Introduction to:

Virtual Private Networking -

VPN in Windows

Let’s learn about networking ….the right way !

VPN Introduction

• Virtual private networking (VPN) in Microsoft Windows 2000 allows mobile users to connect over the Internet to a remote
• With virtual private networking, the user calls the local ISP and then uses the Internet to make the connection to the Network Access Server (NAS).
• Users only make a local call to the ISP instead of expensive long distance telephone calls to the remote access server.

Connecting Intranet Computers
• In some corporate networks, the departmental data is so sensitive that the department LAN is physically disconnected from the corporate
• VPN allows the administrator to ensure that only the users on the corporate network with appropriate permissions can gain access to the protected resources of the department.

Microsoft Layer 2 Tunneling
• PPTP – Point-to-Point Tunneling Protocol
  • Uses a TCP connection for tunnel maintenance and generic routing encapsulated PPP frames for tunneled data.
  • The payloads of the encapsulated PPP frames can be encrypted and/or compressed.
• L2TP – Layer 2 Tunneling Protocol
  • Uses UDP and a series of L2TP messages for tunnel maintenance.

VPN Requirements
• User authentication
• Address management
• Data encryption
• Key management
• Multi-protocol support

User Authentication
• The solution must identify the user’s identity and only allow access to authorized users.
• The user account can be a local account on the VPN server or, in most cases, a domain account granted appropriate dial-in
• The default policy for remote access is “Allow access if dial-in permission is

Address Management
• VPN must assign the client an IP address on the private network.
• The VPN server can assign the client’s IP address using DHCP or a static pool of IP
• Clients typically will have an IP address from the ISP and an IP on the private network after the VPN connection is established.

Data Encryption
• Data sent and received over the Internet must be encrypted for privacy.
• PPTP and L2TP use PPP-based data encryption methods.
• Optionally you can use Microsoft Point-to-Point Encryption (MPPE), based on the RSA RC4 algorithm.
• Microsoft Implementation of the L2TP protocol uses IPSec encryption to protect the data stream from the client to the tunnel

Key Management
• VPN solution must generate and refresh encryption keys for the client and server.
• MPPE relies on the initial key generated during user authentication, and then refreshes it periodically.
• IPSec negotiates a common key during the ISAKMP exchange, and also refreshes it

Multi-protocol Support
• Microsoft Layer 2 Tunneling Protocol supports multiple payload protocols, which makes it easy for tunneling clients to access their corporate networks using IP, IPX, and

VPN Server Configuration
• A typical VPN server is multihomed. It has one network interface that is connected to the Internet and has an Internet IP address. The second network adapter is connected to the private corporate network and has an IP address on the private network.
• The default gateway needs to be assigned on the public network or Internet interface on the VPN server. The private network interface should not have a default gateway. If you have to route beyond the private network, you should add static routes.

Configuring a VPN Server
• The following slides show screen shots of how to configure a VPN server to accept VPN connections over the Internet.
• The slides show a typical setup of a multihomed VPN server with one network adapter connected to the Internet and another network adapter connected to the private network.

First Step: Configure Routing and
Remote Access

On the Welcome screen, click

Select “Virtual private network
(VPN) server”

Select “Yes, all of the available
protocols are on this list”

Select from the “Internet connections”
list. This creates custom filters on the
Internet connection.

IP Address Assignment lets you
pick your method for IP address

For this example, we created a
static pool of IP addresses to
assign clients.

Allows you to specify a RADIUS
server, if you are using RADIUS

Finish Routing and Remote Access
Server setup. Now you will be ready to
accept VPN connections.

Notes from Our Setup
• When we selected our “Internet connection,” the wizard automatically built input and output filters on our Internet adapter. This prevents you from being able to ping the adapter and also limits other types of communications. The following slides show the screen shots of the filters that are automatically created by the wizard.
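The filters the wizard builds work as an allow-list: a packet reaching the Internet adapter is passed only if it matches a filter row, so ICMP echo and anything else not listed is dropped. The following is an added Python model of that behaviour, not code from the slides or from Windows; the port numbers are the standard PPTP (TCP 1723, GRE), IKE (UDP 500) and L2TP (UDP 1701) values, and the exact set of filter rows is assumed.

```python
"""Model of RRAS 'drop all except those below' input filters on a VPN
server's Internet adapter.  Added example; filter rows are assumed."""
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE, ICMP = 6, 17, 47, 1   # IP protocol numbers


@dataclass(frozen=True)
class Filter:
    proto: int
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


# Assumed input filters for a PPTP and L2TP/IPSec server (well-known ports).
VPN_INPUT_FILTERS = [
    Filter(TCP, dst_port=1723),   # PPTP tunnel maintenance connection
    Filter(GRE),                  # PPTP tunneled PPP frames (GRE, protocol 47)
    Filter(UDP, dst_port=500),    # ISAKMP/IKE exchange for IPSec keys
    Filter(UDP, dst_port=1701),   # L2TP messages and tunneled data
]


def matches(f: Filter, p: Packet) -> bool:
    return (f.proto == p.proto
            and (f.src_port is None or f.src_port == p.src_port)
            and (f.dst_port is None or f.dst_port == p.dst_port))


def inbound_permitted(p: Packet, filters=VPN_INPUT_FILTERS) -> bool:
    """Allow-list semantics: pass only packets matching some filter row."""
    return any(matches(f, p) for f in filters)


# Constructed sample traffic arriving on the Internet adapter.
SAMPLES = {
    "pptp control": Packet(TCP, src_port=49152, dst_port=1723),
    "gre data":     Packet(GRE),
    "ike":          Packet(UDP, src_port=500, dst_port=500),
    "l2tp":         Packet(UDP, src_port=1701, dst_port=1701),
    "ping":         Packet(ICMP),                      # dropped: not listed
    "smb":          Packet(TCP, src_port=49153, dst_port=445),  # dropped
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} {'permit' if inbound_permitted(pkt) else 'drop'}")
```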

Input Filters

Input Filters (2)

Output Filters

Output Filters (2)

The End !