L2TP-based router-to-router VPN deployment

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

L2TP-based router-to-router VPN deployment

To create an L2TP/IPSec router-to-router VPN connection to send private data across the Internet, you must perform the following:

  1. Configure the router running a Windows Server 2003 operating system at the corporate office to receive L2TP connections from a branch office router.

  2. Configure the router running a Windows Server 2003 operating system at the branch office to initiate an L2TP connection with the corporate office router.

  3. Initiate the L2TP connection from the branch office router.

Note

  • These steps assume that the L2TP/IPSec router-to-router VPN connection is between a corporate office and a branch office. However, you can also apply these steps to a VPN connection between two corporate offices.

Configuring the corporate office router

If you want your router running a Windows Server 2003 operating system in the corporate office to support multiple branch office L2TP connections, complete the following steps:

  • Configure the connection to the Internet.

  • Configure the connection to the intranet.

  • Install a computer certificate.

  • Configure the corporate router.

  • Configure demand-dial interfaces.

  • Configure firewall packet filters.

  • Configure remote access policies.

The following illustration shows the elements of a L2TP/IPSec router-to-router VPN connection on a computer running a Windows Server 2003 operating system.

An L2TP/IPSec router-to-router VPN connection

For more information, see Router-to-router VPN connection and Layer Two Tunneling Protocol.

Note

  • To simplify this configuration, the branch office router always initiates the L2TP connection.

Configuring the connection to the Internet

The connection to the Internet is a dedicated connection--a WAN adapter that is installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, or Frame Relay adapter. You must contract with a local telephone company to run the appropriate physical wiring to your premises. You need to verify that the WAN adapter is compatible with the Windows Server 2003 operating systems. To verify compatibility, see the Compatible Hardware and Software section at Support resources.

The WAN adapter includes drivers that are installed in Windows Server 2003 operating systems so that the adapter appears as a network adapter.

You need to configure the following TCP/IP settings on the WAN adapter:

  • IP address and subnet mask assigned from the InterNIC or an Internet service provider (ISP).

  • Default gateway of the ISP router.

Configuring the connection to the intranet

The connection to the intranet is a LAN adapter that is installed in the computer. You need to verify that the LAN adapter is compatible with the Windows Server 2003 operating systems. To verify compatibility, see the Compatible Hardware and Software section at Support resources.

You need to configure the following TCP/IP setting on the LAN adapter:

  • IP address and subnet mask assigned from the network administrator.

If the corporate router is running applications, you need to configure the following TCP/IP setting on the LAN adapter:

  • DNS and WINS name servers of corporate intranet name servers.

Because the corporate router will route traffic between the corporate office and the branch office, you must configure the corporate router with either static routes or with routing protocols so that all of the destinations on the corporate network are reachable from the corporate router.

Installing a computer certificate

Although you can use either computer certificates or a preshared key to provide authentication for IPSec security associations for an L2TP/IPSec connection, computer certificates are the recommended method. Therefore, you must install a computer certificate on the corporate router.

For more information about installing a computer certificate on the corporate router, see Computer certificates for L2TP/IPSec VPN connections and Network access authentication and certificates.

Configuring the corporate router

You need to enable the corporate router by installing the Routing and Remote Access service. For more information, see Enable the Routing and Remote Access service.

Configuring demand-dial interfaces

For each branch office router, you can create a demand-dial interface by using the Demand-Dial Interface Wizard. In the wizard, configure the following:

  • Interface Name

    Type the name of the interface that represents the connection to the branch office. For example, for a router in the New York branch office, type NewYorkRouter.

  • Connection Type

    Click Connect using virtual private networking (VPN).

  • VPN Type

    Click Layer 2 Tunneling Protocol (L2TP).

  • Destination Address

    Because the corporate router will not initiate the VPN connection, no address is required.

  • Protocols and Security

    Select the protocols you want to route, and then select the Add a user account so a remote router can dial in check box.

  • Configuring static routes

    You need to add static routes so that traffic to the branch office is forwarded by using the appropriate demand-dial interface. For each route of each branch office, configure the interface, destination, network mask, and metric. For the interface, you need to select the demand-dial interface that corresponds to the branch office.

    For example, the route that corresponds to the New York branch office is 192.168.25.0 with a subnet mask of 255.255.255.0. This route becomes the static route with the following configuration:

    • Interface: NewYorkRouter

    • Destination: 192.168.25.0

    • Network mask: 255.255.255.0

    • Metric: 1

  • Dial-out Credentials

    Because the corporate router will not initiate the VPN connection, type in any name, domain, and password.

  • Dial-in Credentials

    Type the domain and password for the account that will be used to authenticate the branch office router. The Demand-Dial Interface Wizard automatically creates the account and sets its remote access permission to Allow access. The name of the account is the same as the name of the demand-dial interface. For example, for the New York branch office router, the name of the account is NewYorkRouter.

Note

  • Because the L2TP connection is a point-to-point connection, the Gateway IP address is not configurable.

For more information, see Add a static route.

Configuring firewall packet filters

If you are using a firewall in the corporate office, you need to configure L2TP/IPSec packet filters on your firewall to allow L2TP/IPSec traffic between branch office routers and the corporate office router. For more information, see VPN servers and firewall configuration.

Configuring remote access policies

By using the Demand-Dial Interface Wizard, the dial-in properties of user accounts that are used by branch office routers are already configured to allow remote access.

If you want to grant remote access to the L2TP/IPSec branch office routers based on group membership, do the following:

  1. For a stand-alone router that is not a member of a domain, use Local Users and Groups and set dial-in properties to Allow access for all users.

  2. For a directory services-based router, use Active Directory Users and Computers and set dial-in properties to Control access through Remote Access Policy for all users.

  3. Create a Windows Server 2003 Active Directory group whose members can create virtual private networking connections with the VPN server. For example, BranchOfficeRouters.

  4. Add the appropriate user accounts that corresponds to the accounts that are used by the branch office routers to the Active Directory group.

  5. Create a new remote access policy with the following properties:

    • Set Policy name to VPN Access if member of BranchOfficeRouters (example).

    • Set the Windows-Groups condition to BranchOfficeRouters (example).

    • Set the NAS-Port-Type condition to Virtual (VPN).

    • Set the Tunnel-Type condition to Layer Two Tunneling Protocol.

    • Select the Grant remote access permission option.

  6. If this computer is only used to provide router-to-router VPN connections, you need to delete the default remote access policies. Otherwise, move the default remote access policy so that it is evaluated last.

For encryption, the default setting allows no encryption and all levels of encryption strength. To require encryption, clear the No Encryption option and select the appropriate encryption strengths on the Encryption tab of the remote access policy profile that is used by your calling routers.

For more information, see Configure encryption.

Configuring the branch office router

If you want your router running a Windows Server 2003 operating system in the branch office to initiate an L2TP connection with the corporate office router, complete the following steps:

  • Configure the connection to the Internet.

  • Configure the connection to the branch office network.

  • Install a computer certificate.

  • Configure a demand-dial interface.

  • Configure static routes.

  • Configure firewall packet filters.

Note

  • To simplify configuration, the branch office router always initiates the L2TP connection.

Configuring the connection to the Internet

The connection to the Internet is a dedicated connection--a WAN adapter that is installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, or Frame Relay adapter. You must contract with a local telephone company to run the appropriate physical wiring to your premises. You need to verify that the WAN adapter is compatible with the Windows Server 2003 operating systems. To verify compatibility, see the Compatible Hardware and Software section at Support resources.

The WAN adapter includes drivers that are installed in Windows Server 2003 operating systems so that the adapter appears as a network adapter.

You need to configure the following TCP/IP settings on the WAN adapter:

  • IP address and subnet mask assigned from the InterNIC or an Internet service provider (ISP).

  • Default gateway of the ISP router.

Configuring the connection to the branch office network

The connection to the branch office network is a LAN adapter that is installed in the computer. You need to verify that the LAN adapter is compatible with the Windows Server 2003 operating systems. To verify compatibility, see the Compatible Hardware and Software section at Support resources.

You need to configure the following TCP/IP settings on the LAN adapter:

  • IP address and subnet mask assigned from the network administrator.

  • DNS and WINS name servers of branch office name servers.

Because the branch office router will act as a router between the corporate office and the branch office, you must configure the branch office router with either static routes or with routing protocols so that all of the destinations on the branch office network are reachable from the branch office router.

Installing a computer certificate

Because the corporate office router is using computer certificates to authenticate the IPSec security association for the L2TP/IPSec connection, you must install a computer certificate on the branch office router in order for an L2TP/IPSec connection to be successfully established.

For more information about installing a computer certificate on the branch office router, see Computer certificates for L2TP/IPSec VPN connections and Network access authentication and certificates.

Configuring a demand-dial interface

You can create a demand-dial interface by using the Demand-Dial Interface Wizard. In the wizard, configure the following:

  • Interface Name

    Type the name of the interface that represents the connection to the corporate office. For example, type CorpOffice.

  • Connection Type

    Click Connect using virtual private networking (VPN).

  • VPN Type

    Click Layer 2 Tunneling Protocol (L2TP).

  • Destination Address

    Type the IP address or host name that is assigned to the Internet interface of the router at the corporate office. If you enter a host name, verify that the host name resolves to the proper IP address.

  • Protocols and Security

    Select the protocols you want to route.

  • Dial-out Credentials

    Type the name, domain name, and password of the user account that corresponds to this branch office router. The credentials are the same as those entered in the Dial-Out Credentials page of the Demand-Dial Interface Wizard when the demand-dial interface for this branch office was created on the corporate router.

Configuring static routes

You need to add static routes so that traffic to the corporate office is forwarded by using the appropriate demand-dial interface. For each route of the corporate office, configure the interface, destination, network mask, and metric. For the interface, select the demand-dial interface that corresponds to the corporate office previously created.

For example, the route that corresponds to the corporate office is 10.0.00 with a subnet mask of 255.0.0.0. This route becomes a static route with the following configuration:

  • Interface: CorpOffice

  • Destination: 10.0.0.0

  • Network mask: 255.0.0.0

  • Metric: 1

Note

  • Because the L2TP connection is a point-to-point connection, the Gateway IP address is not configurable.

For more information, see Add a static route.

Configuring firewall packet filters

If you are using a firewall in the branch office, you need to configure L2TP/IPSec packet filters on your firewall to allow L2TP/IPSec traffic between the corporate office router and the branch office router. For more information, see VPN servers and firewall configuration.

Initiating the L2TP router-to-router VPN connection

To connect the branch office router to the corporate router, in Routing and Remote Access, right-click the demand-dial interface that connects to the corporate office, and then click Connect.

For information about troubleshooting a router-to-router VPN, see Troubleshooting router-to-router VPNs.