Setting up a Windows 2000 virtual private network

Issues that crop up during VPN installation

In “Issues surrounding a Windows 2000 VPN implementation,” I discussed some of the primary issues you should consider when building a virtual private network (VPN). These issues include such factors as security, reliability, and cost. In this Daily Feature, I’ll describe the process of installing a VPN. I’ll also cover some additional issues you’ll face during the installation process.

Installing a VPN
Before we begin creating a VPN, let’s review the basic requirements. On one end of the VPN, you have a client. This client may be a remote network or a remote user. On the other end of the VPN, you have the host. The host is a Windows 2000 server that functions as a router between the Internet and the private network.

The server that’s functioning as a router should have a permanent Internet connection, such as the type provided through a leased line. It is possible to implement a VPN even if the host relies on a dial-up connection to the Internet. However, I highly discourage using a dial-up connection. That’s because even if you can manage to stay dialed in 24 hours a day, 7 days a week, most Internet service providers assign dynamic IP addresses to dial-up users. This means the host router would likely have a different IP address every time it connects to the Internet. As you can imagine, it will be very difficult for remote clients to connect to the host if the host’s IP address keeps changing.

With that said, let’s look at the process for configuring the host router to provide VPN capabilities. For the purpose of this Daily Feature, I’ll work through the process of joining two networks through a VPN. As such, both of the Windows 2000 servers involved in the process function as hosts and clients. The dual functionality of each machine allows VPN traffic to flow in both directions. This arrangement allows the free exchange of data between the two networks.

Begin the configuration process by clicking the Start button and selecting Programs | Administrative Tools | Routing And Remote Access. When the Routing And Remote Access console appears, right-click on the host server and select the Enable Routing And Remote Access command from the context menu. When you do, you’ll see the Routing And Remote Access Server Setup Wizard. On the initial wizard screen, click Next to begin the installation process.

The next screen you’ll see gives you the choice of several types of routing and remote access. Even though this server will function as a VPN router, don’t select VPN just yet. Instead, select Manually Configured Server and click Next. The resulting screen will display a summary of the configuration you’ve chosen. Click Finish to close the wizard.

When you complete the wizard, Windows will ask if you want to start the Remote Access Service. Click Yes, and the service will be started. If you’ve ever created a remote access server under Windows NT 4.0, you’ll notice (and appreciate) the fact that Windows 2000 doesn’t require you to reboot the server. When the service starts, you’ll see there are several configuration options available in the Routing And Remote Access console, as shown inFigure A.

Figure A
The Routing And Remote Access console will contain many more options after you’ve enabled the Remote Access Service.

At this point, right-click on Routing Interface in the Routing And Remote Access console, and then select the New Demand Dial Interface command from the context menu. When you do, Windows 2000 will launch the Demand Dial Interface Wizard. Start by clicking Next. Now, the wizard will ask you for the name of the interface you’re configuring. Many people choose to name the interface after the network it’s attached to or after the function the interface will provide. For example, you might call the interface VPN Interface. Once you’ve entered the name of the new interface, click Next.

Now, Windows will ask you what type of demand dial interface you want to create. Select the Connect Using Virtual Private Network (VPN) radio button and click Next.

The next screen the wizard displays asks for the type of VPN interface you want to create. The choices are PPTP, L2TP, or Automatic Selection. The type of VPN interface you create is really up to you. Microsoft recommends using L2TP for new VPN installations. So, let’s use L2TP for the purpose of this Daily Feature.

At this point, you’ll see a screen that asks for the IP address or host name for the remote VPN router. As you probably know, the host name is the remote machine’s registered DNS name. Therefore, in the space provided you can enter an IP address, such as, or a host name, such as Click Next to continue.

After you’ve entered the host name or IP address of the remote router, you’ll see a screen similar to the one shown in Figure B. This screen asks what type of packets you plan on routing across the VPN link. Again, the selections you make will greatly depend on your individual network. As you can see in the figure, I’ve chosen to allow IP packets but to disallow IPX packets. I’ve also chosen to create a remote access user account and password so that it’s possible for the remote router (or remote users for that matter) to access the network through the VPN. When you’ve made your selections, click Next.

Figure B
Select the types of data you’ll allow to flow across your VPN link.

Now, assuming you’ve allowed dial-in access, the wizard will display a screen that asks for some dial-in credentials. At first, this screen may be a bit deceptive. It’s easy to accidentally assume this screen is designed to give access to dial-in users. However, its purpose is to establish a username and password that can be used to validate the remote router when it tries to connect. After all, you don’t want just anyone who knows your host name or IP address to build a VPN that allows access to your network.

On this screen, the wizard will be set to automatically create a user account that uses the same name as the interface you’re creating. For example, if you named your interface VPN Interface, then the user account will also be called VPN Interface. Although this screen won’t allow you to change the username, you can enter a password for the user account. Once you’ve entered and confirmed the account’s password, click Next to proceed.

The next screen you’ll see gives you a chance to enter the credentials for connecting to the remote network. Remember that when you join two networks through a VPN, both networks must be protected. This means you’ll have a separate VPN username and password for each network. Each VPN router must be set up to know the authentication information for the remote VPN router it will connect to. Simply fill in the domain name, username, password, and password confirmation for the remote router. When you’ve entered this information, click Next.

You’ve now finished configuring your VPN router. Click Finish to complete the process. Remember that you must configure both routers before your VPN will work.

Cleaning house
Now that you’ve created a VPN, there are a few things you need to do to ensure that your network is secure and that your VPN is functional. Remember that each VPN router is connected to the Internet. There are countless Internet users with malicious intent who would just love to get their hands on your network.

Although the VPN link you’ve just created is secure, there are other ways to get into your network from across the Internet. Typically, hackers exploit unused TCP/IP ports. Therefore, I strongly recommend implementing IP packet filtering in a way that will block all inbound Internet traffic except for VPN traffic (and any other types of traffic you might require).

IP filtering is a science in and of itself. Therefore, it’s impossible to thoroughly discuss IP filtering in the amount of space I have to work with. I can, however, show you the basic technique.

To enable IP filtering, go to Control Panel and double-click the Network And Dial Up Connections icon. Now, right-click on your Internet connection and select the Properties command from the context menu. Next, select Internet Protocol (TCP/IP) from the list of installed components and click the Properties button.

When you do, you’ll see the Internet Protocol (TCP/IP) Properties sheet. Click the Advanced button to view the advanced TCP/IP properties. On the Advanced TCP/IP Properties sheet, select the Options tab. Now, select TCP/IP Filtering and click the Properties button. You can then use the resulting dialog box to enable or disable various TCP/IP ports. It’s important to point out, however, that in Windows 2000, it’s impossible to filter TCP/IP on one adapter but not another. If you filter TCP/IP on one adapter, you’ve filtered TCP/IP on all of the adapters.

The other task you must complete is to exchange route information between the routers and test the VPN link. To do so, return to the Routing And Remote Access console and navigate to Server | IP Routing | General. Next, right-click on the demand dial interface and select the Update Route command from the context menu.

Now, perform this task on the other router as well. To make sure that the route exchange worked, go to the Routing And Remote Access console’s IP Routing | Static Routes section. The routes you created should be visible. You should now be able to ping each router from the other router.

In this Daily Feature, I’ve explained how to implement a VPN. As I did, I discussed some issues you may encounter during the implementation phase.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

Editor's Picks