Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


September 2000

Configure a Win2K VPN


From the September 2000 Edition
of Windows IT Pro
Douglas Toombs
Feature
InstantDoc #9650
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Creating the Demand-Dial Interface
After you've selected which protocols the remote office system will route over the Internet, you must define on the remote system a demand-dial interface to the main office system to create an Internet connection between the two. In the MMC Routing and Remote Access window, right-click the Routing Interfaces option under the REMOTE-OFFICE server and select New Demand-Dial Interface.

The first wizard step—naming the interface—is very important. Although most Win2K wizards use a supplied name simply as the item description, the name of the demand-dial interface at the remote office must be exactly the same as a dial-in user account at the main office. The reason for this consistency is simple: When the main office server receives an incoming call (a call is just another computer connecting to the server over the Internet), Win2K must determine whether the caller is a user or a router. To do this, Win2K compares the name of the user calling in with its list of demand-dial interfaces. If an exact match exists, Win2K assumes that the incoming caller is a router and reacts accordingly. Otherwise, Win2K simply assumes that the incoming caller is a typical remote-access user.

Because naming is such an important step, I repeat the following: You must give the demand-dial interface on one system the exact name you give the dial-in user account on the other system. For the remote office server in the example network, you must call the demand-dial interface MAIN-OFFICE because you'll use the interface to connect to the main office.

After choosing a name for your demand-dial interface, click Next. You can use demand-dial interfaces to route traffic over standard analog telephone lines and ISDN circuits or across the Internet (as with a VPN). You're building a VPN, so select the second option—to connect using a VPN. Click Next.

Figure 3 shows the wizard dialog box in which you choose a protocol. Microsoft included two VPN protocols with Win2K Server: PPTP and Layer 2 Tunneling Protocol (L2TP). Microsoft developed PPTP, which Internet Engineering Task Force (IETF) Request for Comments (RFC) 2637 defines, and released it with NT 4.0 in 1996. PPTP uses TCP port 1723 and IP protocol 47 (Generic Routing Encapsulation—GRE). At about the same time, Cisco Systems developed the Layer 2 Forwarding (L2F) VPN protocol for use on its devices. Eventually, Microsoft and Cisco combined their respective protocols to form L2TP (RFC 2661), which uses UDP ports 500 and 1701. I prefer L2TP to PPTP because the former relies on IP Security (IPSec) for its encryption routines instead of Microsoft Point-to-Point Encryption (MPPE). However, according to Microsoft's online Help files, PPTP is a bit easier to set up, so in this example, let's use PPTP.

After selecting a VPN protocol to use, click Next. Demand-dial interfaces need to know a number to "dial," so enter the public IP address of the MAIN-OFFICE system (i.e.,10.0.0.130), as Figure 4 shows. Win2K will attempt to make a VPN connection at this address to route LAN-based workstation traffic from the remote office to the main office.

The next step in defining a demand-dial interface is to select the protocols to route across this interface. You previously configured the protocols the server could route; now you define protocols for a specific demand-dial interface. Figure 5 shows the screen for selecting the desired protocols. You can also select the option to create an account for a remote router to dial in, but I prefer to perform that step manually. Click Next.

When your remote office system "dials in" to the main office router, the main office system must authenticate the remote system before routing the remote system's traffic to the main office network. Thus, you need to set up a special set of Dial Out Credentials for Win2K Server to use when the server demand-dials into remote systems. The name and password you choose are important because you must create an account on the main office system that uses the same name and password. Your demand-dial interface at the main office will use this name as well.

After you've named your remote system, your demand-dial interface from the remote office to the main office is complete. The next step is to define on the remote office server a static route to the main office network.

Building a Static Route
To build a static route, open the MMC Routing and Remote Access window and expand the server container and the IP Routing option. Right-click Static Routes, and select New Static Route to open the dialog box that Figure 6, page 102, shows. You use this dialog box to tell Win2K Server to use the demand-dial interface to deliver any packets sent to this range of IP addresses. For the example network, you want the remote office Win2K server to use the previously defined MAIN-OFFICE interface to route any packets with a destination address of 172.16.0.1 to 172.16.0.254 to the main office. Therefore, to make sure the correct demand-dial interface appears in the Interface field, enter the appropriate IP address and subnet mask, and select the Use this route to initiate demand-dial connections check box.

You've now completed the routing configuration of your remote office system, but you still must add a user. When one server wants to connect to another server to route traffic, it must provide a username and password combination so that the receiving system can authenticate the sending system. On the remote office server, create a user with the name MAIN-OFFICE, the same name you used for the demand-dial interface. Give the user standard permissions (clear the User must change password at next logon check box, the Password never expires check box, and the User cannot change password check box). Then, configure the user's dial-in properties as Figure 7, page 102, shows.

Select the Allow access option to grant the user "dial-in" access. I also recommend assigning a fixed IP address for the incoming traffic. Although I've made a VPN configuration without a permanent IP address work, I prefer to specify the IP address Win2K will use. Click OK to save the user property modifications.

The last step at the remote office location is to configure all the client workstations to use the address 192.168.0.1 as the default gateway. This setting will cause the workstations to hand off to the Win2K server any packets headed for another network segment (i.e., packets headed to an address outside the 192.168.0.1 to 192.168.0.254 range). The server then determines the best way to deliver the packets. For packets addressed to the main office, the server connects the demand-dial interface and establishes the VPN connection.

Configuring the Main Office System
If you've come this far, take a break for a moment—you've reached the halfway point. You now need to repeat on the main office system the entire configuration routine you just performed on the remote office system. Follow the same steps, but enter the correct name and address information for the main office system. For example, name the demand-dial interface REMOTEOFFICE this time. After you've configured the main office system (including defining the correct static routes, user accounts, and IP addresses), you should have a functional VPN.

To test your configuration, go to the left pane of the MMC Routing and Remote Access window on the remote or main office system and navigate to the list of routing interfaces on the system. Right-click the demand-dial interface you defined, and select Connect. If you see a connection status of "Connected" in the MMC, your VPN should be fully functional. If the connection isn't successful, review the steps and troubleshoot your configuration for any possible errors before proceeding any further. (For more information about VPN troubleshooting, see Paula Sharick, "15 Tips for Troubleshooting VPN Connections," April 2000.)

When you obtain a valid connection, go to a workstation and use the Ping command to test connectivity. Have the workstation ping itself, its default gateway (the local Win2K server), the public IP address of the VPN server at the other office, and the address of a device at the other office.

If your pings travel from one end of the VPN to the other, the last thing to test is the demand-dial functionality. At the MMC Routing and Remote Access window, disconnect your VPN connection by right-clicking the demand-dial interface and selecting Disconnect. When the interface has been disconnected, go back to the workstation you used earlier to ping from and try to ping a device at the other office again. Although your first few pings might fail, you should ultimately see a response from the remote system if everything is working correctly. If you refresh the MMC Routing and Remote Access window on your server, you should see that your demand-dial interface has a connection. If the ping isn't receiving a response, try again; I've seen a VPN connection take from 2 to 12 seconds to be established, depending on network conditions.

More Information
If a firewall protects your LAN from the Internet at either or both ends of your planned VPN, ask your firewall vendor whether the firewall supports L2TP or PPTP connections. I assumed that firewalls were configurable to allow any connection type, but a client of mine discovered that some firewalls don't support some configurations. A quick call to your firewall's support line before you set up a VPN will let you know where you stand and save you from configuring a VPN only to find that your firewall won't let it work.

The configuration walk-through in this article should provide enough information for you to set up your VPN. However, if you want more information, Microsoft included a significant amount of online VPN documentation in Routing and Remote Access MMC Help. Look for the documents "L2TP-based router-to-router VPN," "PPTP-based router-to-router VPN," "Tunneling protocols," "Troubleshooting demand-dial routing," and "An on-demand router-to-router VPN." Although setting up a VPN can be a complex task, after it's working, it will be a reliable, cost-effective means of keeping your offices connected.

End of Article

   Previous  1  [2]  Next  


Reader Comments
I'm an employee of a large aerospace company, and I've been reading a copy of Windows 2000 Magazine that the company provides through its periodicals library. I received the September issue (my name was third on the routing slip), and in the table of contents, I found several articles I wanted to read. Turning to Douglas Toombs' "Configure a Win2K VPN," I was very disappointed to find that someone else had cut out the article­--a testament to the usefulness of the magazine! <br><br>
Today I ordered the magazine for myself at home­--no more missing articles or receiving the magazine after other people have gone through it. The online access is a definite bonus.<br><br>

Jim Benedict November 02, 2000

Great Article!! I only wish It would have been published about 2 months ago while wrestling to establish a VPN in record time without to much knowledge. It was a Bear trying to sift through all the Info Microsoft has out there on VPNs and to simplify the steps needed to accomplish this. Douglas Toombs does a super job on simplifying the process for setting the VPN up and he is right: Although setting up a VPN can be a complex task, after it's working, it's a very cost-effective means of keeping offices connected.

During my progress with the VPN one questions popped up: What toll does the PPTP / L2TP encryption overhead exact on the speed of let's say a T-1?...

Patrick Pieters-Kwiers December 22, 2000

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 23, 2009

An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...
Related Articles PPTP vs. L2TP
Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events Deep Dive into Windows Server 2008 R2 presented by John Savill

Introduction to Identity Lifecycle Manager "2"

SQL Server Security: How to Secure, Monitor & Audit Your Databases

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement