Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


November 1997

Create a Virtual Private Network with RRAS


From the November 1997 Edition
of Windows IT Pro
Douglas Toombs
Feature
InstantDoc #70
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Routing and Remote Access Service (RRAS) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

You're almost finished with the PPTP configuration. RRAS tells you that you need to create the same configuration on the other router (i.e., AMERICA) to complete this connection. In the configuration box, select the Enable router-discovery advertisements checkbox.

Now, repeat the same configuration for the AMERICA server. Configure your dial-up ISP connection and verify it. Build a PPTP connection on the AMERICA server and call it PPTP-EUROPE. For the IP address, enter the Internet IP address of the EUROPE server. At the prompt, to set up dial-in and dial-out credentials, define the dial-out credentials as PPTP-AMERICA with no password and set the dial-in credentials as PPTP-EUROPE with no password.

Are We There Yet?
You're not quite there yet. Don't try connecting now. You still have a bit of work to do, including setting up static routing and security.

This time, work with the AMERICA server first. Click the IP Routing option in the left pane of the RRAS Administration program. Right-click the Static Routes to bring up the dialog box that you see in Screen 6. Define a static route to the destination address of the EUROPE server, that is, its Internet IP address (here, 172.16.77.46). Give it a subnet mask of 255.255.255.255 and any gateway address you want; I usually use 101.101.101.101. Set the Metric to 2, and choose your ISP Connection as the interface. This setting directs your system to go through the ISP connection to access the interface on the EUROPE server.

Build a secondary static route to the internal network in EUROPE by defining a route to the destination address 172.16.10.0, a subnet mask of 255.255.255.0, and a gateway of the Internet IP address of the EUROPE server. Set the Metric to 1, and choose your RASPPTPM device as the interface.

You have just built two static routes for your server that will direct all packets for the 172.16.10.x network to 172.16.77.46. However, your server needs to know how to get to 172.16.77.46, and your first static route entry gives it directions. Any packets destined for 172.16.77.46 will be directed to the ISP Connection demand-dial interface. Now, build the same configuration on the EUROPE server, but with routes pointing to the AMERICA server, with an internal address of 172.16.1.0.

Let's check this work before going any further. Verify that your Internet connections are active on each side of the network. Ping each server from the other through the Internet to make sure the connection is working. Once everything is in place, right-click your PPTP connection (from either server) and choose Connect. If you've done everything correctly, your connection will negotiate, and you'll have a VPN connection running between the two servers at 10,000,000 baud. I've seen the negotiation take up to a minute, so give it time.

If you run into trouble at this point and can't connect, don't worry; you're not alone. This part is the trickiest of the entire system and had me tripped up for a while. Keep working at it, and test your configuration at each logical checkpoint along the way.

Not Yet Secure
Okay, so you're connected. Take a break and have fun playing with the connection. From the workstation, try to connect to a share on your AMERICA server, and watch it connect across the Internet. If you have a print queue defined on this server, print a job to it. Ping the 172.16.1.1 address of the AMERICA server directly. For even more fun, run the tracert program and notice that the Internet never appears in the trace--you just get a hop from your EUROPE server to your AMERICA server. When you're finished, right-click the PPTP interface and choose Disconnect to end the VPN connection.

You have a connection, but it's not yet secure. To secure it, edit the PPTP interface on each server and click the Security tab. Choose Accept only Microsoft encrypted authorization and Require data encryption. You can select Require strong data encryption if you want, but this option requires you to have the 128-bit version of NT 4.0 on each end.

Just for verification, reestablish your VPN connection to make sure everything is still functioning normally. If not, go back and double-check the changes you just made, or remove and retry them if necessary.

Next, you might want to enable packet filters if this server will perform only PPTP functions. If so, right-click the Summary option under IP Routing in the left pane of the RRAS Administration program and select Configure IP Parameters. Select the Enable packet-filtering box on the General tab, as you see in Screen 7. The program will set up on the ISP Connection interface and will block anything but PPTP packets. Right-click the ISP Connection interface and choose Configure interface.

At the bottom of the window in a section labeled Packet filters, you see two buttons: one for input filters and one for output filters. For the input filters, add a filter for protocol type Other and protocol ID number 47. Then create a filter for protocol TCP with source port 1723 and a destination port 0, and create another filter with source port 0 and destination port 1723. Make sure to select Drop all except listed below, and then repeat the same operation for the output filters. When you're finished, your filter screen will look like Screen 8. Now, repeat the same operation on your other server.

One last time, reestablish your VPN connection to make sure everything is still functioning properly. If so, congratulations! You've just built a sample VPN across the Internet.

Great...Now What Do I Do with It?
Now that you've built this great prototype, you'll still have to face some design issues, particularly with the use of routing protocols. Microsoft's RRAS documentation is comprehensive, so it's a good place to start.

Even if you don't decide to connect remote offices as VPNs, RRAS has a robust set of features that let you do other things, such as establish demand-dial routing to the Internet so that your clients can have direct Internet access. Or perhaps you'd like to set up a demand-dial interface for your corporate network to a home network to support a virtual office.

A Word About 1.0 Software
Finally, a word about bugs. With any first-edition software, you are bound to find a few rough edges. Please keep that caveat in mind while you're trying to implement any solutions with RRAS. While writing this article, I encountered a few annoying behaviors I'd classify as bugs.

One bug you need to keep an eye out for is in the option to add a static route. After working in the RRAS Administration program for a while, I found that sometimes when I tried to add a static route, it never appeared in the list. Exiting the program and restarting seemed to correct the problem, but this bug is definitely something to watch for. Nothing is more annoying than plowing forward without realizing that one critical change you implemented never took effect.

End of Article

   Previous  1  2  [3]  Next  


Reader Comments
I recently came across this article and found it to be excellent. However, because of technological changes that have occurred during the past two and a half years. Has this article been updated? If not, is there any plans to do so? finally if there are no plans to update this article, is there other sources where more current information on this subject can be obtaine?


James H. Barnes February 15, 2000

I agree with James H. Barnes, this is meant to be Windows & .NET Magazine, not Windows 95 magazine

William King March 13, 2002

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

WinInfo Short Takes: Week of November 23, 2009

An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...
Related Articles Point-to-Point Tunneling Protocol
Related Events Deep Dive into Windows Server 2008 R2 presented by John Savill

Managing IT Across Multiple Locations

Check out our list of Free Email Newsletters!
Windows OSs eBooks Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs
Related Windows OSs Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement