Appendix C: Setting up a VPN test lab

This section provides detailed information about how you can use five computers to create a test lab with which to configure and test the virtual private network (VPN) features in Windows 2000. These instructions are designed to take you through a set of tasks that expose you to VPN connections and their functionality. Beyond the set of tasks, you can use these instructions to create a functioning VPN configuration. You can then use this configuration to experiment with VPN features and functionality prior to deployment on your production network.

This section covers:

  • Setting up the infrastructure

  • Virtual private network test lab tasks

Setting up the infrastructure

The infrastructure for the VPN test lab network consists of five computers performing the following services:

  • A computer running Windows 2000 that is acting as a domain controller, a Domain Name System (DNS) server, and a certification authority (CA). This computer is named DC1.

  • A computer running Windows 2000 that is acting as a Remote Authentication Dial-in User Service (RADIUS) server. This computer is named IAS1.

  • A computer running Windows 2000 that is acting as a Web server and file sharing server. This computer is named IIS1.

  • A computer running Windows 2000 that is acting as a VPN server. This computer is named VPN1. VPN1 has two network adapters installed.

  • A computer running Windows 2000 that is acting as a VPN client. This computer is named CLIENT1.

Figure 7 shows the configuration of the VPN test lab.

Figure 7  Configuration of the VPN test lab

There is a network segment representing a corporate intranet and a network segment representing the Internet. All computers on the corporate intranet are connected to a common hub or Layer 2 switch. All computers on the Internet are connected to a separate common hub or Layer 2 switch. Private addresses are used throughout the test lab configuration. The private network of 172.16.0.0/24 is used for the intranet. The private network of 10.0.0.0/24 is used for the simulated Internet.

Each computer is manually configured with the appropriate IP address, subnet mask, and DNS server IP address. There are no Dynamic Host Configuration Protocol (DHCP) or Windows Internet Name Service (WINS) servers present.

The following sections describe the configuration for each of the computers in the test lab. To reconstruct this test lab, configure the computers in the order presented.

Note:  The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

DC1
DC1 is a computer running Windows 2000 that is providing the following services:

  • A domain controller for the testlab.microsoft.com domain.

  • A DNS server for the testlab.microsoft.com DNS domain.

  • The enterprise root certification authority (CA) for the testlab.microsoft.com domain.

To configure DC1 for these services, perform the following steps.

  1. Install Windows 2000 as a stand-alone server.

  2. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.

  3. Run dcpromo for a new domain called testlab.microsoft.com in a new forest. Install the DNS service when prompted.

  4. Install the Certificate Services component as an enterprise root certification authority.

  5. Configure the testlab.microsoft.com domain for automatic enrollment of computer certificates.

IAS1
IAS1 is a computer running Windows 2000 that is providing RADIUS authentication, authorization, and accounting for VPN1 (the VPN server computer).

To configure IAS1 as a RADIUS server, perform the following steps:

  1. On DC1, add a computer account for the IAS1 computer.

  2. Install Windows 2000 as a stand-alone server.

  3. Configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.

  4. Join IAS1 to the testlab.microsoft.com domain.

  5. Install the Internet Authentication Service.

IIS1
IIS1 is a computer running Windows 2000 and the Internet Information Service. It is providing Web server services for intranet clients. To configure IIS1 as a Web server, perform the following steps:

  1. On DC1, add a computer account for the IIS1 computer.

  2. Install Windows 2000 as a stand-alone server.

  3. Configure the TCP/IP protocol with the IP address of 172.16.0.3, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.

  4. Join IIS1 to the testlab.microsoft.com domain.

  5. Install the Internet Information Service.

  6. To determine whether the Web server is working correctly, run Internet Explorer on IAS1. When prompted by the Internet Connection Wizard, configure the wizard for a LAN connection. In Internet Explorer, in Address, type https://IIS1.testlab.microsoft.com/win2000.gif. You should see a Windows 2000 graphic.

  7. In Windows Explorer, share the root directory of Local Disk (C:) using the share name ROOT to the group Everyone with full access.

VPN1
VPN1 is a computer running Windows 2000 that is providing VPN server services for Internet-based VPN clients. To configure VPN1 as a VPN server, perform the following steps:

  1. On DC1, add a computer account for VPN1.

  2. Install Windows 2000 as a stand-alone server.

  3. For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.

  4. For the Internet local area connection, configure the TCP/IP protocol with the IP address of 10.0.0.2 and the subnet mask of 255.255.255.0.

  5. Join VPN1 to the testlab.microsoft.com domain.

  6. Configure and enable the Routing and Remote Access service. In the Routing and Remote Access Server Setup Wizard, select Virtual private network (VPN) server from the list of common configurations. When prompted for IP address assignment, select From a specified range of addresses and configure the range 172.16.0.248 to 172.16.0.255. Do not configure RADIUS authentication.

CLIENT1
CLIENT1 is a computer running Windows 2000 that is acting as a VPN client and gaining remote access to intranet resources across the simulated Internet. To configure CLIENT1 as a VPN client, perform the following steps:

  1. On DC1, add a computer account for CLIENT1.

  2. Connect CLIENT1 to the intranet network segment.

  3. On CLIENT1, install Windows 2000 as a workgroup computer.

  4. Configure the TCP/IP protocol with the IP address of 172.16.0.5, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.

  5. Join CLIENT1 to the testlab.microsoft.com domain.

  6. Configure the TCP/IP protocol with the IP address of 10.0.0.1, the subnet mask of 255.255.255.0, and no DNS server IP address.

  7. Shut down the CLIENT1 computer.

  8. Disconnect the CLIENT1 computer from the intranet network segment and connect it to the simulated Internet network segment.

  9. Restart the CLIENT1 computer and log on using the cached credentials of the testlab.microsoft.com administrator account.

VPN test lab tasks

The following tasks are designed to take you through the most common elements of remote access VPN support with Windows 2000:

  • PPTP-based remote access

  • L2TP-based remote access

  • RADIUS authentication and accounting

  • Remote access policies for different types of VPN connections

PPTP-based remote access
To create a PPTP-based remote access VPN connection between CLIENT1 and VPN1 and test whether intranet resources are available, perform the following steps:

Create a user account
On DC1, use the Active Directory Users and Computers snap-in to create a user account named PPTPUser with a password. Set the remote access permission on the Dial-in tab to Allow access.

Create the PPTP connection

  1. On CLIENT1, use the Make New Connection Wizard to create a new VPN connection named PPTPtoCorpnet, using the VPN server IP address of 10.0.0.2.

  2. Right-click the new PPTPtoCorpnet connection, and then click Properties.

  3. Click the Networking tab, and then in Type of VPN, click Point to Point Tunneling Protocol.

  4. Click OK to save changes to the PPTPtoCorpnet connection.

Make the PPTP connection

  1. On CLIENT1, double-click the PPTPtoCorpnet connection.

  2. In the PPTPtoCorpnet dialog box, type PPTPUser@testlab.microsoft.com as the user name, type the password, and then select the Save this user name and password to use when check box.

  3. Click Connect.

Access Web server and file share on the intranet

  1. On CLIENT1, run Internet Explorer.

  2. When prompted by the Internet Connection Wizard, configure it for a LAN connection.

  3. In Internet Explorer, in Address, type https://IIS1.testlab.microsoft.com/win2000.gif. You should see a Windows 2000 graphic.

  4. On CLIENT1, click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.

Disconnect the PPTP connection
On CLIENT1, right-click the PPTPtoCorpnet connection and then click Disconnect.

L2TP-based remote access
To create an L2TP-based remote access VPN connection between CLIENT1 and VPN1 and test whether intranet resources are available, perform the following:

Create a user account
On DC1, use Active Directory Users and Computers to create a user account named L2TPUser with a password. Set the remote access permission on the Dial-in tab to Allow access.

Create the L2TP connection

  1. On CLIENT1, use the Make New Connection Wizard to create a new VPN connection named L2TPtoCorpnet, using the VPN server IP address of 10.0.0.2.

  2. Right-click the new L2TPtoCorpnet connection, and then click Properties.

  3. Click the Networking tab, and then in Type of VPN, click Layer 2 Tunneling Protocol.

  4. Click OK to save changes to the L2TPtoCorpnet connection.

Make the L2TP connection

  1. On CLIENT1, double-click the L2TPtoCorpnet connection.

  2. In the L2TPtoCorpnet dialog box, type L2TPUser@testlab.microsoft.com as the user name, type the password, and then select the Save this user name and password to use when check box.

  3. Click Connect.

Access Web server and file share on the intranet

  1. On CLIENT1, run Internet Explorer.

  2. In Internet Explorer, in Address, type https://IIS1.testlab.microsoft.com/win2000.gif. You should see a Windows 2000 graphic.

  3. On CLIENT1, click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.

Disconnect the L2TP connection
On CLIENT1, right-click the L2TPtoCorpnet connection and then click Disconnect.

RADIUS authentication and accounting
To configure RADIUS authentication and accounting for VPN connections, perform the following:

Configure IAS1 for VPN1 as a RADIUS client
On IAS1, add VPN1 as a RADIUS client using the IP address of 172.16.0.4 and a shared secret. To add a RADIUS client, right-click the Clients folder and click New Client in the Internet Authentication Service snap-in.

Configure IAS1 to log authentication events
On IAS1, enable the logging of accounting and authentication requests from the Settings tab in the properties of the Local File object in the Remote Access Logging folder in the Internet Authentication Service snap-in.

Configure VPN1 for IAS1 as a RADIUS server
On VPN1, add IAS1 as a RADIUS server for both the authentication and accounting provider at the IP address of 172.16.0.2 and the shared secret. To configure the Routing and Remote Access service for RADIUS, open the properties of the VPN server and click the Security tab. For RADIUS authentication, select RADIUS authentication as the authentication provider and click Configure to add IAS1 as the RADIUS server. For RADIUS accounting, select RADIUS accounting as the accounting provider and click Configure to add IAS1 as the RADIUS server.

Make PPTP and L2TP connections

  1. On CLIENT1, make a PPTP connection with VPN1 using the PPTPtoCorpnet connection.

  2. Disconnect the PPTP connection.

  3. On CLIENT1, make an L2TP connection with VPN1 using the L2TPtoCorpnet connection.

  4. Disconnect the L2TP connection.

Check the system event log for RADIUS events
On IAS1, use Event Viewer to view IAS events in the system event log for the PPTP and L2TP connections that were recently created using CLIENT1.

Check RADIUS authentication and accounting logs
On IAS1, use Windows Explorer to open the SystemRoot\System32\Logfiles\Iaslog.log file. Note the authentication and accounting entries for the PPTP and L2TP connections that were recently created using CLIENT1.

Remote access policies for different types of VPN connections
To create remote access policies for different types of VPN connections, do the following:

Create separate remote access policies for PPTP and L2TP connections

  1. On IAS1, create a new remote access policy with the following settings:

     Policy name: PPTP connections

     Conditions:

          NAS-Port-Type matches Virtual (VPN)

          Tunnel-Type matches Point-to-Point Tunneling Protocol (PPTP)

     Permission: Grant remote access permission

     Profile settings, IP tab:

          From client packet filter:

               Filter action: Deny all traffic except those listed below

               Destination network, IP address: 172.16.0.1

               Destination network, Subnet mask: 255.255.255.255

               Protocol: Any

          To client packet filter:

               Filter action: Deny all traffic except those listed below

               Source network, IP address: 172.16.0.1

               Source network, Subnet mask: 255.255.255.255

               Protocol: Any

  2. Create a new custom remote access policy with the following settings:

     Policy name: L2TP connections

     Conditions:

          NAS-Port-Type matches Virtual (VPN)

          Tunnel-Type matches Layer Two Tunneling Protocol (L2TP)

     Permission: Grant remote access permission

     Profile settings, IP tab:

          From client packet filter:

               Filter action: Deny all traffic except those listed below

               Destination network, IP address: 172.16.0.2

               Destination network, Subnet mask: 255.255.255.255

               Protocol: Any

          To client packet filter:

               Filter action: Deny all traffic except those listed below

               Source network, IP address: 172.16.0.2

               Source network, Subnet mask: 255.255.255.255

               Protocol: Any

Make a PPTP connection and test connectivity

  1. On CLIENT1, make a VPN connection with VPN1 using the PPTPtoCorpnet connection.

  2. Use the ping command to ping DC1 at its IP address of 172.16.0.1.

  3. Use the ping command to ping IAS1 at its IP address of 172.16.0.2. This command fails because packet filtering for all connections that match the PPTP connections policy allows only traffic sent to and from the IP address of 172.16.0.1.

  4. Disconnect the PPTPtoCorpnet connection.

Make an L2TP connection and test connectivity

  1. On CLIENT1, make a VPN connection with VPN1 using the L2TPtoCorpnet connection.

  2. Use the ping command to ping IAS1 at its IP address of 172.16.0.2.

  3. Use the ping command to ping DC1 at its IP address of 172.16.0.1. This command fails because packet filtering for all connections that match the L2TP connections policy allows only traffic sent to and from the IP address of 172.16.0.2.

  4. Disconnect the L2TPtoCorpnet connection.
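The policy selection and packet-filter behaviour behind the two remote access policies and the connectivity tests above (the PPTP connection reaches DC1 but not IAS1, the L2TP connection the reverse), modelled as an added Python example; this is not code from the original Microsoft documentation. The policy and attribute representation, the helper names, and the client address 172.16.0.248 (the first address of the pool configured on VPN1) are this example's own assumptions, and the filter helper accepts any subnet mask, not only the single-host mask the lab uses.

```python
import ipaddress
def in_net(addr, net_ip, mask):
    # A 255.255.255.255 mask, as used in both policies, matches exactly one host.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net_ip}/{mask}", strict=False)

class PacketFilter:
    """'Deny all traffic except those listed below': a packet passes only if an exception matches."""
    def __init__(self, exceptions):
        self.exceptions = exceptions  # each: optional "src"/"dst" as (ip, mask), optional "proto"
    def allows(self, src, dst, proto):
        for e in self.exceptions:
            if "src" in e and not in_net(src, *e["src"]):
                continue
            if "dst" in e and not in_net(dst, *e["dst"]):
                continue
            if e.get("proto", "Any") not in ("Any", proto):
                continue
            return True
        return False

HOST = "255.255.255.255"
# Constructed model of the two policies configured on IAS1; attribute values are assumed.
POLICIES = [
    {"name": "PPTP connections",
     "conditions": {"NAS-Port-Type": "Virtual (VPN)", "Tunnel-Type": "PPTP"},
     "from_client": PacketFilter([{"dst": ("172.16.0.1", HOST)}]),   # only to DC1
     "to_client": PacketFilter([{"src": ("172.16.0.1", HOST)}])},    # only from DC1
    {"name": "L2TP connections",
     "conditions": {"NAS-Port-Type": "Virtual (VPN)", "Tunnel-Type": "L2TP"},
     "from_client": PacketFilter([{"dst": ("172.16.0.2", HOST)}]),   # only to IAS1
     "to_client": PacketFilter([{"src": ("172.16.0.2", HOST)}])},    # only from IAS1
]

def match_policy(attrs):
    # IAS evaluates policies in order; the first one whose conditions all match is applied.
    for pol in POLICIES:
        if all(attrs.get(k) == v for k, v in pol["conditions"].items()):
            return pol
    return None

def ping_succeeds(pol, client_ip, target_ip):
    # The echo request must pass the from-client filter and the reply the to-client filter.
    return (pol["from_client"].allows(client_ip, target_ip, "ICMP")
            and pol["to_client"].allows(target_ip, client_ip, "ICMP"))

def run_test(tunnel_type, targets, client_ip="172.16.0.248"):
    # Client address taken from the pool VPN1 assigns (172.16.0.248-255).
    pol = match_policy({"NAS-Port-Type": "Virtual (VPN)", "Tunnel-Type": tunnel_type})
    if pol is None:
        return None, {}  # no policy matched: the connection attempt is rejected
    return pol["name"], {t: ping_succeeds(pol, client_ip, t) for t in targets}
```

Calling run_test("PPTP", ["172.16.0.1", "172.16.0.2"]) reports the PPTP connections policy with only the ping to 172.16.0.1 succeeding, matching the result described in the tests above.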

Check the system event log for IAS events
On IAS1, use Event Viewer to view the IAS events in the system event log for the PPTP and L2TP connections that were recently created by CLIENT1. Note that the authentication event message text contains the name of the remote access policy that accepted the connection.