Remote Site Connection and Static Routed IP Network Example

Applies To: Windows Server 2008, Windows Server 2008 R2

Note

This topic serves as both a remote site example and a static routing example.

The Chicago and Phoenix branch offices of Fabrikam, Inc. are connected to the corporate office by using persistent router-to-router VPN connections that stay connected 24 hours a day. The routers running Windows Server 2008 R2 in the Chicago and Phoenix offices are equipped with T1 WAN adapters that have a permanent connection to a local Internet service provider to gain access to the Internet.

The Chicago branch office uses the IP network ID of 192.168.9.0 with a subnet mask of 255.255.255.0. The Chicago branch office router uses the public IP address of 131.107.0.1 for its Internet interface. The Phoenix branch office uses the IP network ID of 192.168.14.0 with a subnet mask of 255.255.255.0. The Phoenix branch office router uses the public IP address of 131.107.128.1 for its Internet interface.

The VPN connection is a two-way initiated connection. The connection is initiated from either the branch office router or the corporate office router. Two-way initiated connections require the creation of demand-dial interfaces, remote access network policies, IP address pools, and packet filters on the routers on both sides of the connection.

The following illustration shows the Fabrikam, Inc. VPN server that provides persistent branch office connections.

To deploy persistent router-to-router VPN connections that connect the Chicago and Phoenix branch offices to the corporate office based on the settings configured in Common Configuration for the VPN Server, the following additional settings are configured.

Domain configuration

For the Chicago office VPN connection that is initiated by the Chicago router, the user account VPN_Chicago is created with the following settings:

  • Password of U9!j5dP(%q1.

  • For the dial-in properties on the VPN_Chicago account, the network access permission is set to Control access through NPS Network Policy.

  • For the account properties on the VPN_Chicago account, the Password never expires account option is enabled.

  • The VPN_Chicago account is added to the VPN_Routers group in Active Directory Domain Services (AD DS).

For the Phoenix office VPN connection that is initiated by the Phoenix router, the user account VPN_Phoenix is created with the following settings:

  • Password of z2F%s)bW$4f.

  • For the dial-in properties on the VPN_Phoenix account, the network access permission is set to Control access through NPS Network Policy.

  • For the account properties on the VPN_Phoenix account, the Password never expires account option is enabled.

  • The VPN_Phoenix account is added to the VPN_Routers group in AD DS.

For the VPN connections to either branch office that are initiated by the corporate headquarters VPN server, the user account VPN_CorpHQ is created with the following settings:

  • Password of o3\Dn6@`-J4.

  • For the dial-in properties on the VPN_CorpHQ account, the network access permission is set to Control access through NPS Network Policy.

  • For the account properties on the VPN_CorpHQ account, the Password never expires account option is enabled.

  • The VPN_CorpHQ account is added to the VPN_Routers group in AD DS.

Network policy configuration for the VPN server

To define the authentication and encryption settings for the corporate headquarters VPN server, the following network policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS Port Type is set to Virtual (VPN).

    • Windows Groups is set to VPN_Routers.

    • Called Station ID is set to 207.209.68.1.

  • Permission is set to Grant access.

  • Network Policy Server (NPS) policy settings:

    • On the Constraints tab, under Authentication Method, add Microsoft: Smart Card or other certificate as an EAP type, and then enable Microsoft Encrypted Authentication version 2 (MS-CHAP v2).

    • On the Settings tab, under Encryption, select Strong encryption (MPPE 56-bit) and Strongest encryption (MPPE 128-bit).

Note

The Calling Station ID is set to the IP address of the “Internet Connection” interface for the VPN server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from within the Fabrikam, Inc. intranet are not permitted. Fabrikam, Inc. users that require Internet access from the Fabrikam, Inc. intranet must go through the Fabrikam, Inc. proxy server (not shown), where Internet access is controlled and monitored.

Network policy configuration for the Chicago router

To define the authentication and encryption settings for the VPN connections, the default policies are deleted, and the following remote access network policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS Port Type is set to Virtual (VPN).

    • Windows Groups is set to VPN_Routers.

    • Calling Station ID is set to 131.107.0.1.

  • Permission is set to Grant access.

  • NPS policy settings:

    • On the Constraints tab, under Authentication Method, add Microsoft: Smart Card or other certificate as an EAP type, and then enable Microsoft Encrypted Authentication version 2 (MS-CHAP v2).

    • On the Settings tab, under Encryption, select Strong encryption (MPPE 56-bit) and Strongest encryption (MPPE 128-bit).

Note

The Calling Station ID is set to the IP address of the Internet interface for the branch office router. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Fabrikam, Inc. branch office network are not permitted.

Network policy configuration for the Phoenix router

To define the authentication and encryption settings for the VPN connections, the default policies are deleted, and the following remote access network policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS Port Type is set to Virtual (VPN).

    • Windows Groups is set to VPN_Routers.

    • Called Station ID is set to 131.107.128.1.

  • Permission is set to Grant access.

  • NPS policy settings:

    • On the Constraints tab, under Authentication Method, add Microsoft: Smart Card or other certificate as an EAP type, and then enable Microsoft Encrypted Authentication version 2 (MS-CHAP v2).

    • On the Settings tab, under Encryption, select Strong encryption (MPPE 56-bit) and Strongest encryption (MPPE 128-bit) so that they are the only options selected.

Note

The Calling Station ID is set to the IP address of the Internet interface for the branch office router. Only tunnels initiated from the Internet are allowed. Tunnels initiated from within the Fabrikam, Inc. branch office network are not permitted.
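The three policy sections above all rely on the same NPS behaviour: every condition must match before the policy applies, and because the default policies were deleted, a request that matches no policy is rejected. The following Python is an added example (not code from this guide or from NPS) that models that evaluation for the corporate headquarters policy; the intranet address 10.0.0.1 and the account name alice are constructed placeholders, and the station-ID condition is modelled as the address of the Internet interface the tunnel terminates on.

```python
from dataclasses import dataclass

# Added example: constructed model of how NPS evaluates the "VPN Routers"
# policy described on this page. Every condition must match for the policy
# to apply; with the default policies deleted, an unmatched request is rejected.

@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    nas_port_type: str      # condition: NAS Port Type
    windows_group: str      # condition: Windows Groups
    station_id: str         # condition: Internet interface the tunnel arrives on
    mppe_bits: frozenset    # setting: MPPE strengths the policy allows

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    nas_port_type: str
    station_id: str         # address the tunnel was terminated on
    mppe_bits: int          # encryption strength the peer negotiated

# Policy on the corporate headquarters VPN server (values from the page).
CORP_HQ_POLICY = NetworkPolicy("VPN Routers", "Virtual (VPN)", "VPN_Routers",
                               "207.209.68.1", frozenset({56, 128}))

def evaluate(policies, req):
    """Walk the policies in order, as NPS does; return (decision, policy name)."""
    for pol in policies:
        if not (req.nas_port_type == pol.nas_port_type
                and pol.windows_group in req.groups
                and req.station_id == pol.station_id):
            continue                      # conditions fail: try the next policy
        if req.mppe_bits not in pol.mppe_bits:
            return "reject", pol.name     # matched, but fails the encryption setting
        return "grant", pol.name
    return "reject", None                 # nothing matched: NPS rejects

ROUTERS = frozenset({"VPN_Routers"})
# Chicago router dialling the corporate VPN server over the Internet.
from_internet = AccessRequest("VPN_Chicago", ROUTERS, "Virtual (VPN)", "207.209.68.1", 128)
# Same account, but the tunnel arrives on an intranet interface (10.0.0.1 is a constructed placeholder).
from_intranet = AccessRequest("VPN_Chicago", ROUTERS, "Virtual (VPN)", "10.0.0.1", 128)
# Account that is not in the VPN_Routers group ("alice" is constructed).
not_router = AccessRequest("alice", frozenset({"Domain Users"}), "Virtual (VPN)", "207.209.68.1", 128)
# Router offering only 40-bit MPPE, which the policy's encryption setting excludes.
weak_crypto = AccessRequest("VPN_Phoenix", ROUTERS, "Virtual (VPN)", "207.209.68.1", 40)
for req in (from_internet, from_intranet, not_router, weak_crypto):
    print(req.user, req.station_id, req.mppe_bits, evaluate([CORP_HQ_POLICY], req))
```

Only the tunnel that arrives on the Internet interface, from an account in VPN_Routers, with 56- or 128-bit MPPE is granted; the intranet-originated tunnel never matches the policy and is rejected by default.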

IP address pool configuration

IP address pools must be configured at the VPN server, the Chicago router, and the Phoenix router.

IP address pool configuration at the VPN server

The IP address pool configuration for the VPN server is the same as described in Common Configuration for the VPN Server in this guide.

IP address pool configuration at the Chicago router

A static IP address pool with a starting IP address of 192.168.9.248 and an ending IP address of 192.168.9.253 is configured. This creates a static address pool for up to five VPN clients.

For more information, see Configure the Routing and Remote Access Service and Demand-Dial Interfaces in the RRAS Deployment Guide.

IP address pool configuration at the Phoenix router

A static IP address pool with a starting IP address of 192.168.14.248 and an ending IP address of 192.168.14.253 is configured. This creates a static address pool for up to five VPN clients.

For more information, see Configure the Routing and Remote Access Service and Demand-Dial Interfaces in the RRAS Deployment Guide.
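As an added example (not code from this guide), the following Python checks the two branch office pools above against their branch networks. It assumes the RRAS behaviour that the first address of a static pool is assigned to the router's own internal interface, which is why a six-address pool serves up to five remote peers.

```python
import ipaddress

# Added example: constructed check of the static address pools on this page.
# It assumes the RRAS behaviour that the first address of a static pool is
# taken by the router's own internal interface, so a pool of n addresses
# serves n - 1 remote peers (which is why 248-253 gives "up to five").

BRANCHES = {
    # branch: (branch network, pool start, pool end)  -- values from the page
    "Chicago": ("192.168.9.0/24", "192.168.9.248", "192.168.9.253"),
    "Phoenix": ("192.168.14.0/24", "192.168.14.248", "192.168.14.253"),
}

def pool_addresses(start, end):
    """Expand a start/end pair into the list of addresses in the pool."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"pool end {end} precedes start {start}")
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]

def check_pool(network, start, end):
    """Return (peer capacity, problems) for one router's static address pool."""
    net = ipaddress.ip_network(network)
    addrs = pool_addresses(start, end)
    problems = []
    for addr in addrs:
        if addr not in net:
            problems.append(f"{addr} lies outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
    return len(addrs) - 1, problems   # first address is the router's own

def check_overlap(branches):
    """Report pools whose addresses fall inside another branch's network."""
    clashes = []
    for name, (_, start, end) in branches.items():
        for other, (other_net, _, _) in branches.items():
            if name == other:
                continue
            net = ipaddress.ip_network(other_net)
            if any(addr in net for addr in pool_addresses(start, end)):
                clashes.append((name, other))
    return clashes

if __name__ == "__main__":
    for name, (net, start, end) in BRANCHES.items():
        print(name, check_pool(net, start, end))
    print("overlaps:", check_overlap(BRANCHES))
```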

For more information about the corporate router and branch office router configuration, see: