A Virtual Private Network (VPN) lets you connect to components of one network through another network, such as the Internet. You can use a Windows 2000 Server-based computer as a remote access server so that other users connect to it over a VPN and then access shared files on your local drive or on the network. A VPN is implemented by creating a "tunnel" across the Internet or another public network; it provides the same security and functions as a private network. With a VPN, data travels over a public network connection using the Internet routing infrastructure, but to the user the data appears to be sent over a dedicated link.
This article describes how to install a virtual private network (VPN) and how to create a VPN connection in Windows 2000.
VPN Overview
A Virtual Private Network (VPN) is a way of connecting to a private network (such as your office network) through a public network (such as the Internet). It combines the advantages of a dial-up connection to a dial-up server with the convenience and flexibility of an Internet connection. By using an Internet connection, you can travel around the world and, in most places, still connect to your office through the nearest local Internet access phone number. If your computer (and your office) has a high-speed Internet connection such as cable or DSL, you can communicate with the office at full Internet speed, which is much faster than any analog modem.
A VPN uses an authenticated link to ensure that only authorized users can connect to your network, and it uses encryption to ensure that data transmitted over the Internet cannot be read by eavesdroppers. Windows uses the Point-to-Point Tunneling Protocol (PPTP) or the Layer Two Tunneling Protocol (L2TP) to provide this security.
VPN technology allows companies to connect to their branch offices or to other companies through public networks (such as the Internet) while keeping the communication secure. A VPN connection over the Internet is logically equivalent to a dedicated WAN link.
VPN Components
The VPN components in Windows 2000 are a VPN server, a VPN client, a VPN connection (the portion of the connection in which the data is encrypted), and a tunnel (the portion of the connection in which the data is encapsulated). Tunneling is done with the two tunneling protocols included in Windows 2000, both of which are installed with Routing and Remote Access:
Point-to-Point Tunneling Protocol (PPTP) uses Microsoft Point-to-Point Encryption (MPPE) to provide data encryption.
Layer Two Tunneling Protocol (L2TP) uses IPSec to provide data encryption, authentication, and integrity.
A dedicated line, such as a T1, fractional T1, or frame relay, should be used for the connection to the Internet. The WAN adapter must be configured with the IP address and subnet mask assigned to your domain or provided by your Internet service provider (ISP), and with the ISP's router as the default gateway.
Note: To enable a VPN, you must log on with an account that has administrative permissions.
How to install and enable VPN
To install and enable the VPN Server, follow these steps:
1. On the Microsoft Windows 2000 VPN computer, confirm that both the connection to the Internet and the connection to your LAN are correctly configured.
2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
3. Click the server name in the tree, and then click Configure and Enable Routing and Remote Access on the Action menu. Click Next.
4. In the Common Configurations dialog box, click Virtual private network (VPN server), and then click Next.
5. In the Remote Client Protocols dialog box, confirm that TCP/IP is included in the list, click Yes, all of the available protocols are on this list, and then click Next.
6. In the Internet Connection dialog box, select the connection that connects to the Internet, and then click Next.
7. In the IP Address Assignment dialog box, select Automatically to use the DHCP server on your subnet to assign IP addresses to dial-up clients and to the server.
8. In the Managing Multiple Remote Access Servers dialog box, confirm that the No, I don't want to set up this server to use RADIUS now check box is selected.
9. Click Next, and then click Finish.
10. Right-click the Ports node, and then click Properties.
11. In the Ports Properties dialog box, click the WAN Miniport (PPTP) device, and then click Configure.
12. In the Configure Device - WAN Miniport (PPTP) dialog box, do one of the following:
O If you do not want to support direct dial-up VPN for users through a modem installed on the server, click to clear the Demand-dial routing connections (inbound and outbound) check box.
O If you do want to support direct dial-up VPN for users through a modem installed on the server, click to select the Demand-dial routing connections (inbound and outbound) check box.
13. In the Maximum ports text box, type the maximum number of simultaneous PPTP connections that you want. (This may depend on the number of available IP addresses.)
14. Repeat steps 11 through 13 for the L2TP device, and then click OK.
How to configure a VPN Server
To configure the VPN Server as needed, follow these steps.
Configure the remote access server as a router
For the remote access server to forward traffic correctly within your network, you must configure it as a router, either with static routes or with a routing protocol, so that the remote access server can reach every location on the intranet.
To configure the server as a router, perform the following steps:
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click the server name, and then click Properties.
3. On the General tab, click Enable this computer as a router.
4. Select either LAN routing only or LAN and demand-dial routing. Click OK to close the Properties dialog box.
How to configure the PPTP port
Confirm the number of PPTP ports you need. To check the number of ports or to add ports, follow these steps:
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the console tree, expand Routing and Remote Access, expand the server name, and then click Ports.
3. Right-click Ports, and then click Properties.
4. In the Ports Properties dialog box, click WAN Miniport (PPTP), and then click Configure.
5. In the Configure Device dialog box, select the maximum number of ports for the device, and then select the option that specifies whether the device accepts only inbound connections or both inbound and outbound connections.
How to manage address and name servers
The VPN server must have IP addresses available to assign to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address assigned to a VPN client is actually assigned to the VPN client's virtual interface.
For a Windows 2000-based VPN server, the IP addresses assigned to VPN clients are obtained through DHCP by default. You can also configure a static IP address pool. The VPN server must also be configured with the addresses of name resolution servers (typically DNS and WINS servers) to assign to VPN clients during IPCP negotiation.
How to manage access
Configure the dial-in properties on user accounts and configure remote access policies to manage access for dial-up networking and VPN connections.
Note: By default, dial-in access is denied.
Access by user account
If you are managing remote access on a per-user basis, click Allow access on the Dial-in tab in the Properties dialog box of the account of each user who is allowed to create VPN connections. If the VPN server allows only VPN connections, delete the default remote access policy called "Allow access if dial-in permission is enabled". Then create a new remote access policy and give it a descriptive name, for example, "Allow VPN access by user account". For more information, see Windows 2000 Help.
Note: After the default policy is deleted, a dial-up client that does not match your new policy is denied access.
If the VPN server also provides dial-up remote access, do not delete the default policy; instead, move it so that it is the last policy to be evaluated.
Access by group membership
If you are managing remote access by group, click Control access through Remote Access Policy on all user accounts. Create a Windows 2000 group whose members are the users allowed to create VPN connections. If the VPN server allows only VPN connections, delete the default remote access policy named "Allow access if dial-in permission is enabled". Next, create a new remote access policy and give it a descriptive name, for example, "Allow VPN access if member of VPN-Allowed group", and then assign the Windows 2000 group to this policy.
If the VPN server also provides dial-up remote access, do not delete the default policy; instead, move it so that it is the last policy to be evaluated.
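The following is an added example, not part of the original article, that models the access decision described in the two sections above: policies are evaluated in order, the first policy whose conditions match decides, and no match means the connection is refused. The policy names, the sample accounts, the group name and the use of a connection-type condition to distinguish VPN from dial-up are assumptions made for the illustration.

```python
# Added example (not from the article): a model of how a Windows 2000
# remote access server decides whether to accept a VPN or dial-up
# connection from the account's dial-in setting and the ordered list
# of remote access policies. Accounts and policies are constructed.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    port_types: frozenset             # condition: which connection types match
    groups: frozenset = frozenset()   # condition: empty means no group check
    grant: bool = False               # used only when the account says "policy"

@dataclass
class Account:
    name: str
    dialin: str                       # "allow", "deny" or "policy"
    groups: frozenset = frozenset()

def evaluate(account, port_type, policies):
    """First policy whose conditions match decides; no match -> denied."""
    for pol in policies:
        if port_type not in pol.port_types:
            continue
        if pol.groups and not (account.groups & pol.groups):
            continue
        if account.dialin == "allow":
            return True, pol.name
        if account.dialin == "deny":
            return False, pol.name
        return pol.grant, pol.name    # "policy": the policy's permission decides
    return False, "no matching policy"

# The default policy matches every connection and is set to Deny, so an
# account under policy control is refused unless an earlier policy grants
# it; an account set to Allow access is admitted by any matching policy.
DEFAULT = Policy("Allow access if dial-in permission is enabled",
                 frozenset({"vpn", "dialup"}))
BY_USER = Policy("Allow VPN access by user account", frozenset({"vpn"}))
BY_GROUP = Policy("Allow VPN access if member of VPN-Allowed group",
                  frozenset({"vpn"}), groups=frozenset({"VPN-Allowed"}), grant=True)

alice = Account("alice", "allow")                          # managed per user
bob = Account("bob", "policy", frozenset({"VPN-Allowed"}))  # managed by group
carol = Account("carol", "policy")                         # not in the group

if __name__ == "__main__":
    print(evaluate(alice, "dialup", [BY_USER]))          # default deleted: denied
    print(evaluate(alice, "dialup", [BY_USER, DEFAULT])) # default kept last: allowed
    print(evaluate(bob, "vpn", [DEFAULT, BY_GROUP]))     # default first: denied
```

Running the three calls at the bottom shows why the article tells you to delete the default policy on a VPN-only server, but to keep it and move it last when the server also accepts dial-up clients.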
How to configure a VPN connection from a client computer
To set up a VPN connection, follow these steps:
1. On the client computer, confirm that the connection to the Internet is correctly configured.
2. Click Start, point to Settings, and then click Network and Dial-up Connections.
3. Double-click Make New Connection.
4. Click Next, click Connect to a private network through the Internet, and then click Next.
5. Do one of the following:
O If you use a dial-up connection to connect to the Internet, click Automatically dial this initial connection, and then select your dial-up Internet connection from the list.
O If you use a full-time connection (such as a cable modem), click Do not dial the initial connection.
6. Click Next.
7. Type the host name (for example, Microsoft.com) or the IP address (for example, 123.123.123.123) of the computer that you want to connect to, and then click Next.
8. If you want this connection to be available to anyone who logs on to this computer, click For all users. If you want the connection to be available only when you log on, click Only for myself. Click Next.
9. Type a descriptive name for the connection, and then click Finish.
Note: This option is available only when you are logged on as a member of the Administrators group.
10. Click Start, point to Settings, and then click Network and Dial-up Connections.
11. Double-click the new connection.
12. Click Properties to configure further connection options:
O If you are connecting to a domain, click the Options tab, and then select the Include Windows logon domain check box to specify whether Windows 2000 domain information is requested before the connection is attempted.
O If you want the connection to be redialed after it is dropped, click the Options tab, and then select the Redial if line is dropped check box.
To use the connection, follow these steps:
1. Click Start, point to Settings, and then click Network and Dial-up Connections.
2. Double-click the new connection.
3. If you are not already connected to the Internet, Windows prompts you to connect.
4. After the Internet connection is established, the VPN server prompts you for your user name and password. Type your user name and password, and then click Connect to use your network resources.
Note: To disconnect from the VPN, right-click the connection icon, and then click Disconnect.