Virtual private network test lab tasks
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks are designed to take you through the most common elements of setting up VPN support with the Windows Server 2003 family:
PPTP-based remote access
L2TP/IPSec remote access
RADIUS authentication and accounting
Remote access policies for both PPTP and L2TP connections
Note: The following instructions are for configuring a test lab using a minimum number of computers. Separate computers are used so that the services on the network are isolated and the desired functionality is clearly visible. This configuration is not designed to reflect best practices or a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
PPTP-based remote access
To create a PPTP-based remote access VPN connection between CLIENT1 and VPN1 and test whether intranet resources are available, perform the following steps:
1. Create a user account.
On DC1, use Active Directory Users and Computers to create a user account called PPTPUser and set the password. For more information, see Create a new computer account.
Set the remote access permission on the Dial-in tab to Allow access. For more information, see Configure remote access permission for a user.
2. Create the PPTP connection.
On CLIENT1, use the New Connection Wizard to create a new PPTP-based connection named PPTPtoCorpnet, using the IP address of 10.0.0.2. For more information, see Make a virtual private network (VPN) connection.
Obtain properties on the newly created PPTPtoCorpnet connection, and click the Networking tab.
Under Type of VPN server I am calling, select PPTP VPN, and click OK.
3. Make the PPTP connection.
On CLIENT1, double-click the PPTPtoCorpnet connection.
When prompted for credentials, type PPTPUser as the user name, testlab.microsoft.com as the domain name, and the password.
4. Access Web server and file share on the intranet.
On CLIENT1, run your Web browser.
When prompted by the Internet Connection Wizard, configure it for a LAN connection. In your Web browser, type https://IIS1.testlab.microsoft.com/wnetStndS_v_s_rgb.gif.
You should see a Windows Server 2003, Standard Edition, graphic.
On CLIENT1, click Start, click Run, type \\IIS1\ROOT, and then click OK.
You should see the contents of the Local Drive (C:) on IIS1.
5. Disconnect the PPTP connection.
- On CLIENT1, right-click the PPTPtoCorpnet connection, and then click Disconnect.
L2TP/IPSec remote access
To create an L2TP/IPSec remote access VPN connection between CLIENT1 and VPN1 and test whether intranet resources are available, perform the following steps:
1. Create a user account.
On DC1, use Active Directory Users and Computers to create a user account called L2TPUser, and set the password. For more information, see Create a new computer account.
Set the remote access permission on the Dial-in tab to Allow access. For more information, see Configure remote access permission for a user.
2. Create the L2TP connection.
On CLIENT1, use the New Connection Wizard to create a new L2TP/IPSec connection named L2TPtoCorpnet, using the IP address of 10.0.0.2. For more information, see Make a virtual private network (VPN) connection.
Obtain properties on the newly created L2TPtoCorpnet connection, and click the Networking tab.
Under Type of VPN server I am calling, select L2TP IPSec VPN, and click OK.
3. Make the L2TP connection.
On CLIENT1, double-click the L2TPtoCorpnet connection.
When prompted for credentials, type L2TPUser as the user name, testlab.microsoft.com as the domain name, and the password.
4. Access Web server and file share on the intranet.
On CLIENT1, run your Web browser.
When prompted by the Internet Connection Wizard, configure it for a LAN connection. In your Web browser, type https://IIS1.testlab.microsoft.com/wnetStndS_v_s_rgb.gif.
You should see a Windows Server 2003, Standard Edition, graphic.
On CLIENT1, click Start, click Run, type \\IIS1\ROOT, and then click OK.
You should see the contents of the Local Drive (C:) on IIS1.
5. Disconnect the L2TP connection.
- On CLIENT1, right-click the L2TPtoCorpnet connection, and then click Disconnect.
RADIUS authentication and accounting
To configure RADIUS authentication and accounting for VPN connections, perform the following steps:
1. Configure IAS1 for VPN1 as a RADIUS client.
- On IAS1, add VPN1 as a RADIUS client with the Microsoft Client-Vendor, at the IP address of 172.16.0.4, and set the shared secret. For more information, see Add RADIUS clients.
2. Configure IAS1 to log authentication events.
- On IAS1, open the Internet Authentication Service console, expand the Remote Access Logging folder, open the properties of the Local File object, and on the Settings tab enable the logging of accounting requests and authentication requests.
3. Configure VPN1 for IAS1 as a RADIUS server.
- On VPN1, add IAS1 as a RADIUS server for both the authentication and accounting provider, at the IP address of 172.16.0.2, and set the shared secret. For more information, see Use RADIUS authentication and Use RADIUS accounting.
4. Make a PPTP connection.
On CLIENT1, create a PPTP connection with VPN1 using the PPTPtoCorpnet connection.
Disconnect the connection. For more information, see Disconnect from a remote network.
5. Make an L2TP connection.
On CLIENT1, create an L2TP connection with VPN1 using the L2TPtoCorpnet connection.
Disconnect the connection. For more information, see Disconnect from a remote network.
6. Check the system event log for RADIUS events.
- On IAS1, use Event Viewer to view IAS events in the system event log for the PPTP and L2TP connections that were recently created using CLIENT1.
7. Check RADIUS authentication and accounting logs.
- On IAS1, use Windows Explorer to open the systemroot\System32\Logfiles\Iaslog.log file. Note the authentication and accounting entries for the PPTP and L2TP connections. For more information on the IAS log file format, see Interpreting IAS-formatted log files.
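The entries in Iaslog.log are comma-delimited IAS-format records. The script below is an added illustration written for this page, not Microsoft code and not the IAS service itself: it parses records in that layout, labels each one as an Access-Request, Access-Accept, Access-Reject or Accounting Start/Stop, and counts them per user, which is the first thing a defender does when reviewing a RADIUS server's logs (a run of rejects for one account stands out immediately). The six-field header followed by attribute-id/value pairs, and the IAS-specific attribute ids 4136 (Packet-Type) and 4142 (Reason-Code), are assumptions from the IAS format reference and should be checked against Interpreting IAS-formatted log files; the remaining ids are standard RADIUS attribute numbers. The sample records are constructed to resemble what the PPTP and L2TP connections in this lab would produce, plus one constructed rejected logon.

```python
"""Parse IAS-formatted RADIUS log records (comma-delimited) and summarise
authentication and accounting activity per user. Added example for this
page; not Microsoft code. Layout and IAS-specific ids are assumptions."""
from collections import Counter, defaultdict

# Assumed IAS-format layout: six fixed header fields, then repeating
# (attribute-id, value) pairs. Verify against the IAS log format reference.
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")

ATTR_NAMES = {
    # Standard RADIUS attribute numbers (RFC 2865, RFC 2866, RFC 2868).
    "6": "Service-Type", "7": "Framed-Protocol", "8": "Framed-IP-Address",
    "40": "Acct-Status-Type", "44": "Acct-Session-Id",
    "61": "NAS-Port-Type", "64": "Tunnel-Type",
    # IAS-specific ids; assumed from the IAS format reference, not verified here.
    "4136": "Packet-Type", "4142": "Reason-Code",
}
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept",
               "3": "Access-Reject", "4": "Accounting-Request"}
ACCT_STATUS = {"1": "Start", "2": "Stop"}          # RFC 2866 Acct-Status-Type
TUNNEL_TYPE = {"1": "PPTP", "3": "L2TP"}           # RFC 2868 Tunnel-Type


def parse_ias_line(line: str) -> dict:
    """Turn one record into a dict keyed by header name or attribute name."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError(f"malformed IAS record: {line!r}")
    rec = dict(zip(HEADER, fields))
    attrs = fields[len(HEADER):]
    for attr_id, value in zip(attrs[::2], attrs[1::2]):
        rec[ATTR_NAMES.get(attr_id, attr_id)] = value   # unknown ids keep their number
    return rec


def classify(rec: dict) -> str:
    """Event kind, e.g. 'Access-Accept' or 'Accounting-Request Start'."""
    kind = PACKET_TYPE.get(rec.get("Packet-Type", ""), "Unknown")
    if kind == "Accounting-Request":
        kind += " " + ACCT_STATUS.get(rec.get("Acct-Status-Type", ""), "?")
    return kind


def summarize(lines) -> dict:
    """Per-user counts of each event kind and the tunnel types seen.
    Many Access-Reject events for one account is the pattern to alert on."""
    out = defaultdict(lambda: {"events": Counter(), "tunnels": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        entry = out[rec["User-Name"]]
        entry["events"][classify(rec)] += 1
        if "Tunnel-Type" in rec:
            entry["tunnels"].add(TUNNEL_TYPE.get(rec["Tunnel-Type"], rec["Tunnel-Type"]))
    return dict(out)


# Constructed sample records in the assumed layout (not captured from a real IAS1):
# VPN1 (172.16.0.4) as the NAS, one PPTP and one L2TP session, one rejected logon.
SAMPLE_LOG = """\
172.16.0.4,testlab\\PPTPUser,02/19/2007,15:30:01,IAS,IAS1,6,2,7,1,61,5,64,1,4136,1
172.16.0.4,testlab\\PPTPUser,02/19/2007,15:30:01,IAS,IAS1,6,2,7,1,61,5,64,1,4136,2,4142,0
172.16.0.4,testlab\\PPTPUser,02/19/2007,15:30:02,IAS,IAS1,8,172.16.0.50,40,1,44,24,61,5,64,1,4136,4
172.16.0.4,testlab\\PPTPUser,02/19/2007,15:31:10,IAS,IAS1,8,172.16.0.50,40,2,44,24,61,5,64,1,4136,4
172.16.0.4,testlab\\L2TPUser,02/19/2007,15:32:05,IAS,IAS1,6,2,7,1,61,5,64,3,4136,1
172.16.0.4,testlab\\L2TPUser,02/19/2007,15:32:05,IAS,IAS1,6,2,7,1,61,5,64,3,4136,2,4142,0
172.16.0.4,testlab\\L2TPUser,02/19/2007,15:32:06,IAS,IAS1,8,172.16.0.51,40,1,44,25,61,5,64,3,4136,4
172.16.0.4,testlab\\L2TPUser,02/19/2007,15:33:40,IAS,IAS1,8,172.16.0.51,40,2,44,25,61,5,64,3,4136,4
172.16.0.4,testlab\\nosuchuser,02/19/2007,15:35:00,IAS,IAS1,6,2,7,1,61,5,64,1,4136,3,4142,16
"""

if __name__ == "__main__":
    for user, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(user, dict(info["events"]), sorted(info["tunnels"]))
```

Point the script at the real file with `summarize(open(r"C:\WINDOWS\System32\LogFiles\Iaslog.log"))` once the layout assumption has been confirmed against the format reference; a non-zero Reason-Code on an Access-Reject record is where to start when a test connection is refused.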
Remote access policies for both PPTP and L2TP connections
To create separate remote access policies for PPTP and L2TP connections, perform the following steps:
1. On IAS1, create a new remote access policy with the following settings:
Policy name: PPTP connections
Policy Conditions:
NAS-Port-Type matches Virtual (VPN)
Tunnel-Type matches Point-to-Point Tunneling Protocol (PPTP)
If a connection request matches the specified conditions: Grant remote access permission
Profile settings, IP tab, output packet filter:
Filter action: Deny all traffic except those listed below
Destination network, IP address: 172.16.0.1
Destination network, Subnet mask: 255.255.255.255
Protocol: Any
Profile settings, IP tab, input packet filter:
Filter action: Deny all traffic except those listed below
Source network, IP address: 172.16.0.1
Source network, Subnet mask: 255.255.255.255
Protocol: Any
2. On IAS1, create a new custom remote access policy with the following settings:
Policy name: L2TP connections
Policy Conditions:
NAS-Port-Type matches Virtual (VPN)
Tunnel-Type matches Layer Two Tunneling Protocol (L2TP)
If a connection request matches the specified conditions: Grant remote access permission
Profile settings, IP tab, output packet filter:
Filter action: Deny all traffic except those listed below
Destination network, IP address: 172.16.0.2
Destination network, Subnet mask: 255.255.255.255
Protocol: Any
Profile settings, IP tab, input packet filter:
Filter action: Deny all traffic except those listed below
Source network, IP address: 172.16.0.2
Source network, Subnet mask: 255.255.255.255
Protocol: Any
3. Make a PPTP connection and test connectivity.
On CLIENT1, make a VPN connection with VPN1 using the PPTPtoCorpnet connection.
Use the ping command to ping DC1 at its IP address of 172.16.0.1.
Use the ping command to ping IAS1 at its IP address of 172.16.0.2. This command fails because packet filtering for all connections that match the PPTP connections policy allows only traffic sent to and from the IP address of 172.16.0.1.
Disconnect the PPTPtoCorpnet connection.
4. Make an L2TP connection and test connectivity.
On CLIENT1, make a VPN connection with VPN1 using the L2TPtoCorpnet connection.
Use the ping command to ping IAS1 at its IP address of 172.16.0.2.
Use the ping command to ping DC1 at its IP address of 172.16.0.1. This command fails because packet filtering for all connections that match the L2TP connections policy allows only traffic sent to and from the IP address of 172.16.0.2.
Disconnect the L2TPtoCorpnet connection.
5. Check the system event log for IAS events.
- On IAS1, use Event Viewer to view the IAS events in the system event log for the PPTP and L2TP connections that were recently created by CLIENT1. Note that the authentication event message text contains the name of the remote access policy that accepted the connection.
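To make the outcome of steps 3 and 4 concrete, the script below is an added model written for this page (not Microsoft code and not the IAS policy engine): it encodes the two remote access policies above as ordered condition sets with their "deny all except" packet filters, selects the first policy whose conditions match a connection request, and then works out whether a ping from CLIENT1 to a given intranet host can complete. The RADIUS attribute values behind the conditions (NAS-Port-Type 5 = Virtual, Tunnel-Type 1 = PPTP, 3 = L2TP) are the standard ones from RFC 2865 and RFC 2868; the policy and filter classes, `select_policy`, `ping_succeeds` and `lab_check` are names invented for this example. A ping needs both directions open, so the filter that names a destination must permit the echo request and the filter that names a source must permit the echo reply, which is why only the single listed host answers under each policy.

```python
"""Model of the lab's two remote access policies and the effect of their
IP packet filters on a ping from CLIENT1. Added example for this page;
not Microsoft code. Class and function names are invented here."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Standard RADIUS attribute values behind the policy conditions
# (RFC 2865 NAS-Port-Type, RFC 2868 Tunnel-Type).
NAS_PORT_TYPE_VIRTUAL = 5
TUNNEL_TYPE_PPTP = 1
TUNNEL_TYPE_L2TP = 3


def host(ip: str) -> IPv4Network:
    """A 'network' entry with subnet mask 255.255.255.255, i.e. one host."""
    return IPv4Network(f"{ip}/255.255.255.255")


@dataclass
class PacketFilter:
    """'Deny all traffic except those listed below': only `allowed` networks pass."""
    allowed: list

    def permits(self, addr: str) -> bool:
        a = IPv4Address(addr)
        return any(a in net for net in self.allowed)


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: dict              # RADIUS attribute -> required value
    output_filter: PacketFilter   # its rule names the packet's destination address
    input_filter: PacketFilter    # its rule names the packet's source address

    def matches(self, request: dict) -> bool:
        # Every condition must match; a missing attribute never matches.
        return all(request.get(attr) == val for attr, val in self.conditions.items())


POLICIES = [
    RemoteAccessPolicy(
        name="PPTP connections",
        conditions={"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL, "Tunnel-Type": TUNNEL_TYPE_PPTP},
        output_filter=PacketFilter([host("172.16.0.1")]),
        input_filter=PacketFilter([host("172.16.0.1")]),
    ),
    RemoteAccessPolicy(
        name="L2TP connections",
        conditions={"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL, "Tunnel-Type": TUNNEL_TYPE_L2TP},
        output_filter=PacketFilter([host("172.16.0.2")]),
        input_filter=PacketFilter([host("172.16.0.2")]),
    ),
]


def select_policy(request: dict):
    """Policies are evaluated in order; the first one whose conditions all match applies."""
    for policy in POLICIES:
        if policy.matches(request):
            return policy
    return None   # no policy matched: the connection request is rejected


def ping_succeeds(policy: RemoteAccessPolicy, target: str) -> bool:
    """Echo request (destination = target) must pass the destination-keyed filter and
    the echo reply (source = target) must pass the source-keyed filter."""
    return policy.output_filter.permits(target) and policy.input_filter.permits(target)


def lab_check(tunnel_type: int, target: str) -> bool:
    """Outcome of 'ping <target>' from CLIENT1 over a VPN connection of the given type."""
    request = {"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL, "Tunnel-Type": tunnel_type}
    policy = select_policy(request)
    return policy is not None and ping_succeeds(policy, target)


if __name__ == "__main__":
    for label, ttype in (("PPTP", TUNNEL_TYPE_PPTP), ("L2TP", TUNNEL_TYPE_L2TP)):
        for target in ("172.16.0.1", "172.16.0.2"):
            verdict = "reply" if lab_check(ttype, target) else "request timed out"
            print(f"{label} connection, ping {target}: {verdict}")
```

The `select_policy` walk is also why policy order matters on a real IAS server: a broader policy placed above these two would capture both tunnel types and their filters would never be applied.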