Operating System

Virtual Private Networking with Windows 2000: Deploying Router-to-Router VPNs

By Joseph Davies
Microsoft Corporation

Published: October 2001

Abstract

A virtual private network (VPN) is the extension of a private network that encompasses logical links across shared or public networks such as the Internet. A router-to-router VPN connection allows computers to securely connect the sites of an organization across the Internet. This paper describes the various components and design choices of a deployment of router-to-router VPN connections using Windows 2000 platform VPN servers. This paper also includes detailed walkthroughs to deploy Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP)-based router-to-router VPNs, information on firewall configuration, and details of troubleshooting tools and common problems. This paper assumes familiarity with TCP/IP, IP routing, Internet Protocol security (IPSec), and the capabilities of the Windows 2000 Routing and Remote Access service.

Deploying Router-to-Router VPNs i

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction 1
Overview of Demand-Dial Routing in Windows 2000 Server 2
  Demand-dial routing updates 3
  Introduction to Router-to-Router VPN connections 4
  On-demand vs. persistent connections 5
  Restricting the initiation of demand-dial connections 5
  One-way vs. two-way initiated connections 6
Components of Windows 2000 Router-to-Router VPNs 8
  VPN routers 8
  Installing a certificate on a VPN router 11
  Design Points: Configuring the VPN router 11
  Internet network infrastructure 14
  Answering router name resolvability 14
  Answering router reachability 14
  VPN routers and firewall configuration 14
  Design Points: Answering router accessibility from the Internet 15
  Authentication protocols 15
  Design Point: Which authentication protocol to use? 17
  VPN protocols 17
  Point-to-Point Tunneling Protocol 17
  Layer Two Tunneling Protocol with IPSec 17
  Design Point: PPTP or L2TP? 18
  Site network infrastructure 18
  Name resolution 18
  Routing 19
  Routing and multi-use VPN routers 20
  Design Points: Routing infrastructure 21
  AAA Infrastructure 22
  Remote access policies 23
  Windows domain user accounts and groups 24
  One-way initiated connections and static routes on the user account 25
  Design Points: AAA infrastructure 26
  Certificate infrastructure 26
  Computer certificates for L2TP/IPSec 26
  User and computer certificates for EAP-TLS authentication 27
  Design Points: Certificate infrastructure 28
Deploying a PPTP-based Router-to-Router VPN Connection 29
  Deploying certificate infrastructure 29
  Installing a user certificate on a calling router 29
  Configuring EAP-TLS on the calling router 30
  Installing a computer certificate on the authenticating server 30
  Configuring EAP-TLS on the answering router and remote access policy 30
  Deploying Internet infrastructure 31
  Placing VPN routers in perimeter network or on the Internet 31
  Installing Windows 2000 Server on VPN routers and configuring Internet interfaces 31
  Deploying the answering router 31
  Configuring the answering router's connection to the site 31
  Running the Routing and Remote Access Server Setup Wizard 32
  Configuring a demand-dial interface 32
  Deploying the calling router 33
  Configuring the calling router's connection to the site 33
  Running the Routing and Remote Access Server Setup Wizard 33
  Configuring a demand-dial interface 34
  Deploying AAA infrastructure 35
  Configuring Active Directory for user accounts and groups 35
  Configuring the primary IAS server on a domain controller 35
  Configuring the secondary IAS server on a different domain controller 37
  Deploying site network infrastructure 37
  Configuring routing on the VPN routers 37
  Verifying reachability from each VPN router 38
  Configuring routing for off-subnet address pools 38
  Deploying intersite network infrastructure 38
Deploying an L2TP-based Router-to-Router VPN Connection 40
  Deploying certificate infrastructure 40
  Certificates for L2TP connections 40
  Certificates for EAP-TLS authentication 41
  Installing a user certificate on a calling router 41
  Configuring EAP-TLS on the calling router 41
  Installing a computer certificate on the authenticating server 42
  Configuring EAP-TLS on the answering router and remote access policy 42
  Deploying Internet infrastructure 42
  Placing VPN routers in perimeter network or on the Internet 42
  Installing Windows 2000 Server on VPN routers and configuring Internet interfaces 43
  Deploying the answering router 43
  Configuring the answering router's connection to the site 43
  Running the Routing and Remote Access Server Setup Wizard 43
  Configuring a demand-dial interface 44
  Deploying the calling router 45
  Configuring the calling router's connection to the site 45
  Running the Routing and Remote Access Server Setup Wizard 45
  Configuring a demand-dial interface 46
  Deploying AAA infrastructure 46
  Configuring Active Directory for user accounts and groups 47
  Configuring the primary IAS server on a domain controller 47
  Configuring the secondary IAS server on a different domain controller 48
  Deploying site network infrastructure 49
  Configuring routing on the VPN routers 49
  Verifying reachability from each VPN router 49
  Configuring routing for off-subnet address pools 49
  Deploying intersite network infrastructure 49
Appendix A: Configuring Firewalls with a Windows 2000 VPN Router 51
  VPN router in front of the firewall 51
  Packet Filters for PPTP 52
  Packet Filters for L2TP/IPSec 52
  VPN router behind the firewall 53
  Packet Filters for PPTP 53
  Packet Filters for L2TP/IPSec 53
  VPN router between two firewalls 53
Appendix B: Alternate Configurations 53
  Multiple Internet Function VPN Router 53
  Single-Adapter VPN Router 53
Appendix C: Troubleshooting 53
  Troubleshooting tools 53
  TCP/IP Troubleshooting Tools 53
  Authentication and Accounting Logging 53
  Unreachability Reason 53
  Event Logging 53
  IAS Event Logging 53
  PPP logging 53
  Tracing 53
  Network Monitor 53
  Troubleshooting router-to-router VPN connections 53
  Connection attempt is rejected when it should be accepted 53
  Connection attempt is accepted when it should be rejected 53
  Unable to reach locations beyond the VPN router 53
  Unable to reach the virtual interfaces of VPN routers 53
  On-demand connection is not made automatically 53
  Unable to establish tunnel 53
Summary 53
Related Links 53

Introduction

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link (such as a long-haul T-Carrier-based wide area network (WAN) link). Virtual private networking is the act of creating and configuring a virtual private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The logical link over which the private data is encapsulated and encrypted is a virtual private network (VPN) connection. Figure 1 shows the logical equivalent of a VPN connection.

Figure 1  The logical equivalent of a VPN connection

Users working at home or on the road can use VPN connections to establish a remote access connection to an organization server by using the infrastructure provided by a public network such as the Internet. From the user's perspective, the VPN connection is a point-to-point connection between the computer (the VPN client) and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.

Organizations can also use VPN connections to establish router-to-router connections with geographically separate offices or with other organizations over a public network such as the Internet while maintaining secure communications. A router-to-router VPN connection across the Internet logically operates as a dedicated WAN link.

With both remote access and router-to-router connections, an organization can use VPN connections to trade long-distance dial-up or leased lines for local dial-up or leased lines to an Internet service provider (ISP).

There are two types of PPP-based router-to-router VPN technology in the Windows 2000 operating system:

1. Point-to-Point Tunneling Protocol (PPTP). PPTP uses user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption.

2. Layer Two Tunneling Protocol (L2TP) with Internet Protocol security (IPSec). L2TP with IPSec (L2TP/IPSec) uses user-level PPP authentication methods and IPSec for computer-level authentication using certificates and for data authentication, integrity, and encryption.

Note: Using IPSec tunnel mode for router-to-router VPN connections is possible using computers running Windows 2000 Server. Because the IPSec tunnel is not represented as a logical interface over which packets can be forwarded and received, routing protocols do not operate over IPSec tunnels. Because the configuration of IPSec tunnels for router-to-router VPN connections is vastly different, it is not discussed here. For more information, see article Q252735, "How to Configure IPSec Tunneling in Windows 2000," in the Microsoft Knowledge Base.

For encryption, you can use either link encryption alone or end-to-end encryption in addition to link encryption:

- Link encryption encrypts the data only on the link between the routers. For PPTP connections, you must use MPPE in conjunction with MS-CHAP, MS-CHAP v2, or EAP-TLS authentication. For L2TP/IPSec connections, IPSec provides encryption on the link between the routers.

- End-to-end encryption encrypts the data between the source host and its final destination. You can use IPSec after the router-to-router VPN connection is made to encrypt data from the source host to the destination host.

Overview of Demand-Dial Routing in Windows 2000 Server

The Windows 2000 Routing and Remote Access service includes support for demand-dial routing (also known as dial-on-demand routing) over both dial-up connections (such as analog phone lines or ISDN) and VPN connections. Demand-dial routing is the forwarding of packets across a Point-to-Point Protocol (PPP) link. The PPP link is represented inside the Windows 2000 Routing and Remote Access service as a demand-dial interface, which can be used to create on-demand connections across dial-up, non-permanent, or persistent media. Demand-dial connections allow you to use dial-up telephone lines instead of leased lines for low-traffic situations and to leverage the connectivity of the Internet to connect branch offices with VPN connections.

Demand-dial routing is not the same as remote access. Remote access connects a single computer to a network; demand-dial routing connects entire networks. However, both use PPP as the protocol through which to negotiate and authenticate the connection and encapsulate the data sent over it. As implemented in the Windows 2000 Routing and Remote Access service, remote access and demand-dial connections can be enabled separately. However, they still share the same:

- Dial-in properties behavior of user accounts.

- Security (authentication protocols and encryption).

- Remote access policies usage.

- Windows or Remote Authentication Dial-In User Service (RADIUS) usage (for authentication, authorization, and accounting).

- IP and Internetwork Packet Exchange (IPX) address assignment and configuration.

- PPP features usage, such as Microsoft Point-to-Point Compression (MPPC), Multilink PPP, and Bandwidth Allocation Protocol (BAP).

- Troubleshooting facilities, including event logging, Windows or RADIUS authentication and accounting logging, and tracing.

While the concept of demand-dial routing is fairly simple, configuration of demand-dial routing is relatively complex. This complexity is due to the following factors:

- Connection endpoint addressing. The connection must be made over public data networks, such as the analog phone system or the Internet. The endpoint of the connection must be identified by a phone number for dial-up connections, and by either a fully qualified host name or an IP address for VPN connections.

- Authentication and authorization of the caller. Anyone calling the router must be authenticated and authorized. Authentication is based on the caller's set of credentials that are passed during the connection establishment process. The credentials that are passed must correspond to a Windows 2000 account. Authorization is granted based on the dial-in properties of the Windows 2000 account and remote access policies.

- Differentiation between remote access clients and calling routers. Both routing and remote access services coexist on the same computer running Windows 2000 Server. Both remote access clients and demand-dial routers can initiate a connection. The computer running Windows 2000 Server that answers a connection attempt mus