How do I set up a VPN?

dieselBREATH (Technical User), Mar 14, 2001
I have a LAN with 5 users and 1 W2k server. Of course 3 employees want access to the network from home. On this lan, is a cable modem connected to the LAN through a linksys cable/DSL router with a built in firewall. I am new to VPN's. Can anyone help?
 
The configuration of a PPTP-based VPN is pretty straightforward;
using L2TP over IPSec will be more difficult to employ because you will need a CA for it.

This is a step-by-step guide to set up a PPTP-based VPN using MS-CHAP v2:

Setting up the server
You will need a multihomed server. Use Windows 2000 Server or Advanced Server with 2 network cards
If you want the remote users to connect to the VPN through the internet, one of the NIC’s on the server will need a public registered internet address.
The internal NIC that connects our VPN server to the private network (or to an additional Firewall if your server is in a DMZ) has a statically configured IP address, that is excluded from your DHCP address pool.
If you want your users to connect using a direct RAS connection (analog modem, ISDN), you will need only 1 NIC, but you will need sufficient phone lines & RAS equipment.
Remark
My advice is not to connect to a VPN server that uses NAT…
Do not specify a gateway address on any of the interface cards

Go to the Routing & Remote Access snap-in in MMC
Right-click on the servername and choose ‘Configure and Enable Routing & Remote Access’
A wizard will be launched, but we are not going to use it, so choose ‘Manually Configured Server’ + finish to start the server with default settings.
Again, right click on the server name and select Properties
In the ‘general’ tab, make sure the ‘Remote Access Server’ checkbox is enabled.
In the ‘security’ tab, you can set the authentication methods.
If you have a RADIUS server, you can set the parameters to enable authentication against the RADIUS server.
If not, you will have to use Windows authentication (against the Active Directory)
Click ‘authentication methods’ and choose only Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and click OK
This will enable the Internet connection server to become capable of handling remote access and VPN.
In the ‘IP’ tab, enable IP routing.
You can also specify how you want to provide your users with an IP address.
Maybe it’s not a bad idea to assign a static address pool on the RAS server. This way you can put your server in a DMZ and handle DHCP requests independently of the LAN. Also, you can define rules on your firewall to only allow the IP address you’ve assigned…
The adapter that has to be used to assign DHCP, DNS, WINS, … parameters has to be the LAN interface !! Do not specify the internet interface !!!
In the ‘PPP’ tab, enable all settings
In the ‘Event logging’ tab, enable PPP logging, and log max. amount of information (Could be helpful when you want to troubleshoot the connection)
Click OK to save these settings

Now double-click on the server name and right-click on ‘Ports’
Choose ‘properties’
Select the WAN miniport (PPTP) adapter and choose ‘properties’
Enable ‘Remote Access connections (inbound only)’, disable Demand-Dial routing
Set the maximum ports to the number of concurrent users you want to be connected (e.g. 25)
If the port is a Modem Card, you can set a phonenumber for the card specified.
For network interfaces, do not specify a phone number
Click OK, 25 WAN Miniport (PPTP) ports will be generated. The device type is VPN
Select WAN Miniport (L2TP) and set the number of ports to 0 and/or deselect both of the checkboxes in front of the ‘Remote Access connections (inbound only)’ and ‘Demand-dial routing connections (inbound and outbound)’ options.


Go to the ‘Remote Access Policies’ item, open it, select the default rule ‘Allow access if dial-in permission is enabled’, right click on it and choose ‘properties’
Grant remote access permissions on the conditions you want to be matched :
Phone number called by user
Phone number from which call originated
Friendly name for the RADIUS client (IAS only)
IP address of RADIUS client (IAS only)
Manufacturer of RADIUS proxy or NAS (IAS only)
Day-and-time restrictions
Protocol to be used
String identifying the NAS that originated the request (IAS only)
IP address of the NAS originating the request
Type of physical port used by the NAS originating the request
Type of service the user has requested
Tunneling protocols to be used
Windows groups that user belongs to

Before experimenting with these restrictions, set day-and-time restriction to allow access All days at all times, and specify ‘Grant remote access permission’ if a user matches this condition.
After specifying the rule(s), click ‘Edit profile’
Dial-in constraints : make sure you don’t restrict any dial-in media (unless you know what you are doing…)
IP tab : choose ‘Server settings define policy’
Here, you can also specify a IP packet filter (inbound and outbound) -> some sort of built-in firewall
Multilink tab : Default to server settings
Authentication tab : only select ‘Microsoft Encrypted Authentication version 2 (MS-CHAP v2)’
Encryption tab : only enable ‘Strong’ and ‘Strongest’

At this point, your server is configured to accept VPN connections over PPTP, using MS-CHAP v2
If you change something to the server configuration, make sure you restart the RRAS service
(Right click on the server name, All tasks, Restart)

Configuring client accounts
Configuring the server is not enough to allow clients to connect to the network over a tunnel.
We’ve configured the server to allow accounts to connect if they have dial-in permissions.
All we have to do is to create users in active directory, set a strong password, and enable remote access
Open the ‘Active Directory Users and Computers’ from the Administrative Tools folder in the start menu.

Configuring client software
Windows 2000 professional / Windows 2000 server
Add a network connection to connect to the VPN :
Open the ‘Network and Dial-up Connections’ folder from either ‘Control Panel’ or from ‘Settings’ on the Start menu
Open the option for ‘Make new connection’
Click next at the welcome message
Choose ‘Connect to a private network through the internet’ when you want to connect through the internet
If you want to dial into the VPN server using a modem, use the option ‘Dial-up to private network’
* Connect to a private network through the internet :
If you need an additional connection through the internet, you can enable the connection to dial into the internet first, and log onto the VPN server afterwards.
If you have a non-dial-up connection to the internet (xDSL, Cable, Leased Line, …), don’t choose the initial connection.
Specify the IP address of the VPN server you want to connect to (use the public internet IP address of the VPN server !!).
Choose between using this connection for ‘all users’ or just for yourself. + next
Do not enable internet sharing for this connection + next
Assign a name to this connection and click Finish
The Connection will be started. Click ‘Properties’
On the options tab, enable ‘Display progress while connecting’, ‘Prompt for name and password, certificate, etc’, ‘Include Windows logon domain’
In the security tab, set the security options to ‘Typical’
Validate my identity as follows : ‘Require secured password’
Enable ‘Require data encryption’
In the networking tab, Type of VPN server : automatic (or PPTP)
Click OK
Now you can specify the login, password and domain to try to log onto the VPN server.
When you are connected and authenticated, you will get a new IP address, and a new gateway address will make sure you can access resources inside the LAN.
If the VPN server is in a DMZ, the firewall can apply additional rules on the IP address (destination & target…)

For Win9x clients, you will need the latest DUN software, to support VPN,
or you can create a VPN client package on your Win2K server using Connection Manager Administration Kit

Good Luck

Peter Van Eeckhoutte
peter.ve@pandora.be
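Added example, not code from Peter's post or from Microsoft: a small Python model of the decision path the guide above sets up through the RRAS snap-in (first remote access policy whose conditions match, then the account's Dial-in setting against the policy's permission, then the profile's authentication and encryption constraints), together with the static address pool the ‘IP’ tab advice describes, checked against the DHCP range so the two cannot overlap. The users, group, addresses and timestamp are constructed; the 25-address pool mirrors the 25 WAN Miniport (PPTP) ports. Keep in mind that PPTP with MS-CHAP v2 and MPPE is 2001-era advice and is no longer considered adequate (the MS-CHAP v2 exchange can be broken offline with a fixed DES workload, and the MPPE keys derive from the same hash), so this is a model for understanding or auditing a legacy deployment rather than a recommendation.

```python
"""Added example (not code from the post or from Microsoft): a model of the
Windows 2000 RRAS decision path the guide configures by hand, plus the static
address pool it recommends. Names, groups, addresses and times are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
import ipaddress

@dataclass(frozen=True)
class Attempt:
    user: str
    groups: frozenset[str]
    dial_in: str      # account Dial-in tab: "allow", "deny" or "policy"
    tunnel: str       # "PPTP" or "L2TP"
    auth: str         # "MS-CHAPv2", "MS-CHAP", "CHAP", "PAP"
    encryption: str   # "None", "Basic", "Strong", "Strongest"
    when: datetime

@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                     # 'Grant remote access permission'
    tunnels: frozenset[str]         # condition: tunnelling protocols
    groups: frozenset[str] | None   # condition: Windows groups, None = any
    days: frozenset[int]            # condition: weekdays, Monday = 0
    hours: range                    # condition: hours of the day
    auth_methods: frozenset[str]    # profile, Authentication tab
    encryption: frozenset[str]      # profile, Encryption tab

def conditions_match(p: Policy, a: Attempt) -> bool:
    if a.tunnel not in p.tunnels:
        return False
    if p.groups is not None and not (a.groups & p.groups):
        return False
    return a.when.weekday() in p.days and a.when.hour in p.hours

def evaluate(policies: list[Policy], a: Attempt) -> str:
    """Return 'accept' or 'reject:<reason>' for one connection attempt."""
    # RRAS applies the first policy whose conditions match; none means reject.
    match = next((p for p in policies if conditions_match(p, a)), None)
    if match is None:
        return "reject:no matching policy"
    # Account 'Deny' always wins, 'Allow' skips the policy's permission, and
    # 'Control access through Remote Access Policy' defers to it.
    if a.dial_in == "deny":
        return "reject:account denied dial-in"
    if a.dial_in == "policy" and not match.grant:
        return f"reject:policy '{match.name}' denies access"
    # Profile constraints: clients offering PAP/CHAP or weak MPPE never connect.
    if a.auth not in match.auth_methods:
        return f"reject:authentication {a.auth} not permitted by profile"
    if a.encryption not in match.encryption:
        return f"reject:encryption {a.encryption} not permitted by profile"
    return "accept"

def address_range(first: str, last: str) -> list[ipaddress.IPv4Address]:
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]

class StaticPool:
    """RAS static pool; construction fails if it overlaps the DHCP range."""

    def __init__(self, first: str, last: str, dhcp_first: str, dhcp_last: str):
        self.free = address_range(first, last)
        overlap = set(self.free) & set(address_range(dhcp_first, dhcp_last))
        if overlap:
            raise ValueError(f"RAS pool overlaps DHCP range: {sorted(overlap)[:3]}")
        self.leases: dict[str, ipaddress.IPv4Address] = {}

    def assign(self, user: str) -> str:
        if not self.free:
            raise RuntimeError("static pool exhausted")
        self.leases[user] = self.free.pop(0)
        return str(self.leases[user])

# The guide's default rule with its profile limited to MS-CHAP v2 and
# Strong/Strongest encryption; 25 pool addresses for the 25 PPTP ports.
DEFAULT_POLICY = Policy("Allow access if dial-in permission is enabled", True,
                        frozenset({"PPTP"}), None, frozenset(range(7)), range(24),
                        frozenset({"MS-CHAPv2"}), frozenset({"Strong", "Strongest"}))
POOL = StaticPool("192.168.1.200", "192.168.1.224", "192.168.1.100", "192.168.1.199")
WHEN = datetime(2001, 3, 14, 20, 30)
EVERYONE = frozenset({"Domain Users"})
SAMPLE_ATTEMPTS = [
    Attempt("alice", EVERYONE, "allow", "PPTP", "MS-CHAPv2", "Strongest", WHEN),
    Attempt("bob", EVERYONE, "allow", "PPTP", "PAP", "Strongest", WHEN),
    Attempt("carol", EVERYONE, "allow", "PPTP", "MS-CHAPv2", "Basic", WHEN),
    Attempt("dave", EVERYONE, "allow", "L2TP", "MS-CHAPv2", "Strongest", WHEN),
    Attempt("erin", EVERYONE, "deny", "PPTP", "MS-CHAPv2", "Strongest", WHEN),
]

def run_samples() -> dict[str, str]:
    """Evaluate each attempt; accepted users also receive a pool address."""
    results = {}
    for a in SAMPLE_ATTEMPTS:
        verdict = evaluate([DEFAULT_POLICY], a)
        results[a.user] = f"accept {POOL.assign(a.user)}" if verdict == "accept" else verdict
    return results
```

Calling run_samples() accepts alice and hands her 192.168.1.200, and rejects bob (PAP is not in the profile), carol (Basic encryption is not in the profile), dave (L2TP matches no policy because the L2TP ports were disabled and the policy only lists PPTP) and erin (her account is set to Deny). Swapping the pool's DHCP range to one that overlaps, for example 192.168.1.100 to 192.168.1.210, makes the StaticPool constructor raise before any client can be handed a duplicate address.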

 
Those are great instructions on getting VPN set up on Windows 2000 using L2TP. We have the exact same config running now. We want to add IPSec next.

Is there anywhere to look to find step-by-step instructions for adding IPSec? I know it isn't quite as simple, but I do know enough about certificate authorities to get through it OK. I just do not know where to begin.
 
peterve,

if you have had experience with L2TP over IPSec could you please offer such incredible step by step instructions for that. I have been able to implement PPTP easily enough.

In my efforts to get L2TP over IPSec off the ground I have installed a CA on the VPN server (also domain controller). In reading through the online W2K server documentation, it's my understanding that I need a computer certificate on both the VPN server and client. I was able to easily enough get a computer certificate for the VPN server from the CA residing on the same server. I can't figure out how to get a computer certificate on my machine at work (the VPN client). Do the certificates on the server and client have to come from the same CA? If so, how do I get a certificate on my machine at work from my CA at home?

After working out the certificate issue I believe I will just need a little help configuring IPSec. Please help. Your thorough and precise help for the PPTP is incredible. Can you help me now with L2TP over IPSec?

Thanks
 
just send me an email and I'll send you the exact steps...
 