
Introduction to:
Virtual Private Networking (VPN) in Windows 2000
Visit www.firewall.cx for more information on networking and PowerPoint presentations.
Let's learn about networking, the right way!
VPN Introduction
Virtual private networking (VPN) in Microsoft Windows 2000 allows mobile users to connect over the Internet to a remote network.
With virtual private networking, the user calls the local ISP and then uses the Internet to make the connection to the Network Access Server (NAS).
Users only make a local call to the ISP instead of expensive long-distance telephone calls to the remote access server.
Connecting Intranet Computers
In some corporate networks, the departmental data is so sensitive that the department LAN is physically disconnected from the corporate network.
VPN allows the administrator to ensure that only the users on the corporate network with appropriate permissions can gain access to the protected resources of the department.
Microsoft Layer 2 Tunneling Protocols
PPTP: Point-to-Point Tunneling Protocol
Uses a TCP connection for tunnel maintenance and Generic Routing Encapsulation (GRE) encapsulated PPP frames for tunneled data.
The payloads of the encapsulated PPP frames can be encrypted and/or compressed.
L2TP: Layer 2 Tunneling Protocol
Uses UDP and a series of L2TP messages for tunnel maintenance.
VPN Requirements
User authentication
Address management
Data encryption
Key management
Multi-protocol support
User Authentication
The solution must verify the user's identity and only allow access to authorized users.
The user account can be a local account on the VPN server or, in most cases, a domain account granted appropriate dial-in permissions.
The default policy for remote access is "Allow access if dial-in permission is enabled".
Address Management
The VPN must assign the client an IP address on the private network.
The VPN server can assign the client's IP address using DHCP or a static pool of IP addresses.
Clients typically have an IP address from the ISP and a second IP address on the private network after the VPN connection is established.
Data Encryption
Data sent and received over the Internet must be encrypted for privacy.
PPTP and L2TP use PPP-based data encryption methods.
Optionally, you can use Microsoft Point-to-Point Encryption (MPPE), based on the RSA RC4 algorithm.
Microsoft's implementation of the L2TP protocol uses IPsec encryption to protect the data stream from the client to the tunnel server.
Key Management
The VPN solution must generate and refresh encryption keys for the client and server.
MPPE relies on the initial key generated during user authentication, and then refreshes it periodically.
IPsec negotiates a common key during the ISAKMP exchange, and also refreshes it periodically.
Multi-protocol Support
Microsoft Layer 2 Tunneling Protocol supports multiple payload protocols, which makes it easy for tunneling clients to access their corporate networks using IP, IPX, and NetBEUI.
VPN Server Configuration
A typical VPN server is multihomed. It has one network interface that is connected to the Internet and has an Internet IP address.
The second network adapter is connected to the private corporate network and has an IP address on the private network.
The default gateway needs to be assigned on the public network (Internet) interface of the VPN server. The private network interface should not have a default gateway. If you have to route beyond the private network, you should add static routes.
Configuring a VPN Server
The following slides show screen shots of how to configure a VPN server to accept VPN connections over the Internet.
The slides show a typical setup of a multihomed VPN server with one network adapter connected to the Internet and another network adapter connected to the private network.
First Step: Configure Routing and Remote Access
On the Welcome screen, click Next.
Select Virtual private network (VPN) server.
Select Yes, all of the available protocols are on this list.
Select your Internet connection from the list. This creates custom filters on the Internet connection.
IP Address Assignment lets you pick your method for IP address assignment.
For this example, we created a static pool of IP addresses to assign to clients.
This page lets you specify a RADIUS server, if you are using RADIUS authentication.
Finish the Routing and Remote Access Server setup. Now you will be ready to accept VPN connections.
Notes from Our Setup
When we selected our Internet connection, the wizard automatically built input and output filters on our Internet adapter. This prevents you from being able to ping the adapter and also limits other types of communication. The following slides show the screen shots of the filters that are automatically created by the wizard.
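As an added illustration (not the deck's own screenshots), the Python below models the kind of default-deny input filter such a wizard leaves on the Internet adapter, and shows why ICMP ping and other traffic stop while VPN traffic gets through. The rule set is an assumption built from the standard PPTP (TCP 1723, GRE) and L2TP/IPsec (UDP 500, UDP 1701, ESP) ports and protocol numbers, not a transcription of the filters shown on the following slides.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers used below.
ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50


@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    dst_port: Optional[int] = None  # None: no port check (e.g. GRE, ESP)


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None


# Constructed rule set (assumption): permit only what a VPN client needs to
# reach the server. RRAS filters of this kind are "drop all packets except
# those that match the rules below", so anything unlisted is dropped.
VPN_INPUT_FILTERS = [
    Rule("PPTP control channel (TCP 1723)", TCP, dst_port=1723),
    Rule("PPTP tunneled PPP frames (GRE, IP protocol 47)", GRE),
    Rule("IKE/ISAKMP key exchange for L2TP/IPsec (UDP 500)", UDP, dst_port=500),
    Rule("L2TP tunnel maintenance and data (UDP 1701)", UDP, dst_port=1701),
    Rule("IPsec ESP carrying L2TP (IP protocol 50)", ESP),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(pkt: Packet, rules=VPN_INPUT_FILTERS) -> Optional[str]:
    """Return the name of the first rule permitting pkt, or None if dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name
    return None


if __name__ == "__main__":
    samples = {  # constructed sample packets arriving on the Internet adapter
        "PPTP control": Packet(TCP, 1723),
        "PPTP data (GRE)": Packet(GRE),
        "L2TP": Packet(UDP, 1701),
        "ICMP echo (ping)": Packet(ICMP),   # dropped: why the adapter cannot be pinged
        "SMB (TCP 445)": Packet(TCP, 445),  # dropped: other communication limited too
    }
    for label, pkt in samples.items():
        print(f"{label:18} -> {evaluate(pkt) or 'DROPPED'}")
```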
Input Filters
Input Filters (2)
Output Filters
Output Filters (2)
The End!
