270 likes | 423 Views
Introduction to:. Virtual Private Networking (VPN) in Windows 2000. Prepared By. Anoop Narang. VPN Introduction. Virtual private networking (VPN) in Microsoft Windows 2000 allows mobile users to connect over the Internet to a remote network.
E N D
Introduction to: Virtual Private Networking (VPN) in Windows 2000 Prepared By Anoop Narang
VPN Introduction • Virtual private networking (VPN) in Microsoft Windows2000 allows mobile users to connect over the Internet to a remote network. • With virtual private networking, the user calls the local ISP and then uses the Internet to make the connection to the Network Access Server (NAS). • Users only make a local call to the ISP instead of expensive long distance telephone calls to the remote access server.
Connecting Intranet Computers • In some corporate networks, the departmental data is so sensitive that the department LAN is physically disconnected from the corporate network. • VPN allows the administrator to ensure that only the users on the corporate network with appropriate permissions can gain access to the protected resources of the department.
Microsoft Layer 2 Tunneling Protocols • PPTP – Point-to-Point Tunneling Protocol • Uses a TCP connection for tunnel maintenance and generic routing encapsulated PPP frames for tunneled data. • The payloads of the encapsulated PPP frames can be encrypted and/or compressed. • L2TP – Layer 2 Tunneling Protocol • Uses UDP and a series of L2TP messages for tunnel maintenance.
VPN Requirements • User authentication • Address management • Data encryption • Key management • Multi-protocol support
User Authentication • The solution must identify the user’s identity and only allow access to authorized users. • The user account can be a local account on the VPN server or, in most cases, a domain account granted appropriate dial-in permissions. • The default policy for remote access is “Allow access if dial-in permission is enabled.”
Address Management • VPN must assign the client an IP address on the private network. • The VPN server can assign the clients IP address using DHCP or a static pool of IP addresses. • Clients typically will have an IP address from the ISP and an IP on the private network after the VPN connection is established.
Data Encryption • Data sent and received over the Internet must be encrypted for privacy. • PPTP and L2TP use PPP-based data encryption methods. • Optionally you can use Microsoft Point-to-Point Encryption (MPPE), based on the RSA RC4 algorithm. • Microsoft Implementation of the L2TP protocol uses IPSec encryption to protect the data stream from the client to the tunnel server.
Key Management • VPN solution must generate and refresh encryption keys for the client and server. • MPPE relies on the initial key generated during user authentication, and then refreshes it periodically. • IPSec negotiates a common key during the ISAKMP exchange, and also refreshes it periodically.
Multi-protocol Support • Microsoft Layer 2 Tunneling Protocol supports multiple payload protocols, which makes it easy for tunneling clients to access their corporate networks using IP, IPX, and NetBEUI.
VPN Server Configuration • A typical VPN is server is multihomed. It has a one network interface that is connected to the Internet and has an Internet IP address. The second network adapter is connected to the private corporate network and has an IP address on the private network. • The default gateway needs to be assigned on the public network or Internet interface on the VPN Server. The private network should not contain a default gateway. If you have to route beyond the private network, you should add static routes.
Configuring a VPN Server • The following slides show screen shots of how to configure a VPN server to accept VPN connections over the Internet. • The slides show a typical setup of a multihomed VPN server with one network adapter connected to the Internet and another network adapter connected to the private network.
Select “Yes, all of the available protocols are on this list”
Select from the “Internet connections” list. This creates custom filters on the Internet connection.
IP Address Assignment lets you pick your method for IP address assignment.
For this example, we created a static pool of IP addresses to assign clients.
Allows you to specify a RADIUS server, if you are using RADIUS authentication.
Finish Routing and Remote Access Server setup. Now you will be ready to accept VPN connections.
Notes from Our Setup • When we selected our “Internet connection,” the wizard automatically built input and output filters on our Internet adapter. This prevents you from being able to ping the adapter and also limits other types of communications. The following slides show the screen shots of the filters that are automatically created by the user.