Appendix A: Configuring Firewalls with a Windows 2000 VPN Router

On This Page

VPN router in front of the firewall
VPN router behind the firewall
VPN router between two firewalls

The following are common configurations of firewalls with a VPN router:

  • The VPN router is attached to the Internet and the firewall is between the VPN router and the site.

  • The firewall is attached to the Internet and the VPN router is between the firewall and the site.

  • Two firewalls are used: one between the VPN router and the site, and one between the VPN router and the Internet.

VPN router in front of the firewall

To prevent the VPN router from sending or receiving anything but VPN traffic on its Internet interface, configure PPTP or L2TP/IPSec input and output filters on the interface that corresponds to the connection to the Internet. IP routing is enabled on that interface, so if no PPTP or L2TP/IPSec filters are configured on it, any traffic received on the Internet interface is routed, and unwanted Internet traffic may be forwarded into your site.

When the VPN router is in front of the firewall attached to the Internet, you need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN router's Internet interface.

For inbound traffic, when the tunneled data is decrypted by the VPN router, it is forwarded to the firewall. The firewall in this configuration is acting as a filter for site traffic and can prevent specific resources from being accessed, scan data for viruses, perform intrusion detection, and other functions.

Because the only Internet traffic allowed on the site must pass through the VPN router, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web site resources with non-VPN Internet users.

Figure 3 shows the VPN router in front of the firewall.


Figure 3: The VPN router in front of the firewall

The firewall is configured for the appropriate rules for site traffic to and from hosts in other sites according to your network security policies.

For the Internet interface on the VPN router, configure the following input and output filters using the Routing and Remote Access snap-in.

Packet Filters for PPTP

Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Destination IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723.
    This filter allows PPTP tunnel maintenance traffic to the VPN router.

  • Destination IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47.
    This filter allows PPTP tunneled data to the VPN router.

  • Destination IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and TCP source port of 1723.
    This filter is required only when the VPN router is acting as a calling router in a router-to-router VPN connection. Configure it with the TCP [established] filter type: it then matches only segments of a connection that already exists, so traffic from source port 1723 is accepted only when the VPN router initiated the TCP connection and cannot be used to open new connections to the router.

Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Source IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and TCP source port of 1723.
    This filter allows PPTP tunnel maintenance traffic from the VPN router.

  • Source IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47.
    This filter allows PPTP tunneled data from the VPN router.

  • Source IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723.
    This filter is required only when the VPN router is acting as a calling router in a router-to-router VPN connection.

Packet Filters for L2TP/IPSec

Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Destination IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 500.
    This filter allows Internet Key Exchange (IKE) traffic to the VPN router.

  • Destination IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 1701.
    This filter allows L2TP traffic to the VPN router.

Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Source IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 500.
    This filter allows IKE traffic from the VPN router.

  • Source IP address of the VPN router's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 1701.
    This filter allows L2TP traffic from the VPN router.

No filters are required for IPSec Encapsulating Security Payload (ESP) traffic, IP protocol 50. The Routing and Remote Access service filters are applied after the IPSec components remove the ESP header, so the filters see the decapsulated L2TP traffic on UDP port 1701.
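The following is an added example, not part of the original appendix, that models the filter sets above as a small Python evaluator. It transcribes the PPTP and L2TP/IPSec input and output filters for the VPN router's Internet interface, applies the "drop all except" default action, and runs constructed packets through them. The addresses (131.107.1.10 for the VPN router's Internet interface, 10.20.30.40 for a remote peer) and the packets are assumed. It also shows why the calling-router rule needs the TCP [established] type: the same rule without it lets an Internet host reach any port on the router simply by sending from source port 1723.

```python
"""Model of the RRAS packet filters on the VPN router's Internet interface.

Constructed example: the rules transcribe the PPTP and L2TP/IPSec
input/output filters from the text; addresses and packets are made up.
"""
from dataclasses import dataclass
from typing import List, Optional

VPN_IF = "131.107.1.10"   # assumed public address of the VPN router's Internet interface
PEER = "10.20.30.40"      # assumed address of a remote VPN client or calling router

TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False                   # TCP ACK flag; False on the initial SYN
    inner: Optional["Packet"] = None    # cleartext payload carried inside an ESP packet


@dataclass(frozen=True)
class Rule:
    """One RRAS filter entry. A None field means 'any'; an address with a value
    stands for that address with subnet mask 255.255.255.255."""
    proto: int
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False           # RRAS 'TCP [established]': ACK must be set

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and self.src in (None, p.src)
                and self.dst in (None, p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (p.ack or not self.established))


def permitted(rules: List[Rule], p: Packet) -> bool:
    """Filter action 'Drop all packets except those that meet the criteria below'."""
    return any(r.matches(p) for r in rules)


def rras_input(rules: List[Rule], p: Packet) -> bool:
    """Input path: IPSec strips the ESP header before the RRAS filters run, so the
    filters see the inner L2TP packet and no rule for protocol 50 is needed."""
    if p.proto == ESP and p.inner is not None:
        p = p.inner
    return permitted(rules, p)


# PPTP filters on the Internet interface.
PPTP_IN = [
    Rule(TCP, dst=VPN_IF, dport=1723),                      # tunnel maintenance to the router
    Rule(GRE, dst=VPN_IF),                                  # tunneled data to the router
    Rule(TCP, dst=VPN_IF, sport=1723, established=True),    # only if the router is a calling router
]
PPTP_OUT = [
    Rule(TCP, src=VPN_IF, sport=1723),                      # tunnel maintenance from the router
    Rule(GRE, src=VPN_IF),                                  # tunneled data from the router
    Rule(TCP, src=VPN_IF, dport=1723),                      # only if the router is a calling router
]

# L2TP/IPSec filters on the Internet interface.
L2TP_IN = [Rule(UDP, dst=VPN_IF, dport=500), Rule(UDP, dst=VPN_IF, dport=1701)]
L2TP_OUT = [Rule(UDP, src=VPN_IF, sport=500), Rule(UDP, src=VPN_IF, sport=1701)]


def demo() -> dict:
    """Evaluate constructed packets against the filter sets; True means forwarded."""
    esp_with_l2tp = Packet(PEER, VPN_IF, ESP, inner=Packet(PEER, VPN_IF, UDP, 1701, 1701))
    # The calling-router rule written without TCP [established], as a plain port filter.
    sloppy_in = PPTP_IN[:2] + [Rule(TCP, dst=VPN_IF, sport=1723)]
    return {
        "pptp control syn in":   rras_input(PPTP_IN, Packet(PEER, VPN_IF, TCP, 1040, 1723)),
        "gre in":                rras_input(PPTP_IN, Packet(PEER, VPN_IF, GRE)),
        "http in":               rras_input(PPTP_IN, Packet(PEER, VPN_IF, TCP, 1041, 80)),
        "gre to other host":     rras_input(PPTP_IN, Packet(PEER, "131.107.1.11", GRE)),
        "reply from 1723 (ack)": rras_input(PPTP_IN, Packet(PEER, VPN_IF, TCP, 1723, 1042, ack=True)),
        "syn from 1723 to 445":  rras_input(PPTP_IN, Packet(PEER, VPN_IF, TCP, 1723, 445)),
        "same, no established":  rras_input(sloppy_in, Packet(PEER, VPN_IF, TCP, 1723, 445)),
        "ike in":                rras_input(L2TP_IN, Packet(PEER, VPN_IF, UDP, 500, 500)),
        "esp carrying l2tp in":  rras_input(L2TP_IN, esp_with_l2tp),
        "ike out":               permitted(L2TP_OUT, Packet(VPN_IF, PEER, UDP, 500, 500)),
        "http out":              permitted(PPTP_OUT, Packet(VPN_IF, PEER, TCP, 1043, 80)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'forward' if ok else 'drop'}")
```

The "same, no established" row is the case the firewall sections below warn about: a firewall that cannot express the established condition has to accept any TCP segment from source port 1723, so that rule should only be paired with the RRAS filters on the VPN router itself.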

VPN router behind the firewall

In a more common configuration, the firewall is connected to the Internet and the VPN router is a site resource connected to the perimeter network, also known as a demilitarized zone (DMZ) or screened subnet. The perimeter network is an IP network segment that contains resources that are available to Internet users, such as Web and FTP servers. The VPN router has an interface on both the perimeter network and the site. In this approach, the firewall must be configured with input and output filters on its Internet interface that allow the passing of tunnel maintenance traffic and tunneled data to the VPN router. Additional filters can allow the passing of traffic to Web, FTP, and other types of servers on the perimeter network. For an added layer of security, the VPN router can also be configured with PPTP or L2TP/IPSec packet filters on its perimeter network interface.

The firewall in this configuration is acting as a filter for Internet traffic and can confine the incoming and outgoing traffic to the specific resources on the perimeter network, perform intrusion attempt detection, prevent denial of service attacks, and other functions.

Because the firewall does not have the encryption keys for each VPN connection, it can only filter on the plaintext headers of the tunneled data. In other words, all tunneled data passes through the firewall. This is acceptable only because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN router: the VPN router, not the firewall, is the enforcement point for everything carried inside the tunnel, so it must be kept patched, its own filters configured, and its authentication methods and credentials chosen with that role in mind.

Figure 4 shows the VPN router behind the firewall on the perimeter network.


Figure 4: The VPN router behind the firewall on the perimeter network

For both the Internet and perimeter network interfaces on the firewall, configure the following input and output filters using the firewall's configuration software.

Packet Filters for PPTP

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface.

Filters on the Internet Interface
Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN router's perimeter network interface and TCP destination port of 1723 (0x6BB).
    This filter allows PPTP tunnel maintenance traffic to the VPN router.

  • Destination IP address of the VPN router's perimeter network interface and IP Protocol ID of 47 (0x2F).
    This filter allows PPTP tunneled data to the VPN router.

  • Destination IP address of the VPN router's perimeter network interface and TCP source port of 1723 (0x6BB).
    This filter is required only when the VPN router is acting as a calling router in a router-to-router VPN connection. This filter should only be used in conjunction with PPTP packet filters described in "VPN router in front of the firewall" and configured on the VPN router's network perimeter interface. By allowing all traffic to the VPN router from TCP port 1723, there exists the possibility of network attacks from sources on the Internet that use this port.

Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN router's perimeter network interface and TCP source port of 1723 (0x6BB).
    This filter allows PPTP tunnel maintenance traffic from the VPN router.

  • Source IP address of the VPN router's perimeter network interface and IP Protocol ID of 47 (0x2F).
    This filter allows PPTP tunneled data from the VPN router.

  • Source IP address of the VPN router's perimeter network interface and TCP destination port of 1723 (0x6BB).
    This filter is required only when the VPN router is acting as a calling router in a router-to-router VPN connection. This filter should only be used in conjunction with PPTP packet filters described in "VPN router in front of the firewall" and configured on the VPN router's network perimeter interface. By allowing all traffic from the VPN router to TCP port 1723, there exists the possibility of network attacks from sources on the Internet using this port.

Filters on the Perimeter Network Interface
Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN router's perimeter network interface and TCP source port of 1723 (0x6BB).
    This filter allows PPTP tunnel maintenance traffic from the VPN router.

  • Source IP address of the VPN router's perimeter network interface and IP Protocol ID of 47 (0x2F).
    This filter allows PPTP tunneled data from the VPN router.

  • Source IP address of the VPN router's perimeter network interface and TCP destination port of 1723 (0x6BB).
    This filter is required only when the VPN router is acting as a calling router in a router-to-router VPN connection. This filter should only be used in conjunction with PPTP packet filters described in "VPN router in front of the firewall" and configured on the VPN router's network perimeter interface. By allowing all traffic from the VPN router to TCP port 1723, there exists the possibility of network attacks from sources on the Internet using this port.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN router's perimeter network interface and TCP destination port of 1723 (0x6BB).
    This filter allows PPTP tunnel maintenance traffic to the VPN router.

  • Destination IP address of the VPN router's perimeter network interface and IP Protocol ID of 47 (0x2F).
    This filter allows PPTP tunneled data to the VPN router.

  • Destination IP address of the VPN router's perimeter network interface and TCP source port of 1723 (0x6BB).
    This filter is required only when the VPN router is acting as a calling router in a router-to-router VPN connection. This filter should only be used in conjunction with PPTP packet filters described in "VPN router in front of the firewall" and configured on the VPN router's network perimeter interface. By allowing all traffic to the VPN router from TCP port 1723, there exists the possibility of network attacks from sources on the Internet using this port.

Packet Filters for L2TP/IPSec

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface.

Filters on the Internet Interface
Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN router's perimeter network interface and UDP destination port of 500 (0x1F4).
    This filter allows IKE traffic to the VPN router.

  • Destination IP address of the VPN router's perimeter network interface and IP Protocol ID of 50 (0x32).
    This filter allows IPSec ESP traffic to the VPN router.

Configure the following output packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN router's perimeter network interface and UDP source port of 500 (0x1F4).
    This filter allows IKE traffic from the VPN router.

  • Source IP address of the VPN router's perimeter network interface and IP Protocol ID of 50 (0x32).
    This filter allows IPSec ESP traffic from the VPN router.

No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload. These filters also assume that the firewall routes the VPN router's perimeter network address unchanged rather than translating it: ESP carries no port numbers for a network address translator to map, so an address-translating firewall breaks the IPSec exchange unless both ends support IPSec NAT traversal, which is not part of the Windows 2000 configuration described here.

Filters on the Perimeter Network Interface
Configure the following input packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN router's perimeter network interface and UDP source port of 500 (0x1F4).
    This filter allows IKE traffic from the VPN router.

  • Source IP address of the VPN router's perimeter network interface and IP Protocol ID of 50 (0x32).
    This filter allows IPSec ESP traffic from the VPN router.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN router's perimeter network interface and UDP destination port of 500 (0x1F4).
    This filter allows IKE traffic to the VPN router.

  • Destination IP address of the VPN router's perimeter network interface and IP Protocol ID of 50 (0x32).
    This filter allows IPSec ESP traffic to the VPN router.

There are no filters required for L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload.
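The following is an added example, not part of the original appendix, that traces packets through the two-interface firewall using the L2TP/IPSec filters listed above. A transit packet must pass the input filter of the interface it arrives on and the output filter of the interface it leaves by, and the firewall matches only the plaintext outer header, so the L2TP traffic on UDP port 1701 inside ESP is never visible to it. The addresses (131.107.2.10 for the VPN router's perimeter interface, 131.107.2.20 for a Web server on the same perimeter network, 10.20.30.40 for a remote router) and the packets are assumed, and the Web server rules in `with_web_server` are an illustration of the "additional filters" the text mentions rather than a recommendation from the page.

```python
"""Trace packets through the firewall in front of the VPN router, using the
L2TP/IPSec filter sets for its Internet and perimeter network interfaces.

Constructed example: addresses and packets are assumed, not from the page.
"""
VPN_PERIM = "131.107.2.10"    # assumed perimeter-network address of the VPN router
WEB_PERIM = "131.107.2.20"    # assumed Web server on the same perimeter network
PEER = "10.20.30.40"          # assumed remote VPN router on the Internet

TCP, UDP, ESP = 6, 17, 50


def pkt(src, dst, proto, sport=None, dport=None, **extra) -> dict:
    """Build a packet as a dict of header fields; 'encrypted' holds ESP payload."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, **extra}


def visible(p: dict) -> dict:
    """The firewall holds no IPSec keys, so it filters on the plaintext outer
    header only; whatever sits under 'encrypted' is opaque to it."""
    return {k: v for k, v in p.items() if k != "encrypted"}


def matches(rule: dict, hdr: dict) -> bool:
    """A rule matches when every field it names equals that header field."""
    return all(hdr.get(k) == v for k, v in rule.items())


# Firewall filters keyed by (interface, direction). Each list means
# "forward only these"; anything else is dropped.
L2TP_IPSEC_FILTERS = {
    ("internet", "in"):   [{"dst": VPN_PERIM, "proto": UDP, "dport": 500},   # IKE to the router
                           {"dst": VPN_PERIM, "proto": ESP}],                # ESP to the router
    ("internet", "out"):  [{"src": VPN_PERIM, "proto": UDP, "sport": 500},   # IKE from the router
                           {"src": VPN_PERIM, "proto": ESP}],                # ESP from the router
    ("perimeter", "in"):  [{"src": VPN_PERIM, "proto": UDP, "sport": 500},
                           {"src": VPN_PERIM, "proto": ESP}],
    ("perimeter", "out"): [{"dst": VPN_PERIM, "proto": UDP, "dport": 500},
                           {"dst": VPN_PERIM, "proto": ESP}],
}


def forwards(filters: dict, ingress: str, egress: str, p: dict) -> bool:
    """A transit packet must pass the input filter of the interface it arrives
    on and the output filter of the interface it leaves by."""
    hdr = visible(p)
    return (any(matches(r, hdr) for r in filters[(ingress, "in")])
            and any(matches(r, hdr) for r in filters[(egress, "out")]))


def with_web_server(filters: dict) -> dict:
    """Illustrative extra filters exposing a Web server on the perimeter network,
    added without widening what can reach the VPN router."""
    web = {"dst": WEB_PERIM, "proto": TCP, "dport": 80}
    extended = dict(filters)
    extended[("internet", "in")] = filters[("internet", "in")] + [web]
    extended[("perimeter", "out")] = filters[("perimeter", "out")] + [web]
    return extended


def trace() -> dict:
    """Run constructed packets through the firewall; True means forwarded."""
    fw = L2TP_IPSEC_FILTERS
    esp_in = pkt(PEER, VPN_PERIM, ESP, encrypted=pkt(PEER, VPN_PERIM, UDP, 1701, 1701))
    http_in = pkt(PEER, WEB_PERIM, TCP, 1050, 80)
    return {
        "ike in":                  forwards(fw, "internet", "perimeter", pkt(PEER, VPN_PERIM, UDP, 500, 500)),
        "esp (l2tp inside) in":    forwards(fw, "internet", "perimeter", esp_in),
        "esp to web server":       forwards(fw, "internet", "perimeter", pkt(PEER, WEB_PERIM, ESP)),
        "bare l2tp 1701 in":       forwards(fw, "internet", "perimeter", pkt(PEER, VPN_PERIM, UDP, 1701, 1701)),
        "http to web server":      forwards(fw, "internet", "perimeter", http_in),
        "http, web rules added":   forwards(with_web_server(fw), "internet", "perimeter", http_in),
        "esp out":                 forwards(fw, "perimeter", "internet", pkt(VPN_PERIM, PEER, ESP)),
        "ike out from web server": forwards(fw, "perimeter", "internet", pkt(WEB_PERIM, PEER, UDP, 500, 500)),
    }


if __name__ == "__main__":
    for name, ok in trace().items():
        print(f"{name:26s} {'forward' if ok else 'drop'}")
```

Note that "bare l2tp 1701 in" is dropped: with these filters, L2TP that is not wrapped in ESP never reaches the VPN router, which is the intended outcome, since the L2TP/IPSec policy on the router requires the IPSec protection anyway.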

VPN router between two firewalls

Another configuration is one in which the VPN router computer is placed on the perimeter network between two firewalls. The Internet firewall, the firewall between the Internet and the VPN router, filters all Internet traffic from all Internet clients. The site firewall, the firewall between the VPN router and the site, filters site traffic from hosts in other sites.

Figure 5 shows the VPN router between two firewalls on the perimeter network.


Figure 5: The VPN router between two firewalls on the perimeter network

In this configuration:

  • Configure your Internet firewall and VPN router with the packet filters as described in the "VPN router behind the firewall" section.

  • Configure your site firewall for the appropriate rules for site traffic to and from calling routers according to your network security policies.