Router-to-router VPN security considerations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In addition to the security steps listed in Static routing security, you can enhance router-to-router VPN security through:

  • Strong authentication

  • Data encryption

  • PPTP or L2TP/IPSec packet filtering

  • Firewall packet filtering

For more information, see Router-to-router VPN connection.

Strong authentication

For authentication, use the strongest authentication scheme that is possible for your router-to-router VPN configuration. The strongest authentication scheme is the use of EAP-TLS with certificates. For more information, see Deploying certificate-based authentication for demand-dial routing.

Otherwise, use MS-CHAP version 2 authentication and enforce the use of strong passwords on your network. For more information, see MS-CHAP version 2.

Data encryption

For encryption, you can use either link encryption or end-to-end encryption:

  • Link encryption encrypts the data only on the link between the two routers. You can use 128-bit Microsoft Point-to-Point Encryption (MPPE) for high security with PPTP connections. Otherwise, you can use either 56-bit or 40-bit MPPE. 40-bit MPPE is used with older versions of Microsoft operating systems. MPPE is only used in conjunction with either MS-CHAP, MS-CHAP v2, or EAP-TLS authentication. L2TP/IPSec connections use DES or 3DES encryption.

  • End-to-end encryption encrypts the data between the source host and its final destination. You can use IPSec to encrypt data from the source host to the destination host across the demand-dial link.

To specify encryption strength, select the appropriate encryption strengths on the Encryption tab of the remote access policy profile that is used by your calling routers. The No Encryption option is cleared by default; do not select this option or your network security is in jeopardy. For more information, see Security issues for VPN and Configure encryption.

Packet filtering

To prevent the calling or answering corporate router from sending or receiving any traffic on its Internet interface other than router-to-router VPN traffic, ensure that PPTP or L2TP/IPSec input and output filters are configured on the router interface that corresponds to the connection to the Internet.

When you configure your VPN server using the Routing and Remote Access Server Setup Wizard, PPTP or L2TP/IPSec input and output filters are configured automatically. For more information about PPTP filters, see Add PPTP Filters. For more information about L2TP/IPSec filters, see Add L2TP over IPSec Filters.

Because IP routing is enabled on the Internet interface, any traffic received on that interface is routed if PPTP or L2TP/IPSec filters are not configured on it. This can forward unwanted Internet traffic into your intranet.
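The following added example (not part of the original article or of Windows) models the Internet interface described above: with IP routing enabled and no filter set, every packet is accepted and routed; with a PPTP or L2TP/IPSec filter set, only matching packets pass. The protocol and port numbers are assumptions taken from the PPTP, L2TP and IKE specifications, not from this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "gre" (IP protocol 47) or "esp" (IP protocol 50)
    src_port: int = 0     # 0 for protocols without ports
    dst_port: int = 0

# A filter rule: (protocol, source port, destination port); None is a wildcard.
Rule = tuple[str, Optional[int], Optional[int]]

# Filter sets modelled on the RRAS "Add PPTP Filters" / "Add L2TP over IPSec Filters" sets.
# Assumption: the numbers come from the protocol specifications, not from the page;
# Windows applies them with the "drop all packets except those matching" filter action.
PPTP_FILTERS: list[Rule] = [
    ("tcp", None, 1723),   # inbound PPTP control connection
    ("tcp", 1723, None),   # replies to an outbound PPTP control connection
    ("gre", None, None),   # tunnelled PPP payload
]
L2TP_IPSEC_FILTERS: list[Rule] = [
    ("udp", 500, 500),     # IKE negotiation
    ("udp", 4500, 4500),   # IKE / ESP through NAT (NAT-T)
    ("esp", None, None),   # IPSec-protected L2TP traffic
]

def matches(pkt: Packet, rule: Rule) -> bool:
    proto, sport, dport = rule
    return (pkt.proto == proto
            and (sport is None or pkt.src_port == sport)
            and (dport is None or pkt.dst_port == dport))

def accepted_on_internet_interface(pkt: Packet, filters: Optional[list[Rule]]) -> bool:
    """Model of an RRAS Internet interface with IP routing enabled.
    filters=None is the misconfiguration the article warns about: with no filter set,
    every packet is accepted and routed onward. With a filter set, only matching
    packets are accepted and everything else is dropped."""
    if filters is None:
        return True
    return any(matches(pkt, r) for r in filters)

def check_sample_traffic(filters: Optional[list[Rule]]) -> dict:
    """Runs constructed sample packets through the interface model."""
    samples = {
        "pptp-control": Packet("tcp", 40000, 1723),
        "gre-tunnel": Packet("gre"),
        "ike": Packet("udp", 500, 500),
        "esp": Packet("esp"),
        "smb-from-internet": Packet("tcp", 40001, 445),  # must never reach the intranet
        "dns-from-internet": Packet("udp", 40002, 53),
    }
    return {name: accepted_on_internet_interface(p, filters) for name, p in samples.items()}
```

Comparing `check_sample_traffic(None)` with `check_sample_traffic(PPTP_FILTERS)` shows the SMB and DNS packets being routed only in the unfiltered case.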

Firewall packet filtering

It is a common practice to provide protection to intranet hosts, such as a VPN server, from Internet hosts using a firewall. If you have a firewall, you must configure packet filters on the firewall to allow traffic between the VPN router and the routers on the Internet. For more information, see VPN servers and firewall configuration.