VPN Summary by kapilm879



Virtual Private Networks (VPN) allow users working at home, on the
road or at a branch office to connect in a secure manner to a
remote corporate server using the public Internet. A VPN server or
host is a computer that accepts VPN connections from VPN clients. A
VPN server or host can be an NT/W2K server or W2K/XP Pro. A VPN
client is a computer that initiates a VPN connection to a VPN server
or host. A VPN client can be an individual computer running MS
Windows NT version 4.0, Windows 2000 or Windows 9x. VPN clients can
also be any non-Microsoft Point-to-Point Tunneling Protocol (PPTP)
client or Layer Two Tunneling Protocol (L2TP) client using IPSec.

Basic VPN Requirements

- User Permission. Enable a user to access the VPN. To do this, go
  to AD Users and Computers, select the user who needs to access
  the VPN, and click Dial-in. Check Allow access under Remote
  Access Permission (Dial-in or VPN).
- IP Configuration. The VPN server should have a static IP address
  and assign a range of IP addresses to VPN clients. The VPN server
  must also be configured with DNS and WINS server addresses to
  assign to the VPN client during the
- Data Encryption. Data carried on the public network should be
  rendered unreadable to unauthorized clients on the
- Protocol Support. TCP/IP is the common protocol used on the
  public network. The VPN can also carry IP, Internetwork Packet
  Exchange (IPX), NetBEUI and so on.
- Firewall Ports. When you place a VPN server behind your firewall,
  be sure to enable IP protocol 47 (GRE) and TCP port
- Interface(s) for VPN server. If your network doesn't have a
  router or the VPN is also a gateway, your computer must have at
  least two interfaces, one connecting to the Internet and another
  connecting to the LAN. If it is behind a router, you just need
  one NIC.
- One interface for VPN client. The interface can be a dial-in
  modem or a dedicated connection to the Internet.

Q: Can I set up my VPN client as a router to direct all local
computers' traffic to the VPN?

A: No, you need to set up a site-to-site VPN.

Can't ping computer name when using VPN

If you have a name resolution issue when using VPN, check the PPTP
filtering on the server. If you disable UDP ports 137 and 138 or TCP
port 139, NetBIOS packets can't pass through the network. You also
need to enable these ports on all firewalls and routers that are
between the client and the server for unicast (point-to-point) traffic.

Configure RRAS tracing

When you need to monitor the activities of RRAS and Dial-Up
Networking components, use the tracing functionality to configure
the RRAS and Dial-Up Networking components to log tracing
information to a file. You can make RRAS and Dial-Up Networking
tracing available either by configuring the registry or by using
the netsh command.

How to add DNS and WINS into your Cisco VPN server

If your VPN client cannot find servers or cannot ping a computer by
name, you may need to add DNS and WINS to your VPN server. For
example, to add DNS and WINS on a Cisco PIX firewall, add
vpdn group 1 client configuration dns dnsservername and
vpdn group 1 client configuration wins winsservername.

How to assign a static IP to VPN client

If you have a Windows 2003 server as VPN server, you can assign a
static IP under the user's properties. If you use another Windows OS
as VPN server, you may create a DHCP reservation instead.

How to connect to a Windows domain using Windows VPN at
If you are running W2K/XP Pro set up for a domain controller, you
will have an option to "log on using dial-up connection" on the logon
screen after creating a VPN/dial-up connection. In the Log On to
Windows dialog box, the user can select the Log on using dial-up
connection check box. After clicking OK, the user is prompted to
choose a network connection.

How to configure VPN Packet Filters

When you set up RRAS, a set of default Input and Output Filters
on the external adapter of the VPN server is created. If you
aren't running your server in a highly secure environment, you can
comfortably place the server outside the firewall and restrict
incoming VPN traffic to PPTP packets only. To display and modify
these filters, go to Routing and Remote Access>IP
Routing>General, and then you can add or edit the packet filters of
the dedicated Local Area Connection. Or, to enable PPTP filtering
from Control Panel, select the Network applet, Protocols, TCP/IP
Protocol, the WAN adapter, Advanced. Then select the Enable
PPTP Filtering check box, as Screen 1 shows. When you enable PPTP
filtering, the server refuses all non-PPTP requests.

How do I set up a modem to dial into a remote computer

You need to install your modem from the Control Panel if you haven't
already, and you need to set up the dial-up networking server on your
remote computer. (This is included with Win98, NT4 and W2K/XP. On
Win95 it is in the Plus! pack, but you need to get an update to version 1.3
or later from Microsoft's site. At the time of writing it can be found here.)
You can enable the dial-up server from the 'Connections' menu of the
Dial-Up Networking window. If it isn't there, or if you've updated the
dial-up networking as mentioned above, you need to install it using the
Windows Setup section of 'Add/Remove Programs' in the Control Panel.

How many inbound dial-in connections are supported

W2K server supports 256 inbound dial-in connections while w2k pro supports

How to create an incoming networking connection
You can configure an incoming connection to accept the following
connection types: (modem, ISDN, X.25), VPN (PPTP, L2TP), or
direct (serial, infrared, DirectParallel). On a computer running
Windows 2000, 2003 or XP Pro, an incoming connection can accept
up to three incoming calls, up to one of each of these types. Note:
on a computer running Windows 2000/2003 Server, the number of
inbound calls is only limited by the computer and its hardware.

To create a VPN connection, open Network Connections>New
Connection Wizard>Set up an advanced connection>Accept
incoming connections, then follow the instructions.

How to establish VPN connection automatically

1. You can run rasdial.exe as a service by using instsrv.exe.
2. Add rasdial.exe to the Startup group.
3. Create an IPSec VPN if you have a static IP.

How to manage IP assignment on RRAS

Open RRAS, right-click on the RRAS server>Properties>IP. You will
have two options, DHCP and Static address pool.

How to schedule to connect and disconnect a VPN

You can use the rasdial command plus a scheduler.

How to setup VPN server on 2003 server

You have two options to set up a VPN server on Windows 2003.
1) Create an incoming networking connection if you have a small
network or you want to set up a one-PC-to-PC VPN; 2) If you have
large numbers of incoming connections on a server that operates as
part of a distributed network or as a domain controller, you should
use RRAS to create a VPN server.

How to setup VPN on w2k server with one NIC

Symptoms: When attempting to create a VPN on a W2K server with one
NIC, you may receive "You have chosen the last available
connection as the Internet connection. A VPN server requires that
one connection be used as the private network connection" if you
select the NIC.

1. Highlight No internet connection instead of the NIC or
LAN connection.
2. Try the "Manually configured server" option.

How to use PPTP through a Cisco PIX

In order to use PPTP through a PIX, you must have a one-to-one mapping
from the external IP to an internal IP for type 47 GRE packets and port

How to configure W2K server as VPN server

To set up a Windows 2000 server for VPN, open the Routing and Remote
Access console in the Administrative Tools folder, right-click the
server and then click Configure and Enable Routing and Remote
Access>Virtual private network [VPN] server. Click Next if TCP/IP is
the only protocol you will use. On the Internet Connection page,
select the connection that faces the Internet. You have two options
to assign IP addresses to VPN clients; the default is Automatically.
It is recommended to configure the server to assign client addresses
from a static address pool rather than from a DHCP server. If you
configure RAS to assign client addresses from a static address pool,
clients inherit the DNS and WINS settings from the RAS server. If
your RAS server can browse the network, clients should also be able
to browse the network with the same settings. If you prefer DHCP,
verify that DHCP scope option 44 (WINS/NetBIOS name server)
points to the WINS server and scope option 6 shows the address of
your DNS server. When you don't define these options, you almost
guarantee problems with client browsing. Finally, choose whether
to use RADIUS.

NOTE: If VPN traffic is traveling through a router or firewall,
configure the router or firewall to pass PPTP (TCP Port 1723 and IP
Protocol ID 47 [GRE - Generic Routing Encapsulation]) or L2TP over
IPSec (UDP Port 500 and IP Protocol ID 50 [Encapsulating Security
Payload]) traffic to and from the VPN server.

How to configure Win 2000/XP Pro as VPN host

Prior to Windows 2000/XP Pro, you had to add PPTP to NT 4.0 Server
to establish VPN connections. With the release of Windows 2000/XP
Pro, you can run Windows 2000/XP Pro as a VPN host. However,
Windows 2000/XP Pro allows only one VPN connection at a time and
requires Internet Protocol (IP).

Before you start the VPN configuration, you should have equipment
(modem, T1, Frame Relay, ADSL, or cable modem) connecting to the
Internet. Also make sure you have correct TCP/IP settings on the
W2K/XP machine.

To set up Windows XP Pro (in our case) as a VPN host, go to the
Properties of My Network Places>Create a New Connection>Set up an
Advanced Connection>Accept Incoming Connections. On the Devices for
Incoming Connections dialog box, do not select any device; just
click Next, check Allow Private Connections, and then click Next.
On the Allowed Users dialog box, select or add all users for whom
you want to enable access. The accounts have to exist on both
computers that are involved in establishing the VPN connection. On
the New Connection Wizard, File and Printer Sharing for Microsoft
Networks, Internet Protocol (TCP/IP) and Client for Microsoft
Networks should be listed as networking components. By default,
Allow callers to access my local area network and Assign TCP/IP
addresses automatically using DHCP are checked. If you would like
to keep the default settings, click Next to continue. Now the
Incoming Connection icon should show in the Incoming section under
the Properties of My Network Places and is ready to use.

How to configure a W2K/XP as VPN client

To connect to a VPN server, you should have a dial-in modem or a
dedicated connection to the Internet. To set up an XP client to access
the VPN host, go to the Properties of My Network Places>Create a
New Connection>Connect to the network at my workplace>Virtual
Private Network connection. Type the computer name, which will be
shown as the connection name in the VPN section, select Do not dial
the initial connection and then type the VPN host IP. You have two
options: create this connection for anyone or for yourself only.

How to configure a multihomed VPN server

If the VPN server has two network cards, one for the LAN and one for the
WAN, leave the gateway on the LAN adapter blank. In the gateway field of
the WAN network interface, enter the TCP/IP address that your ISP defines;
the gateway address usually points to a router at your ISP. It is
recommended that you manually enter the TCP/IP address, DNS and WINS for
the LAN NIC instead of using DHCP.

Incoming Connection or RRAS

You can create an incoming connection on a computer acting as a
remote access server if it is running Windows 2000 or XP Pro, or if it
is a stand-alone computer running Windows 2000/2003 Server. For
large numbers of incoming connections on a computer running
Windows 2000/2003 Server as a router, as a domain controller, or as
a member of a domain, you should use Routing and Remote Access
to create a remote access server.

Logon script with VPN

To run a logon script while establishing a VPN, you have two
options: 1) create a batch file including rasdial.exe plus the drive
mapping; 2) use Microsoft CMAK (Connection Manager Administration Kit).
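The three rasdial-based recipes on this page (running rasdial at
startup, scheduling connect/disconnect, and a logon script that dials
and then maps a drive) share one pattern: dial, check the result,
retry, then map. The script below is an added example written for this
summary, not code from the original page or from Microsoft. The
phonebook entry name "CorpVPN", the drive letter H: and the UNC path
\\fileserver\home are constructed placeholders, and the RAS error
table is a small subset. Credentials stay out of the script: with no
user name rasdial uses the credentials saved in the phonebook entry,
and passing "*" makes it prompt for the password.

```python
"""Added example: dial a VPN entry with rasdial, retry, then map a share,
so the script can run from the Startup group, Task Scheduler or a logon
script. Entry name, drive letter and UNC path are constructed."""
import subprocess
import sys
from typing import Callable, List, Optional

# Subset of RAS error numbers; rasdial exits with the error number on failure.
RAS_ERRORS = {
    0: "connected",
    691: "access denied: user name or password not accepted",
    721: "remote PPP peer not responding (IP protocol 47/GRE is often blocked)",
    800: "unable to establish the VPN connection (server unreachable or TCP 1723 blocked)",
}


def describe_ras_error(code: int) -> str:
    """Human-readable text for a rasdial exit status."""
    return RAS_ERRORS.get(code, f"RAS error {code}")


def rasdial_command(entry: str, user: Optional[str] = None,
                    prompt: bool = False) -> List[str]:
    """Build the rasdial argv. With no user, the credentials saved in the
    phonebook entry are used; prompt=True appends '*' so rasdial asks for
    the password instead of it being stored in the script."""
    cmd = ["rasdial", entry]
    if user:
        cmd.append(user)
        if prompt:
            cmd.append("*")
    return cmd


def net_use_command(drive: str, unc: str) -> List[str]:
    """Map a share for this session only (not remembered across logons)."""
    return ["net", "use", drive, unc, "/persistent:no"]


def _run(argv: List[str]) -> int:
    """Default runner: execute the command and return its exit status."""
    return subprocess.run(argv).returncode


def connect_and_map(entry: str, drive: str, unc: str,
                    run: Callable[[List[str]], int] = _run,
                    attempts: int = 3) -> int:
    """Dial up to `attempts` times, then map the drive. Returns 0 on success,
    otherwise the failing command's exit code. `run` is injectable so the
    logic can be exercised without a real RAS stack."""
    code = 1
    for _ in range(attempts):
        code = run(rasdial_command(entry))
        if code == 0:
            break
        print(f"rasdial failed: {describe_ras_error(code)}", file=sys.stderr)
    if code != 0:
        return code
    return run(net_use_command(drive, unc))


if __name__ == "__main__":
    sys.exit(connect_and_map("CorpVPN", "H:", r"\\fileserver\home"))
```

To run it at logon instead of from the Startup group, register it with
Task Scheduler, for example schtasks /create /sc onlogon /tn CorpVPN
/tr "python vpn_connect.py" (the script file name is a placeholder). A
matching disconnect task can call rasdial CorpVPN /disconnect. Because
the exit code is the RAS error number, the same script makes the two
most common firewall mistakes on this page visible: 721 when GRE (IP
protocol 47) is blocked and 800 when TCP 1723 never reaches the server.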

Manage VPN connections

To manage VPN logon time, permissions, disconnect if idle for a
certain number of minutes, maximum session time and other
constraints, use Remote Access Policies under RRAS.

Security on Windows VPN Server

A Windows 2000 VPN server is installed with a default set of Input
and Output filters on the external adapter. These filters support
PPTP, L2TP, and IPSec connectivity only and block other traffic.
However, the filters can be modified. To modify the filters, go to
RRAS>IP Routing>General, right-click the external adapter and
select Properties.

Which ports need to be opened for running VPN

A: PPTP VPN uses TCP Port 1723 and IP Protocol 47 (GRE); L2TP: UDP
Port 1701; IPSec: UDP Port 500, plus IP protocols 50 and 51. Note:
47 is a protocol number and not a TCP port. The protocol name is
GRE. It'll make a big difference when configuring your firewall or

What statements are required to allow a VPN inbound past
my Cisco PIX?

The following example is a simple PPTP access list:

access-list 110 permit tcp any host x.x.x.x eq 1723
access-list 110 permit gre any host x.x.x.x

Note: 1. x.x.x.x is the outside IP. 2. If you use PIX 6.3.1, you will
need to enable fixup protocol pptp 1723.
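The port list above, the NetBIOS ports from the name-resolution
section, and the PIX access list just shown can be checked
mechanically. The following is an added example written for this
summary (not Cisco's or the page's own code): a small Python parser for
the subset of PIX access-list syntax used here, plus a checker that
reports which of the flows PPTP, L2TP/IPSec or NetBIOS name resolution
need are not permitted to the server. The same requirement table can be
reused when reviewing RRAS input filters. The address 203.0.113.10 and
both rule sets are constructed; the second rule set shows the caveat
that 47 is an IP protocol number, not a TCP port, so a rule written as
"tcp ... eq 47" does nothing for GRE.

```python
"""Added example: check PIX-style access-list lines against what PPTP,
L2TP/IPSec and NetBIOS name resolution need to reach a VPN server.
All rule text and the address 203.0.113.10 below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IP protocol numbers. GRE, ESP and AH are protocols, not TCP/UDP ports.
PROTO_NUM = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
NUM_PROTO = {v: k for k, v in PROTO_NUM.items()}

# Inbound traffic each flavour needs, as listed on the page:
# (protocol, destination port); port is None for port-less protocols.
REQUIREMENTS: Dict[str, Dict[Tuple[str, Optional[int]], str]] = {
    "pptp": {("tcp", 1723): "PPTP control (TCP 1723)",
             ("gre", None): "GRE data (IP protocol 47)"},
    "l2tp_ipsec": {("udp", 500): "IKE (UDP 500)",
                   ("esp", None): "ESP (IP protocol 50)",
                   ("udp", 1701): "L2TP (UDP 1701)"},
    "netbios": {("udp", 137): "NetBIOS name (UDP 137)",
                ("udp", 138): "NetBIOS datagram (UDP 138)",
                ("tcp", 139): "NetBIOS session (TCP 139)"},
}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "gre", ...
    dst: str               # destination host address or "any"
    port: Optional[int]    # destination port from "eq N", else None


ACL_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\d+))?\s*$")


def parse_acl(text: str) -> List[Rule]:
    """Parse the subset of PIX access-list syntax used on the page."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-list line: {line}")
        action, proto, _src, dst, port = m.groups()
        proto = proto.lower()
        if proto.isdigit():                  # e.g. "permit 47 ..." means GRE
            proto = NUM_PROTO.get(int(proto), proto)
        rules.append(Rule(action, proto, dst.split()[-1],
                          int(port) if port else None))
    return rules


def permits(rules: List[Rule], proto: str, dst: str, port: Optional[int]) -> bool:
    """First matching rule wins; an access list ends with an implicit deny."""
    for r in rules:
        if r.proto != proto or r.dst not in ("any", dst):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False


def missing_for(rules: List[Rule], vpn_type: str, server_ip: str) -> List[str]:
    """Names of required flows the access list does not permit to server_ip."""
    return [label for (proto, port), label in REQUIREMENTS[vpn_type].items()
            if not permits(rules, proto, server_ip, port)]


# Constructed rule sets: the page's PPTP example, and a common mistake.
GOOD_PPTP_ACL = """
access-list 110 permit tcp any host 203.0.113.10 eq 1723
access-list 110 permit gre any host 203.0.113.10
"""
WRONG_PPTP_ACL = """
access-list 110 permit tcp any host 203.0.113.10 eq 1723
access-list 110 permit tcp any host 203.0.113.10 eq 47
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_PPTP_ACL), ("wrong", WRONG_PPTP_ACL)):
        gaps = missing_for(parse_acl(text), "pptp", "203.0.113.10")
        print(name, "PPTP:", "OK" if not gaps else "missing " + ", ".join(gaps))
```

Running it reports the first rule set as complete for PPTP and the
second as missing the GRE data flow, which is exactly the case that
shows up as a connection that authenticates on TCP 1723 and then hangs.
The checker only models permit/deny by protocol, destination host and
destination port; it does not model the PIX fixup for PPTP, NAT, or
source restrictions, so a clean result means the list is not the
problem, not that the whole path is.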

Why doesn't my w2k/xp have "log on using dial-up
connection" option on the logon screen

1. You must create a VPN or dial-up connection.
2. Your administrator may disable this option.
3. If the computer is not a member of a domain, the Log on using
dial-up connection check box does not appear.
