PPTP-based router-to-router VPN deployment
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To create a PPTP-based router-to-router VPN connection to send private data across the Internet, you must perform the following:
Configure the router running a Windows Server 2003 operating system at the corporate office to receive PPTP connections from a branch office router.
Configure the router running a Windows Server 2003 operating system at the branch office to initiate a PPTP connection with the corporate office router.
Initiate the PPTP connection from the branch office router.
Note
- These steps assume that the PPTP-based router-to-router VPN connection is between a corporate office and a branch office. However, you can also apply these steps to the VPN connection between two corporate offices.
Configuring the corporate office router
If you want your router running a Windows Server 2003 operating system in the corporate office to support multiple branch office PPTP connections, complete the following steps:
Configure the connection to the Internet.
Configure the connection to the intranet.
Configure the corporate router.
Configure demand-dial interfaces.
Configure firewall packet filters.
Configure remote access policies.
The following illustration shows the elements of a PPTP-based router-to-router VPN connection on a computer running a Windows Server 2003 operating system.
For more information, see Router-to-router VPN connection and Point-to-Point Tunneling Protocol.
Note
- To simplify configuration, the branch office router always initiates the PPTP connection.
Configuring the connection to the Internet
The connection to the Internet is a dedicated connection: a WAN adapter that is installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, or Frame Relay adapter. You must contract with a local telephone company to run the appropriate physical wiring to your premises. You need to verify that the WAN adapter is compatible with products in the Windows Server 2003 family. To verify compatibility, see the Compatible Hardware and Software section at Support resources.
The WAN adapter includes drivers that are installed in Windows Server 2003 operating systems so that the adapter appears as a network adapter.
You need to configure the following TCP/IP settings on the WAN adapter:
IP address and subnet mask assigned from the InterNIC or an Internet service provider (ISP).
Default gateway of the ISP router.
Configuring the connection to the intranet
The connection to the intranet is a LAN adapter that is installed in the computer. You need to verify that the LAN adapter is compatible with products in the Windows Server 2003 family. To verify compatibility, see the Compatible Hardware and Software section at Support resources.
You need to configure the following TCP/IP settings on the LAN adapter:
IP address and subnet mask assigned from the network administrator.
DNS and WINS name servers of corporate intranet name servers.
Because the corporate router will route traffic between the corporate office and the branch office, you must configure the corporate router with either static routes or with routing protocols so that all of the destinations on the corporate network are reachable from the corporate router.
Configuring the corporate router
You need to enable the corporate router by installing the Routing and Remote Access service. For more information, see Enable the Routing and Remote Access service.
Configuring demand-dial interfaces
For each branch office router, you can create a demand-dial interface by using the Demand-Dial Interface Wizard. In the wizard, configure the following:
Interface Name
The name of the interface that represents the connection to the branch office. For example, for a router in the New York branch office, type NewYorkRouter.
Connection Type
Click Connect using virtual private networking (VPN).
VPN Type
Click Point-to-Point Tunneling Protocol (PPTP).
Destination Address
Because the corporate router will not initiate the VPN connection, no phone number or address is required.
Protocols and Security
Select the Add a user account so a remote router can dial in check box.
Configuring static routes
You need to add static routes so that traffic to the branch office is forwarded by using the appropriate demand-dial interface. For each route of each branch office, configure the interface, destination, network mask, and metric. For the interface, you need to select the demand-dial interface that corresponds to the branch office.
For example, the route that corresponds to the New York branch office is 192.168.25.0 with a subnet mask of 255.255.255.0. This route becomes the static route with the following configuration:
Interface: NewYorkRouter
Destination: 192.168.25.0
Network mask: 255.255.255.0
Metric: 1
Dial-out Credentials
Because the corporate router will not initiate the VPN connection, type in any name, domain, and password.
Dial-in Credentials
Type the domain and password for the account that will be used to authenticate the branch office router. The Demand-Dial Interface Wizard automatically creates the account and sets its remote access permission to Allow access. The name of the account is the same as the name of the demand-dial interface. For example, for the New York branch office router, the name of the account is NewYorkRouter.
Note
- Because the PPTP connection is a point-to-point connection, the Gateway IP address is not configurable.
For more information, see Add a static route.
Configuring firewall packet filters
If you are using a firewall in the corporate office, you need to configure PPTP packet filters on your firewall to allow PPTP traffic between the branch office routers and the corporate office router. For more information, see VPN servers and firewall configuration.
Configuring remote access policies
When you create a demand-dial interface with the Demand-Dial Interface Wizard, the dial-in properties of the user accounts that are used by branch office routers are already set to allow remote access.
If you want to grant remote access to the PPTP-based branch office routers based on group membership, do the following:
For a stand-alone router that is not a member of a domain, use Local Users and Groups and set dial-in properties to Allow access for all users.
For a directory services-based router, use Active Directory Users and Computers and set dial-in properties to Control access through Remote Access Policy for all users.
Create an Active Directory group whose members can create virtual private networking connections with the VPN server. For example, BranchOfficeRouters.
Add the appropriate user accounts that correspond to the accounts that are used by the branch office routers to the Active Directory group.
Create a new remote access policy with the following properties:
Set Policy name to VPN Access if member of BranchOfficeRouters (example).
Set the Windows-Groups condition to BranchOfficeRouters (example).
Set the NAS-Port-Type condition to Virtual (VPN).
Set the Tunnel-Type condition to Point-to-Point Tunneling Protocol.
Select the Grant remote access permission option.
If this computer is only used to provide router-to-router VPN connections, you need to delete the default remote access policies. Otherwise, move the default remote access policy so that it is evaluated last.
For encryption, the default setting allows no encryption and all levels of encryption strength. To require encryption, clear the No Encryption option and select the appropriate encryption strengths on the Encryption tab of the remote access policy profile that is used by your calling routers.
For more information, see Configure encryption.
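The policy procedure above has three moving parts that are easy to get wrong in the console: policies are evaluated in order and the first one whose conditions all match decides, the account's dial-in property can override the policy's permission, and the matched policy's profile (here, the encryption strengths left enabled on the Encryption tab) is still enforced. The following Python model, added here as an illustration and not Microsoft's code, replays that evaluation for the BranchOfficeRouters policy from the text. The default policy at the end of the list, the negotiated encryption levels, and the connection attempts are constructed for the example; the condition names and values are the ones the text gives.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Attribute values as they appear in the remote access policy condition editor.
VPN_PORT = "Virtual (VPN)"
PPTP = "Point-to-Point Tunneling Protocol"


@dataclass(frozen=True)
class Attempt:
    """What the router knows about one incoming connection attempt."""
    account: str
    groups: FrozenSet[str]      # Windows groups the account belongs to
    nas_port_type: str          # e.g. "Virtual (VPN)" or "Async (Modem)"
    tunnel_type: str            # e.g. "Point-to-Point Tunneling Protocol"
    encryption: str             # negotiated MPPE level: "none", "basic", "strong", "strongest"
    dial_in: str                # the account's dial-in property


@dataclass
class Policy:
    name: str
    conditions: Dict[str, str]
    grant: bool                          # Grant vs. Deny remote access permission
    allowed_encryption: FrozenSet[str]   # what is left enabled on the profile's Encryption tab

    def matches(self, a: Attempt) -> bool:
        """Every condition must hold for the policy to apply."""
        checks = {
            "Windows-Groups": lambda v: v in a.groups,
            "NAS-Port-Type": lambda v: v == a.nas_port_type,
            "Tunnel-Type": lambda v: v == a.tunnel_type,
        }
        return all(attr in checks and checks[attr](value)
                   for attr, value in self.conditions.items())


def evaluate(policies: List[Policy], a: Attempt) -> Tuple[str, Optional[str]]:
    """Policies are tried in order; the first whose conditions match decides.
    An explicit Allow/Deny on the account overrides the policy's permission,
    but the matched policy's profile constraints still apply. No match: reject."""
    for p in policies:
        if not p.matches(a):
            continue
        if a.dial_in == "Allow access":
            permitted = True
        elif a.dial_in == "Deny access":
            permitted = False
        else:  # "Control access through Remote Access Policy"
            permitted = p.grant
        if not permitted or a.encryption not in p.allowed_encryption:
            return ("reject", p.name)
        return ("accept", p.name)
    return ("reject", None)


def branch_router_policies() -> List[Policy]:
    """The page's policy with No Encryption cleared (only Strong and Strongest
    MPPE accepted), followed by a constructed catch-all default policy placed last."""
    return [
        Policy("VPN Access if member of BranchOfficeRouters",
               {"Windows-Groups": "BranchOfficeRouters",
                "NAS-Port-Type": VPN_PORT,
                "Tunnel-Type": PPTP},
               grant=True,
               allowed_encryption=frozenset({"strong", "strongest"})),
        Policy("Default policy (constructed)", {}, grant=False,
               allowed_encryption=frozenset({"none", "basic", "strong", "strongest"})),
    ]


# Constructed connection attempts using the NewYorkRouter account from the text.
CTRL = "Control access through Remote Access Policy"
MEMBER = frozenset({"BranchOfficeRouters"})
ATTEMPTS = {
    "pptp, member, 128-bit": Attempt("NewYorkRouter", MEMBER, VPN_PORT, PPTP, "strongest", CTRL),
    "pptp, member, no encryption": Attempt("NewYorkRouter", MEMBER, VPN_PORT, PPTP, "none", CTRL),
    "pptp, not a member": Attempt("NewYorkRouter", frozenset(), VPN_PORT, PPTP, "strongest", CTRL),
    "dial-up modem, member": Attempt("NewYorkRouter", MEMBER, "Async (Modem)", "", "strongest", CTRL),
}


if __name__ == "__main__":
    policies = branch_router_policies()
    for label, attempt in ATTEMPTS.items():
        print(f"{label:30} -> {evaluate(policies, attempt)}")
```

Running the model shows why the text tells you to move the default policy last: a branch router that is not in the group, or that arrives over a modem port, falls through to the default policy and is rejected there, while a group member that negotiates no encryption matches the VPN policy but is rejected by its profile. Removing the default policy altogether, as the text allows for a router dedicated to router-to-router connections, makes the no-match case a rejection with no policy name at all.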
Configuring the branch office router
If you want your router running a Windows Server 2003 operating system in the branch office to initiate a PPTP connection with the corporate office router, complete the following steps:
Configure the connection to the Internet.
Configure the connection to the branch office network.
Configure a demand-dial interface.
Configure static routes.
Configure firewall packet filters.
Note
- To simplify this configuration, the branch office router always initiates the PPTP connection.
Configuring the connection to the Internet
The connection to the Internet is a dedicated connection: a WAN adapter that is installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, or Frame Relay adapter. You must contract with a local telephone company to run the appropriate physical wiring to your premises. You need to verify that the WAN adapter is compatible with the server operating systems. To verify compatibility, see the Compatible Hardware and Software section at Support resources.
The WAN adapter includes drivers that are installed in Windows Server 2003 operating systems so that the adapter appears as a network adapter.
You need to configure the following TCP/IP settings on the WAN adapter:
IP address and subnet mask assigned from the InterNIC or an Internet service provider (ISP).
Default gateway of the ISP router.
Configuring the connection to the branch office network
The connection to the branch office network is a LAN adapter that is installed in the computer. You need to verify that the LAN adapter is compatible with products in the Windows Server 2003 family. To verify compatibility, see the Compatible Hardware and Software section at Support resources.
You need to configure the following TCP/IP settings on the LAN adapter:
IP address and subnet mask assigned from the network administrator.
DNS and WINS name servers of branch office name servers.
Configuring a demand-dial interface
You can create a demand-dial interface by using the Demand-Dial Interface Wizard. In the wizard, configure the following:
Interface Name
Type the name of the interface that represents the connection to the corporate office. For example, type CorpOffice.
Connection Type
Click Connect using virtual private networking (VPN).
VPN Type
Click Point-to-Point Tunneling Protocol (PPTP).
Destination Address
Type the IP address or host name that is assigned to the Internet interface of the router at the corporate office. If you enter a host name, verify that the host name resolves to the proper IP address.
Dial-out Credentials
Type the name, domain name, and password of the user account that corresponds to this branch office router. The credentials are the same as those entered on the Dial-In Credentials page of the Demand-Dial Interface Wizard when the demand-dial interface for this branch office was created on the corporate router (that wizard created the account with the same name as the interface).
Configuring static routes
You need to add static routes so that traffic to the corporate office is forwarded by using the appropriate demand-dial interface. For each route of the corporate office, configure the interface, destination, network mask, and metric. For the interface, select the demand-dial interface that corresponds to the corporate office previously created.
For example, the route that corresponds to the corporate office is 10.0.0.0 with a subnet mask of 255.0.0.0. This route becomes a static route with the following configuration:
Interface: CorpOffice
Destination: 10.0.0.0
Network mask: 255.0.0.0
Metric: 1
Note
- Because the PPTP connection is a point-to-point connection, the Gateway IP address is not configurable.
For more information, see Add a static route.
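The two static-route sections (the NewYorkRouter route on the corporate router and the CorpOffice route on the branch router) both come down to the same forwarding decision: the router picks the route with the longest matching prefix, breaking ties on the metric, and the demand-dial interface named in that route is what brings the tunnel up. The Python below, added here as an illustration and not part of the page or of Routing and Remote Access, reproduces that decision over both route tables and also validates routes the way the console would reject them. The ChicagoRouter route, the Internet default routes, and the test addresses are constructed; the NewYorkRouter and CorpOffice routes are the ones from the text.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class StaticRoute(NamedTuple):
    """One static route as entered in Routing and Remote Access."""
    interface: str        # demand-dial (or LAN/WAN) interface name
    destination: str      # network address, dotted decimal
    network_mask: str     # subnet mask, dotted decimal
    metric: int


def route_network(route: StaticRoute) -> ipaddress.IPv4Network:
    """Combine destination and mask. strict=True rejects a destination with
    host bits set; malformed text such as '10.0.00' raises as well."""
    return ipaddress.IPv4Network(f"{route.destination}/{route.network_mask}", strict=True)


def validate_routes(routes: List[StaticRoute]) -> List[str]:
    """Return one message per route that would not be accepted as a network route."""
    problems = []
    for r in routes:
        try:
            route_network(r)
        except ValueError as exc:
            problems.append(f"{r.interface}: {exc}")
    return problems


def select_interface(routes: List[StaticRoute], dst_ip: str) -> Optional[str]:
    """Forwarding decision: the longest matching prefix wins and ties go to the
    lowest metric. Returns the interface name, or None if no route covers dst_ip."""
    ip = ipaddress.IPv4Address(dst_ip)
    best_key = None
    best_iface = None
    for r in routes:
        net = route_network(r)
        if ip in net:
            key = (net.prefixlen, -r.metric)   # longer prefix first, then lower metric
            if best_key is None or key > best_key:
                best_key, best_iface = key, r.interface
    return best_iface


# Corporate router table. The NewYorkRouter entry is the page's example; the
# ChicagoRouter and Internet entries are constructed for illustration.
CORPORATE_ROUTES = [
    StaticRoute("NewYorkRouter", "192.168.25.0", "255.255.255.0", 1),
    StaticRoute("ChicagoRouter", "192.168.26.0", "255.255.255.0", 1),
    StaticRoute("Internet", "0.0.0.0", "0.0.0.0", 10),
]

# Branch router table: the page's CorpOffice route plus a constructed default route.
BRANCH_ROUTES = [
    StaticRoute("CorpOffice", "10.0.0.0", "255.0.0.0", 1),
    StaticRoute("Internet", "0.0.0.0", "0.0.0.0", 10),
]

# Two constructed mistakes the validator catches: a mistyped destination and
# a destination that is a host address rather than a network address.
BAD_ROUTES = [
    StaticRoute("CorpOffice", "10.0.00", "255.0.0.0", 1),
    StaticRoute("NewYorkRouter", "192.168.25.5", "255.255.255.0", 1),
]


if __name__ == "__main__":
    for ip in ("192.168.25.7", "192.168.26.3", "192.0.2.10"):
        print("corporate", ip, "->", select_interface(CORPORATE_ROUTES, ip))
    print("branch 10.20.30.40 ->", select_interface(BRANCH_ROUTES, "10.20.30.40"))
    for msg in validate_routes(BAD_ROUTES):
        print("invalid route:", msg)
```

The check in validate_routes is worth running against a route list before typing it into the wizard: a destination with host bits set, or a typo in the dotted-decimal form, is exactly the kind of entry that makes traffic for a branch fall through to the default route instead of bringing up the demand-dial interface.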
Configuring firewall packet filters
If you are using a firewall in the branch office, you need to configure PPTP packet filters on your firewall to allow PPTP traffic between the corporate office router and the branch office router. For more information, see VPN servers and firewall configuration.
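Both firewall sections (corporate office and branch office) say "PPTP packet filters" without spelling out what those are. A PPTP tunnel needs two things through the firewall: the control connection on TCP port 1723, and the tunneled data, which travels in GRE (IP protocol 47) rather than in TCP or UDP. The usual failure is a filter set that allows TCP 1723 and nothing else, so the tunnel negotiates and then carries no traffic. The Python below, added here as an illustration and not Microsoft's code or a real firewall's rule syntax, models a minimal default-deny filter set for the deployment in this text, where the branch router always initiates, and probes it with the packets the tunnel needs. The router addresses are constructed from the RFC 5737 documentation ranges; the port and protocol numbers are PPTP's.

```python
from dataclasses import dataclass
from typing import List, Optional

PPTP_TCP_PORT = 1723   # PPTP control connection; tunneled data is GRE (IP protocol 47)

# Constructed public addresses (RFC 5737 documentation ranges), not taken from the page.
CORP_ROUTER = "198.51.100.1"    # corporate router's Internet interface
BRANCH_ROUTER = "203.0.113.1"   # branch office router's Internet interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "gre"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: Optional[str] = None   # None means "any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
                 (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """First matching rule decides; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def pptp_filters(corp: str, branch: str) -> List[Rule]:
    """Filters for a tunnel the branch router always initiates: the control
    connection inbound to TCP 1723 on the corporate router, its replies, and
    GRE in both directions. Nothing else is opened."""
    return [
        Rule("allow", src=branch, dst=corp, proto="tcp", dport=PPTP_TCP_PORT),
        Rule("allow", src=corp, dst=branch, proto="tcp", sport=PPTP_TCP_PORT),
        Rule("allow", src=branch, dst=corp, proto="gre"),
        Rule("allow", src=corp, dst=branch, proto="gre"),
    ]


def check_pptp_filters(rules: List[Rule], corp: str, branch: str) -> List[str]:
    """Probe a rule set with the packets a PPTP tunnel needs and report which
    are blocked. An empty list means the tunnel can be established and carry data."""
    probes = [
        ("control connection to corporate router", Packet(branch, corp, "tcp", 49152, PPTP_TCP_PORT)),
        ("control connection replies", Packet(corp, branch, "tcp", PPTP_TCP_PORT, 49152)),
        ("GRE data from branch", Packet(branch, corp, "gre")),
        ("GRE data from corporate", Packet(corp, branch, "gre")),
    ]
    return [name for name, pkt in probes if evaluate(rules, pkt) != "allow"]


if __name__ == "__main__":
    good = pptp_filters(CORP_ROUTER, BRANCH_ROUTER)
    tcp_only = good[:2]   # constructed misconfiguration: the GRE filters were forgotten
    print("complete filters block:", check_pptp_filters(good, CORP_ROUTER, BRANCH_ROUTER))
    print("TCP-only filters block:", check_pptp_filters(tcp_only, CORP_ROUTER, BRANCH_ROUTER))
    stray = Packet("192.0.2.99", CORP_ROUTER, "tcp", 40000, 445)   # constructed unrelated inbound traffic
    print("unrelated inbound SMB:", evaluate(good, stray))
```

The same four probes apply on the branch office firewall with the directions unchanged, since the filters are written in terms of the two router addresses. Restricting the TCP 1723 and GRE filters to the peer router's address, as the model does, keeps the corporate router's Internet interface closed to everything except the branch routers that are supposed to reach it.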
Initiating the PPTP router-to-router VPN connection
To test the connection from the branch office router to the corporate router, in Routing and Remote Access, right-click the demand-dial interface that connects to the corporate office, and then click Connect.
For information about troubleshooting a router-to-router VPN, see Troubleshooting router-to-router VPNs.