A virtual private network (VPN) is the extension of a private network that encompasses logical links across shared or public networks such as the Internet. A remote access VPN connection allows computers connected to the Internet to securely access organization intranets. This paper describes the various components and design choices of a deployment of remote access VPN connections using the Windows 2000 platform VPN servers and Windows-based VPN clients. This paper also includes detailed walkthroughs to deploy Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP)- based remote access VPNs, information on firewall configuration, how to create a VPN test lab, and details of troubleshooting tools and common problems. This paper assumes familiarity with TCP/IP, IP routing, Internet Protocol security (IPSec), and the capabilities of the Windows 2000 Routing and Remote Access service.
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link (such as a long haul T-Carrier-based wide area network [WAN] link). Virtual private networking is the act of creating and configuring a virtual private network.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a virtual private network (VPN) connection.
Figure 1 shows the logical equivalent of a VPN connection.
Users working at home or on the road can use VPN connections to establish a remote access connection to an organization server by using the infrastructure provided by a public network such as the Internet. From the user's perspective, the VPN connection is a point-to-point connection between the computer (the VPN client) and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.
Organizations can also use VPN connections to establish routed connections with geographically separate offices or with other organizations over a public network such as the Internet while maintaining secure communications. A routed VPN connection across the Internet logically operates as a dedicated WAN link.
With both remote access and routed connections, an organization can use VPN connections to trade long-distance dial-up or leased lines for local dial-up or leased lines to an Internet service provider (ISP).
There are two types of remote access VPN technology in the Windows® 2000 operating system:
Point-to-Point Tunneling Protocol (PPTP)
PPTP uses user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption.
Layer Two Tunneling Protocol (L2TP) with Internet Protocol security (IPSec)
L2TP uses user-level PPP authentication methods and IPSec for computer-level authentication using certificates and data authentication, integrity, and encryption.
A remote access client (a single user computer) makes a remote access VPN connection that connects to a private network. The VPN server provides access to the entire network to which the VPN server is attached. The packets sent from the remote client across the VPN connection originate at the remote access client computer.
The remote access client (the VPN client) authenticates itself to the remote access server (the VPN server) and, for mutual authentication, the server authenticates itself to the client.
Computers running Windows XP, Windows 2000, Windows NT version 4.0, Windows Millennium Edition (ME), Windows 98, and Windows 95 operating systems can create remote access VPN connections to a VPN server running Windows 2000. VPN clients may also be any non-Microsoft PPTP client or L2TP client using IPSec.
Note: Using IPSec tunnel mode is not a remote access VPN technology supported by Microsoft VPN clients or servers due to the lack of an industry standard method of performing user authentication and IP address configuration over an IPSec tunnel. IPSec tunnel mode is described in RFCs 2401, 2402, and 2406.
For encryption, you can use either link encryption or end-to-end encryption in addition to link encryption:
Link encryption encrypts the data only on the link between the VPN client and the VPN server. For PPTP connections, you must use MPPE in conjunction with MS-CHAP, MS-CHAP v2, or EAP-TLS authentication. For L2TP/IPSec connections, IPSec provides encryption on the link between the VPN client and the VPN server.
End-to-end encryption encrypts the data between the source host and its final destination. You can use IPSec after the VPN connection is made to encrypt data from the source host to the destination host.