Professor Windows - February 2001

While the term Virtual Private Networking (VPN) has a rather broad definition, most industry experts use the term VPN to refer to the creation of a private virtual tunnel over a public network (such as the Internet). With a VPN, data travels between computers across a public network in a secure manner by encapsulating (wrapping) the packets with a header that contains the routing information. Windows 2000 supports Layer 2 (data-link layer) tunneling protocols such as PPTP and L2TP, which wrap data in a PPP frame before it is transmitted over the wire. A Layer 3 (network layer) tunneling protocol, IPSec, is also supported; here IP packets are encapsulated in an additional IP header before they are transmitted.

VPN Scenarios

There are a number of ways to take advantage of VPNs. Perhaps the most common scenario is when a remote user accesses the corporate network through a VPN tunnel. In another scenario, a remote office connects to the corporate network either using a persistent or an on-demand dial-up VPN connection. VPNs can also be deployed in an extranet scenario to communicate securely with business partners. In this article, we will look at deploying a VPN in the first scenario where a remote user connects to the corporate network via a VPN tunnel.

Configuring a Windows 2000 Server for VPN

To configure a VPN server, your computer must have at least two interfaces. To set up a Windows 2000 server for VPNs, use the following procedure:

  1. Open the Routing and Remote Access console in Administrative Tools
  2. Right-click the server and then click Configure and Enable Routing and Remote Access
  3. The Setup Wizard starts; click Next
  4. Select Manually configured server, as shown in Figure 1, and click Next
  5. Click Finish to complete the setup wizard


Figure 1 Enabling VPN on the Server

Do not use the option Virtual private network (VPN) server. The Routing and Remote Access wizard does not allow routing, as explained in Microsoft Knowledge Base article Q243374. The VPN option configures the server for incoming VPN connections and secures the server by configuring filters that only allow PPTP or L2TP traffic. If that is all you need, then you don't need to worry. However, be aware that using this option will cause Routing and Remote Access to block all packets other than PPTP or L2TP.

There is one additional step you need to take before users can make VPN connections to your server. You need to give the users appropriate dial-in permissions to access the network. This can be achieved either by granting users remote access permissions in Remote Access Policies, as shown in Figure 2, or by configuring dial-in permissions on a per-user basis in Active Directory Users and Computers.


Figure 2 Granting Remote Access Permissions

By default, the number of VPN ports that are created depends on which option you choose: with the last option, Manually configured server, only five PPTP and five L2TP ports are created; with the middle option, Virtual private network (VPN) server, 128 PPTP and 128 L2TP ports are created. You can always adjust the number of ports in the Routing and Remote Access console by selecting Properties of Ports.

Note If the VPN clients will be going through a router or firewall, make sure that if you are using PPTP then TCP port 1723 and IP protocol ID 47 (GRE – Generic Routing Encapsulation) are allowed to pass through the router or firewall. If you are using L2TP then you need to open UDP port 500 (IKE), protocol ID 50 (IPSec ESP) and protocol ID 51 (IPSec AH).

Client Configuration

To connect to a VPN server at the corporate network, you need to first make sure that you are connected to the Internet by dialing in to your ISP, unless you have a dedicated connection to the Internet (such as DSL) where you don't need to dial. Connecting to the Internet puts you on the same worldwide Internet backbone to which the corporate VPN server is connected. Then you make a second connection to create a VPN tunnel.

To create this second connection to the corporate server, follow the procedure described below:

  1. Go to Start, Settings, Network and Dial-up Connections and select Make New Connection to start the Network Connection Wizard.
  2. From the Network Connection Type screen, select Connect to a private network through the Internet, as shown in Figure 3.
  3. On the Public Network screen you can configure the connection to automatically dial your ISP first, before it makes the second connection to your corporate VPN server. You would only use this option if you use a modem or ISDN to "dial" into your ISP to connect to the Internet.
  4. Follow the on-screen instructions to finish the wizard.


Figure 3 Network Connection Type

By default, when you use this connection, you only have the option to type your user name and password. To add the Domain option, click Properties and, on the Options tab, select the box Include Windows logon domain, as shown in Figure 4.


Figure 4 Including Windows Logon Domain

Levels of Encryption Supported by VPNs

Depending on how you connect to the VPN server you will use either MPPE encryption or IPSec encryption. If you connect to a PPTP server, you will use MPPE, but if you connect to an L2TP server, you'll use IPSec. By default, the VPN connection is configured for an automatic server type, which means that L2TP with IPSec encryption is tried first, before PPTP with MPPE is attempted. The way MPPE works is different from IPSec. Because the packets can arrive at the destination out of order, MPPE uses a sequence number in the header to keep track of the packets. MPPE changes the encryption key for each packet, based on the sequence number. Using an L2TP connection requires IPSec certificates. If you are experiencing problems in establishing a VPN connection, try selecting PPTP as your connection type instead of the default Automatic option. If you select the Automatic setting and an IPSec session cannot be negotiated, you may experience a long wait (up to 2 minutes) before it falls back to PPTP.

There are four options supported for encryption that can be configured by selecting Edit Profile under the Properties of Remote Access Policy. On the Encryption tab, you can select No encryption, Basic, Strong, or Strongest encryption. The Strongest encryption (128-bit) is only available if you install the Windows 2000 High Encryption Pack (installing Windows 2000 Service Pack 1 is recommended).

The following table shows a comparison of the types of encryption used by Dial-up and PPTP versus L2TP over IPSec VPN connections:

Dial-up and PPTP      L2TP over IPSec
--------------------  ------------------------
40-bit MPPE           56-bit DES
56-bit MPPE           56-bit DES
128-bit MPPE          3DES (three 56-bit keys)

Understanding the Packet Structure

PPTP Packet Structure

Figure 5 (below) shows what a PPTP data packet looks like when it goes through a tunnel. First a PPP frame is created by encapsulating the encrypted PPP data with a PPP header. Then the PPP frame is encapsulated with a GRE header. The resulting payload is then encapsulated with an IP header, which includes the source and destination IP addresses. Finally, this IP datagram is encapsulated with the data-link layer header and trailer. Depending on the technology you use, the data-link layer header and trailer vary. For example, when you send IP datagrams over an Ethernet network they are encapsulated with an Ethernet header and trailer; over an analog phone line they are encapsulated with a PPP header and trailer; and so on. When the packets reach their destination, the headers are stripped one by one in reverse order. First the data-link layer header and trailer are removed, and then the IP, GRE, and PPP headers are stripped. Finally, the PPP data is decrypted.
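The following Python script is an added example, not code from the article or from Windows 2000. It builds a constructed PPTP data packet with the IP, GRE and PPP layers of Figure 5 (the data-link layer is omitted, and the "encrypted" PPP data is a labelled placeholder string rather than real MPPE output), then strips the headers in the reverse order the text describes, checking at each layer that the fields are what PPTP expects: IP protocol 47, the GRE protocol type for PPP, and the GRE sequence number that MPPE keys off. It also implements the pass-through checks from the firewall note above (TCP 1723 plus GRE for PPTP; UDP 500, ESP and AH for L2TP) so you can verify whether a given outer header would survive a router or firewall in front of the VPN server. The GRE field layout follows RFC 2637 (enhanced GRE) and the PPP protocol value 0x00FD for compressed/MPPE datagrams follows RFC 3078; those constants come from the RFCs, not from the article.

```python
"""Decapsulate a constructed PPTP data packet and check tunnel filter rules.

Added example (not part of the article). Packet contents are constructed
here for illustration; no real traffic is captured or sent.
"""
import struct

# IP protocol numbers and ports named in the article's firewall note
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT, IKE_PORT = 1723, 500

GRE_PROTO_PPP = 0x880B        # GRE protocol type for PPP payloads (RFC 2637)
GRE_FLAG_KEY, GRE_FLAG_SEQ, GRE_FLAG_ACK = 0x2000, 0x1000, 0x0080
PPP_PROTO_COMPRESSED = 0x00FD  # PPP protocol for MPPE-encrypted datagrams (RFC 3078)


def filter_allows(profile, ip_proto, dst_port=None):
    """Return True if an outer IP header passes the tunnel filter.

    'pptp' mirrors the rule set from the note (TCP 1723 + GRE 47);
    'l2tp' mirrors UDP 500 (IKE) + ESP 50 + AH 51.
    """
    if profile == "pptp":
        return ip_proto == IPPROTO_GRE or (
            ip_proto == IPPROTO_TCP and dst_port == PPTP_CONTROL_PORT)
    if profile == "l2tp":
        return ip_proto in (IPPROTO_ESP, IPPROTO_AH) or (
            ip_proto == IPPROTO_UDP and dst_port == IKE_PORT)
    raise ValueError("unknown filter profile: %r" % profile)


def build_pptp_packet(src, dst, call_id, seq, ppp_data):
    """Wrap ppp_data as IP | GRE | PPP | data (Figure 5 without the data-link layer)."""
    # PPP header: on PPTP only the protocol field is carried (address/control compressed)
    ppp = struct.pack("!H", PPP_PROTO_COMPRESSED) + ppp_data
    # Enhanced GRE: K and S bits set, version 1; key = payload length + call ID
    flags = GRE_FLAG_KEY | GRE_FLAG_SEQ | 0x0001
    gre = struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp), call_id, seq)
    # Minimal IPv4 header (no options, checksum left at zero for the example)
    total_len = 20 + len(gre) + len(ppp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IPPROTO_GRE, 0, src, dst)
    return ip + gre + ppp


def decapsulate_pptp(packet):
    """Strip the IP, GRE and PPP headers in order, validating each layer.

    Returns the GRE call ID, sequence/ack numbers, the PPP protocol field and
    the remaining PPP data (which MPPE would decrypt in the real stack).
    """
    ihl = (packet[0] & 0x0F) * 4
    ip_proto = packet[9]
    if ip_proto != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE (47)" % ip_proto)
    gre = packet[ihl:]
    flags, gre_proto, length, call_id = struct.unpack("!HHHH", gre[:8])
    if gre_proto != GRE_PROTO_PPP:
        raise ValueError("GRE protocol type 0x%04x is not PPP" % gre_proto)
    offset, seq, ack = 8, None, None
    if flags & GRE_FLAG_SEQ:        # sequence number MPPE uses for per-packet keys
        seq = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_ACK:        # acknowledgement number (absent in our packet)
        ack = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    ppp = gre[offset:offset + length]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_proto": ppp_proto, "data": ppp[2:]}


if __name__ == "__main__":
    # Constructed sample: client 10.0.0.5 -> VPN server 10.0.0.1, call 7, seq 42
    pkt = build_pptp_packet(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]),
                            7, 42, b"constructed-encrypted-ppp-data")
    print("passes PPTP filter:", filter_allows("pptp", pkt[9]))
    print(decapsulate_pptp(pkt))
```

Running the script shows the outer header passing the PPTP filter and the inner fields (call ID 7, sequence 42, PPP protocol 0x00FD) recovered in the order the article describes; feeding the same packet to `filter_allows("l2tp", ...)` returns False, which is exactly the mismatch you see when a firewall opened only for L2TP silently drops PPTP tunnels.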

Figure 5 layers, outermost first: Data-link header | IP header | GRE header | PPP header | Encrypted PPP data | Data-link trailer

Figure 5 PPTP Packet Structure

L2TP Packet Structure

The packet structure for L2TP is somewhat similar to PPTP in that headers are added to the PPP data. Figure 6 shows what the L2TP packet looks like. Notice that everything between the UDP header and the IPSec trailer is encrypted.


Figure 6 L2TP Packet Structure

VPNs are a useful method for telecommuters to access corporate networks in a secure fashion. They are also beneficial in remote branch office and extranet scenarios in providing a secure extension to the LAN over a public network. Compared to the traditional dial-up solutions, VPNs have become very popular as of late due to their ease of management and lower total cost of ownership.