Share via


The Cable Guy - October 2001

Demand-Dial Routing and Router-to-Router VPNs in Windows 2000

TechNet's The Cable Guy

By The Cable Guy

The Windows 2000 Routing and Remote Access service includes support for demand-dial routing (also known as dial-on-demand routing) over both dial-up connections (such as analog phone lines or ISDN) and virtual private network (VPN) connections. Demand-dial routing is the forwarding of packets across a Point-to-Point Protocol (PPP) link. The PPP link is represented inside the Windows 2000 Routing and Remote Access service as a demand-dial interface, which can be used to create on-demand connections across dial-up, non-permanent, or persistent media.

Demand-dial connections allow you to use dial-up telephone lines instead of leased lines for low-traffic situations and to leverage the connectivity of the Internet to connect branch offices with VPN connections.

Demand-dial routing is not the same as remote access. While remote access connects a single computer to a network; demand-dial routing connects entire networks. However, both use PPP as the protocol through which to negotiate and authenticate the connection and encapsulate the data sent over it. As implemented in the Windows 2000 Routing and Remote Access service, both remote access and demand-dial connections can be enabled separately. However, they still share the same:

  • Dial-in properties behavior of user accounts.
  • Security (authentication protocols and encryption).
  • Remote access policies usage.
  • Windows or Remote Authentication Dial-In User Service (RADIUS) usage (for authentication, authorization, and accounting).
  • IP and Internetwork Packet Exchange (IPX) address assignment and configuration.
  • PPP features usage, such as Microsoft Point-to-Point Compression (MPPC), Multilink PPP, and Bandwidth Allocation Protocol (BAP).
  • Troubleshooting facilities, including event logging, Windows or RADIUS authentication and accounting logging, and tracing.

While the concept of demand-dial routing is fairly simple, configuration of demand-dial routing is relatively complex. This complexity is due to the following factors:

  • Connection endpoint addressing

    The connection must be made over public data networks, such as the analog phone system or the Internet. The endpoint of the connection must be identified by a phone number for dial-up connections, and either a fully qualified host name or IP address for VPN connections.

  • Authentication and authorization of the caller

    Anyone calling the router must be authenticated and authorized. Authentication is based on the caller's set of credentials that are passed during the connection establishment process. The credentials that are passed must correspond to a Windows 2000 account. Authorization is granted based on the dial-in properties of the Windows 2000 account and remote access policies.

  • Differentiation between remote access clients and calling routers

    Both routing and remote access services coexist on the same computer running Windows 2000 Server. Both remote access clients and demand-dial routers can initiate a connection. The computer running Windows 2000 Server that answers a connection attempt must be able to distinguish a remote access client from a demand-dial router.

    If the user name, which is in the authentication credentials sent by the computer that initiates the connection (the calling computer), matches the name of a demand-dial interface on the Windows 2000 Server that answers the connection attempt (the answering computer), the connection is a demand-dial connection. Otherwise, the incoming connection is a remote access connection.

  • Configuration of both ends of the connection

    Both ends of the connection must be configured, even if only one end of the connection is initiating a demand-dial connection. Configuring only one side of the connection means that packets are successfully routed in only one direction. Communication generally requires that information travel in both directions.

  • Configuration of static routes

    You should not use dynamic routing protocols over temporary demand-dial connections. Therefore, routes for network IDs that are available across the demand-dial interface must be added, as static routes, to the routing tables of the demand-dial routers. You can add static routes manually or by using auto-static updates.

Demand-Dial Routing Example

The following illustration shows the configuration of two offices that connect to each other's networks across the Internet by using a router-to-router VPN connection.

cg100101

The Seattle office has a computer running Windows 2000 Server that acts as both remote access VPN server and demand-dial router. All computers in the Seattle office are connected to the 172.16.1.0/24 network (subnet mask 255.255.255.0). The Seattle router (Router 1) has an Internet interface that is assigned the public IP address 131.107.21.178.

The New York office has a computer running Windows 2000 Server that acts as both remote access server and demand-dial router. All computers in the New York office are connected to the 172.16.2.0/24 network (subnet mask 255.255.255.0). The New York router (Router 2) has an Internet interface that is assigned the public IP address 157.60.234.17.

All computers in both offices are in the example.microsoft.com domain.

To deploy demand-dial routing for the router-to-router VPN connection in this example, the following steps are performed:

  • Configure and enable the Routing and Remote Access service on Router 1.
  • Configure a demand-dial interface on Router 1.
  • Configure and enable the Routing and Remote Access service on Router 2.
  • Configure a demand-dial interface on Router 2.
  • Establish the router-to-router VPN connection.
  • Configure routing.

Configuring and enabling the Routing and Remote Access service on Router 1

To configure and enable the Routing and Remote Access service on Router 1, run the Routing and Remote Access Server Setup Wizard and select the Virtual Private Network (VPN) server common configuration. For more information, see Configuring the Routing and Remote Access Service in Windows 2000 (the Cable Guy article from June, 2001).

Configuring a demand-dial interface on Router 1

From the Routing and Remote Access snap-in on Router 1, perform the following steps:

  1. In the console tree, right-click Routing Interfaces, and then click New Demand-dial Interface.

  2. In the Welcome to the Demand-Dial Interface Wizard dialog box, click Next.

  3. In the Interface Name dialog box, type the name of the demand-dial interface, and then click Next.

    For this example, the name DD_NewYork is used.

  4. In the Connection Type dialog box, click Connect using virtual private networking (VPN), and then click Next.

  5. In the VPN Type dialog box, click Point to Point Tunneling Protocol (PPTP), and then click Next.

  6. In the Destination Address dialog box, type the host name or IP address of Router 2.

    For this example, the IP address of 157.60.234.17 is used. IP addresses, rather than host names, are used to simplify this example.

  7. In the Protocols and Security dialog box, select the Route IP packets on this interface and Add a user account so that a remote router can dial in check boxes, and then click Next.

  8. In the Dial In Credentials dialog box, type the password of the user account used by Router 2 in Password and Confirm password, and then click Next. This step automatically creates a user account with the same name as the demand-dial interface that is being created. This is done so that when Router 2 initiates a connection to Router 1, it is using a user account name that matches the name of a demand-dial interface. Therefore, Router 1 can determine that the incoming connection from Router 2 is a demand-dial connection rather than a remote access connection.

    For this example, the user account name is DD_NewYork and the password is h8#dW@93z~[Fc6$Q.

  9. In the Dial Out Credentials dialog box, type the user name in User name, the user account domain name in Domain, and the user account password in both Password and Confirm password.

    For this example, the user name DD_Seattle, the domain name example.microsoft.com, and the password of 7%uQv45l?p!kWy9* are used.

  10. In the Completing the demand-dial interface wizard dialog box, click Finish.

The result of this configuration is a VPN-based demand-dial interface over which IP routing is enabled. A user account with the same name as the demand-dial interface is automatically added with correct account and dial-in settings.

For this example, the following is created:

  • On Router 1, a PPTP-based demand-dial interface named DD_NewYork that uses as its credentials the user name DD_Seattle, the domain name example.microsoft.com, and the password of 7%uQv45l?p!kWy9* when it initiates a VPN connection to the IP address of 157.60.234.17.
  • A user account named DD_NewYork with the password h8#dW@93z~[Fc6$Q in the example.microsoft.com domain.

Configuring and enabling the Routing and Remote Access service on Router 2

To configure and enable the Routing and Remote Access service on Router 2, run the Routing and Remote Access Server Setup Wizard and select the Virtual Private Network (VPN) server common configuration. For more information, see Configuring the Routing and Remote Access Service in Windows 2000.

Configuring a demand-dial interface on Router 2

From the Routing and Remote Access snap-in on the calling router, perform the following steps:

  1. In the console tree, right-click Routing Interfaces, and then click New Demand-dial Interface.

  2. In the Welcome to the Demand-Dial Interface Wizard dialog box, click Next.

  3. In the Interface Name dialog box, type the name of the interface on Router 2 (this is the same name as the user account name in the user credentials for Router 1), and then click Next.

    For this example, the name DD_Seattle is used.

  4. In the Connection Type dialog box, click Connect using virtual private networking (VPN), and then click Next.

  5. In the VPN Type dialog box, click Point to Point Tunneling Protocol (PPTP), and then click Next.

  6. In the Destination Address dialog box, type the host name or IP address of Router 1.

    For this example, the IP address of 131.107.21.178 is used.

  7. In the Protocols and Security dialog box, select the Route IP packets on this interface and Add a user account so that a remote router can dial in check boxes, and then click Next.

  8. In the Dial In Credentials dialog box, type the password of the user account that is used by the answering router in both Password and Confirm password, and then click Next. This step automatically creates a user account with the same name as the demand-dial interface that is being created. This is done so that when Router 1 initiates a connection to Router 2, it is using a user account name that matches the name of a demand-dial interface. Therefore, Router 2 can determine that the incoming connection from Router 1 is a demand-dial connection rather than a remote access connection.

    For this example, the user account name is DD_Seattle and the password is 7%uQv45l?p!kWy9*.

  9. In the Dial Out Credentials dialog box, type the user name in User name, the user account domain name in Domain, and the user account password in both Password and Confirm password.

    For this example, the user name DD_NewYork, the domain name example.microsoft.com, and the password of h8#dW@93z~[Fc6$Q are used.

  10. In the Completing the demand-dial interface wizard dialog box, click Finish.

The result of this configuration is a VPN-based demand-dial interface over which IP routing is enabled. A user account with the same name as the demand-dial interface is automatically added with the correct account and dial-in settings.

For this example, the following is created:

  • On Router 2, a PPTP-based demand-dial interface named DD_Seattle that uses as its credentials the user name DD_NewYork, the domain name example.microsoft.com, and the password of h8#dW@93z~[Fc6$Q when it initiates a connection to Router 1 at the IP address of 131.107.21.178.
  • A user account named DD_Seattle with the password of 7%uQv45l?p!kWy9* in the example.microsoft.com domain.

Establishing the router-to-router VPN connection

Because a two-way initiated router-to-router VPN connection has been configured, the connection can be initiated by performing the following steps from the Routing and Remote Access snap-in on either Router 1 or Router 2:

  1. Click Routing Interfaces in the console tree.
  2. In the details pane, right-click the demand-dial interface, and then click Connect.

For this example, either the DD_NewYork demand-dial interface on Router 1 or the DD_Seattle demand-dial interface on Router 2 would be right-clicked.

Configuring routing

After the demand-dial VPN connection is established, a route must be added to Router 1 so that the locations on the 172.16.2.0/24 subnet of the New York office are reachable. In addition, a route must be added to Router 2 so that the locations on the 172.16.1.0/24 subnet of the Seattle office are reachable. This can be done through the following:

  • Manually configure static routes on Router 1 and Router 2.
  • Perform auto-static updates on Router 1 and Router 2.

If the router-to-router VPN connection is persistent (always active), you can also configure IP routing protocols such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) to operate over the demand-dial connection. For more information, see Windows 2000 online Help.

Manually configuring static routes

From the Routing and Remote Access snap-in at Router 1, perform the following steps:

  1. In the console tree, click IP Routing, and then click Static Routes.

  2. Right-click Static Routes, and then click New Static Route.

  3. In the Static Route dialog box, click or type the following:

    Interface: DD_NewYork

    Destination: 172.16.2.0

    Network mask: 255.255.255.0

    Metric: 1

  4. Click OK to add the route.

    Note Because the demand-dial connection is a point-to-point connection, the Gateway IP address is not configurable.

From the Routing and Remote Access snap-in at Router 2, perform the following steps:

  1. In the console tree, click IP Routing, and then click Static Routes.

  2. Right-click Static Routes, and then click New Static Route.

  3. In the Static Route dialog box, click or type the following:

    Interface: DD_Seattle

    Destination: 172.16.1.0

    Network mask: 255.255.255.0

    Metric: 1

  4. Click OK to add the route.

Note Because the demand-dial connection is a point-to-point connection, the Gateway IP address is not configurable.

Performing auto-static updates

To perform an auto-static update, the Routing Information Protocol (RIP) for IP routing protocol component must first be installed using the appropriate demand-dial interfaces. To configure RIP for IP on each router, perform the following:

  1. In the console tree, click IP Routing, right-click General, and then click Add Routing Protocol.
  2. In the New Routing Protocol dialog box, click RIP Version 2 for Internet Protocol, and then click OK.
  3. In the console tree, right-click the RIP routing protocol component, and then click New Interface.
  4. From the New Interface for RIP Version 2 for Internet Protocol dialog box, click the appropriate demand-dial interface, and then click OK.
  5. From the RIP Properties dialog box, click OK.

After RIP for IP is configured on both routers, auto-static updated can be performed.

From the Routing and Remote Access snap-in on Router 1 (assuming the router-to-router VPN connection is active), perform the following steps:

  1. In the console tree, click IP Routing, and then click General.
  2. In the details pane, right-click the DD_NewYork demand-dial interface, and then click Update Routes.

From the Routing and Remote Access snap-in on Router 2 (assuming the router-to-router VPN connection is active), perform the following steps:

  1. In the console tree, click IP Routing, and then click General.
  2. In the details pane, right-click the DD_Seattle demand-dial interface, and then click Update Routes.

Note An auto-static update is a one-time, one-way exchange of routing information. Therefore, you must perform both auto-static updates to get the correct routes on both Router 1 and Router 2.

The Resulting Configuration

The following illustration shows the demand-dial routing configuration in terms of the demand-dial interfaces, static routes, and user accounts for the Seattle and New York offices.

If your browser does not support inline frames, click here to view on a separate page.

This example shows a correct configuration for demand-dial routing. The user name from the user credentials of the demand-dial interface on the calling router must match the name of a demand-dial interface on the answering router in order for the incoming connection attempt to be considered a demand-dial connection. This relationship is summarized in the following table.

Router
Demand-dial interface name
User account name in user credentials
Router 1
DD_NewYork
DD_Seattle
Router 2
DD_Seattle
DD_NewYork

For More Information

For more information about demand-dial routing in Windows 2000, consult the following resources:

For a list of all The Cable Guy articles, click here.