Experience with VPN networking

Source: Internet
Author: User

Shandong Securities Co., Ltd. operates the securities business in Shandong Province. It is headquartered in Jinan, has more than 10 sales departments in cities across the province, and two more sales departments in Shanghai and Beijing. Day-to-day links between the departments are very close, especially between the headquarters and the city sales departments. Given the characteristics of the securities industry, and in order to integrate the networks of the city sales departments, reduce investment and management costs, and strengthen the security of communications, we adopted Microsoft's Windows NT VPN technology to build the Shandong Securities network.

Concretely, each city sales department uses a 64K DDN line to establish a VPN channel to the headquarters VPN server across the 169 public network. To keep the whole VPN network running continuously, the Qingdao site is set up as a VPN backup server: if the central point in Jinan fails, the cities' connections are transferred to the Qingdao site. In addition, a modem pool is configured at the Jinan central site so that, in an emergency, the city sales departments can use it as dial-in equipment.

IP address planning for the Shandong Securities VPN network: the LAN at the Jinan central point uses 100.100.0.1 with subnet mask 255.255.255.0, i.e. the 100.100.0.0 network segment. The city sales departments use the network segments 100.100.1.0 through 100.100.18.0, with the VPN authentication server of each department at 100.100.1.1 through 100.100.18.1, mask 255.255.255.0. This division is sufficient for the company's current and future requirements.

Configuration process for a city VPN authentication server:

1. Install the PPTP protocol on the Windows NT server and set the number of VPN private network channels to 2; these are used to connect to the central point server.

2. Install the VPN Routing and RAS management software (Mpri386.exe). When the installation completes, a Routing and RAS Admin item appears automatically among the NT program items.

3. Add a VPN dial-up interface in Dial-up Networking and configure the user name, password, protocol, and security authentication.

4. Routing options: we chose static routes. The VPN route has destination IP address 100.100.0.0 (mask 255.255.0.0), i.e. the route to the central site. The VPN IP address pool of the central point authentication server is 100.100.100.0 to 100.100.100.255, and the gateway for all city VPN routes is the first address of the central point's PPTP pool, 100.100.100.1; the interface is the VPN dial-up interface added above. The route to the 169 public network has destination 0.0.0.0 (mask 0.0.0.0); its gateway is the Ethernet port address of the sales department's router, and its interface is the machine's network card. Finally, an NT domain is created on the authentication server for the dial-up users.

The following is an example of the VPN server configuration in one city (Qingdao).

(1) First add the PPTP protocol to the Windows NT 4.0 network configuration.

(2) After the PPTP (Point-to-Point Tunneling) protocol has been added, set up two VPN private network channels: one for the authentication server's connection to the central point, and one for the authentication server's local connection, used for the routing function.

(3) Install the VPN Routing and RAS Admin (mpri386.exe) software.

(4) The computer is restarted 3 times during installation to complete the Routing and RAS setup. After a successful installation, the Routing and RAS Admin program item is added to the program items, and the next step is to configure VPN dialing and routing.

(5) Add a VPN dial-up adapter and a dial-up IP address, and set the VPN authentication user name, password, and domain.

Once these are added, you can set up the VPN demand-dial route and the VPN authentication and encryption methods.

(6) Next, set up the VPN routes. Either static routes or RIP routes can be used; here we use static routing and add two routes: one to the VPN channel (the VPN_QD interface) and one to the Internet (the 3Com EtherIII card). The VPN IP address pool of the central point authentication server is 100.100.100.0 to 100.100.100.255, and the gateway for all city VPN routes is the first address of the central point's PPTP pool, 100.100.100.1. The local Internet gateway is the Ethernet port IP address of the municipal office router, for example 10.86.0.4. The static routing table (Static Routes) is then as follows:

(7) Add the VPN dial-up users in the NT domain User Manager and grant them dial-in permission.

Taking Qingdao as the example: add the VPN_QD user, set its VPN dialing password, and grant it dial-in permission.

After the setup is complete, ping a workstation on the central point's LAN from a local workstation, for example ping 100.100.0.1 or ping 100.100.0.11. If the ping succeeds, the VPN route is established correctly. If you cannot ping a workstation at the central point but can ping the central point's VPN authentication server, the local VPN route may be incorrect.

In addition, the local VPN server should be able to ping other computers on the Internet; if that ping fails, the default static route may be incorrect. If everything is in order, the connection status (LAN and Demand Dial) of both the VPN_QD and 3Com EtherIII lines in Routing and RAS Admin should show Connected. Physically, the local VPN server is connected to the router and to the hub that serves the LAN. Workstations on the LAN should be set to the virtual (planned) IP addresses, and the VPN authentication server either has two network cards (one connected to the router, the other set to a virtual IP address and connected to the LAN) or one network card bound to two IP addresses.
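The static routes in steps 4 and (6) and the ping checks above can be modelled together. The following is an added example, not configuration from the Shandong Securities servers or from Windows NT: it does a longest-prefix-match lookup over the Qingdao static routes given on the page (the 100.100.0.0/16 plan via the first PPTP pool address 100.100.100.1 on the VPN_QD interface, and the default route via the router's Ethernet port 10.86.0.4 on the network card), then predicts what the three pings would show for the correct table and for two constructed misconfigurations, and maps the results to the page's conclusions. The directly connected route for the PPTP pool on the VPN interface, the reachability model, and the public-network probe address are assumptions.

```python
"""Static-route lookup and connectivity checks for a city VPN server.

Added example, not configuration from the Shandong Securities servers or
from Windows NT itself. The destinations, masks, gateways and interface
names come from the page; the connected route for the PPTP pool on the
VPN interface and the public-network probe address are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network  # network the entry covers
    gateway: ipaddress.IPv4Address      # next hop
    interface: str                      # outgoing interface


def make_route(dest: str, mask: str, gateway: str, interface: str) -> Route:
    """Build a Route from the dotted-quad destination/mask form the page uses."""
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return Route(net, ipaddress.IPv4Address(gateway), interface)


VPN_IF = "VPN_QD"          # demand-dial interface to the central point
LAN_IF = "3Com EtherIII"   # network card towards the local router
PLAN = ipaddress.IPv4Network("100.100.0.0/16")   # whole address plan

# Assumed: once the tunnel is up, the PPTP pool 100.100.100.0/24 appears as a
# connected route on the VPN interface, so the central authentication server
# (100.100.100.1) stays reachable even when the static VPN route is wrong.
POOL_ROUTE = make_route("100.100.100.0", "255.255.255.0", "100.100.100.1", VPN_IF)

# Qingdao static routes as given on the page: the plan goes to the central
# point via the first pool address; everything else goes to the router.
QINGDAO_ROUTES: List[Route] = [
    POOL_ROUTE,
    make_route("100.100.0.0", "255.255.0.0", "100.100.100.1", VPN_IF),
    make_route("0.0.0.0", "0.0.0.0", "10.86.0.4", LAN_IF),
]

# Constructed misconfigurations matching the failure modes the page describes.
MISSING_VPN_ROUTE: List[Route] = [r for r in QINGDAO_ROUTES if r.destination != PLAN]
MISSING_DEFAULT_ROUTE: List[Route] = [r for r in QINGDAO_ROUTES if r.destination.prefixlen > 0]

CENTRAL_AUTH = "100.100.100.1"   # central point authentication server (page)
CENTRAL_HOST = "100.100.0.1"     # workstation on the central LAN (page)
PUBLIC_HOST = "198.51.100.7"     # constructed public-network address (RFC 5737)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.destination]
    return max(matches, key=lambda r: r.destination.prefixlen) if matches else None


def egress_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Interface a packet to dst leaves on, or None when no route covers it."""
    route = lookup(routes, dst)
    return route.interface if route else None


def simulate_pings(routes: List[Route]) -> Tuple[bool, bool, bool]:
    """Predict the page's three pings (central auth server, central host,
    public host) for a routing table.

    Constructed model: only the VPN interface reaches plan addresses and only
    the network card reaches the public network; a packet sent out of the
    wrong interface, or with no route at all, gets no reply.
    """
    def reaches(dst: str) -> bool:
        iface = egress_interface(routes, dst)
        if iface is None:
            return False
        in_plan = ipaddress.IPv4Address(dst) in PLAN
        return iface == (VPN_IF if in_plan else LAN_IF)

    return reaches(CENTRAL_AUTH), reaches(CENTRAL_HOST), reaches(PUBLIC_HOST)


def diagnose(central_auth_ok: bool, central_host_ok: bool, public_ok: bool) -> List[str]:
    """Apply the page's checks to the ping results and return the findings."""
    findings = []
    if central_host_ok:
        findings.append("VPN route established correctly")
    elif central_auth_ok:
        findings.append("local VPN route may be incorrect")
    else:
        findings.append("VPN channel not connected; check Demand Dial state in Routing and RAS Admin")
    if not public_ok:
        findings.append("default static route may be incorrect")
    return findings


if __name__ == "__main__":
    for name, table in [("correct table", QINGDAO_ROUTES),
                        ("VPN route missing", MISSING_VPN_ROUTE),
                        ("default route missing", MISSING_DEFAULT_ROUTE)]:
        print(f"{name}: {diagnose(*simulate_pings(table))}")
```

With the VPN route missing, traffic for 100.100.0.1 falls through to the default route and leaves on the network card towards the router, which is exactly the symptom the page attributes to an incorrect local VPN route, while the authentication server's pool address still answers over the connected route.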

Configuration process for the central point VPN authentication server:

The configuration process is basically the same as for the authentication server in each city, except that the number of VPN private network channels added equals the number of sales departments. Create a VPN interface for each sales department and configure the static route for each interface. Also create each VPN user in Windows NT User Manager for Domains.

Once the configuration of both the central point authentication server and the sales department authentication servers is complete, VPN connections can be made. Note that the client machines on the local sales department's network segment must be configured with the planned VPN addresses of that department, not 169 public-network IP addresses or anything else. Only then can the client machines reach the central site for resource access through the local authentication server.
