Persistent Branch Office

The Chicago and Phoenix branch offices of Electronic, Inc. are connected to the corporate office by using persistent router-to-router VPN connections that stay connected 24 hours a day. The Windows 2000 routers in the Chicago and Phoenix offices are equipped with T1 WAN adapters that have a permanent connection to a local Internet service provider to gain access to the Internet.

The Chicago branch office uses the IP network ID of 192.168.9.0 with a subnet mask of 255.255.255.0. The Chicago branch office router uses the public IP address of 131.107.0.1 for its Internet interface. The Phoenix branch office uses the IP network ID of 192.168.14.0 with a subnet mask of 255.255.255.0. The Phoenix branch office router uses the public IP address of 131.107.128.1 for its Internet interface.

The VPN connection is a two-way initiated connection. The connection is initiated from either the branch office router or the VPN server. Two-way initiated connections require the creation of demand-dial interfaces, remote access policies, IP address pools, and packet filters on the routers on both sides of the connection.

Figure 4 shows the Electronic, Inc. VPN server that provides persistent branch office connections.

Figure 4: The Electronic, Inc. VPN server that provides persistent branch office connections

To deploy persistent router-to-router VPN connections to connect the Chicago and Phoenix branch offices to the corporate office based on the settings configured in the "Common Configuration for the VPN Server" section of this paper, the following additional settings are configured.

Domain Configuration
For the Chicago office VPN connection that is initiated by the Chicago router, the user account VPN_Chicago is created with the following settings:

  • Password of U9!j5dP(%q1.

  • For the dial-in properties on the VPN_Chicago account, the remote access permission is set to Control access through Remote Access Policy.

  • For the account properties on the VPN_Chicago account, the Password never expires account option is selected.

  • The VPN_Chicago account is added to the VPN_Routers group.

For the VPN connection to the Phoenix office, the user account VPN_Phoenix is created with the following settings:

  • Password of z2F%s)bW$4f.

  • For the dial-in properties on the VPN_Phoenix account, the remote access permission is set to Control access through Remote Access Policy.

  • For the account properties on the VPN_Phoenix account, the Password never expires account option is selected.

  • The VPN_Phoenix account is added to the VPN_Routers group.

For the Chicago office VPN connection and the Phoenix office VPN connection that are initiated by the VPN server, the user account VPN_CorpHQ is created with the following settings:

  • Password of o3\Dn6@`-J4.

  • For the dial-in properties on the VPN_CorpHQ account, the remote access permission is set to Control access through Remote Access Policy.

  • The VPN_CorpHQ account is added to the VPN_Routers group.

Remote Access Policy Configuration
Remote access policies must be configured at the VPN server, the Chicago router, and the Phoenix router.

Remote Access Policy Configuration at the VPN Server
The remote access policy configuration for the VPN server is the same as described in the "On-Demand Branch Office" section of this paper.

Remote Access Policy Configuration at the Chicago Router
To define the authentication and encryption settings for the VPN connections, the default policy named Allow access if dial-in permission is enabled is deleted and the following remote access policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN).

    • Windows-Groups is set to VPN_Routers.

    • Called-Station-ID is set to 131.107.0.1.

  • Permission is set to Grant remote access permission.

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is selected and Smartcard or other certificate (TLS) is configured to use the installed machine certificate. Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also selected.

    • Encryption tab: Strong and Strongest are the only options that are selected.

Note: The Called-Station-ID is set to the IP address of the Internet interface for the branch office router. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. branch office network are not permitted.

Remote Access Policy Configuration at the Phoenix Router
To define the authentication and encryption settings for the VPN connections, the default policy named Allow access if dial-in permission is enabled is deleted and the following remote access policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN).

    • Windows-Groups is set to VPN_Routers.

    • Called-Station-ID is set to 131.107.128.1.

  • Permission is set to Grant remote access permission.

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is selected and Smartcard or other certificate (TLS) is configured to use the installed machine certificate. Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also selected.

    • Encryption tab: Strong and Strongest are the only options that are selected.

Note: The Called-Station-ID is set to the IP address of the Internet interface for the branch office router. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. branch office network are not permitted.
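The following Python is an added illustration, not part of the original paper, of how the "VPN Routers" policy above gates a connection attempt at the Chicago or Phoenix router: the three conditions select the policy, and the profile's authentication and encryption settings are then enforced on the matched attempt. The attribute names and the simplified evaluation order are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model of a RADIUS-style connection attempt as the router sees it.
@dataclass(frozen=True)
class ConnectionAttempt:
    nas_port_type: str          # e.g. "Virtual (VPN)"
    called_station_id: str      # IP address of the interface the tunnel arrived on
    windows_groups: frozenset   # groups of the authenticating account
    auth_method: str            # "EAP-TLS", "MS-CHAP v2", or something weaker
    encryption: str             # "None", "Basic", "Strong", or "Strongest"

# Constructed model of the "VPN Routers" remote access policy from the page.
@dataclass(frozen=True)
class VpnRoutersPolicy:
    internet_interface_ip: str           # Called-Station-ID condition
    required_group: str = "VPN_Routers"  # Windows-Groups condition
    allowed_auth: frozenset = frozenset({"EAP-TLS", "MS-CHAP v2"})
    allowed_encryption: frozenset = frozenset({"Strong", "Strongest"})

    def conditions_match(self, a: ConnectionAttempt) -> bool:
        # All conditions must hold for the policy to apply. Matching on the
        # Internet interface address is what rejects tunnels started from inside
        # the branch network.
        return (a.nas_port_type == "Virtual (VPN)"
                and self.required_group in a.windows_groups
                and a.called_station_id == self.internet_interface_ip)

    def evaluate(self, a: ConnectionAttempt):
        """Return (accepted, reason) for one connection attempt."""
        if not self.conditions_match(a):
            # The default policy was deleted, so an unmatched attempt is rejected.
            return False, "no matching remote access policy"
        # Permission is Grant; now enforce the profile settings.
        if a.auth_method not in self.allowed_auth:
            return False, f"authentication method {a.auth_method} not permitted"
        if a.encryption not in self.allowed_encryption:
            return False, f"encryption level {a.encryption} not permitted"
        return True, "VPN Routers policy: access granted"
```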

IP Address Pool Configuration
IP address pools must be configured at the VPN server, the Chicago router, and the Phoenix router.

IP Address Pool Configuration at the VPN Server
The IP address pool configuration for the VPN server is the same as described in the "Common Configuration for the VPN Server" section of this paper.

IP Address Pool Configuration at the Chicago Router
A static IP address pool with a starting IP address of 192.168.9.248 and an ending IP address of 192.168.9.253 is configured. This creates a static address pool for up to five VPN clients.

For more information, see the "Creating a Static IP Address Pool" procedure in Appendix A.

IP Address Pool Configuration at the Phoenix Router
A static IP address pool with a starting IP address of 192.168.14.248 and an ending IP address of 192.168.14.253 is configured. This creates a static address pool for up to five VPN clients.

For more information, see the "Creating a Static IP Address Pool" procedure in Appendix A.

The following sections describe a PPTP-based persistent branch office connection for the Chicago office and an L2TP-based persistent branch office connection for the Phoenix office.

PPTP-based Persistent Branch Office

The Chicago branch office is a PPTP-based branch office that uses a Windows 2000 router to create a persistent, router-to-router VPN connection with the VPN server in New York. The connection is never terminated, even when idle.

To deploy a PPTP, two-way initiated, persistent, router-to-router VPN connection to the corporate office based on the settings configured in the "Common Configuration for the VPN Server" and "Persistent Branch Office" sections of this paper, the following settings are configured on the VPN server and Chicago router.

VPN Server Configuration
The VPN server is configured with a demand-dial interface, static routes, and PPTP packet filters.

Demand-Dial Interface for Router-to-Router VPN Connection
To connect the VPN server to the Chicago router by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    VPN_Chicago

  • Connection type
    Connect using virtual private networking (VPN) is selected.

  • VPN type
    Point to Point Tunneling Protocol (PPTP) is selected.

  • Destination address
    131.107.0.1

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: VPN_CorpHQ
    Domain: electronic.microsoft.com
    Password: o3\Dn6@`-J4
    Confirm password: o3\Dn6@`-J4

Once the demand-dial interface is created, the following change is made:

  • For the properties of the demand-dial interface, on the Options tab, under Connection type, Persistent connection is selected.

Static Route for Chicago Office Network
To make all locations on the Chicago network reachable, the following static route is configured:

  • Interface: VPN_Chicago

  • Destination: 192.168.9.0

  • Network mask: 255.255.255.0

  • Metric: 1

Chicago Router Configuration
The Chicago router is configured with a demand-dial interface and static routes.

Demand-Dial Interface for Router-to-Router VPN Connection
To connect the Chicago office router to the VPN server by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    VPN_CorpHQ

  • Connection type
    Connect using virtual private networking (VPN) is selected.

  • VPN type
    Point to Point Tunneling Protocol (PPTP) is selected.

  • Destination address
    207.46.130.1

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: VPN_Chicago
    Domain: electronic.microsoft.com
    Password: U9!j5dP(%q1
    Confirm password: U9!j5dP(%q1

Once the demand-dial interface is created, the following change is made:

  • For the properties of the demand-dial interface, on the Options tab, under Connection type, Persistent connection is selected. To view properties for a demand-dial interface, click Routing Interfaces, right-click the desired demand-dial interface, and then click Properties.

Static Route for the Electronic, Inc. VPN Server
To make the Electronic, Inc. VPN server on the Internet reachable, the following static route is configured:

  • Interface: The WAN adapter attached to the Internet

  • Destination: 207.46.130.1

  • Network mask: 255.255.255.255

  • Gateway: 0.0.0.0

  • Metric: 1

Note: Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. 0.0.0.0 is the unspecified IP address.

Static Routes for Corporate Intranet and Branch Offices
To make all locations on the corporate intranet reachable, the following static route is configured:

  • Interface: VPN_CorpHQ

  • Destination: 172.16.0.0

  • Network mask: 255.240.0.0

  • Metric: 1

To make all locations on Electronic, Inc. branch offices reachable, the following static route is configured:

  • Interface: VPN_CorpHQ

  • Destination: 192.168.0.0

  • Network mask: 255.255.0.0

  • Metric: 1

PPTP Packet Filters on the Internet Interface
To ensure that only PPTP-based traffic is allowed on the connection to the Internet, PPTP packet filters are configured on the Internet interface. For more information, see the "Adding PPTP Packet Filters" procedure in Appendix A.

L2TP-based Persistent Branch Office

The Phoenix branch office is an L2TP-based branch office that uses a Windows 2000 router to create a persistent, router-to-router VPN connection with the VPN server in New York. The connection is never terminated, even when idle.

To deploy an L2TP, two-way initiated, persistent, router-to-router VPN connection to the corporate office based on the settings configured in the "Common Configuration for the VPN Server" and "Persistent Branch Office" sections of this paper, the following settings are configured on the VPN server and Phoenix router.

VPN Server Configuration
The VPN server is configured with a demand-dial interface and a static route.

Demand-Dial Interface for Router-to-Router VPN Connection
To connect the VPN server to the Phoenix router by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    VPN_Phoenix

  • Connection type
    Connect using virtual private networking (VPN) is selected.

  • VPN type
    Layer-2 Tunneling Protocol (L2TP) is selected.

  • Destination address
    131.107.128.1

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: VPN_CorpHQ
    Domain: electronic.microsoft.com
    Password: o3\Dn6@`-J4
    Confirm password: o3\Dn6@`-J4

After the demand-dial interface is created, the following change is made:

  • For the properties of the demand-dial interface, on the Options tab, under Connection type, Persistent connection is selected.

Static Route for Phoenix Office Network
To make all locations on the Phoenix network reachable, the following static route is configured:

  • Interface: VPN_Phoenix

  • Destination: 192.168.14.0

  • Network mask: 255.255.255.0

  • Metric: 1

Phoenix Router Configuration
The Phoenix router was configured by the Electronic, Inc. network administrator while connected to the Electronic, Inc. intranet and then shipped to the Phoenix site. While the Phoenix router was connected to the Electronic, Inc. intranet, a computer certificate was installed through auto-enrollment. Additionally, the Phoenix router computer was configured with a demand-dial interface and a static route.

Demand-Dial Interface for Router-to-Router VPN Connection
To connect the Phoenix office router to the VPN server by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    VPN_CorpHQ

  • Connection type
    Connect using virtual private networking (VPN) is selected.

  • VPN type
    Layer-2 Tunneling Protocol (L2TP) is selected.

  • Destination address
    207.46.130.1

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: VPN_Phoenix
    Domain: electronic.microsoft.com
    Password: z2F%s)bW$4f
    Confirm password: z2F%s)bW$4f

Once the demand-dial interface is created, the following change is made:

  • For the properties of the demand-dial interface, on the Options tab, under Connection type, Persistent connection is selected.

Static Route for the Electronic, Inc. VPN Server
To make the Electronic, Inc. VPN server on the Internet reachable, the following static route is configured:

  • Interface: The WAN adapter attached to the Internet

  • Destination: 207.46.130.1

  • Network mask: 255.255.255.255

  • Gateway: 0.0.0.0

  • Metric: 1

Note: Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. 0.0.0.0 is the unspecified IP address.

Static Route for Corporate Intranet and Branch Offices
To make all locations on the corporate intranet reachable, the following static route is configured:

  • Interface: VPN_CorpHQ

  • Destination: 172.16.0.0

  • Network mask: 255.240.0.0

  • Metric: 1

To make all locations on Electronic, Inc. branch offices reachable, the following static route is configured:

  • Interface: VPN_CorpHQ

  • Destination: 192.168.0.0

  • Network mask: 255.255.0.0

  • Metric: 1
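
The following Python is an added example, not part of the original paper, that models the static routes configured on the Chicago and Phoenix routers above with a longest-prefix-match lookup. It shows why the host route to the VPN server must point at the WAN adapter rather than the tunnel, that branch-to-branch traffic transits the corporate office over VPN_CorpHQ, and that the page configures no default route. The interface labels and the Chicago LAN route are assumptions.

```python
import ipaddress

# Constructed routing table for the Chicago router, built from the static routes on
# the page plus its directly attached branch network. The Phoenix router's table is
# the same except that its attached network is 192.168.14.0/24.
CHICAGO_ROUTES = [
    ("192.168.9.0/24",  "LAN adapter"),   # directly attached branch network (assumed)
    ("207.46.130.1/32", "WAN adapter"),   # host route to the Electronic, Inc. VPN server
    ("172.16.0.0/12",   "VPN_CorpHQ"),    # corporate intranet, via the tunnel
    ("192.168.0.0/16",  "VPN_CorpHQ"),    # all branch office networks, via the tunnel
]

def build_table(routes):
    """Parse (prefix, interface) pairs into network objects; order does not matter."""
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

def lookup(table, destination):
    """Longest-prefix match. Returns the outgoing interface, or None when no route
    covers the destination (the page configures no default route)."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_endpoint_ok(table, vpn_server_ip, tunnel_iface="VPN_CorpHQ"):
    """The tunnel endpoint must be reachable over a physical interface; if it were
    routed into the tunnel itself (or unroutable), the tunnel could never come up."""
    return lookup(table, vpn_server_ip) not in (None, tunnel_iface)
```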

L2TP over IPSec Packet Filters on the Internet Interface
To ensure that only L2TP over IPSec-based traffic is allowed on the connection to the Internet, L2TP over IPSec packet filters are configured on the Internet interface. For more information, see the "Adding L2TP Packet Filters" procedure in Appendix A.