The Cable Guy - January 2001

Planning and Installing a Windows 2000 Remote Access VPN Server

TechNet's The Cable Guy

By The Cable Guy

Virtual private networking (VPN) technologies provide remote access to organization intranets without the cost of a dial-up infrastructure. The wide availability of Internet connections allows roving users or telecommuters who can access the Internet to also access their organization intranets. Remote access VPN connections are used to connect individual computers to an organization intranet. Router-to-router connections, also known as gateway-to-gateway connections, connect networks. For more information about router-to-router connections, see the links at the end of this column.

Types of VPN Technologies

Windows 2000 includes three types of VPN technologies:

Point-to-Point Tunneling Protocol (PPTP)

Introduced in Windows NT 4.0, PPTP leverages Point-to-Point Protocol (PPP) user authentication and Microsoft Point-to-Point Encryption (MPPE) to encapsulate and encrypt IP, IPX, and NetBEUI traffic. With version 2 of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) and strong passwords, PPTP is a secure VPN technology. For nonpassword-based authentication, Extensible Authentication Protocol-Transport Level Security (EAP-TLS) can be used in Windows 2000 to support smart cards. PPTP is widely supported, easily deployed, and can be used across network address translators (NATs).

Layer Two Tunneling Protocol (L2TP)

L2TP leverages PPP user authentication and IP Security (IPSec) encryption to encapsulate and encrypt IP, IPX, and NetBEUI traffic. This combination, known as L2TP/IPSec, uses certificate-based computer identity authentication to create a secure and encrypted channel (an IPSec security association), and then uses PPP-based user authentication to create the L2TP tunnel. L2TP/IPSec provides data integrity and data authentication for each packet. However, L2TP/IPSec requires a public key infrastructure (PKI) to allocate computer certificates and is only supported by Windows 2000 VPN clients.

IPSec tunnel mode

IPSec tunnel mode uses Encapsulating Security Payload (ESP) in tunnel mode to encapsulate and encrypt unicast IP traffic. Windows 2000 IPSec tunnel mode is used only for router-to-router VPN connections because the current IPSec standards do not specify a method for providing user authentication and address assignment for remote access connections.

Network Planning Considerations

Before you begin a deployment of Windows 2000 VPN servers, you should evaluate the following elements of your infrastructure.

Routing infrastructure

The routing infrastructure must support the delivery of IP packets from the VPN server computer to any location on the Internet and all appropriate locations on your intranet. If the proposed VPN server computer is on the perimeter network (the network between your intranet and the Internet, also known as the DMZ), it must be configured with both a default gateway of a neighboring router on the perimeter network and a series of one or more routes that summarize the address space of your intranet.

The VPN server will assign IP addresses to VPN clients as they connect. The IP addresses can be:

  • From an on-subnet address range, which is an address range of the intranet subnet to which the VPN server is attached.
  • From an off-subnet address range, which is an address range that represents a different subnet that is logically attached to the VPN server.

If you are using an off-subnet address range, you must add routes that summarize the address range to the neighboring routers on the intranet subnet to which the VPN server is attached so that traffic can be delivered to VPN clients.
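The on-subnet/off-subnet distinction and the summary routes it implies can be checked before deployment. The following is an added example, not part of the original column; the addresses, the `plan_static_pools` name and the sample ranges are assumptions constructed for illustration.

```python
import ipaddress

def plan_static_pools(server_ip, server_subnet, ranges):
    """Classify static VPN address ranges against the intranet subnet the
    VPN server is attached to, and derive the summary routes that
    neighbouring routers need for the off-subnet ranges."""
    subnet = ipaddress.ip_network(server_subnet)
    next_hop = ipaddress.ip_address(server_ip)
    if next_hop not in subnet:
        raise ValueError("VPN server address is not on the attached subnet")
    report, off_blocks = [], []
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if hi < lo:
            raise ValueError(f"range {first}-{last} is reversed")
        # Exact CIDR cover of the range. Each block is inside the attached
        # subnet, disjoint from it, or a supernet of it.
        blocks = list(ipaddress.summarize_address_range(lo, hi))
        inside = [b for b in blocks if b.subnet_of(subnet)]
        outside = [b for b in blocks if not b.overlaps(subnet)]
        if len(inside) == len(blocks):
            kind = "on-subnet"            # no extra routes required
        elif len(outside) == len(blocks):
            kind = "off-subnet"           # neighbours need routes to it
            off_blocks.extend(blocks)
        else:
            kind = "straddles-subnet"     # planning error: split the range
        report.append((f"{first}-{last}", kind, int(hi) - int(lo) + 1))
    # Merge adjacent blocks so routers carry the fewest summary routes,
    # each pointing at the VPN server's intranet address.
    routes = [(str(net), str(next_hop))
              for net in ipaddress.collapse_addresses(off_blocks)]
    return report, routes

# Constructed sample: server 10.0.1.10 attached to 10.0.1.0/24.
SAMPLE_RANGES = [
    ("10.0.1.200", "10.0.1.230"),   # on-subnet
    ("10.0.8.0", "10.0.8.255"),     # off-subnet
    ("10.0.9.0", "10.0.9.255"),     # off-subnet, adjacent to the previous
    ("10.0.1.250", "10.0.2.5"),     # crosses the subnet boundary
]

if __name__ == "__main__":
    report, routes = plan_static_pools("10.0.1.10", "10.0.1.0/24", SAMPLE_RANGES)
    for name, kind, size in report:
        print(f"{name:<24} {kind:<17} {size} addresses")
    for prefix, hop in routes:
        print(f"route {prefix} via {hop}")
```

A range reported as `straddles-subnet` should be split at the subnet boundary, because part of it needs routes and part of it does not.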

Name resolution infrastructure

If you use Domain Name System (DNS) to resolve host names or Windows Internet Name Service (WINS) to resolve NetBIOS names, ensure that the VPN server is configured with the IP addresses of the appropriate DNS and WINS servers. The VPN clients inherit the DNS and WINS server addresses configured on the VPN server. After connecting, Windows 2000 VPN clients also send a Dynamic Host Configuration Protocol (DHCP) message to receive updated DNS and WINS server addresses from a DHCP server. In general, if name resolution does not work from the VPN server, it will not work for VPN clients.

Address assignment infrastructure

DHCP is commonly used to automatically assign IP addresses and other configuration parameters. The VPN server can be configured to obtain IP addresses for VPN clients from DHCP. In this case, VPN clients are always assigned an on-subnet address and no additional routes must be added. However, ensure that there are enough IP addresses in the DHCP scope for the intranet subnet to allow the maximum number of VPN clients to connect. If the DHCP server runs out of addresses to allocate to the VPN server or if the DHCP server becomes unavailable, additional VPN clients can connect, but they will not be able to access intranet resources.

Public key infrastructure

If you are using L2TP/IPSec, you must deploy a PKI that allocates computer certificates to the VPN server and VPN clients. If Remote Authentication Dial-in User Service (RADIUS) is used for user authentication and authorization, the RADIUS server must have a computer certificate installed to authenticate connections using smart cards. With Active Directory, it is possible to configure Group Policy to automatically allocate a computer certificate to all computers that join the domain. For more information, see Windows 2000 Server online Help (

Firewall configuration

If your VPN server is separated from the Internet by a firewall (also known as a security gateway), the firewall must be configured to allow VPN traffic to be passed to and from the VPN server on the perimeter network. This requires setting input and output packet filters on firewall interfaces so that the only traffic forwarded by the firewall to the VPN server is VPN traffic. For more information, see the Virtual Private Networking chapter of the Windows 2000 Server Resource Kit (
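A rule set can be audited against the "only VPN traffic reaches the VPN server" requirement. This is an added example, not part of the original column: the column does not list port or protocol numbers, so the values used are the standard assignments (PPTP control on TCP 1723 with GRE as IP protocol 47; IKE on UDP 500 with ESP as IP protocol 50), and the rule format, names and addresses are constructed. It covers inbound filters only.

```python
# IP protocol numbers: 6 = TCP, 17 = UDP, 47 = GRE, 50 = ESP.
# Each entry is (ip_protocol, destination_port or None when ports do not apply).
REQUIRED = {
    "pptp": {(6, 1723), (47, None)},
    "l2tp/ipsec": {(17, 500), (50, None)},
}

def audit_inbound_filters(rules, vpn_server, tunnels):
    """Return (excess, missing): allow rules that forward non-VPN traffic to
    the VPN server, and required VPN filters that no rule provides."""
    allowed = set().union(*(REQUIRED[t] for t in tunnels))
    excess, seen = [], set()
    for rule in rules:
        if rule["action"] != "allow":
            continue
        # A rule with destination "any" also reaches the VPN server.
        if rule["dst"] not in (vpn_server, "any"):
            continue
        key = (rule.get("proto"), rule.get("dport"))
        if key in allowed:
            seen.add(key)
        else:
            # Includes wildcards such as "TCP, any port": they do pass VPN
            # traffic but must be replaced by the specific filter.
            excess.append(rule["name"])
    missing = sorted(allowed - seen, key=lambda k: (k[0], k[1] or 0))
    return excess, missing

# Constructed rule set for a VPN server at 192.0.2.10 on the perimeter network.
SAMPLE_RULES = [
    {"name": "pptp-control", "action": "allow", "dst": "192.0.2.10", "proto": 6, "dport": 1723},
    {"name": "pptp-gre", "action": "allow", "dst": "192.0.2.10", "proto": 47},
    {"name": "ike", "action": "allow", "dst": "192.0.2.10", "proto": 17, "dport": 500},
    {"name": "legacy-rdp", "action": "allow", "dst": "192.0.2.10", "proto": 6, "dport": 3389},
    {"name": "web", "action": "allow", "dst": "192.0.2.20", "proto": 6, "dport": 80},
    {"name": "deny-all", "action": "deny", "dst": "any"},
]

if __name__ == "__main__":
    excess, missing = audit_inbound_filters(
        SAMPLE_RULES, "192.0.2.10", ["pptp", "l2tp/ipsec"])
    print("rules forwarding non-VPN traffic:", excess)
    print("required filters not present:", missing)
```

With the sample rules, the audit flags the RDP rule as excess and reports that the ESP filter needed for L2TP/IPSec is absent.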

VPN Server Planning Considerations

Before you install a Windows 2000 VPN server, you should evaluate the following elements of the VPN server configuration.

Authentication and authorization

A Windows 2000 VPN server can perform authentication by contacting a domain controller and authorization through locally configured remote access policies. Alternatively, authentication and authorization can be offloaded to a RADIUS server. Windows 2000 includes a RADIUS server known as Internet Authentication Service (IAS). With an IAS server, you can centralize authentication, accounting, and administration of remote access policies for multiple Windows 2000 VPN and dial-in remote access servers and third-party network access servers.

Authentication protocols

While Windows 2000 supports a wide variety of current and legacy PPP authentication protocols, MPPE encryption for PPTP requires the use of MS-CHAP, MS-CHAP v2, or EAP-TLS. MS-CHAP v2 is recommended in the absence of smart cards. Although L2TP does not require a specific authentication protocol because the PPP authentication process is protected by IPSec encryption, MS-CHAP v2 and EAP-TLS are recommended.

Level of encryption

Secure VPN connections require encryption of encapsulated data. To ensure encryption, create a remote access policy for VPN connections (with the NAS-Port-Type set to Virtual (VPN)) and clear the No Encryption checkbox on the Encryption tab on the profile settings for the policy. Additionally, you can specify a required level of encryption by selecting or clearing Basic (40-bit MPPE for PPTP and 56-bit Data Encryption Standard [DES] for L2TP), Strong (56-bit MPPE for PPTP and 56-bit DES for L2TP), or Strongest (128-bit MPPE for PPTP and 3DES for L2TP). Strongest can be used only in conjunction with the Windows 2000 High Encryption Pack.

Client configuration

Microsoft VPN clients can configure VPN connections either manually or by using the Connection Manager Administration Kit (CMAK) included with Windows 2000. To manually configure a Windows 2000 VPN client, use the Make New Connection wizard in the Network and Dial-up Connections folder to create a VPN connection to the IP address or DNS name of the VPN server on the Internet. For more information about CMAK, see Windows 2000 Server online Help (

Configuring the VPN Server

After you have configured your infrastructure and made your VPN server design decisions, run the Routing and Remote Access Server Setup wizard to configure your Windows 2000 VPN server:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. Right-click your server name, and then click Configure and Enable Routing and Remote Access.
  3. In Common Configurations, click Virtual Private Network (VPN) server and then click Next.
  4. In Remote Client Protocols, verify that all data protocols used by your remote access VPN clients are present. Add data protocols if necessary and then click Next.
  5. In Internet Connection, click the connection that corresponds to the interface connected to the Internet or your perimeter network, and then click Next.
  6. In IP Address Assignment, click Automatic if the VPN server should use DHCP to obtain IP addresses for remote access VPN clients. Or, click From a specified range of addresses to use one or more static ranges of addresses. If any of the static address ranges is an off-subnet address range, routes must be added to the routing infrastructure in order for the VPN clients to be reachable. When IP address assignment is complete, click Next.
  7. In Managing Multiple Remote Access Servers, if you are using RADIUS for authentication and authorization, click Yes, I want to use a RADIUS server, and then click Next.
  8. In RADIUS Server Selection, configure the primary (mandatory) and secondary (optional) RADIUS servers and the shared secret, and then click Next.
  9. Click Finish.

For More Information

For more information about Windows 2000 VPN technology, design, and deployment, including detailed examples, consult the following resources:
