Virtual private networks (VPNs) allow you to connect to private network resources over the Internet. The VPN link mimics the connection you would have if all devices were directly connected to your private LAN. The difference is that instead of connecting directly to the private network, devices connect first to the Internet and then establish the virtual link that creates the connection to your private network.
The most common implementation of VPNs is allowing a client computer, such as a Windows 2000 Professional notebook, to make a connection to the Internet and then establish the VPN link. After establishing the VPN link, the computer becomes a member to the private network. The client then will be able to access resources on the network, such as printers and shares, just as if it were directly connected.
A less common, but important, implementation of VPNs is to use them to connect entire networks to one another. The VPN link acts like a routed connection that allows clients on both sides to access resources on the opposite side. Communications move through the Internet but are protected by the encryption provided by the tunneled connection.
You need a VPN server on each end of the link to create this type of VPN. The configuration is most frequently referred to as a gateway-to-gateway VPN. The gateway-to-gateway VPN allows messages to be routed from one network to the other with a secure encrypted tunnel over the Internet.
Configuring a gateway-to-gateway VPN in Windows 2000 is not for the faint of heart. In this Daily Feature, we’ll look at how to make the process of creating the gateway-to-gateway VPN easier by using ISA Server 2000 (ISA Server). ISA Server makes it easy to create a gateway-to-gateway VPN with VPN wizards that actually work.
Preparing for the VPN
A lot of people have trouble getting a VPN to work correctly the first time they implement one. The main reason is that they forget that a gateway-to-gateway VPN is just like any other routed connection. The ISA Server acts like a router; therefore, you have to configure your network to support a routed infrastructure.
In a routed network, you need to address issues related to:
- DNS host name resolution
- NetBIOS name resolution
- Routing tables
If the two networks host different internal network domains, you need to configure DNS to support name resolution for both sides. You can do this in a number of ways. You could make DNS servers on each side secondary servers of one another. You could also create referral records for nonlocal domains on each of the DNS servers that point to the DNS on the opposite side of the link.
NetBIOS name resolution is handled by a WINS server. Since the connection is a routed link, NetBIOS name broadcast queries will not traverse the VPN. Make sure there is a WINS server on each side of the link. You should configure the WINS servers to be replication partners if you wish to resolve NetBIOS names for machines on the opposite side of the VPN.
In a single-segment network, all machines will have the internal interface of the ISA Server set as their default gateway. On a multiple-segment network, you will need to configure routers to forward Internet-bound traffic to the internal interface of the ISA Server. In addition, you will need to configure the network routers to forward traffic destined for the network ID of the remote network on the other side of the VPN to the internal interface of the ISA Server.
Configuring the VPN connection
When using ISA Server to create the gateway-to-gateway VPN connection, you must use two wizards:
- The Local VPN Wizard
- The Remote VPN Wizard
The Local VPN Wizard is run at the location that will receive the calls from remote VPN servers. This wizard is usually run on the ISA Server at the central office, after which it will be ready to accept calls from an ISA Server at a remote, branch office.
The Remote VPN Wizard is run at the remote location—the location initiating the calls. The Remote VPN Wizard uses information collected by the Local VPN Wizard to create the connection.
Bidirectional VPN communications
The Local VPN Wizard is run on the machine that will accept inbound calls from the remote VPN server. However, you can tell the Local VPN Wizard to allow both sides to initiate a call.
Running the Local VPN Wizard
The first step is to run the Local VPN Wizard. Perform the following steps to configure the local VPN Server:
- Open the ISA Management console. Expand your server or array and right-click the Network Configuration node in the left pane. Click the Set Up Local ISA VPN Server command.
- On the Welcome To The Local ISA Server VPN Configuration Wizard page, click Next to continue.
- The ISA Server Virtual Private Network (VPN) Identification page will appear (Figure A). In the Type A Short Name To Describe The Local Network text box, type a short (less than 10 characters is safe) name for the local network. In this example, we’ll call it local. In the Type A Short Name To Describe The Remote Network text box, type in a short name for the remote network. In this example, we’ll call it remote. Click Next.
|Naming the VPN connection|
- The ISA Server Virtual Private Network (VPN) Protocol page will appear (Figure B). You have three choices:
- Use L2TP Over IPSec.
- Use PPTP.
- Use L2TP Over IPSec, If Available. Otherwise, Use PPTP
In this example, we will select Use L2TP Over IPSec, If Available. Otherwise, Use PPTP because it gives us the most flexibility in establishing the connection. Generally, you will want to use IPSec for your gateway-to-gateway tunnels, but it is helpful to have PPTP available for initial testing. You can remove the PPTP packet filters after you have confirmed that your VPN is functioning and that your IPSec configuration works properly. Click Next.
|Selecting the tunnel type|
- The Two-Way Communication page will appear next (Figure C). If you wish to allow both ends to initiate a call, put a check mark in the Both The Local And Remote ISA VPN Computers Can Initiate Communication check box. If you do not, only the remote VPN server will be able to initiate a call. In the top text box, enter the IP address of the FQDN of the remote ISA Server. In the bottom text box, enter the NetBIOS name of the computer or the NetBIOS name of the domain (if the machine is a domain controller). In this example, we will allow bidirectional initiation of calls. We will use gateway.tacteam.net as the FQDN of the remote gateway and type in the domain name of the remote VPN server, TACTEAM. Click Next.
|Configuring bidirectional call initiation|
- On the Remote Virtual Private Network (VPN) Network page (Figure D), enter the IP address range of the remote network. If you do not want access to all computers on the remote network, enter the IP addresses of the individual machines that you want access to. To add the address ranges, click the Add button. In this example, we’ll allow the local network to access all the machines on the remote network ID 192.168.9.0/24. Click Next.
|Configuring access to the remote network IP addresses|
- The Local Virtual Private Network (VPN) Network page will appear next (Figure E). Select the external address of the ISA Server to which the remote ISA Server will connect. Confirm that the entries for the local network ID ranges are correct and click Next.
|Configuring the local network IP addresses|
- The ISA VPN Computer Configuration File page will appear (Figure F). You’ll use this file to create the remote VPN server. Type a path and file name in the File Name text box. Then, type in and confirm the password. You can save this to a floppy disk to carry with you to the remote site or you can save it to the hard disk and e-mail it to an administrator at the remote site. Click Next.
|Naming the configuration file and creating a password|
- On the Final page of the wizard, click the Details button to review the changes made to your machine. If the Routing and Remote Access service has not been started, the wizard will start it and make the configuration changes noted in the Details. Click Finish.
Running the Remote VPN Wizard
Running the Remote VPN Wizard is simple because you already made all the configuration decisions when you ran the Local VPN Wizard. To run the Remote VPN Wizard, perform the following steps:
- Open the ISA Management console, expand your server or array, and right-click on the Network Configuration node in the left pane. Click Set Up Remote ISA VPN Server.
- On the Welcome to the Remote ISA Server VPN Configuration Wizard page, click Next.
- The ISA VPN Computer Configuration File page appears next (Figure G). Type in or browse to the file name. After selecting the file, type in the password and click Next.
|Running the Remote VPN Wizard|
- The Completing The ISA VPN Configuration Wizard will appear (Figure H). Click the Details button to see the changes that will be made to the server. You may also wish to select the check boxes that will open the Help files on how to configure demand-dial interface and IP packet filters. Click Finish to complete the wizard.
|Completing the Remote VPN Wizard|
Once the Local and Remote VPN Wizards have been run, users on either side of the VPN will be able to initiate a demand-dial connection to the remote network. You can configure the demand-dial interface to drop the connection after a period of idleness or to be a permanent connection.