Deploying a PPTP-based Router-to-Router VPN Connection

The deployment of PPTP-based router-to-router VPN connections using Windows 2000 consists of the following:

  • Deploy certificate infrastructure

  • Deploy Internet infrastructure

  • Deploy the answering router

  • Deploy the calling router

  • Deploy AAA infrastructure

  • Deploy site network infrastructure

  • Deploy intersite network infrastructure

Deploying certificate infrastructure

For PPTP-based VPN connections, a certificate infrastructure is needed only when you are using EAP-TLS authentication. If you are only using a password-based authentication protocol such as MS-CHAP v2, a certificate infrastructure is not required and is not used for the authentication of the VPN connection.

To use EAP-TLS authentication for router-to-router VPN connections, you must:

  • Install a user certificate on each calling router computer.

  • Configure EAP-TLS on the calling router.

  • Install a computer certificate on the authenticating server (the answering router or the RADIUS server).

  • Configure EAP-TLS on the answering router and remote access policy.

Installing a user certificate on a calling router

If you are using a Windows 2000 CA, a Router (Offline Request) certificate is created and mapped to an Active Directory user account. To deploy a Router (Offline Request) certificate for a calling router, the network administrator must:

  1. Configure the Windows 2000 CA to issue Router (Offline Request) certificates.

  2. Request a Router (Offline Request) certificate.

  3. Export the Router (Offline Request) certificate.

  4. Map the certificate to the appropriate user account.

  5. Send the Router (Offline Request) certificate to the network administrator of the calling router.

  6. Import the Router (Offline Request) certificate on the calling router.

For more information about deploying Router (Offline Request) certificates for demand-dial routing, see the topic titled "Branch office demand-dial connection" in Windows 2000 Server online Help.

For a third-party CA, see the documentation for the CA software for instructions about how to create a user certificate with the Client Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.2") and export it so that it can be mapped to an Active Directory user account and sent to the network administrator of the calling router. You must also export the root CA certificate, the certificate of the issuing CA, and the certificates of any intermediate CAs and import them to the proper folder of the computer certificate store of the answering router using the Certificate Manager snap-in.

Configuring EAP-TLS on the calling router

To configure EAP-TLS for user certificates on the calling router:

  • The demand-dial interface must be configured to use EAP with the Smart Card or other certificate EAP type by configuring advanced settings on the Security tab on the properties of a demand-dial interface. In the properties of the Smart Card or other certificate EAP type, select Use a certificate on this computer. If you want to validate the computer certificate of the VPN or IAS server, select Validate server certificate. If you want to ensure that the server's DNS name ends in a specific string, select Connect only if server name ends with and type the string. To require that the server's computer certificate was issued by a specific trusted root CA, select the CA in Trusted root certificate authority.

  • Right-click the demand-dial interface and click Credentials. In the Connect dialog box, select the proper user or Router (Offline Request) certificate in User name on certificate, and then click OK.

Installing a computer certificate on the authenticating server

To install a computer certificate, a certification authority must be present to issue certificates. If the CA is a Windows 2000 CA and the authenticating server is either the answering router or a Windows 2000 Internet Authentication Service (IAS) RADIUS server, you can install a certificate in the computer certificate store of the authenticating server in the following different ways:

  1. By configuring the automatic allocation of computer certificates to computers in a Windows 2000 domain.
    This method allows a single point of configuration for the entire domain. All members of the domain automatically receive a computer certificate through group policy.

  2. By using the Certificate Manager snap-in to request a certificate to store in the Certificates (Local Computer)\Personal folder.
    In this method, each computer must separately request a computer certificate from the CA. You must have administrator permissions to install a certificate using the Certificate Manager snap-in.

  3. By using Internet Explorer and web enrollment to request a certificate and store it in local machine store.
    In this method, each computer must separately request a computer certificate from the CA. You must have administrator permissions to install a certificate using Web enrollment.

Based on the certificate policies in your organization, you only need to perform one of these methods.

For more information about using the Windows 2000 CA to obtain computer certificates, see the topics titled "Machine certificates for L2TP over IPSec VPN connections" and "Submit an advanced certificate request via the Web" in Windows 2000 Server online Help.

For a third-party CA, see the documentation for the CA software for instructions about how to create a certificate with the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1") and export it so that it can be imported using the Certificate Manager snap-in by an administrator on the answering router. Additionally, the root CA certificate, the certificate of the issuing CA, and the certificates of any intermediate CAs must be exported and imported on the calling router.
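The two sections above require different certificate purposes on the two ends: Client Authentication (OID 1.3.6.1.5.5.7.3.2) on the calling router's certificate and Server Authentication (OID 1.3.6.1.5.5.7.3.1) on the authenticating server's. The following added example (not from the article or from any Microsoft tool) checks that requirement against the DER-encoded Extended Key Usage extension value of an exported certificate, which is the SEQUENCE OF OBJECT IDENTIFIER a certificate viewer shows under "Enhanced Key Usage"; the EKU blobs it builds are constructed here for the demonstration.

```python
"""Check a certificate's Extended Key Usage (EKU) for the purpose that a
PPTP router-to-router VPN role needs when EAP-TLS is used.

Added example; the DER helpers are written here, not taken from a library.
Input is the value of the EKU extension (id-ce-extKeyUsage, 2.5.29.37):
SEQUENCE OF OBJECT IDENTIFIER, as exported from the certificate.
"""

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # required on the calling router's user certificate
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # required on the answering router / IAS computer certificate
EKU_EXTENSION_OID = "2.5.29.37"     # the extension that carries these purposes


def _encode_base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, length, contents)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return b"\x06" + _encode_length(len(body)) + body


def encode_eku(oids):
    """DER-encode an EKU extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(body)) + body


def _read_length(buf, pos):
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def decode_oid(body):
    """Decode the contents octets of a DER OBJECT IDENTIFIER."""
    arcs, value, pending = [], 0, False
    for b in body:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(blob):
    """Return the list of dotted OIDs in a DER EKU extension value."""
    if not blob or blob[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    length, pos = _read_length(blob, 1)
    end = pos + length
    if end != len(blob):
        raise ValueError("SEQUENCE length does not match blob size")
    oids = []
    while pos < end:
        if blob[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at offset %d" % pos)
        length, pos = _read_length(blob, pos + 1)
        oids.append(decode_oid(blob[pos:pos + length]))
        pos += length
    return oids


def fit_for_role(eku_blob, role):
    """True if the EKU lists the purpose the role needs: 'calling' needs
    Client Authentication, 'answering' needs Server Authentication."""
    required = {"calling": CLIENT_AUTH, "answering": SERVER_AUTH}[role]
    return required in decode_eku(eku_blob)


# Constructed sample EKU values (not real certificates).
CALLING_ROUTER_EKU = encode_eku([CLIENT_AUTH])
ANSWERING_ROUTER_EKU = encode_eku([SERVER_AUTH])
CODE_SIGNING_EKU = encode_eku(["1.3.6.1.5.5.7.3.3"])   # wrong purpose for either role

if __name__ == "__main__":
    for name, blob in [("calling", CALLING_ROUTER_EKU), ("answering", ANSWERING_ROUTER_EKU)]:
        print(name, decode_eku(blob), fit_for_role(blob, name))
```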

Configuring EAP-TLS on the answering router and remote access policy

To configure EAP-TLS authentication on the answering router:

  • EAP must be enabled as an authentication type on the Authentication Methods dialog box available from the Security tab in the properties of the answering router in the Routing and Remote Access snap-in.

To configure EAP-TLS authentication on the remote access policy of either the answering router or the IAS server:

  • On the remote access policy that is being used for router-to-router VPN connections, EAP must be enabled with the Smart Card or other certificate EAP type selected on the Authentication tab on the policy's profile settings. If the computer on which the remote access policy is being configured has multiple computer certificates installed, configure the properties of the Smart Card or other certificate EAP type and select the appropriate computer certificate to submit during the EAP-TLS authentication process.

If you are using a third-party RADIUS server, see the RADIUS server documentation for information on how to enable EAP-TLS and configure EAP-TLS to use the correct computer certificate.

Deploying Internet infrastructure

Deploying the Internet infrastructure for router-to-router VPN connections consists of the following:

  • Place VPN routers in the perimeter network or on the Internet.

  • Install Windows 2000 Server on VPN router computers and configure Internet interfaces.

Placing VPN routers in perimeter network or on the Internet

Decide where to place the VPN routers in relation to your Internet firewall. In the most common configuration, the VPN routers are placed behind the firewall on the perimeter network between your site and the Internet. If so, configure packet filters on the firewall to allow PPTP traffic to and from the IP address of the VPN routers' perimeter network interfaces. For more information, see Appendix A.

Installing Windows 2000 Server on VPN routers and configuring Internet interfaces

Install Windows 2000 Server on each VPN router computer, connect it to either the Internet or the perimeter network with one network adapter, and connect it to the site with another network adapter. Until you run the Routing and Remote Access Server Setup Wizard, the VPN router computer does not forward IP packets between the Internet and the site. For the connection to the Internet or the perimeter network, configure the TCP/IP protocol with a public IP address, a subnet mask, and the default gateway of either the firewall (if the router is connected to a perimeter network) or an ISP router (if the router is directly connected to the Internet). Do not configure this connection with DNS server or WINS server IP addresses.
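The firewall filters called for above must admit both halves of PPTP: the TCP control connection on port 1723 and the tunnelled data carried in GRE (IP protocol 47). The following added example (not from the article or its Appendix A) models that filter for a VPN router on the perimeter network, in both directions so that two-way initiated connections work; the perimeter address 203.0.113.10 and the sample packets are constructed.

```python
"""Model of the perimeter firewall filter for PPTP VPN routers.

Added example, not a vendor rule set. A packet is allowed only when it is
PPTP traffic to or from a VPN router's perimeter interface; everything
else to or from that address is dropped. A filter that permits only TCP
1723 and forgets GRE lets the control connection succeed but drops all
tunnelled data, which is the most common misconfiguration.
"""
from dataclasses import dataclass

TCP, UDP, GRE = 6, 17, 47   # IP protocol numbers
PPTP_PORT = 1723            # PPTP control connection (TCP)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def pptp_filter(pkt, vpn_routers):
    """Return 'allow' or 'drop' for a packet crossing the Internet boundary.

    vpn_routers: set of perimeter-interface addresses of the VPN routers.
    """
    inbound = pkt.dst in vpn_routers     # Internet -> VPN router
    outbound = pkt.src in vpn_routers    # VPN router -> Internet
    if not (inbound or outbound):
        return "drop"                    # not VPN router traffic at all
    if pkt.proto == GRE:
        return "allow"                   # PPTP tunnelled data
    if pkt.proto == TCP:
        router_port, peer_port = (pkt.dport, pkt.sport) if inbound else (pkt.sport, pkt.dport)
        if router_port == PPTP_PORT:     # this router answers the control connection
            return "allow"
        if peer_port == PPTP_PORT:       # this router placed the call (two-way initiated)
            return "allow"
    return "drop"                        # anything else to or from the router


def audit(packets, vpn_routers):
    """Apply the filter to a batch of packets; returns [(packet, verdict)]."""
    return [(p, pptp_filter(p, vpn_routers)) for p in packets]


# Constructed samples: one VPN router on the perimeter network, one remote peer.
VPN_ROUTERS = {"203.0.113.10"}
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", TCP, 40000, PPTP_PORT),  # control, inbound
    Packet("203.0.113.10", "198.51.100.7", TCP, PPTP_PORT, 40000),  # control reply
    Packet("198.51.100.7", "203.0.113.10", GRE),                    # tunnelled data
    Packet("203.0.113.10", "198.51.100.7", TCP, 40001, PPTP_PORT),  # router calling out
    Packet("198.51.100.7", "203.0.113.10", TCP, 40000, 445),        # SMB to the router
    Packet("198.51.100.7", "203.0.113.10", UDP, 40000, PPTP_PORT),  # UDP 1723 is not PPTP
    Packet("198.51.100.7", "203.0.113.20", TCP, 40000, PPTP_PORT),  # not a VPN router
]

if __name__ == "__main__":
    for pkt, verdict in audit(SAMPLE_PACKETS, VPN_ROUTERS):
        print(verdict, pkt)
```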

Deploying the answering router

Deploying the answering router for a router-to-router VPN connection consists of the following:

  • Configure the answering router's connection to the site.

  • Run the Routing and Remote Access Server Setup Wizard.

  • Configure a demand-dial interface.

Configuring the answering router's connection to the site

Configure the connection connected to the site with a manual TCP/IP configuration consisting of IP address, subnet mask, site DNS servers, and site WINS servers. Note that you must not configure the default gateway on the site connection to prevent default route conflicts with the default route pointing to the Internet.

Running the Routing and Remote Access Server Setup Wizard

Run the Routing and Remote Access Server Setup Wizard to configure the Windows 2000 answering router using the following steps:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. Right-click your server name, and then click Configure and Enable Routing and Remote Access.

  3. In Common Configurations, click Virtual Private Network (VPN) server and then click Next. If you want to use the answering router computer as a network address translator (NAT), Web server, or other function, see Appendix B.

  4. In Remote Client Protocols, verify that all data protocols that you want to route over router-to-router VPN connections are present. By default, all of the protocols that can be used with a remote access or router-to-router VPN connection are listed. Click Next.

  5. In Internet Connection, click the connection that corresponds to the interface connected to the Internet or your perimeter network, and then click Next.

  6. In IP Address Assignment, click Automatic if the answering router should use DHCP to obtain IP addresses for calling routers. Or, click From a specified range of addresses to use one or more static ranges of addresses. If any of the static address ranges is an off-subnet address range, routes must be added to the routing infrastructure in order for the virtual interfaces of calling routers to be reachable. When IP address assignment is complete, click Next.

  7. In Managing Multiple Remote Access Servers, if you are using RADIUS for authentication and authorization, click Yes, I want to use a RADIUS server, and then click Next.

    • In RADIUS Server Selection, configure the primary (mandatory) and secondary (optional) RADIUS servers and the shared secret, and then click Next.

  8. Click Finish.

  9. Start the Routing and Remote Access service when prompted.

By default, only 128 PPTP ports are configured on the WAN Miniport (PPTP) device. If you need more PPTP ports, configure the WAN Miniport (PPTP) device from the properties of the Ports object in the Routing and Remote Access snap-in.

By default, only the MS-CHAP and MS-CHAP v2 protocols are enabled. If you are using user certificates for authentication, select Extensible Authentication Protocol (EAP) check box from the Authentication Methods dialog box available from the Security tab on the properties of the answering router computer in the Routing and Remote Access snap-in.

Configuring a demand-dial interface

From the Routing and Remote Access snap-in on the answering router, perform the following steps:

  1. In the console tree, right-click Routing Interfaces, and then click New Demand-dial Interface.

  2. In the Welcome to the Demand-Dial Interface Wizard dialog box, click Next.

  3. In the Interface Name dialog box, type the name of the demand-dial interface, and then click Next.

  4. In the Connection Type dialog box, click Connect using virtual private networking (VPN), and then click Next.

  5. In the VPN Type dialog box, click Point to Point Tunneling Protocol (PPTP), and then click Next.

  6. In the Destination Address dialog box, type the IP address of the calling router.

    For a two-way-initiated router-to-router VPN connection, configure the IP address of the calling router. For a one-way initiated router-to-router VPN connection, you can skip this step because the answering router never uses this interface to initiate a connection to the calling router.

  7. In the Protocols and Security dialog box, select the Route IP packets on this interface, Route IPX packets on this interface (if needed), and Add a user account so that a remote router can dial in check boxes, and then click Next.

  8. In the Dial In Credentials dialog box, type the password of the user account used by the calling router in Password and Confirm password, and then click Next. This step automatically creates a user account with the same name as the demand-dial interface that is being created. This is done so that when the calling router initiates a connection to the answering router, it is using a user account name that matches the name of a demand-dial interface. Therefore, the answering router can determine that the incoming connection from the calling router is a demand-dial connection rather than a remote access connection.

  9. In the Dial Out Credentials dialog box, type the user name in User name, the user account domain name in Domain, and the user account password in both Password and Confirm password.

    For a two-way-initiated router-to-router VPN connection, configure the name, domain, and password used when this router is acting as the calling router. For a one-way initiated router-to-router VPN connection, you can type any name in User name and skip the rest of the fields because this router never uses this interface to initiate a connection to the calling router.

  10. In the Completing the demand-dial interface wizard dialog box, click Finish.

The result of this configuration is a PPTP-based demand-dial interface over which IP routing is enabled. A user account with the same name as the demand-dial interface is automatically added with correct account and dial-in settings.

Deploying the calling router

Deploying the calling router for a router-to-router VPN connection consists of the following:

  • Configure the calling router's connection to the site.

  • Run the Routing and Remote Access Server Setup Wizard.

  • Configure a demand-dial interface.

Configuring the calling router's connection to the site

Configure the connection connected to the site with a manual TCP/IP configuration consisting of IP address, subnet mask, site DNS servers, and site WINS servers. Note that you must not configure the default gateway on the site connection to prevent default route conflicts with the default route pointing to the Internet.

Running the Routing and Remote Access Server Setup Wizard

Run the Routing and Remote Access Server Setup Wizard to configure the Windows 2000 calling router using the following steps:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. Right-click your server name, and then click Configure and Enable Routing and Remote Access.

  3. In Common Configurations, click Virtual Private Network (VPN) server and then click Next. If you want to use the calling router computer as a network address translator (NAT), Web server, or other function, see Appendix B.

  4. In Remote Client Protocols, verify that all data protocols that you want to route over router-to-router VPN connections are present. By default, all of the protocols that can be used with a remote access or router-to-router VPN connection are listed. Click Next.

  5. In Internet Connection, click the connection that corresponds to the interface connected to the Internet or your perimeter network, and then click Next.

  6. In IP Address Assignment, click Automatic if the calling router should use DHCP to obtain IP addresses for other calling routers when it is acting as an answering router. Or, click From a specified range of addresses to use one or more static ranges of addresses. If any of the static address ranges is an off-subnet address range, routes must be added to the routing infrastructure in order for the virtual interfaces of routers calling this router to be reachable. When IP address assignment is complete, click Next.

  7. In Managing Multiple Remote Access Servers, if you are using RADIUS for authentication and authorization, click Yes, I want to use a RADIUS server, and then click Next.

    • In RADIUS Server Selection, configure the primary (mandatory) and secondary (optional) RADIUS servers and the shared secret, and then click Next.

  8. Click Finish.

  9. Start the Routing and Remote Access service when prompted.

By default, only 128 PPTP ports are configured on the WAN Miniport (PPTP) device. If you need more PPTP ports, configure the WAN Miniport (PPTP) device from the properties of the Ports object in the Routing and Remote Access snap-in.

By default, only the MS-CHAP and MS-CHAP v2 protocols are enabled. If you are using user certificates for authentication, select Extensible Authentication Protocol (EAP) check box from the Authentication Methods dialog box available from the Security tab on the properties of this router computer in the Routing and Remote Access snap-in.

Configuring a demand-dial interface

From the Routing and Remote Access snap-in on the calling router, perform the following steps:

  1. In the console tree, right-click Routing Interfaces, and then click New Demand-dial Interface.

  2. In the Welcome to the Demand-Dial Interface Wizard dialog box, click Next.

  3. In the Interface Name dialog box, type the name of the demand-dial interface. For a two-way initiated connection, this is the same name as the user name in the user credentials used by the answering router when it is acting as a calling router. Click Next.

  4. In the Connection Type dialog box, click Connect using virtual private networking (VPN), and then click Next.

  5. In the VPN Type dialog box, click Point to Point Tunneling Protocol (PPTP), and then click Next.

  6. In the Destination Address dialog box, type the IP address of the answering router.

  7. In the Protocols and Security dialog box, select the Route IP packets on this interface, Route IPX packets on this interface (if needed) check boxes. For a two-way initiated connection, select the Add a user account so that a remote router can dial in check box. Click Next.

  8. For a two-way initiated connection, in the Dial In Credentials dialog box, type the password of the user account used by the answering router acting as a calling router in Password and Confirm password, and then click Next. This step automatically creates a user account with the same name as the demand-dial interface that is being created. This is done so that when the answering router acting as a calling router initiates a connection to this router, it is using a user account name that matches the name of a demand-dial interface. Therefore, this router can determine that the incoming connection from the answering router acting as a calling router is a demand-dial connection rather than a remote access connection.

  9. In the Dial Out Credentials dialog box, type the user name in User name, the user account domain name in Domain, and the user account password in both Password and Confirm password.

  10. In the Completing the demand-dial interface wizard dialog box, click Finish.

The result of this configuration is a PPTP-based demand-dial interface over which IP routing is enabled. A user account with the same name as the demand-dial interface is automatically added with correct account and dial-in settings.

Deploying AAA infrastructure

Deploying the AAA infrastructure for router-to-router VPN connections consists of the following:

  • Configure Active Directory for user accounts and groups.

  • Configure the primary IAS server on a domain controller.

  • Configure the secondary IAS server on a different domain controller.

This configuration must be done at each site containing an answering router. For branch offices with few computers and a single answering router, it is easier to configure the Routing and Remote Access service for Windows authentication and use locally configured remote access policies than configuring a separate IAS server computer.

Configuring Active Directory for user accounts and groups

To configure Active Directory for user accounts and groups, do the following:

  1. Ensure that all calling routers have a corresponding user account with the correct account and dial-in settings. This includes calling routers for branch offices and business partners. User accounts with the correct account and dial-in settings are automatically created when you select the Add a user account so that a remote router can dial in check box on the Protocols and Security dialog box in the Demand-Dial Interface Wizard.

  2. Organize user accounts used by calling routers into the appropriate universal and nested groups to take advantage of group-based remote access policies. For more information, see the topic titled "Universal, global, and domain local groups" in Windows 2000 Server online Help.

Configuring the primary IAS server on a domain controller

To configure the primary IAS server on a domain controller, do the following:

  1. On the domain controller, install IAS as an optional networking component. For more information, see the topic titled "Install IAS" in Windows 2000 Server online Help.

  2. Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see the topic titled "Enable the IAS server to read user objects in Active Directory" in Windows 2000 Server online Help.

  3. If the IAS server authenticates connection attempts for user accounts in other domains, verify that these domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see the topic titled "Enable the IAS server to read user objects in Active Directory" in Windows 2000 Server online Help. For more information about trust relationships, see the topic titled "Understanding domain trusts" in Windows 2000 Server online Help.
    If the IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains.

  4. Enable file logging for accounting and authentication events. For more information, see the topic titled "Configure log file properties" in Windows 2000 Server online Help.

  5. Add the VPN router(s) as RADIUS clients of the IAS server. For more information, see the topic titled "Add RADIUS clients" in Windows 2000 Server online Help. For the IP address of each VPN router, use the site IP address assigned to the VPN router. If you are using names, use the internal name of the VPN router. Use strong shared secrets.

  6. Create remote access policies that reflect your remote access usage scenarios.
    For example, to configure a remote access policy that requires PPTP-based router-to-router VPN connections for members of the VPNRouters group to use MS-CHAP v2 authentication and 128-bit encryption, create a remote access policy with the following settings:

    Policy name: Router-to-router VPN connections

    Conditions:

           NAS-Port-Type matches Virtual (VPN)

           Tunnel-Type matches Point-to-Point Tunneling Protocol

           Windows-Groups matches VPNRouters (example)

    Permission: Grant remote access permission

    Profile settings, Authentication tab:

           Select Microsoft Encrypted Authentication (MS-CHAP v2). Clear all other check boxes.

    Profile settings, Encryption tab:

           Select the Strongest check box, and then clear all other check boxes.

  7. If you have created new remote access policies, either delete the default remote access policy named Allow access if dial-up permission is enabled, or move it so that it is the last policy to be evaluated. For more information, see the topics titled "Delete a remote access policy" and "Change the policy evaluation order" in Windows 2000 Server online Help.

Note: The Strongest encryption strength is only available after installing either the Windows 2000 High Encryption Pack or Windows 2000 Service Pack 2 (or later) on the IAS server computer.
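Steps 6 and 7 above only work together if policy order is right: the first policy whose conditions match decides the connection, so a default policy that matches everything and constrains nothing must come after the router policy. The following added example (a model, not IAS code) evaluates the policy from step 6 ahead of and behind the default policy against constructed connection attempts to show the difference; policy names and attribute values are those listed in the article, and the default policy is modelled as matching every attempt and deferring to the account's dial-in permission.

```python
"""Model of ordered remote access policy evaluation on the answering router
or IAS server, to show why the default policy must be deleted or moved last.

Added example; simplified model of IAS behaviour: the first policy whose
conditions all match decides. If it grants access, the attempt must also
satisfy the policy's profile (authentication method, encryption strength);
otherwise the attempt is rejected, and later policies are never consulted.
"""


def router_policy():
    """The policy from step 6 of the article."""
    return {
        "name": "Router-to-router VPN connections",
        "conditions": {
            "NAS-Port-Type": "Virtual (VPN)",
            "Tunnel-Type": "Point-to-Point Tunneling Protocol",
            "Windows-Groups": "VPNRouters",
        },
        "grant": True,
        "profile": {"auth": {"MS-CHAP v2"}, "encryption": {"Strongest"}},
    }


def default_policy():
    """Modelled default policy: matches everything, grants whatever the
    account's dial-in permission says, constrains no auth or encryption."""
    return {"name": "Allow access if dial-up permission is enabled",
            "conditions": {}, "grant": None, "profile": None}


def matches(policy, attempt):
    for attr, wanted in policy["conditions"].items():
        value = attempt.get(attr)
        if isinstance(value, (set, list, tuple)):
            if wanted not in value:      # group membership: any match suffices
                return False
        elif value != wanted:
            return False
    return True


def evaluate(policies, attempt):
    """Return (decision, policy name, reason) for an attempt."""
    for policy in policies:
        if not matches(policy, attempt):
            continue
        grant = policy["grant"]
        if grant is None:                # defer to the account's dial-in setting
            grant = attempt.get("dial_in_permission", False)
        if not grant:
            return ("reject", policy["name"], "permission denied")
        profile = policy["profile"]
        if profile:
            if attempt["auth"] not in profile["auth"]:
                return ("reject", policy["name"], "authentication method not allowed")
            if attempt["encryption"] not in profile["encryption"]:
                return ("reject", policy["name"], "encryption strength not allowed")
        return ("accept", policy["name"], "profile satisfied")
    return ("reject", None, "no matching policy")


# Constructed connection attempts from a branch office router.
_BASE = {"NAS-Port-Type": "Virtual (VPN)",
         "Tunnel-Type": "Point-to-Point Tunneling Protocol",
         "Windows-Groups": {"VPNRouters"}, "dial_in_permission": True}
STRONG_ATTEMPT = dict(_BASE, auth="MS-CHAP v2", encryption="Strongest")
WEAK_ATTEMPT = dict(_BASE, auth="MS-CHAP", encryption="Basic")
NON_MEMBER_ATTEMPT = dict(_BASE, auth="MS-CHAP v2", encryption="Strongest",
                          **{"Windows-Groups": {"Domain Users"}})

CORRECT_ORDER = [router_policy(), default_policy()]   # default policy last
WRONG_ORDER = [default_policy(), router_policy()]     # default policy first

if __name__ == "__main__":
    for label, order in [("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)]:
        print(label, "weak attempt ->", evaluate(order, WEAK_ATTEMPT))
```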

Configuring the secondary IAS server on a different domain controller

To configure the secondary IAS server on a different domain controller, do the following:

  1. On the other domain controller, install IAS as an optional networking component. For more information, see the topic titled "Install IAS" in Windows 2000 Server online Help.

  2. Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see the topic titled "Enable the IAS server to read user objects in Active Directory" in Windows 2000 Server online Help.

  3. If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see the topic titled "Enable the IAS server to read user objects in Active Directory" in Windows 2000 Server online Help. For more information about trust relationships, see the topic titled "Understanding domain trusts" in Windows 2000 Server online Help.
    If the secondary IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the secondary IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains.

  4. To copy the configuration of the primary IAS server to the secondary IAS server, type netsh aaaa show config > path\file.txt at a command prompt on the primary IAS server. This stores the configuration settings, including registry settings, in a text file. The path can be relative, absolute, or a network path.

  5. Copy the file created in step 4 to the secondary IAS server. At a command prompt on the secondary IAS server, type netsh exec path\file.txt. This imports all the settings configured on the primary IAS server to the secondary IAS server.

Deploying site network infrastructure

Deploying the network infrastructure of a site for router-to-router VPN connections consists of the following:

  • Configure routing on the VPN routers.

  • Verify reachability from each VPN router.

  • Configure routing for off-subnet address pools.

Configuring routing on the VPN routers

In order for your VPN routers to properly forward traffic to locations within the site in which they are located, you must configure them either with static routes that summarize all the possible addresses used in the site or with routing protocols, so that the VPN router can participate as a dynamic router and automatically add routes for site subnets to its routing table.

To add static routes, see the topic titled "Add a static route" in Windows 2000 Server online Help. To configure the VPN router as a RIP router, see the topic titled "Configure RIP for IP". To configure the VPN router as an OSPF router, see the topics titled "OSPF design considerations" and "Configure OSPF" in Windows 2000 Server online Help.

Verifying reachability from each VPN router

From each VPN router, verify that the VPN router computer can resolve names and successfully communicate with resources in the VPN router's site by using the Ping command, Internet Explorer, and making drive and printer connections to known servers within the site.

Configuring routing for off-subnet address pools

If you configured any of the VPN routers with a static address pool and any of the ranges within the pool are an off-subnet range, you must ensure that the route(s) representing the off-subnet address range(s) are present in your site routing infrastructure to reach the virtual interfaces of calling routers. You can ensure this by adding static route(s) representing the off-subnet address range(s) as static routes to the neighboring router(s) of the VPN router(s) and then using the routing protocol of your site to propagate the route to other routers. When you add the static route(s), you must specify that the gateway or next hop address is the site interface of the VPN router.

Alternately, if you are using RIP or OSPF, you can configure the VPN routers using off-subnet address pools as RIP or OSPF routers. For OSPF, you must configure the VPN router as an autonomous system boundary router (ASBR). For more information, see the topic titled "OSPF design considerations" in Windows 2000 Help.

Deploying intersite network infrastructure

Deploying the intersite network infrastructure consists of configuring each VPN router with the set of routes for subnets that are available in the other sites (across each router-to-router VPN connection). This can be done in the following ways:

  • Manually configure static routes on each VPN router.

  • Perform auto-static updates on each VPN router.

  • Configure routing protocols to operate over the router-to-router VPN connection.

Manually configuring static routes on each VPN router

From the Routing and Remote Access snap-in, perform the following steps:

  1. In the console tree, click IP Routing, and then click Static Routes.

  2. Right-click Static Routes, and then click New Static Route.

  3. In the Static Route dialog box, select the appropriate demand-dial interface name, and type the destination, network mask, and metric.

  4. Click OK to add the route.

  5. For an additional route, go back to step 2.

Note: Because the demand-dial connection is a point-to-point connection, the Gateway IP address field is not configurable.

Performing auto-static updates on each VPN router

If RIP for IP is enabled on the demand-dial interfaces of both VPN routers, you can use auto-static updates to automatically configure static routes when the VPN connection is in a connected state. A demand-dial interface that is configured for auto-static updates sends a request across an active connection to request all of the routes of the router on the other side of the connection. In response to the request, all of the routes of the requested router are automatically entered as static routes in the routing table of the requesting router.

From the Routing and Remote Access snap-in on a VPN router (assuming the router-to-router VPN connection is active), perform the following steps:

  1. In the console tree, click IP Routing, and then click General.

  2. In the details pane, right-click the appropriate demand-dial interface, and then click Update Routes.

You can also use the netsh interface set interface command to perform an auto-static update. For more information, see the topic titled "Scheduling auto-static updates" in Windows 2000 Server online Help.

Configuring routing protocols

If the router-to-router VPN connection is persistent (always active), you can also configure IP routing protocols such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) to operate over the VPN connection. For more information, see the topics titled "Setting up a RIP-for-IP routed internetwork" and "Setting up an OSPF routed internetwork" in Windows 2000 Server online Help.