate through EAP-TLS, and connect using L2TP/IPSec as the encapsulating protocol.

You can install computer certificates using either of the following methods:

• Web browser computer certificate installation
• Auto-enrollment of computer certificates

To use a Web browser computer certificate installation:

1. Connect to the CA server using Internet Explorer 5.0 or above, and the credentials of the Administrator account.
2. You can use the following URL: http:// <servername>/certsrv.
3. Enter the appropriate user name and password if you are not automatically authenticated.
4. The Web based interface for manually requesting certificates opens, and the Welcome page is displayed.
5. Click the Request A Certificate option.
6. On the following page, click Advanced Certificate Request.
7. Click the Create And Submit A Request To This CA option.
8. On the Advanced Certificate Request page, in the Certificate Template list, choose Router (Offline request).
9. In the Name box, enter the user account name that the calling router utilizes.
10. Under Key Options, select the Mark keys as exportable checkbox, and select the Store certificate in the local computer certificate store checkbox.
11. Click the Submit button.
12. When the Certificate Issued page appears, click Install This Certificate.
13. On the Potential Scripting Violation warning dialog box, click Yes.

To install computer certificates through auto-enrollment:

1. Click Start, Administrative Tools and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, expand Active Directory Users and Computers.
3. Locate and right-click the domain that contains the CA, and then select Properties from the shortcut menu.
4. Click the Group Policy tab.
5. Select Default Domain Policy and then click the Edit button.
6. In the console tree, right-click Automatic Certificate Request Settings and then select New from the menu.
7. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, expand Automatic Certificate and then click Request Settings.
8. The Automatic Certificate Request Wizard starts.
9. Click Next on the Automatic Certificate Request Wizard Welcome page.
10. In Certificate templates, click Computer. Click Next.
11. Select CA, and then click Next.
12. Click Finish.

How to configure a VPN router to enable connectivity between LANs

1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. Right-click the server, and then click Configure And Enable Routing And Remote Access from the shortcut menu.
4. The Routing and Remote Access Server Setup Wizard starts.
5. Click Next on the Routing and Remote Access Server Setup Wizard Welcome page.
6. On the Common Configuration page, select the Remote Access (Dial-Up Or VPN) option. Click Next.
7. On the Remote Access page, select the VPN server checkbox and then click Next.
8. On the VPN Connection page select the network interface for connecting the server to the Internet.
9. Leave the default setting that enables security on the selected interface unchanged, and then click Next.
10. On the Address Assignment page, select the From A Specified Range Of Addresses option and click Next.
11. On the Address Range Assignment page click New and then proceed to specify an address range for the remote VPN gateway. Click Next.
12. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And Remote Access To Authenticate Connection Requests option. Click Next.
13. Click Finish when the Completing the Routing and Remote Access Server Setup Wizard page appears.
14. You will be notified that the DHCP Relay Agent has to be configured with the IP address of the DHCP server so that DHCP relay messages can be allowed from your remote clients.
15. Click OK to acknowledge this notification.
16. To configure the demand-dial interface, in the console tree of the Routing and Remote Access console, select Network Interfaces.
17. From the Action menu, click New Demand-dial Interface.
18. The Demand-dial Interface Wizard starts.
19. Click Next on the Demand-dial Interface Wizard Welcome page.
20. Enter a name for the demand-dial VPN interface and then click Next.
21. On the Connection Type page, choose the Connect using virtual private networking (VPN) option and click Next.
22. On the VPN Type page, select the VPN protocol which you want to use and then click Next. You can leave the Automatic selection default option unchanged.
23. On the Destination Address page, provide the IP address that corresponds to the public interface of the remote gateway and then click Next.
24. On the Protocols And Security Page, select the Route IP packets on this interface checkbox, and click Next.
25. On the Static Routes For Remote Networks page, click the Add button and then enter the LAN subnet address for the remote LAN on the Static Route dialog box.
26. Click OK and then click Next.
27. Specify the username, password and domain for authentication purposes and click Next.
28. Click Finish on the Completing the Demand-dial Interface Wizard page.
29. You now have to configure the interface for a persistent connection.
30. In the console tree of the Routing and Remote Access console, select the demand-dial interface that you want to configure, and then select the Action menu. Click the Options command on the Action menu.
31. Click Persistent Connection and click OK.
32. In the console tree of the Routing and Remote Access console, expand the IP Routing node.
33. Select Static Routes to verify that the static route to the remote LAN subnet is configured. The static route should be displayed in the Details pane.
34. To configure packet filtering properties, select the demand-dial interface and select Properties from the shortcut menu.
35. On the General tab, select Inbound Filters and then select New.
36. Specify the appropriate LAN subnet information. Click OK.
37. Select the Drop all packets except those that meet the criteria below option and then click OK.
38. Select the demand-dial interface and select Properties from the shortcut menu.
39. On the General tab, select Outbound Filters and then select New.
40. Specify the appropriate LAN subnet information. Click OK.
41. Select the Drop all packets except those that meet the criteria below option and then click OK.
42. Click OK again.
43. In the console tree of the Routing and Remote Access console, select the demand-dial circuit from Network Interfaces, and then select the Connect command from the Action menu.
44. Examine the information in the Status column and Connection State column to verify the status and state of the tunnel.

How to add a VPN connection (manually)

If you want to add a VPN connection through the Routing And Remote Access console, you have to manually add it to the Network Interfaces node.

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, select the Network Interfaces node.
3. Right-click the Network Interfaces node and then select New Demand-Dial Interface from the shortcut menu.
4. The Demand Dial Interface Wizard starts.
5. Follow the prompts of the Demand Dial Interface Wizard to manually add the VPN connection.

How to enable the DHCP Relay Agent on a router interface

1. Click Start, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node and then select New Interface from the shortcut menu.
4. Select the interface that is on the same subnet as the DHCP clients.
5. Click OK.
6. In the DHCP Relay Properties dialog box, ensure that the Relay DHCP Packets checkbox is selected on the General tab.
7. You can change the Hop-Count Threshold and Boot Threshold values.
8. Click OK.

How to add a static route

1. Click Start, Administrative Tools, and then Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, right-click Static Routes and then select New Static Route from the shortcut menu.
3. When the Static Route dialog box opens, provide the appropriate information for the following settings:
   • Interface
   • Destination
   • Network Mask
   • Gateway
   • Metric parameters
4. Click OK.

How to create IP packet filters

You can configure demand-dial filters, and inbound and outbound packet filters to manage both inbound and outbound access to resources via the VPN tunnel. For packet filters, the rules used can be based on the following:

• Source address
• Destination address
• Source TCP port
• Destination TCP port
• Source UDP port
• Destination UDP port
• Protocol type

To configure inbound packet filters:

1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. Expand the IP Routing node to display the General sub-node.
4. Click the General sub-node.
5. In the details pane of the Routing And Remote Access console, select the demand dial interface.
6. Click the Action menu and then select the Properties command.
7. When the demand-dial interface Properties dialog box opens, select Inbound Filters on the General tab.
8. When the Inbound Filters dialog box opens, click New.
9. The Add IP Filter dialog box opens.
10. Specify the desired parameters for the inbound filter.
11. Click OK.

Troubleshooting Router-to-Router VPNs

A few guidelines for troubleshooting problems associated with router-to-router VPNs are summarized below:

• The Router option and the LAN option should be enabled on the remote access server. You can verify this through the Routing And Remote Access console, by checking the configuration on the General tab of Server Properties dialog box.
• Each remote access server should be configured to handle the appropriate number of connections. You need to verify that each server has the sufficient number of ports specified in the Ports node of the Routing And Remote Access console.
• Each remote access server must have the Enable IP Routing option selected. Verify this by accessing the Routing And Remote Access console, and checking the setting of this option on the IP tab of Server Properties dialog box.
• You have to ensure that the static routes are correctly configured on the remote access server for the traffic destined for the other network to be forwarded to the proper VPN router.
• The VPN connection should have the proper permissions on the dial-in properties of the user account and in your remote access policies.
• The settings specified in your remote access policies should not conflict with the remote access server’s configured properties.
• The demand-dial router, and answering remote access server and remote access policy should be using at least one common authentication method. They should also be using a common encryption level or strength.
• The remote access server at each end of the connection has to be part of the RAS And IAS Servers group in the local domain.

Bookmark The VPN Gateway

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum