A detailed example of VPN configuration in Windows 2000

Source: Internet
Author: User

Provided by http://91mail.51.net

Today most companies of any size have branch offices. How to keep those branches connected to headquarters at all times in a way that is secure, efficient, cheap and versatile is a challenge every enterprise faces. The traditional methods are leased lines, dial-up connections and direct access over public IP addresses, but these are either expensive or limited to a single function, and some carry security risks. A VPN connection solves these problems.

First, a brief introduction. VPN stands for Virtual Private Network. VPN technology builds a private network inside a public network, a "line within a line": data crosses the public network through a secure, encrypted channel, which gives good confidentiality and resistance to interference. An enterprise only needs to lease a local data line to connect to the local public information network, and its local sites can then exchange information with each other; it can also use the dial-up access equipment of the public information network, so that its users dial into the public network and from there reach the enterprise network. This works because the connection between any two VPN nodes has no end-to-end physical link of the kind a traditional private network requires; it is a logical network built on a platform (such as the Internet, ATM or frame relay) provided by a public network service provider, and user data travels over a logical link. A VPN also provides remote access, scales well, is easy to manage, gives comprehensive control and saves money. Adopting VPN technology is the trend for enterprise networks.

To make a VPN connection, the enterprise's internal network needs a VPN Server based on Windows NT or Windows 2000 Server. The VPN Server is connected both to the enterprise's private network and to the Internet, so it must have a public IP address. When a client communicates with a computer on the private network through the VPN connection, the ISP (Internet Service Provider) first delivers all the data to the VPN Server, and the VPN Server then forwards it to the target computer. Windows 2000 offers two VPN technologies:

1. Point-to-Point Tunneling Protocol (PPTP), used with data encryption. PPTP uses user-level Point-to-Point Protocol (PPP) authentication methods together with Microsoft Point-to-Point Encryption (MPPE).

2. Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec). L2TP uses user-level PPP authentication methods and machine-level certificates, with IPSec providing the data encryption.

The example I configured is a connection between a remote client (Windows 2000 Pro) and a VPN Server at the corporate headquarters (Windows 2000 Pro). There are three main steps:

1. Configure the VPN Server to allow VPN access.

2. Configure the VPN Client (Win2000).

3. Establish a VPN connection between the client and the server.

The procedure is as follows:

First, the headquarters computer (hereinafter "VPN Server") and the branch computer (hereinafter "VPN Client") must both be able to access the Internet, and the VPN Server must have a valid public IP address on the Internet. Once the VPN Client has connected to the VPN Server by virtual dialling, the VPN Client becomes part of the VPN Server's LAN. Within this LAN any computer can access the hardware and software resources shared by the other computers, subject to its permissions, exactly as on an ordinary LAN.

1. VPN Server Configuration

The VPN Server's operating system can be WinNT 4.0, Win2000, WinXP or Win2003; the necessary components ship with the system. The VPN Server must be connected to the Internet and have its own public IP address. I configure the VPN Server on Windows 2000 Server ("Win2000") as the example.
(1) Go to "Start" > "Programs" > "Administrative Tools" > "Routing and Remote Access" to open the "Routing and Remote Access" console.
(2) In the left pane, right-click "SERVER (local)" (where SERVER is the server name) and select "Configure and Enable Routing and Remote Access" to open the "Routing and Remote Access Server Setup Wizard".
(3) The "Welcome to the Routing and Remote Access Server Setup Wizard" step only describes what the wizard does; there is nothing to set. Click "Next" to continue.
(4) In the "Common Configurations" step, choose the configuration. The default is "Internet connection server"; change it to "Virtual private network (VPN) server" and click "Next" to continue.
(5) The "Remote Client Protocols" step lists the protocols currently available for VPN access. The default is "Yes, all of the available protocols are on this list"; leave it unchanged and click "Next" to continue.
(6) In the "Internet Connection" step, specify the connection the server uses. The default, "No Internet connection", needs no change; click "Next" to continue.
(7) In the "IP Address Assignment" step, choose how remote VPN Clients obtain IP addresses. The default is "Automatically"; because no DHCP server is configured on this machine, select "From a specified range of addresses" and click "Next" to continue.
(8) In the "Address Range Assignment" step, specify the range of IP addresses to hand out to VPN Clients. For example, to allocate "192.168.0.100" to "192.168.0.200", click "New" to open the "New Address Range" window, fill it in as prompted, click "OK" to return to the address range step, and click "Next" to continue.
Note: these addresses are assigned to the VPN Server and to the VPN Clients. For the VPN network to communicate with the VPN Server's existing LAN, they must be in the same network segment as the VPN Server's own IP address. That is, if the VPN Server's IP address is "192.168.0.1", the addresses in this range should start with "192.168.0".
(9) In the "Managing Multiple Remote Access Servers" step you can set up central management of several VPN servers. The default is "No, I don't want to set up this server to use RADIUS now"; leave it unchanged and click "Next" to continue.
(10) The "Completing the Routing and Remote Access Server Setup Wizard" step has no options. Click "Finish" to continue.
(11) A small window titled "Starting Routing and Remote Access Service" appears; after a moment the "Routing and Remote Access" console returns (see Figure 1) and the VPN Server configuration is complete.
Note: in the "Services" console the "Routing and Remote Access" service now has startup type "Automatic" and status "Started", and an "Incoming Connections" icon appears in the "Network and Dial-up Connections" window.

Figure 1
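The note under step (8) is easy to get wrong by hand, so here is an added check (not from the original article) that validates a static RRAS address pool against the server's LAN address before you type it into the wizard. It assumes the server address is given in CIDR form and that, as the article says, the first pool address is taken by the VPN Server itself; the "192.168.0.1/24" and "192.168.0.100" to "192.168.0.200" values are the article's own example.

```python
import ipaddress


def check_vpn_pool(server_ip: str, pool_start: str, pool_end: str) -> list:
    """Validate the "specified range of addresses" for the RRAS VPN server.

    server_ip: the VPN Server's LAN address with prefix, e.g. "192.168.0.1/24"
    pool_start/pool_end: the range typed into the "New Address Range" window.
    Returns a list of problems; an empty list means the pool is usable.
    """
    iface = ipaddress.ip_interface(server_ip)
    lan = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if end < start:
        return ["pool end precedes pool start"]
    # The article's rule: the pool must lie in the server's own segment so that
    # VPN clients can reach the existing LAN without additional routing.
    if start not in lan or end not in lan:
        problems.append(f"pool {start}-{end} is outside LAN segment {lan}")
    # The server's own LAN address must never be handed to a client.
    if start <= iface.ip <= end:
        problems.append(f"pool overlaps the server address {iface.ip}")
    # Network and broadcast addresses are not assignable to hosts.
    if start == lan.network_address or end == lan.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


def usable_client_addresses(pool_start: str, pool_end: str) -> int:
    """Number of clients the pool can serve: the total size minus the one
    address RRAS reserves for the server end of the VPN link (assumption
    matching the article's note that the pool serves server and clients)."""
    size = int(ipaddress.ip_address(pool_end)) - int(ipaddress.ip_address(pool_start)) + 1
    return max(size - 1, 0)


if __name__ == "__main__":
    print(check_vpn_pool("192.168.0.1/24", "192.168.0.100", "192.168.0.200"))
    print(usable_client_addresses("192.168.0.100", "192.168.0.200"))
```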

2. Grant the user dial-in permission

By default all users, including Administrator, are denied dial-in access to the VPN Server, so you must grant dial-in permission to the relevant users. This article uses the user "water" as the example.
(1) Right-click "My Computer" and choose "Manage" to open the "Computer Management" console.
(2) In the left pane expand "Local Users and Groups" > "Users", then double-click "water" in the right pane to open the "water Properties" window.
(3) On the "Dial-in" tab, under "Remote Access Permission (Dial-in or VPN)", the default is "Control access through Remote Access Policy". Select "Allow access" and click "OK" to return to the "Computer Management" console. The user "water" now has dial-in permission.


3. Configure the VPN Client (Win2000)

The VPN Client's operating system can be Win98, WinNT 4.0, Win2000, WinXP or Win2003; the necessary components ship with the system, and the VPN Client must be connected to the Internet. I configure the VPN Client on Windows 2000 Server ("Win2000") as the example.
(1) Right-click "Network Neighbors" and select "Properties" to open the "Network and Dial-up Connections" window.
(2) Double-click "New Connection" to open the "Network Connection Wizard".
(3) The welcome step of the "Network Connection Wizard" only describes what the wizard does; there is nothing to set. Click "Next" to continue.
(4) In the "Network Connection Type" step, select the type of connection to create. The default is "Dial-up to private network"; change it to "Connect to a private network through the Internet" and click "Next" to continue.
(5) In the "Public Network" step, choose whether to dial an initial connection automatically before the VPN connection. The default is "Automatically dial this initial connection"; change it to "Do not dial the initial connection" and click "Next" to continue.
(6) In the "Destination Address" step, provide the host name or IP address of the VPN Server. Enter the VPN Server's public IP address, for example "218.88.135.48", and click "Next" to continue.
(7) In the "Connection Availability" step, choose whether the connection is available only to the currently logged-on user or to all users of this client. The default is "For all users"; choose as needed and click "Next" to continue.
(8) In the "Completing the Network Connection Wizard" step you can rename the new connection. The default name is "Virtual Private Connection"; you can leave it or change it to anything, for example "To company headquarters". Tick the "Add a shortcut to my desktop" check box and click "Finish" to continue.
(9) The "Connect To company headquarters" window opens automatically. Enter "water" in "User name" (case-insensitive), enter the matching password in "Password", tick "Save Password" if you wish, and click "Connect" to continue (see Figure 2).
Note: the user name entered here must be an account that already exists on the VPN Server and has been granted dial-in permission there; the password is that account's password.

Figure 2

(10) After the connection succeeds, two icons appear on the right of the taskbar on both computers: one for the Internet connection and one for the VPN connection (see Figure 3).

Figure 3

Note: once the two sides have established the VPN connection over the Internet, it is as if a virtual channel dedicated to the two of them had been built across the Internet; they can reach each other over the network, which is equivalent to forming another local area network. This network is dedicated to the two parties and offers excellent confidentiality. After the VPN is up, you can reach the other side by IP address or through "Network Neighbors", and of course use the hardware and software resources it shares.

Problems encountered when using the VPN network, and their solutions:

(1) After the VPN network is established, how does the VPN Client access the VPN Server and the VPN Server's LAN?
Solution: just as on an ordinary LAN, use "Network Neighbors" or type "\\<peer IP address>" (for example "\\100.100.100.3") in the address bar of any window to reach the hardware and software resources shared by the other side.

(2) After the VPN network is established, the VPN Client can no longer access the Internet. How can VPN access and Internet access coexist?
Solution: the VPN Client replaces its original default gateway with the one defined by the VPN Server, which cuts off the client's path to the Internet. The fix is to stop the VPN Client from using the default gateway on the remote network. The procedure is as follows:
On a Win2000 client, in the "Network and Dial-up Connections" window, right-click the connection (for example "To company headquarters") and choose "Properties" to open the "To company headquarters Properties" window. On the "Networking" tab, double-click "Internet Protocol (TCP/IP)" in the list to open the "Internet Protocol (TCP/IP) Properties" window, click "Advanced" to open "Advanced TCP/IP Settings", and on the "General" tab clear the "Use default gateway on remote network" check box.
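To make the routing effect behind problem (2) visible, here is an added simulation (not part of the original article) of the VPN Client's route table with the "Use default gateway on remote network" box ticked and cleared. The ISP gateway "10.0.0.1", the assigned pool address "192.168.0.101" and the Internet destination "203.0.113.10" are constructed values; the server's public address "218.88.135.48" is the article's own example.

```python
import ipaddress

# A route is (destination network, gateway label, metric).
# Windows picks the longest matching prefix, then the lowest metric.


def add_route(table, dest, gateway, metric):
    table.append((ipaddress.ip_network(dest), gateway, metric))


def lookup(table, dst):
    """Return the gateway label the client would use for destination dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def client_table(use_remote_default_gateway: bool):
    """Constructed route table of the VPN Client after the tunnel comes up.

    Before dialling the client only had a default route via its ISP. The PPP
    link then adds a route to the server's LAN (the article's 192.168.0.0/24)
    and a host route so tunnel packets to the server's public address still
    leave via the ISP. With the box ticked, Windows also adds a second default
    route through the tunnel with a better metric, which is what steals the
    client's Internet traffic.
    """
    table = []
    add_route(table, "0.0.0.0/0", "10.0.0.1 (ISP)", 20)
    add_route(table, "218.88.135.48/32", "10.0.0.1 (ISP)", 1)
    add_route(table, "192.168.0.0/24", "192.168.0.101 (VPN)", 1)
    if use_remote_default_gateway:
        add_route(table, "0.0.0.0/0", "192.168.0.101 (VPN)", 1)
    return table


if __name__ == "__main__":
    for ticked in (True, False):
        t = client_table(ticked)
        print("box ticked" if ticked else "box cleared",
              "| Internet host ->", lookup(t, "203.0.113.10"),
              "| HQ LAN host ->", lookup(t, "192.168.0.3"))
```

With the box cleared only traffic for the headquarters segment enters the tunnel and everything else keeps using the ISP gateway, which is exactly what the procedure above achieves.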

(3) After the VPN network is established, why don't the connected VPN Client and VPN Server (including the computers on the original LAN) appear in each other's "Network Neighbors"?
Solution: first make sure the VPN Client and the VPN Server use the same workgroup name; then install the NetBEUI protocol on both the VPN Server and the VPN Client (installing the IPX/SPX protocol at the same time is recommended).

(4) After a VPN network is established, how can I quickly, completely and intuitively see the computer names, IP addresses in use and shared resources of all active computers on the network?
Solution: use the IP-Tools software, available from http://www.skycn.net/soft/1123.html (1.06 MB). After downloading, run it directly to complete the installation. Start the main IP-Tools program, click the fourth button from the left on the toolbar, "NB-pilot", enter the starting IP address as prompted and click "Start" to search for the information (see Figure 5).

Figure 5


Finally, a summary of the advantages of using a VPN:

1. Lower cost: remote users log on to the Internet with an account from a local ISP and use the Internet as the channel to the enterprise's private network, which greatly cuts communication costs; the enterprise also saves the cost of buying and maintaining communication equipment.

2. Better security: a VPN secures communication with three techniques: a tunnelling protocol, authentication and data encryption. The client sends a request to the VPN Server; the VPN Server replies with an identity challenge; the client returns the encrypted response; the VPN Server checks the response against its user database and, if the account is valid, checks whether the user has remote access permission; if so, it accepts the connection. The client and server keys generated during authentication are then used to encrypt the data.

3. Support for the most common network protocols: clients on networks based on IP, IPX and NetBEUI can all use the VPN easily.

4. IP address security: VPN traffic is encrypted, so when VPN data crosses the Internet, Internet users can see only the public IP addresses, not the private network addresses carried inside the packets.
