L2TP-based remote access VPN deployment
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use remote access with products in the Windows Server 2003 family to provide access to a corporate intranet for remote access clients who are making Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPSec) connections across the Internet. If you want your remote access server to support multiple L2TP/IPSec connections, complete the following steps:
Configure the connection to the Internet.
Configure the connection to the intranet.
Configure the remote access server as a corporate intranet router.
Configure the VPN server.
Install certificates.
Configure firewall packet filters.
Configure remote access policies.
The following illustration shows the elements of a remote access server running Windows Server 2003 that provides L2TP/IPSec remote access to a corporate intranet.
For more information, see Remote access VPN connection and Layer Two Tunneling Protocol.
Notes
The following configuration assumes that computer certificates, also known as machine certificates, are already installed on the VPN server and remote access client computers. For more information, see Computer certificates for L2TP/IPSec VPN connections and Network access authentication and certificates.
On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.
Configuring the connection to the Internet
The connection to the Internet from a computer running a Windows Server 2003 family operating system is a dedicated connection, that is, a WAN adapter installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, or Frame Relay adapter. You must contract with a local telephone company to run the appropriate physical wiring to your premises. You need to verify that the WAN adapter is compatible with products in the Windows Server 2003 family. To verify compatibility, see the Compatible Hardware and Software section at Support resources.
The WAN adapter includes drivers that are installed in members of the Windows Server 2003 family so that the WAN adapter appears as a network adapter.
You need to configure the following TCP/IP settings on the WAN adapter:
IP address and subnet mask assigned from the InterNIC or an Internet service provider (ISP).
Default gateway of the ISP router.
To enable VPN clients to connect to your VPN server by name rather than by IP address, request that your ISP register your VPN server in DNS.
Configuring the connection to the intranet
The connection to the intranet from a computer running a Windows Server 2003 operating system is a LAN adapter that is installed in the computer. You need to verify that the LAN adapter is compatible with products in the Windows Server 2003 family. To verify compatibility, see the Compatible Hardware and Software section at Support resources.
You need to configure the following TCP/IP settings on the LAN adapter:
IP address and subnet mask assigned from the network administrator.
DNS and WINS name servers of corporate intranet name servers.
Configuring the remote access server as a corporate intranet router
In order for the remote access server to properly forward traffic on the corporate intranet, you must configure it as a router with either static routes or routing protocols so that all of the locations of the intranet are reachable from the remote access server. For information about routing concepts, see Routing Overview. For information about setting up the remote access server as a router, see Deploying Routing.
Configuring the VPN server
You can configure your VPN server by running the Routing and Remote Access Server Setup Wizard. You can use the wizard to configure the following settings:
A basic firewall on the public interface.
The method by which the VPN server assigns addresses to remote access clients (either using addresses that the VPN server obtains from a DHCP server or using addresses from a specified range of addresses that you configure).
Forwarding of authorization and authentication messages to a Remote Authentication Dial-In User Service (RADIUS) server (configuration of the VPN server as a RADIUS client).
Once the wizard is run, the following Routing and Remote Access settings are automatically configured:
Network interfaces
PPTP and L2TP ports (five or 128 of each, depending on the choices you made when you ran the wizard)
Multicast support using Internet Group Management Protocol (IGMP)
IP routing
Installation of the DHCP Relay Agent component.
For more information about enabling Routing and Remote Access and running the wizard, see Enable the Routing and Remote Access service.
Installing certificates
In order to create L2TP/IPSec remote access VPN connections using computer certificate authentication for IPSec, you must install computer certificates, also known as machine certificates, on the VPN client and the VPN server. For more information, see Network access authentication and certificates and Computer certificates for L2TP/IPSec VPN connections.
Configuring firewall packet filters
If you are using a firewall, you need to configure L2TP/IPSec packet filters on your firewall to allow L2TP/IPSec traffic between Internet-based VPN clients and the VPN server computer. For more information, see VPN servers and firewall configuration.
Configuring remote access policies
For an access-by-user administrative model, you need to set the remote access permission to Allow access on the user accounts for those users who will be making VPN connections. For an access-by-policy model, make the appropriate changes to the remote access permission of the user accounts. For more information, see Introduction to remote access policies.
To configure a remote access policy to control the authentication and encryption options for VPN connections, create a remote access policy with the following settings:
Set Policy name to VPN Access (example).
For conditions, set the NAS-Port-Type condition to Virtual (VPN) and the Tunnel-Type condition to Layer Two Tunneling Protocol.
Select the Grant remote access permission option.
For profile settings, select the appropriate authentication and encryption options.
Then, either delete the default remote access policies or position them after the new policy. This remote access policy allows all users with remote access permission to create a VPN connection.
If you want to distinguish dial-up remote access users from VPN remote access users, do the following:
Create an Active Directory group whose members can create virtual private networking connections with the VPN server. For example, VPN_Users.
Add the appropriate user accounts to the new Active Directory group.
Create a new remote access policy with the following properties:
Set Policy name to VPN Access if member of VPN_Users (example).
For conditions, set the Windows-Groups condition to VPN_Users (example), set the NAS-Port-Type condition to Virtual (VPN), and set the Tunnel-Type condition to Layer Two Tunneling Protocol.
Select the Grant remote access permission option.
Move the default remote access policies after the new policy.
The default encryption settings allow no encryption and all levels of encryption strength. To require encryption, clear the No Encryption option and select the appropriate encryption strengths on the Encryption tab of the remote access policy profile. The encryption strengths are:
Basic: This option uses 56-bit DES encryption.
Strong: This option uses 56-bit DES encryption.
Strongest: This option uses triple DES (3DES) encryption.
For more information, see Configure encryption.
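The policy ordering and encryption settings described above, modelled as an added example (not code from this page or from Windows): policies are evaluated in order, the first one whose conditions all match decides the attempt, and a profile whose No Encryption option has been cleared rejects an unencrypted connection. User accounts are assumed to be set to control access through remote access policy (the access-by-policy model); the default policy, the user accounts, group memberships and the dial-up port type value are constructed for the example.

```python
# Constructed model of Windows Server 2003 remote access policy evaluation: policies are
# tried in order, the first whose conditions all match decides, and that policy's profile
# encryption settings can still reject the attempt.

NAS_PORT_VPN = "Virtual (VPN)"
TUNNEL_L2TP = "Layer Two Tunneling Protocol"

def make_policy(name, conditions, grant, encryption):
    # conditions: attribute -> required value; encryption: permitted strengths
    return {"name": name, "conditions": conditions, "grant": grant,
            "encryption": frozenset(encryption)}

def matches(policy, attempt):
    # Every condition must hold; Windows-Groups tests group membership.
    for attr, wanted in policy["conditions"].items():
        if attr == "Windows-Groups":
            if wanted not in attempt.get("Windows-Groups", ()):
                return False
        elif attempt.get(attr) != wanted:
            return False
    return True

def evaluate(policies, attempt):
    # Access-by-policy model: the user account defers to the policy's permission.
    for policy in policies:
        if not matches(policy, attempt):
            continue  # only a non-matching policy lets the next one be consulted
        if not policy["grant"]:
            return "deny", policy["name"]
        if attempt["encryption"] not in policy["encryption"]:
            return "deny", policy["name"] + ": encryption not permitted"
        return "grant", policy["name"]
    return "deny", "no matching policy"

# The policy from this page, with No Encryption cleared and only Strongest (3DES) kept.
VPN_POLICY = make_policy("VPN Access if member of VPN_Users",
    {"Windows-Groups": "VPN_Users", "NAS-Port-Type": NAS_PORT_VPN,
     "Tunnel-Type": TUNNEL_L2TP}, grant=True, encryption={"Strongest"})
# Constructed stand-in for a default policy: no conditions, so it matches every attempt.
DEFAULT_DENY = make_policy("Default policy (constructed)", {}, grant=False, encryption=())

# Constructed connection attempts; "Async (Modem)" stands for a dial-up port type.
ALICE_L2TP = {"Windows-Groups": ("Domain Users", "VPN_Users"), "NAS-Port-Type": NAS_PORT_VPN,
              "Tunnel-Type": TUNNEL_L2TP, "encryption": "Strongest"}
ALICE_NO_CRYPTO = dict(ALICE_L2TP, encryption="No Encryption")
BOB_DIALUP = {"Windows-Groups": ("Domain Users",), "NAS-Port-Type": "Async (Modem)",
              "encryption": "Strongest"}
ATTEMPTS = (ALICE_L2TP, ALICE_NO_CRYPTO, BOB_DIALUP)

def decisions(policies):
    # Outcome ("grant"/"deny") of each attempt under a given policy order.
    return [evaluate(policies, a)[0] for a in ATTEMPTS]
```

With the default policy moved after the VPN policy, the L2TP member of VPN_Users is granted, the unencrypted attempt is refused by the profile, and the dial-up user falls through to the default policy; with the default policy left first, it shadows the VPN policy and every attempt is denied.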