Windows 2000 VPN

Configuring a Windows 2000 VPN Server

Introduction

Virtual Private Networking (VPN), in its most basic form, creates a secure "tunnel" between a client and a server over the otherwise unsecure Internet. VPNs allow employees and customers to remotely connect to an organization's internal network. The two biggest reasons to implement a VPN are security and availability. Once a connection is established, all packets are encrypted ahead of transmission and decrypted after transmission. VPN will also re-address the client machine, allowing the user to become part of the network. For example, many departments on campus have resources only available to machines with campus IP addresses (128.192.x.x). If a user connects from their ISP, they will not have a campus address and thus will not be able to connect to campus-specific resources. If, however, they connect to their department's VPN, their machine will be re-addressed with a campus address. Now the user is able to access the campus-specific information remotely.

There are two protocols available for use with VPN's in Windows 2000 Server; these are PPTP and L2TP. PPTP is required if there are down-level (pre-Windows 2000) clients who wish to use the VPN. If all clients are Windows 2000 (or above, including XP) then L2TP is a better solution. Both 2000 and XP also support PPTP. Overall, PPTP is an easier technology to implement but L2TP is more robust.

PPTP (Point-to-Point Tunneling Protocol)

To configure PPTP for a Windows 2000 Server on the UGA Network, follow these directions. You need an account with administrative rights to complete the configuration.

Initial Server configuration (getting the VPN server running)

The IP Subnet's DNL must send a email to helpdesk@uga.edu requesting that VPN routing be enabled for each static (or DHCP Reserved) address of the VPN server. Otherwise, your transmissions will be blocked at the edge of campus by our routers. This is done on a port by port basis.
You will need to secure at least two real campus IP addresses for the first connection and one thereafter (i.e. 2 simultaneous VPN connections require 3 IP addresses); all addresses must be sequential.
** NOTE: Private IP addresses will not work without thirt-party hardware. **
Once this is completed, install Windows 2000 Server (required) or Advanced Server (optional). Ensure that your server is fully patched.
If you DO NOT have a Windows Domain (NT4 or Active Directory), follow the indented steps below. Otherwise, skip to the next main point.
- Go to Start, Settings, Network and Dial-Up Connections
- Double-click Make New Connection
- If you are prompted for location information, fill in the apporpriate configuration.
- Click Next on the Welcome window.
- Choose Accept incoming connections and click Next
- Choose Allow virtual private connections and click Next
- Choose the users that will have permission to use the VPN and click Next
- Unless you want to alter any network components, click Next
- Change the name if you choose and click Finish
Go to Start, Programs, Administrative Tools, Routing and Remote Access
Right-click on your server's name (the one below Server Status) and select Configure and Enable Routing and Remote Access
Click Next on the Welcome window.
Select Virtual Private Network (VPN) server and click Next
Unless you want to route something besides TCP/IP, click Next
Make sure <No internet connection> is selected; it doesn't make sense but it works.
Here's the trick... Select From a specified range of addresses and click Next.
**NOTE: Campus DHCP will not properly address the VPN clients; you MUST have the VPN server assign addresses to each client. **
Click New..., enter the starting and ending IP range, and click OK
Click Next when all ranges are entered
Make sure No, I dont' want to set up this server to use RADIUS now is selected. RADIUS is not required for VPN connections.
Click Finish

Post-installation Server configuration (getting the settings right)

The first thing you want to change is the number of available connections.
Expand the pane under your server name (click the + next to the server's name)
Right click on Ports and choose Properties
Double-click WAN Miniport (PPTP)
- Uncheck Demand-dial routing connections (inbound and outbound)
- Enter the server's main IP address in the Phone number for this device box
- Change the box next to Maximum ports to the maximum number of IPs assigned above (minus 1 for the server)
- If you have 4 addresses, for example, enter 3 in this box
- Click OK
- If you get an error message, click Yes or OK
Double-click WAN Miniport (L2TP)
- Assuming you do not want to use L2TP (see below), uncheck both Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound)
- Set Maximum ports to 0
- Click OK
- If you get an error message, click Yes or OK
Click OK
If you are in a Windows Domain, enable Dial-Up access for each user allowed to use the new VPN

L2TP/IPSec (Layer 2 Tunneling Protocol/ IP Security)

This is a much broader topic and will be addressed in the future.