Section 6.6: Virtual Private Networks (VNP)


A VPN can be used to allow users working at home or in the field to connect securely to a remote corporate server by using the routing infrastructure provided by a public network such as the Internet, or to allow a company to connect with its branch offices or with other companies over a public network while maintaining secure communications. Thus, you can use VPN software in addition to dialing in to the network and to place remote access servers outside the internal firewall. In this scenario, users dial in or request a dial-back to a remote access server that gives them access to the Internet and Tunneling, which is also known as

initiates a VPN connection with the firewall to gain access to the encapsulation, is a meth°d °f using а ртЫк

internal network network infrastructure to transfer a

payload. The payload may be the frames (or packets) of another protocol. Instead of sending the frame as produced by the

When you set up a private network that spans multiple locations, you can use one or more private wide area network (WAN) links, such as T1 lines, to connect the various locations. This provides secure high-speed communication between the locations but is relatively expensive. An alternative strategy is to implement a Virtual Private Network (VNP). A VPN eliminates the need for dedicated WAN links by using virtual links that take advantage of readily available connections to the public Internet. These virtual tunneling to encrypt private data and encapsulate it in packets to be VPN can also be used to allow users working at home or in the field server on the corporate network via the Internet.

originating node, the frame is encapsulated with an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate internetwork. The

encapsulated packets are then routed between tunnel endpoints over the transit internetwork.

connections use a technology called transmitted over the public network. A to connect securely to a remote access

Windows Server 2003 includes VPN functionality as part of RRAS. You can configure a Windows Server 2003 computer to act as a VPN server, which manages the VPN connections between clients or networks. When you use a VPN connection, your RRAS servers should be located in the perimeter network, and should not be joined to the domain. Under these circumstances, Windows-integrated authentication is not a good option for dial-up users. You can configure your RRAS servers to connect to an IAS RADIUS server inside your firewall to support integrated account names and passwords, but you should consider having a separate set of user accounts on the remote access computers. Credentials for dial-up networking are frequently stored on network laptops where they can be retrieved and decrypted by laptop thieves, which would subsequently allow access to your entire network if those credentials worked with your VPN solution.

There are two basic configurations for a VPN:

• A client-to-gateway connection, which is also referred to as an Internet-based VNP, and is used when a telecommuter connects to the corporate network using VPN. This is similar to using dial-up RRAS access, but the user can connect through any dial-up provider or a separate LAN with Internet access rather than over the telephone system.

• A gateway-to-gateway connection, which is also referred to as a router-to-router VNP and is used to form a permanent link between two RRAS servers on separate networks, each with its own Internet connectivity. Gateway-to-gateway connections are also used to connect RRAS servers to VPN devices from third-party vendors. A router-to-router VPN can either use demand-dial connections, creating the VPN only when it is required for traffic between the networks, or persistent connections for an always-on VPN.

6.6.1: VPN Protocols

VPN connections use a tunneling protocol to encrypt packets of data and pass them over the public network.

Windows Server 2003 supports two tunneling protocols:

• Point-to-Point Tunneling Protocol (PPTP), which is an extension of PPP. It encapsulates PPP frames into IP datagrams for transmission over an IP network such as the Internet or in private LAN-to-LAN networking. PPTP tunnels must be authenticated by using the same authentication mechanisms as PPP connections (PAP, MS-CHAP, CHAP, and EAP). PPTP inherits encryption and compression of PPP payloads from PPP. In Windows Server 2003, PPP encryption can be used only when the authentication protocol is EAP-TLS or MS-CHAP. PPP encryption provides confidentiality between the endpoints of the tunnel only. If stronger security or end-to-end security is needed, IPSec.

• Layer 2 Tunneling Protocol (L2TP), which is a combination of PPTP and Layer 2 Forwarding (L2F). It is a more secure tunneling protocol that extends PPTP with additional features. L2TP supports the same authentication methods as PPTP. It also supports and requires Certificate Services. L2TP encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or ATM networks. When utilizing IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet or in private LAN-to-LAN networking. L2TP tunnels must be authenticated by using the same authentication mechanisms as PPP connections and inherits PPP compression but not encryption. PPP encryption is not used because it does not meet the security requirements of L2TP as PPP encryption can provide confidentiality but not per packet authentication, integrity, or replay protection; instead data encryption is provided by IPSec. However, using PPP connection encryption with an IPSec encrypted payload, increases processing overhead with little to no added benefit. New VPN server installations should use L2TP rather than PPTP. Microsoft provides the Microsoft L2TP/IPSec VPN client for Windows 98, Windows ME, and Windows NT 4. The Microsoft L2TP/IPSec VPN client can be downloaded from You should use this rather than PPTP to support Windows 98, Windows ME, and Windows NT 4 clients.

In addition to these two protocols, you can also use:

• IPSec, which is an OSI layer 3 tunneling protocol. It is a series of standards that support the secured transfer of information across an IP internetwork. IPSec Encapsulating Security Payload (ESP) Tunnel mode supports the encapsulation and encryption of entire IP datagrams for secure transfer across a private or public IP internetwork. When IPSec is used, the two computers involved in the communication negotiate the highest common security policy. Then the computer initiating communication uses IPSec to encrypt the data before it sends the data across the network. On receiving the data, the destination computer decrypts the data before passing it to the destination process. This encryption and decryption process is done transparently.

• IP-IP, or IP in IP, which is an OSI layer 3 tunneling technique. It is created by encapsulating an IP packet with an additional IP header. The primary use of IP-IP is for tunneling multicast traffic over sections of a network that does not support multicast routing.

6.6.2: Configuring VPN Protocols

Before you configure L2TP, you need to deploy computer certificates to all participating clients and servers. You also need to enable RRAS services. Configuring VPN protocols is accomplished through the RRAS manager. If you are enabling RRAS to provide VPN services, you can select the VPN Server option in the RRAS Setup Wizard to configure all the required settings automatically. Otherwise, you will need to enable L2TP manually and configure L2TP filtering.

Enabling L2TP in RRAS permits a server to answer L2TP connections, but it does not block other traffic from being routed by the RRAS server onto your network. Because RRAS servers must be connected to the Internet to receive L2TP connections, the RRAS server itself is vulnerable to attack by hackers who will attempt to connect using other protocols. To prevent unwanted traffic from reaching your RRAS server or being routed onto your private network, you must also enable L2TP filtering.

Network Address Translation (NAT)

In Windows Server 2003, Network Address Translation (NAT) allows private IP addresses to be translated into public IP

addresses for traffic to and from the

Internet. This prevents internet traffic from passing directly to the internal network, while saving the small office or home office user the time and expense of getting and maintaining a public address range. NAT accomplishes this by allowing computers on a small network to share a single Internet connection with only a single public IP address. The computer on which NAT is installed can act as a network address translator, a simplified DHCP server, a DNS proxy, and a Windows Internet Name Service (WINS) proxy.

6.6.3: IPSec and NAT Transversal

By default, a Network Address Translation (NAT) translates IP addresses and TCP/UDP ports. These modifications to the IP datagram require the modification and recalculation of the fields in the IP, TCP, and UDP headers. However, IPSec encrypts not only the data payload, but also the UDP header. The UDP header specifies the UDP port number for packet forwarding to a specific service. Encryption of the UDP header means encryption of the UDP port number information, and consequently NAT cannot forward the L2TP/IPSec traffic. The solution to this problem is a technology called NAT traversal (NAT-T), which uses UDP encapsulation, placing the IPSec packet inside a UCP/IP header. This way, NAT devices can change the IP address or port number without changing the IPSec packet. However, both the VNP client and server must support NAT-T.

Windows Server 2003 provides special NAT-T capabilities. Microsoft offers a new VPN client that supports client-side NAT-T for Windows NT 4.0, Windows 98, and Windows ME clients, to be used when connecting to a Windows Server 2003 server.

6.6.4: Integrating VPN in a Routed Network

In some corporate internetworks, the data of a department within an organization can be so sensitive that the department's LAN is physically disconnected from the rest of the corporate internetwork. Although this protects the department's data, it creates information accessibility problems for those users not physically connected to the separate LAN.

VPNs allow the department's LAN to be physically connected to the corporate internetwork but separated by a VPN server. In this arrangement the VPN server does not act as a router between the corporate internetwork and the department LAN. Users on the corporate internetwork must have the appropriate permissions and authority to establish a VPN with the VPN server and gain access to the isolated resources of the department. In addition, all communication across the VPN can be encrypted to ensure data confidentiality.

6.6.5: Integrating VPN Servers with the Internet

VNP allows remote users to create virtual private networks to the corporate network through the internet. This allows remote users to make local calls to a local Internet service provider (ISP) rather than having remote users make a long distance calls to connect to a corporate network, the user can call his or her local). Using the connection to the local ISP, a VPN is created between the dial-up user and the corporate VPN server across the Internet. You can either use dedicated lines or dial-up lines to connect to an ISP when creating a VPN connection.

6.6.6: Configuring Client VPN Settings

Windows 2000 Professional and Windows XP Professional and Windows Server 2003 clients include built-in VPN clients. To create a VPN connection at one of these clients:

• Click on the START button to open the Start Menu

• On the Start Menu, click on CONTROL PANEL

• In Control Panel, double-click network connections

• Click CREATE A NEW CONNECTION to open the New Connection Wizard

• On the Welcome page of the New Connection Wizard, click next

• On the Network Connection Type page of the New Connection Wizard, select the CONNECT TO A PRIVATE NETWORK THROUGH THE INTERNET radio button

• Then click NEXT

• On the On the VNP Server Selection page of the New Connection Wizard, specify the IP address or host name of the RRAS server

• Then click NEXT

• On the Completing the New Connection Wizard page, click FINISH

You can also specify VPN protocol settings on the client. After you have created a VPN connection and established an Internet connection, click the VPN entry in the Network And Dial-up Connections window and, when prompted, enter a user name and password to connect to the private network.