How VPN Works Updated: March 28, 2003 Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2 How VPN Works In this section VPN Architecture VPN Tunneling VPN Authentication VPN Encryption VPN Addressing and Routing VPN and Firewalls VPN and NAT Related Information Microsoft Windows Server 2003 includes extensive support for virtual private network (VPN) technology, which leverages the IP connectivity of the Internet to connect remote clients and remote sites. A VPN connection is the extension of a private network that includes links across shared or public networks, such as the Internet. VPN connections (VPNs) enable organizations to send data between two computers across the Internet in a manner that emulates the properties of a point-to-point private link. VPN Architecture Using VPNs, an organization can help secure private network traffic over an unsecured network, such as the Internet. VPN helps provide a secure mechanism for encrypting and encapsulating private network traffic and moving it through an intermediate network. Data is encrypted for confidentiality, and packets that might be intercepted on the shared or public network are indecipherable without the correct encryption keys. Data is also encapsulated, or wrapped, with an IP header containing routing information. VPNs help enable users working at home, on the road, or at a branch office to connect in a secure fashion to a remote corporate server using the Internet. From the users perspective, the VPN is a point-to-point connection between the user's computer and a corporate server. The nature of the intermediate network, the Internet, is irrelevant to the user because it appears as if the data is being sent over a dedicated private link. There are a number of ways to use VPN. The most common scenario is when a remote user accesses a private network across the Internet using a remote access VPN connection. In another scenario, a remote office connects to the corporate network using either a persistent or an ondemand site-to-site VPN connection (also known as a router-to-router VPN connection). Each of these VPN scenarios can be deployed to provide connectivity over a public network, such as the Internet, or over a private intranet. VPN connections can also be deployed in an extranet scenario to communicate securely with business partners. An extranet functions as an intranet that can be securely shared with a designated business partner. With both the remote access and site-to-site connections, VPNs enable an organization to replace long distance dial-up or leased lines with local dial-up or leased lines to an Internet service provider (ISP). Remote access VPN A remote access VPN connection is made by a remote access client. A remote access client is a single computer user who connects to a private network from a remote location. The VPN server provides access to the resources of the network to which the VPN server is connected. The packets sent across the VPN connection originate at the VPN client. The VPN client authenticates itself to the VPN server and, for mutual authentication, the VPN server authenticates itself to the VPN client. Site-to-site VPN A site-to-site VPN connection connects two portions of a private network or two private networks. For example, this allows an organization to have routed connections with separate offices, or with other organizations, over the Internet. A routed VPN connection across the Internet logically operates as a dedicated Wide Area Network (WAN) link. The VPN server provides a routed connection to the network to which the VPN server is attached. On a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and, for mutual authentication, the answering router authenticates itself to the calling router. Internet-based VPN Connections Using an Internet-based VPN connection, an organization can avoid long-distance charges while taking advantage of the global availability of the Internet. Remote Access VPN Connections over the Internet A remote access VPN connection over the Internet enables a remote access client to initiate a dial-up connection to a local ISP instead of connecting to a corporate or outsourced network access server (NAS). By using the established physical connection to the local ISP, the remote access client initiates a VPN connection across the Internet to the organization’s VPN server. When the VPN connection is created, the remote access client can access the resources of the private intranet. The following figure shows remote access over the Internet. VPN Connecting a Remote Client to a Private Intranet Site-to-Site VPN Connections Over the Internet When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link. VPN Connecting Two Remote Sites Across the Internet Intranet-based VPN Connections The intranet-based VPN connection takes advantage of IP connectivity in an organization’s Local Area Network (LAN). Remote Access VPN Connections over an Intranet In some organization intranets, the data of a department, such as human resources, is so sensitive that the network segment of the department is physically disconnected from the rest of the intranet. While this protects the data of the human resources department, it creates information accessibility problems for authorized users not physically connected to the separate network segment. VPN connections help provide the required security to enable the network segment of the human resources department to be physically connected to the intranet. In this configuration, a VPN server can be used to separate the network segments. The VPN server does not provide a direct routed connection between the corporate intranet and the separate network segment. Users on the corporate intranet with appropriate permissions can establish a remote access VPN connection with the VPN server and gain access to the protected resources. Additionally, all communication across the VPN connection is encrypted for data confidentiality. For those users who are not authorized to establish a VPN connection, the separate network segment is hidden from view. The following figure shows remote access over an intranet. VPN Connection Allowing Remote Access to a Secured Network over an Intranet Site-to-Site VPN Connections over an Intranet Two networks can be connected over an intranet using a site-to-site VPN connection. This type of VPN connection might be necessary, for example, for two departments in separate locations, whose data is highly sensitive, to communicate with each other. For instance, the finance department might need to communicate with the human resources department to exchange payroll information. The finance department and the human resources department are connected to the common intranet with computers that can act as VPN clients or VPN servers. When the VPN connection is established, users on computers on either network can exchange sensitive data across the corporate intranet. The following figure shows two networks connected over an intranet. VPN Connecting Two Networks over an Intranet VPN Tunneling Tunneling is a network technology that enables the encapsulation of one type of protocol packet within the datagram of a different protocol. For example, Windows VPN connections can use Point-to-Point Tunneling Protocol (PPTP) packets to encapsulate and send private network traffic, such as TCP/IP traffic over a public network such as the Internet. For PPTP and Layer Two Tunneling Protocol (L2TP), a tunnel is similar to a session. Both of the tunnel endpoints must agree to the tunnel and must negotiate configuration variables, such as address assignment, encryption, or compression parameters. In most cases, data transferred across the tunnel is sent using a datagram-based protocol. A tunnel management protocol is used as the mechanism to create, maintain, and terminate the tunnel. After the tunnel is established, data can be sent. The tunnel client or server uses a tunnel data transfer protocol to prepare the data for transfer. For example, when the tunnel client sends a payload to the tunnel server, the tunnel client first appends a tunnel data transfer protocol header to the payload. The client then sends the resulting encapsulated payload across the network, which routes it to the tunnel server. The tunnel server accepts the packets, removes the tunnel data transfer protocol header, and forwards the payload to the target network. Information sent between the tunnel server and the tunnel client behaves similarly. There are two types of tunneling: Voluntary tunneling Compulsory tunneling Voluntary Tunneling A user or client computer can issue a VPN request to configure and create a voluntary tunnel. In this case, the users computer is a tunnel endpoint and acts as the tunnel client. Voluntary tunneling occurs when a client computer or routing server creates a virtual connection to the target tunnel server. To accomplish this, tunneling client software and the appropriate tunneling protocol must be installed on the client computer. For the protocols discussed in this technical reference, voluntary tunnels require an IP connection (either LAN or dial-up). In a dial-up situation, the client must establish a dial-up connection to the network before the client can set up a tunnel. This is the most common case. The best example of this is the dial-up Internet user, who must dial an ISP and obtain an Internet connection before a tunnel over the Internet can be created. For a LAN-attached client computer, there is already a connection to the network that can provide routing of encapsulated payloads to the chosen LAN tunnel server. This would be the case for a client that is using an always-on broadband Internet connection. It is a common misconception that VPN connections require a dial-up connection. They require only IP connectivity between the VPN client and VPN server. Some clients (such as home computers) use dial-up connections to the Internet to establish IP transport. This is a preliminary step in preparation for creating a tunnel and is not part of the tunnel protocol itself. Compulsory Tunneling In compulsory tunneling, a VPN-capable remote access server configures and creates a compulsory tunnel. With a compulsory tunnel, the user's computer is not a tunnel endpoint. Another device, the dial-up access server, between the user's computer and the tunnel server is the tunnel endpoint and acts as the tunnel client. A number of vendors that sell dial-up access servers have implemented the ability to create a tunnel on behalf of a dial-up client. The computer or network device providing the tunnel for the client computer is variously known as a Front End Processor (FEP) for PPTP or an L2TP Access Concentrator (LAC) for L2TP. For the purposes of this reference, the term FEP is used to describe this functionality, regardless of the tunneling protocol. To carry out its function, the FEP must have the appropriate tunneling protocol installed and must be capable of establishing the tunnel when the client computer connects. In compulsory tunneling, the client computer places a dial-up call to a tunneling-enabled NAS at the ISP. For example, a corporation might have contracted with an ISP to deploy a nationwide set of FEPs. These FEPs can establish tunnels across the Internet to a tunnel server connected to the organization’s private network, thus consolidating calls from geographically diverse locations into a single Internet connection at the organization network. This configuration is known as compulsory tunneling because the client is compelled to use the tunnel created by the FEP. Once the initial connection is made, all network traffic to and from the client is automatically sent through the tunnel. With compulsory tunneling, the client computer makes a single PPP connection. When a client dials into the NAS, a tunnel is created and all traffic is automatically routed through the tunnel. An FEP can be configured to tunnel all dial-up clients to a specific tunnel server. The FEP could also tunnel individual clients, based on the user name or destination. Unlike the separate tunnels created for each voluntary client, multiple dial-up clients can share a tunnel between the FEP and the tunnel server. When a second client dials into the access server (FEP) to reach a destination for which a tunnel already exists, there is no need to create a new instance of the tunnel between the FEP and tunnel server. Instead, the data traffic for the new client is carried over the existing tunnel. Since there can be multiple clients in a single tunnel, the tunnel is not terminated until the last user of the tunnel disconnects. PPTP Point-to-Point Tunneling Protocol (PPTP) encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams for transmission over an IP-based network, such as the Internet or over a private intranet. PPTP is described in RFC 2637 in the IETF RFC Database. PPTP uses a TCP connection, known as the PPTP control connection, to create, maintain, and terminate the tunnel. PPTP uses a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames as tunneled data. The payloads of the encapsulated PPP frames can be encrypted, compressed, or both. PPTP assumes the availability of an IP network between a PPTP client (a VPN client using the PPTP tunneling protocol) and a PPTP server (a VPN server using the PPTP tunneling protocol). The PPTP client might already be attached to an IP network that can reach the PPTP server, or the PPTP client might have to use a dial-up connection to a NAS to establish IP connectivity as in the case of dial-up Internet users. Authentication that occurs during the creation of a PPTP-based VPN connection uses the same authentication mechanisms as PPP connections, such as Extensible Authentication Protocol (EAP), Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2), CHAP, Shiva Password Authentication Protocol (SPAP), and Password Authentication Protocol (PAP). PPTP inherits encryption, compression, or both of PPP payloads from PPP. For PPTP connections, EAP-Transport Layer Security (EAP-TLS), MS-CHAP, or MS-CHAP v2 must be used for the PPP payloads to be encrypted using Microsoft Point-to-Point Encryption (MPPE). MPPE provides only link encryption between the VPN client and the VPN server. It does not provide end-to-end encryption, which is data encryption between the client application and the server hosting the resource or service that is being accessed by the client application. If end-toend encryption is required, IPSec can be used to encrypt IP traffic from end-to-end after the PPTP tunnel is established. Tunnel Maintenance with the PPTP Control Connection There is a PPTP control connection between the IP address of the PPTP client using a dynamically allocated TCP port and the IP address of the PPTP server using the reserved TCP port 1723. The PPTP control connection carries the PPTP call control and management messages that are used to maintain the PPTP tunnel. This includes the transmission of periodic PPTP EchoRequest and PPTP Echo-Reply messages to detect a connectivity failure between the PPTP client and PPTP server. PPTP control connection packets consist of an IP header, a TCP header, a PPTP control message, and a data-link trailer and header as shown in the following figure: PPTP Control Connection Packet The following table lists the primary PPTP control messages that are sent over the PPTP control connection. For all of the PPTP control messages, the specific PPTP tunnel is identified by the TCP connection. PPTP Call Control and Connection Management Messages Message Type Start-ControlConnectionRequest Start-ControlConnection-Reply Outgoing-CallRequest Outgoing-CallReply Purpose Sent by the PPTP client to establish the control connection. Each PPTP tunnel requires a control connection to be established before any other PPTP messages can be issued. Sent by the PPTP server to reply to the Start-Control-Connection-Request message. Sent by the PPTP client to create a PPTP tunnel. Included in the OutgoingCall-Request message is a Call ID that is used in the GRE header to identify the tunneled traffic of a specific tunnel. Sent by the PPTP server in response to the Outgoing-Call-Request message. Sent by either the PPTP client or PPTP server as a keep-alive mechanism. If the Echo-Request is not answered, the PPTP tunnel is eventually terminated. The reply to an Echo-Request. The PPTP Echo-and Echo-Reply messages Echo-Reply are not related to the ICMP Echo Request and Echo Reply messages. Sent by the PPTP server to all VPN clients to indicate error conditions on WAN-Error-Notify the PPP interface of the PPTP server. Set-Link-Info Sent by the PPTP client or PPTP server to set PPP-negotiated options. Call-Clear-Request Sent by the PPTP client, indicating that a tunnel is to be terminated. Sent by the PPTP server in response to a Call-Clear-Request or for other Call-Disconnectreasons to indicate that a tunnel is to be terminated. If the PPTP server Notify terminates the tunnel, a Call-Disconnect-Notify is sent. Stop-ControlSent by the PPTP client or the PPTP server to inform the other that the Connectioncontrol connection is being terminated. Request Stop-ControlThe reply to the Stop-Control-Connection-Request message. Connection-Reply Echo-Request For information about the exact structure of PPTP control messages, see RFC 2637 in the IETF RFC Database. PPTP Data Tunneling PPTP data tunneling is performed through multiple levels of encapsulation. The following figure shows the resulting structure of tunneled PPTP data. Tunneled PPTP Data PPP and GRE encapsulation The initial PPP payload is encrypted and encapsulated with a PPP header to create a PPP frame. The PPP frame is then encapsulated with a modified GRE header. GRE is described in RFC 1701 and RFC 1702 in the IETF RFC Database and was designed to provide a simple, general purpose mechanism for encapsulating data sent over IP networks. GRE is a client protocol of IP using IP protocol 47. For PPTP, the GRE header is modified in the following ways: An acknowledgement bit is used to indicate that a 32-bit acknowledgement field is present and significant. The Key field is replaced with a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID field is set by the PPTP client during the creation of the PPTP tunnel. A 32-bit Acknowledgement field is added. Within the GRE header, the Protocol Type is set to 0x880B, the EtherType value for a PPP frame. Note GRE is sometimes used by ISPs to forward routing information within an ISP's network. To prevent the routing information from being forwarded to Internet backbone routers, ISPs filter out GRE traffic on the interfaces connected to the Internet backbone. As a result of this filtering, PPTP tunnels can be created using PPTP control messages, but tunneled PPTP data is not forwarded. The resulting encapsulated GRE and PPP payload is then encapsulated with an IP header containing the appropriate source and destination IP addresses for the PPTP client and PPTP server. Encapsulation of the data-link layer To be sent on a local area network (LAN) or WAN link, the IP datagram is finally encapsulated with a header and trailer for the data-link layer technology of the outgoing physical interface. For example, when IP datagrams are sent on an Ethernet interface, the IP datagram is encapsulated with an Ethernet header and trailer. When IP datagrams are sent over a point-to-point WAN link, such as an analog phone line or ISDN, the IP datagram is encapsulated with a PPP header and trailer. Processing of the tunneled PPTP data Upon receipt of the tunneled PPTP data, the PPTP client or PPTP server: Processes and removes the data-link header and trailer. Processes and removes the IP header. Processes and removes the GRE and PPP headers. Decrypts and, if needed, decompresses the PPP payload. Processes the payload for receipt or forwarding. PPTP Packet Development The following figure shows the path that tunneled PPTP data takes through the Windows Server 2003 networking architecture from a VPN client over a remote access VPN connection using an analog modem. The following steps outline this process: 1. An IP datagram is submitted by its appropriate protocol to the virtual interface that represents the VPN connection using Network Driver Interface Specification (NDIS). 2. NDIS submits the packet to NDISWAN, which encrypts and optionally compresses the data and provides a PPP header consisting of only the PPP Protocol ID field. This assumes that address and control field compression were negotiated during the Link Control Protocol (LCP) phase of the PPP connection process. 3. NDISWAN submits the data to the PPTP protocol driver, which encapsulates the PPP frame with a GRE header. In the GRE header, the Call ID field is set to the appropriate value to identify the tunnel. 4. The PPTP protocol driver then submits the resulting packet to the TCP/IP protocol driver. 5. The TCP/IP protocol driver encapsulates the tunneled PPTP data with an IP header and submits the resulting packet to the interface that represents the dial-up connection to the local ISP using NDIS. 6. NDIS submits the packet to NDISWAN, which provides PPP headers and trailers. 7. NDISWAN submits the resulting PPP frame to the appropriate WAN miniport driver representing the dial-up hardware (for example, the asynchronous port for a modem connection). PPTP Packet Development Note It is possible to negotiate an encrypted PPP connection for the dial-up connection with the ISP. This is unnecessary and not recommended because the private data being sent, the tunneled PPP frame, is already encrypted. The additional level of encryption is not needed and can impact performance. L2TP Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. Rather than having two incompatible tunneling protocols competing in the marketplace and causing customer confusion, the Internet Engineering Task Force (IETF) mandated that the two technologies be combined into a single tunneling protocol that represents the best features of PPTP and L2F. L2TP is described in RFC 2661 in the IETF RFC Database. L2TP encapsulates PPP frames to be sent over IP, X.25, frame relay, or ATM networks. When sent over an IP network, L2TP frames are encapsulated as User Datagram Protocol (UDP) messages. L2TP can be used as a tunneling protocol over the Internet or over private intranets. L2TP uses UDP messages over IP networks for both tunnel maintenance and tunneled data. The payloads of encapsulated PPP frames can be encrypted or compressed (or both); however, L2TP clients do not negotiate the use of MPPE for L2TP connections. Encryption for L2TP connections is provided by IPSec Encapsulating Security Payload (ESP) in transport mode. It is possible to create Windows-based L2TP connections that are not encrypted by IPSec. However, this does not apply to a VPN connection because the private data being encapsulated by L2TP is already not encrypted. Non-encrypted L2TP connections can be used temporarily to troubleshoot an L2TP over IPSec connection by eliminating the IPSec authentication and negotiation process. L2TP for Windows assumes the availability of an IP network between an L2TP client (a VPN client using the L2TP tunneling protocol and IPSec) and an L2TP server (a VPN server using the L2TP tunneling protocol and IPSec). The L2TP client might already be attached to an IP network that can reach the L2TP server, or the L2TP client might have to use a dial-up connection to a NAS to establish IP connectivity as in the case of dial-up Internet users. Authentication that occurs during the creation of L2TP tunnels must use the same authentication mechanisms as PPP connections. An Internet-based L2TP server is an L2TP-enabled remote access server with one interface on the Internet and a second interface on a private intranet. L2TP tunnel maintenance and tunneled data have the same packet structure. Tunnel Maintenance with L2TP Control Messages In contrast to PPTP, L2TP tunnel maintenance is not performed over a separate TCP connection. L2TP call control and management traffic is sent as UDP messages between the L2TP client and the L2TP server. In Windows, the L2TP client and the L2TP server both use UDP port 1701. Note The L2TP client and L2TP server in Windows always use UDP port 1701. The Windows Server 2003 L2TP server supports L2TP clients that use a UDP port other than 1701. L2TP control messages over IP connections are sent as UDP datagrams. In the Windows Server 2003 implementation, L2TP control messages sent as UDP datagrams are sent as the encrypted payload of IPSec ESP transport mode as shown in the following figure. L2TP Control Message Because a TCP connection is not used, L2TP uses message sequencing to ensure delivery of L2TP messages. Within the L2TP control message, the Next-Received field (similar to the TCP Acknowledgment field) and the Next-Sent field (similar to the TCP Sequence Number field) are used to maintain the sequence of control messages. Out-of-sequence packets are dropped. The Next-Sent and Next-Received fields can also be used for sequenced delivery and flow control for tunneled data. L2TP supports multiple calls for each tunnel. In the L2TP control message and the L2TP header for tunneled data is a Tunnel ID that identifies the tunnel and a Call ID that identifies a call within the tunnel. The following table lists the primary L2TP control messages. L2TP Control Messages Message Type Purpose Sent by the L2TP client to establish the control connection. Each L2TP Start-Controltunnel requires a control connection to be established before any other L2TP Connectionmessages can be issued. It includes an Assigned Tunnel-ID that is used to Request identify the tunnel. Start-ControlSent by the L2TP server to reply to the Start-Control-Connection-Request Connection-Reply message. Start-ControlSent in reply to a Start-Control-Connection-Reply message to indicate that Connectiontunnel establishment was successful. Connected Sent by the L2TP client to create an L2TP tunnel. Included in the OutgoingOutgoing-CallCall-Request message is an Assigned Call ID that is used to identify a call Request within a specific tunnel. Outgoing-CallSent by the L2TP server in response to the Outgoing-Call-Request message. Reply Start-ControlSent in reply to a received Outgoing-Call-Reply message to indicate that the Connectioncall was successful. Connected Sent by either the L2TP client or L2TP server as a keep-alive mechanism. If Hello the Hello is not acknowledged, the L2TP tunnel is eventually terminated. Sent by the L2TP server to all VPN clients to indicate error conditions on the WAN-Error-Notify PPP interface of the L2TP server. Set-Link-Info Sent by the L2TP client or L2TP server to set PPP-negotiated options. Call-Disconnect- Sent by either the L2TP server or L2TP client to indicate that a call within a Notify tunnel is to be terminated. Stop-ControlSent by either the L2TP server or L2TP client to indicate that a tunnel is to Connectionbe terminated. Notification For the exact structure of L2TP control messages, see RFC 2661 in the IETF RFC Database. L2TP Data Tunneling L2TP data tunneling is performed using multiple levels of encapsulation. The following figure shows the resulting structure of tunneled L2TP over IPSec data. L2TP Packet Encapsulation L2TP encapsulation The initial PPP payload is encapsulated with a PPP header and an L2TP header. UDP encapsulation The encapsulated L2TP packet is then encapsulated with a UDP header with the source and destination ports set to 1701. IP encapsulation The UDP message is encrypted and encapsulated with an IPSec ESP header and trailer and an ESP Authentication (Auth) trailer. Encapsulation of the data-link layer To send on a LAN or WAN link, the IP datagram is finally encapsulated with a header and trailer for the data-link layer technology of the outgoing physical interface. For example, when an IP datagram is sent on an Ethernet interface, the IP datagram is encapsulated with an Ethernet header and trailer. When an IP datagram is sent over a point-to-point WAN link such as an analog phone line or ISDN, the IP datagram is encapsulated with a PPP header and trailer. Processing of the tunneled L2TP/IPSec data Upon receipt of the tunneled L2TP/IPSec data, the L2TP client or L2TP server: Processes and removes the data-link header and trailer. Processes and removes the IP header. Uses the IPSec ESP Auth trailer to authenticate the IP payload and the IPSec ESP header. Uses the IPSec ESP header to decrypt the encrypted portion of the packet. Processes the UDP header and sends the L2TP packet to the L2TP driver. Uses the Tunnel ID and Call ID in the L2TP header to identify the specific L2TP tunnel. Uses the PPP header to identify the PPP payload and forward it to the proper protocol driver for processing. L2TP with Internet Protocol security (L2TP/IPSec) Tunneling protocols such as PPTP and L2TP are implemented at the data-link layer of the Open Systems Interconnection (OSI) reference model and provide data security by helping to create secure tunnels. In contrast, the IPSec protocol is implemented at the network layer and helps secure data at the packet level. IPSec provides two security protocols: Authentication Header (AH) and ESP. IPSec ESP encapsulation protocol To provide maximum security for L2TP/IPSec packets, ESP can also be used to encapsulate IPSec packets. L2TP Packet Development The figure below shows the path that tunneled L2TP data takes through the Windows Server 2003 networking architecture from a VPN client over a remote access VPN connection using an analog modem. The following steps outline the process: 1. An IP datagram is submitted by the appropriate protocol to the virtual interface that represents the VPN connection using NDIS. 2. NDIS submits a packet to NDISWAN, which optionally compresses and provides a PPP header consisting of only the PPP Protocol ID field. This assumes that address and control field compression were negotiated during the LCP phase of the PPP connection process. 3. NDISWAN submits the PPP frame to the L2TP protocol driver, which encapsulates the PPP frame with an L2TP header. In the L2TP header, the Tunnel ID and the Call ID are set to the appropriate value identifying the specific L2TP connection. 4. The L2TP protocol driver then submits the resulting packet to the TCP/IP protocol driver with information to send the L2TP packet as a UDP message from UDP port 1701 to UDP port 1701 with the IP addresses of the VPN client and the VPN server. 5. The TCP/IP protocol driver constructs an IP packet with the appropriate IP header and UDP header. IPSec then analyzes the IP packet and matches it with a current IPSec policy. Based on the settings in the policy, IPSec encapsulates and encrypts the UDP message portion of the IP packet using the appropriate ESP headers and trailers. 6. The original IP header with the Protocol field set to 50 is added to the front of the ESP payload. 7. Using NDIS, the TCP/IP protocol driver then submits the resulting packet to the interface that represents the dial-up connection to the local ISP using NDIS. 8. NDIS submits the packet to NDISWAN. 9. NSIDWAN provides PPP headers and trailers and submits the resulting PPP frame to the appropriate WAN miniport driver representing the dial-up hardware. L2TP Packet Development Note o It is possible to negotiate an encrypted PPP connection for the dial-up connection with an ISP. This is not necessary and not recommended because the private data being sent, the tunneled PPP frame, is already encrypted with IPSec. The additional level of encryption is not needed and can impact performance. VPN Authentication The VPN server can be configured to use either Windows or Remote Authentication Dial-In User Service (RADIUS) as an authentication provider. If Windows is selected as the authentication provider, the user credentials sent by users attempting VPN connections are authenticated using typical Windows authentication mechanisms, and the connection attempt is authorized using the VPN client’s user account properties and local remote access policies. If RADIUS is selected and configured as the authentication provider on the VPN server, user credentials and parameters of the connection request are sent as RADIUS request messages to a RADIUS server. The RADIUS server receives a user-connection request from the VPN server and authenticates and authorizes the connection attempt. In addition to a yes or no response to an authentication request, RADIUS can inform the VPN server of other applicable connection parameters for this user such as maximum session time, static IP address assignment, and so on. RADIUS can respond to authentication requests based on its own user account database, or it can be a front end to another database server, such as a Structured Query Language (SQL) server or a Windows domain controller (DC). The DC can be located on the same computer as the RADIUS server or elsewhere. In addition, a RADIUS server can act as a proxy client to a remote RADIUS server. The RADIUS protocol is described in RFC 2865 and RFC 2866 in the IETF RFC Database. The VPN server can be configured to use either Windows or RADIUS as an accounting provider. If Windows is selected as the accounting provider, the accounting information accumulates on the VPN server for later analysis. Logging options can be specified from the properties of the Local File or SQL Server objects in the Remote Access Logging folder in the Routing and Remote Access snap-in. If RADIUS is selected, RADIUS accounting messages are sent to the RADIUS server for accumulation and later analysis. Most RADIUS servers can be configured to place authentication request records into an audit file. A number of third parties have written billing and audit packages that read RADIUS accounting records and produce various useful reports. For more information about RADIUS accounting, see RFC 2866 in the IETF RFC Database. The VPN server can be managed using industry-standard network management protocols and infrastructure. The computer acting as the VPN server can participate in a Simple Network Management Protocol (SNMP) environment as an SNMP agent if the Windows Server 2003 SNMP service is installed. The VPN server records management information in various object identifiers of the Internet Management Information Base (MIB) II, which is installed with the Windows Server 2003 SNMP service. Objects in the Internet MIB II are documented in RFC 1213 in the IETF RFC Database. Authentication Protocols The following authentication protocols are used to identify VPN users and grant or deny user access to network resources based on the user's credentials. PAP Password Authentication Protocol (PAP) is a clear-text authentication scheme. The NAS requests the user name and password, and PAP returns them in clear text (unencrypted). Obviously, this authentication scheme is not secure because a malicious user could capture the user's name and password and use it to get subsequent access to the NAS and all of the resources provided by the NAS. PAP provides no protection against replay attacks or remote client impersonation once the user's password is compromised. SPAP The Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva Corporation. A computer running Windows XP Professional uses SPAP when connecting to a Shiva LAN Rover. A Shiva client that connects to a server running Routing and Remote Access also uses SPAP. Currently, this form of authentication is more secure than plaintext but less secure than CHAP or MS-CHAP. CHAP Challenge Handshake Authentication Protocol (CHAP) is an encrypted authentication mechanism that prevents transmission of the actual password on the connection. The NAS sends a challenge, which consists of a session ID and an arbitrary challenge string, to the remote client. The remote client must use the MD5 one-way hashing algorithm to return the user name and a hash of the challenge, session ID, and the client’s password. The user name is sent as plain text. CHAP is an improvement over PAP because the clear-text password is not sent over the link. Instead, the password is used to create a hash from the original challenge. The server knows the client’s clear-text password and can, therefore, replicate the operation and compare the result to the password sent in the client’s response. CHAP protects against replay attacks by using an arbitrary challenge string for each authentication attempt. CHAP protects against remote-client impersonation by unpredictably sending repeated challenges to the remote client throughout the duration of the connection. MS-CHAP Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is an encrypted authentication mechanism very similar to CHAP. As in CHAP, the NAS sends a challenge, which consists of a session ID and an arbitrary challenge string, to the remote client. The remote client must return the user name and an encrypted form of the challenge string, the session ID, and the MD4-hashed password. This design, which uses the MD4 hash of the password, helps provides an additional level of security because it allows the server to store hashed passwords instead of clear-text passwords or passwords that are stored using reversible encryption. MSCHAP also provides additional error codes, including a password-expired code, and additional encrypted client-server messages that permit users to change their passwords during the authentication process. In MS-CHAP, both the client and the NAS independently generate a common initial encryption key for subsequent data encryption by MPPE. MS-CHAP v2 MS-CHAP version 2 (MS-CHAP v2) is an updated encrypted authentication mechanism that provides stronger security for the exchange of user name and password credentials and determination of encryption keys. With MS-CHAP v2, the NAS sends a challenge to the client that consists of a session identifier and an arbitrary challenge string. The remote access client sends a response that contains the user name, an arbitrary peer challenge string, and an encrypted form of the received challenge string, the peer challenge string, the session identifier, and the user's password. The NAS checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the encrypted response of the client, and the user's password. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection. Using this process, MS-CHAP v2 provides mutual authentication — the NAS verifies that the client has knowledge of the user’s password, and the client verifies that the NAS has knowledge of the user’s password. MS-CHAP v2 also determines two MPPE encryption keys, one for data sent and one for data received. EAP Extensible Authentication Protocol (EAP) is a PPP authentication protocol that allows for an arbitrary authentication method. EAP differs from the other authentication protocols in that, during the authentication phase, EAP does not actually perform authentication. Phase 2 for EAP only negotiates the use of a common EAP authentication method (known as an EAP type). The actual authentication for the negotiated EAP type is performed after Phase 2. During phase 2 of PPP link configuration, the NAS collects the authentication data and then validates the data against its own user database or a central authentication database server, such as one maintained by a Windows domain controller, or the authentication data is sent to a RADIUS server. As stated previously, most implementations of PPP provide a limited number of authentication methods. EAP is an IETF standard extension to PPP that allows for arbitrary authentication mechanisms for the validation of a PPP connection. EAP was designed to allow the dynamic addition of authentication plug-in modules at both the client and authentication server. This allows vendors to supply a new authentication scheme at any time. EAP provides the highest flexibility in authentication uniqueness and variation. EAP is documented in RFC 2284 in the IETF RFC Database, and is supported in Windows Server 2003, Windows XP, and Windows 2000. EAP-MD5 Challenge Extensible Authentication Protocol-Message Digest 5 Challenge (EAP-MD5 Challenge) is a required EAP type that uses the same challenge handshake protocol as PPP-based CHAP, but the challenges and responses are sent as EAP messages. A typical use for EAP-MD5 Challenge is to authenticate the credentials of remote access clients by using user name and password security systems. EAP-MD5 Challenge can be used to test EAP interoperability. EAP-TLS Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is an EAP type that is used in certificate-based security environments. If smart cards are used for remote access authentication, EAP-TLS is the required authentication method. The EAP-TLS exchange of messages provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key-determination method. When the Routing and Remote Access service is configured to use Windows authentication, EAP-TLS is supported only when the VPN server is a member of a domain. A VPN server running as a stand-alone server or a member of a workgroup does not support EAP-TLS. EAP-TLS is an IETF standard (RFC 2716 in the IETF RFC Database for a strong authentication method based on public-key certificates. With EAP-TLS, a client presents a user certificate to the server, and the server presents a server certificate to the client. The first provides strong user authentication to the server; the second provides assurance that the VPN client has reached a trusted VPN server. Both systems rely on a chain of trusted certification authorities (CAs) to verify the validity of the offered certificate. The user’s certificate could be stored on the VPN client computer or in an external smart card. In either case, the certificate cannot be accessed without some form of user identification (PIN number or name/password credentials) between the user and the client computer. This approach meets the something-you-know-plus-something-you-have criteria recommended by most security experts. EAP-TLS is supported in Windows Server 2003 and Windows XP. Like MS-CHAP and MSCHAP v2, EAP-TLS returns an encryption key to enable subsequent data encryption by MPPE. RADIUS The Remote Authentication Dial-In User Service (RADIUS) protocol is used to provide centralized administration of authentication, authorization, and accounting (AAA) and an industry-standard security infrastructure. RADIUS is defined in RFCs 2138 and 2139 in the IETF RFC Database. RADIUS enables administrators to manage a set of authorization policies, accumulate accounting information, and access an account database from a central location. Because it is impossible to update separate user accounts on separate servers for the same user simultaneously, most administrators set up a master account database at a domain controller or on a RADIUS server. This enables the VPN server to send the authentication credentials to a central authenticating device, and the same user account can be used for both dial-up remote access and VPN-based remote access. VPN Encryption To help ensure confidentiality of the data as it traverses the shared or public transit network, it is encrypted by the sender and decrypted by the receiver. Because data encryption is performed between the VPN client and VPN server, it is not necessary to use data encryption on the communication link between a dial-up client and its Internet service provider (ISP). For example, a mobile user uses a dial-up networking connection to dial in to a local ISP. Once the Internet connection is made, the user creates a VPN connection with the corporate VPN server. If the VPN connection is encrypted, there is no need to use encryption on the dial-up networking connection between the client and the ISP. Remote access data encryption does not provide end-to-end data encryption. End-to-end encryption is data encryption between the client application and the server that hosts the resource or service being accessed by the client application. To get end-to-end data encryption, use IPSec to help create a secure connection after the remote access connection has been made. Data encryption for PPP or PPTP connections is available only if MS-CHAP, MS-CHAP v2, or EAP-TLS is used as the authentication protocol. Data encryption for L2TP connections relies on IPSec, which does not require a specific PPP-based authentication protocol. The encryption and decryption processes depend on both the sender and the receiver having knowledge of a common encryption key. Intercepted packets sent along the VPN connection in the transit network are unintelligible to any computer that does not have the common encryption key. The length of the encryption key is an important security parameter. Computational techniques can be used to determine the encryption key. Such techniques require more computing power and computational time as the encryption key gets larger. Therefore, it is important to use the largest possible key size. In addition, the more information that is encrypted with the same key, the easier it is to decipher the encrypted data. With some encryption technologies, administrators are given the option to configure how often the encryption keys are changed during a connection. PPTP uses user-level PPP authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption. Data Encryption with MPPE PPTP inherits MPPE encryption, which uses the Rivest-Shamir-Adleman (RSA) RC4 stream cipher. MPPE is available only for PPTP-based VPN connections when the EAP-TLS, MSCHAP, or MS-CHAP v2 authentication protocols are used. For the Routing and Remote Access service, MPPE encryption strengths are configured on the Encryption tab on the properties of a remote access policy to use 40-bit (the Basic setting), 56-bit (the Strong setting), or 128-bit (the Strongest setting) encryption keys. Administrators should use 40-bit MPPE encryption keys to connect with older operating systems that do not support 56-bit or 128-bit encryption keys (this includes older Windows operating systems and operating systems from companies other than Microsoft). Otherwise, use 128-bit encryption keys. Encryption strengths for L2TP/IPSec connections use 56-bit DES (the Basic or Strong setting) or 168-bit 3DES (the Strongest setting). Encryption keys are determined at the time of the connection. By default, the highest key strength supported by the VPN client and VPN server is negotiated during the process of establishing a connection. If the VPN server requires a higher key strength than is supported by the VPN client, the connection attempt is rejected. MPPE was originally designed for encryption across a point-to-point link where packets arrive in the same order in which they were sent with little packet loss. For this environment, the decryption of each packet depends on the decryption of the previous packet. For VPN connections, however, IP datagrams sent across the Internet can arrive in a different order from the one in which they were sent, and a higher proportion of packets can be lost. Therefore, for VPN connections, MPPE changes the encryption key for each packet. The decryption of each packet is independent of the previous packet. MPPE includes a sequence number in the MPPE header. If packets are lost or arrive out of order, the encryption keys are changed relative to the sequence number. VPN Addressing and Routing Based on whether or not a route is added by default, a VPN client has broad access to Internet locations or to locations on the intranet, but not to both: If the currently active default route is pointing to the Internet (and the gateway on the remote network is not being used), Internet locations are reachable, but only intranet locations matching the network ID corresponding to the Internet address class of the assigned IP address can be reached. If the currently active default route is pointing to the intranet (and the gateway on the remote network is being used), all intranet locations are reachable, but only the IP address of the VPN server and locations available through other routes can be reached on the Internet. For most VPN clients with an Internet connection, this does not present a problem, because the client is typically engaged in either intranet communication or Internet communication, but not both. To work around this problem, instead of having the client create a new default route when a connection is made, administrators can configure the client’s routing table with specific routes that direct packets to the organization’s network over the VPN connection. While connected to the intranet, the client can obtain Internet access using the default route that points to the Internet. This configuration is known as split tunneling. Split Tunneling The VPN client can obtain the routes needed for split tunneling in several ways: If the VPN client has a configured connection without a default route, the client adds a route that it infers from the Internet address class of the IP address assigned to it for the current connection. For a simple target network, such as a small office, this one route is sufficient to allow packets to be routed to the target network. However, for a complex network, administrators need to configure multiple routes to successfully direct packets to the remote network. A client running the Microsoft Windows XP or Windows Server 2003 operating systems uses a DHCPINFORM message after the connection to request the DHCP Classless Static Routes option. This DHCP option contains a set of routes that are automatically added to the routing table of the requesting client. This additional information is available only if the Windows Server 2003 DHCP server has been configured to provide the DHCP Classless Static Routes option and if the VPN server has the DHCP Relay Agent routing protocol component configured with the IP address of the DHCP server. If the remote access client is managed using the Connection Manager component of Windows Server 2003, the network administrator can configure routing table updates from the Routing Table Update page of the Connection Manager Administration Kit when creating the Connection Manager profile. If none of the approaches discussed above is an option, a batch file or program can be written that updates the routing table on the client with the necessary routes to the private intranet. Security Considerations for Split Tunneling When a VPN client computer is connected to both the Internet and a private intranet and has routes that allow it to reach both networks, the possibility exists that a malicious Internet user might use the connected VPN client computer to reach the private intranet through the authenticated VPN connection. This is possible if the VPN client computer has IP routing enabled. IP routing is enabled on Windows XP-based computers by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\Tcpip \Parameters\IPEnableRouter registry entry to 1 (data type is REG_DWORD). If split tunneling is required, administrators can help prevent a malicious user from gaining access over the Internet by doing the following: Use the Network Access Quarantine Control feature in Windows Server 2003 to check whether VPN clients have IP routing enabled and, if so, do not allow VPN access until it has been disabled. Use IP packet filters on the VPN remote access policy profile to discard both inbound traffic on the VPN connection that has not been sent from the VPN client and outbound traffic that is not destined to the VPN client. The default remote access policy, named “Connections to Microsoft Routing and Remote Access server in Windows Server 2003” has these packet filters configured and enabled by default. Note o Using the methods above does not prevent unwanted traffic if a malicious Internet user is remotely controlling the VPN client computer. To prevent this, ensure that the VPN client computer has a firewall enabled (such as Internet Connection Firewall in Windows XP) and an anti-virus program installed and running with the latest virus signature file installed. These are also settings that can be enabled and enforced when using Network Access Quarantine Control. DHCP Classless Static Routes Option Classless static routes are implemented using DHCP scope option 249. Using classless static routes, each DHCP client can be configured with the route to any destination on the network, and the subnet mask can be specified. Because each scope represents a physical subnet, the scope can be viewed as the start location for any message that is to be sent by a client to another subnet. The parameters used to configure option 249 are Destination, Mask, and Router. One or more static routes can be configured with option 249. All DHCP-enabled clients on the network can be provided with routes to all other subnets using option 249. This option is configured as a scope option because the Router IP address, like the DHCP Router option that defines the default gateway for a DHCP client, is different for each subnet. For example, subnets A and D each use a router. The routers they use will be different, and the Router IP address will be different in each case. Static Routing Static routing requires that routing tables be configured and maintained manually. Static routers do not exchange information. Because of this limitation, when compared to dynamic routing, static routing is typically implemented in small networks or in networks that require the highest level of security. Auto-Static Updates If routing protocols are not used to update the routing tables, then the routes must be entered as static routes. The static routes that correspond to the network IDs available across the interface are entered manually or automatically. The automatic entering of static routes for demand-dial interfaces is known as making auto-static updates and is supported by the server running Routing and Remote Access. Auto-static updates are supported by Routing Information Protocol (RIP) for IP, but not by OSPF. Auto-static refers to the automatic adding of the requested routes as static routes in the routing table. The sending of the request for routes is performed through an explicit action, either through Routing and Remote Access or the Netsh utility while the demand-dial interface is in a connected state. Auto-static updates are not automatically performed every time a demand-dial connection is made. When instructed, a demand-dial interface that is configured for auto-static updates sends a request across an active connection to request all of the routes of the router on the other side of the connection. In response to the request, all of the routes of the requested router are automatically entered as static routes in the routing table of the requesting router. The static routes are persistent: They are kept in the routing table even if the interface becomes disconnected or the router is restarted. An auto-static update is a one-time, one-way exchange of routing information. Administrators can automate and schedule auto-static updates by executing the update as a scheduled task. When an auto-static update is requested, the existing auto-static routes are deleted before the update is requested from other routers. If there is no response to the request, then the router cannot replace the routes it has deleted. This might lead to a loss of connectivity to remote networks. Dynamic Routing By implementing a dynamic routing protocol, such as RIP or Open Shortest Path First (OSPF), administrators can configure routers to exchange routing information with each other as needed. RIP The biggest advantage of RIP is that it is extremely simple to configure and deploy. The biggest disadvantage of RIP is its inability to scale to large or very large networks. The maximum hop count used by RIP routers is 15. Networks that are 16 hops or more away are considered unreachable. As networks grow larger in size, the periodic announcements by each RIP router can cause excessive traffic. Another disadvantage of RIP is its high recovery time. When the network topology changes, it might take several minutes before the RIP routers reconfigure themselves to the new network topology. While the network reconfigures itself, routing loops might form that result in lost or undeliverable data. Initially, the routing table for each router includes only the networks that are physically connected. A RIP router periodically sends announcements that contain its routing table entries to inform other local RIP routers of the networks it can reach. RIP version 1 uses IP broadcast packets for its announcements. RIP version 2 can use multicast or broadcast packets for its announcements. RIP routers can also communicate routing information through triggered updates. Triggered updates occur when the network topology changes and updated routing information is sent that reflects those changes. With triggered updates, the update is sent immediately rather than waiting for the next periodic announcement. For example, when a router detects a link or router failure, it updates its own routing table and sends updated routes. Each router that receives the triggered update modifies its own routing table and propagates the change. Routing and Remote Access supports RIP versions 1 and 2. RIP version 2 supports multicast announcements, simple password authentication, and more flexibility in subnetted and Classless InterDomain Routing (CIDR) environments. OSPF The biggest advantage of OSPF is that it is efficient; OSPF requires very little network overhead even in very large networks. The biggest disadvantage of OSPF is its complexity; OSPF requires proper planning and is more difficult to configure and administer. OSPF uses a Shortest Path First (SPF) algorithm to compute routes in the routing table. The SPF algorithm computes the shortest (least cost) path between the router and all the subnets of the network. SPF-calculated routes are always loop-free. Changes to network topology are efficiently flooded across the entire network to ensure that the link state database on each router is synchronized and accurate at all times. Upon receiving changes to the link state database, the routing table is recalculated. As the size of the link state database increases, memory requirements and route computation times increase. To address this scaling problem, OSPF divides the network into areas (collections of contiguous networks) that are connected to each other through a backbone area. Each router only keeps a link state database for those areas that are connected to the router. Area border routers (ABRs) connect the backbone area to other areas. Single-Adapter model With the single-adapter model, also known as the NBMA model, the network for the frame relay service provider (also known as the frame relay cloud) is treated as an IP network and the endpoints on the cloud are assigned IP addresses from a designated IP network ID. To ensure that OSPF traffic is received by all of the appropriate endpoints on the cloud, the frame relay interface must be configured to send unicast OSPF announcements to all of the appropriate endpoints. For the server running Routing and Remote Access, this is done by designating the interface as an NBMA network and adding OSPF neighbors. In addition, in a spoke and hub frame relay topology, the frame relay interface for the hub router must have a router priority set to 1 or greater and the frame relay interfaces for the spoke routers must have a router priority set to 0. Otherwise, the hub router, which is the only router that can communicate with all of the spoke routers, cannot become the designated router and adjacencies cannot form across the frame relay network. Multiple-Adapter model With the multiple-adapter model, each frame relay virtual circuit appears as a point-to-point link with its own network ID, and the endpoints are assigned IP addresses from a designated IP network ID. Because each virtual circuit is its own point-to-point connection, administrators can configure the interface for the point-to-point network type. Virtual links An OSPF-routed network can be subdivided into areas, which are collections of contiguous networks. All areas are connected together through a common area called the backbone area. A router that connects an area to the backbone area is called an area border router (ABR). Normally, ABRs have a physical connection to the backbone area. When it is not possible or practical to have an ABR physically connected to the backbone area, administrators can use a virtual link to connect the ABR to the backbone. A virtual link is a logical point-to-point connection between an ABR of an area and an ABR that is physically connected to the backbone area. For example, a virtual link is configured between the ABR of Area 2 and the ABR of Area 1. The ABR of Area 1 is physically connected to the backbone area. Area 1 is known as the transit area, the area across which the virtual link is created in order to logically connect Area 2 to the backbone. To create a virtual link, both routers, called virtual link neighbors, are configured with the transit area, the router ID of the virtual link neighbor, matching hello and dead intervals, and a matching password. External routes and ASBRs The set of OSPF routers in an organization defines an OSPF autonomous system (AS). By default, only OSPF routes corresponding to directly-connected network segments are propagated within the AS. An external route is any route that is not within the OSPF AS. External routes can come from many sources: Other routing protocols such as RIP for IP (version 1 and version 2) Static routes Routes set on the router through SNMP External routes are propagated throughout the OSPF AS through one or more autonomous system boundary routers (ASBRs). An ASBR advertises external routes within the OSPF AS. For example, if the static routes of a server running Routing and Remote Access need to be advertised, that router must be enabled as an ASBR. External route filters By default, OSPF routers acting as ASBRs import and advertise all external routes. Administrators might want to filter out external routes to keep the ASBR from advertising improper routes. External routes can be filtered on the ASBR by: External route source Administrators can configure the ASBR to accept or ignore the routes of certain external sources such as routing protocols (RIP version 2) or other sources (static routes or SNMP). Individual route Administrators can configure the ASBR to accept or discard specific routes by configuring one or multiple destination, network mask pairs. VPN and Firewalls A firewall uses packet filtering to allow or disallow the flow of specific types of network traffic. IP packet filtering provides a way for administrators to define precisely what IP traffic is allowed to cross the firewall. IP packet filtering is important when private intranets are connected to public networks, such as the Internet. There are two approaches to using a firewall with a VPN server: A firewall is between the VPN server and the Internet. In this configuration, the VPN server is behind the firewall. The VPN server is connected to the Internet and the firewall is between the VPN server and the intranet. In this configuration, the VPN server is in front of the firewall. VPN Server Behind a Firewall In the configuration shown in the following figure, the firewall is connected to the Internet and the VPN server is another intranet resource connected to the perimeter network, also known as a screened subnet or demilitarized zone (DMZ). The perimeter network is an IP network segment that typically contains resources available to Internet users such as Web servers and FTP servers. The VPN server has an interface on the perimeter network and an interface on the intranet. In this approach, the firewall must be configured with input and output filters on its Internet and perimeter network interfaces to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the perimeter network. As an added layer of security, the VPN server should also be configured with PPTP or L2TP/IPSec packet filters on its perimeter network interface as described in “VPN Server in Front of a Firewall” in this section. Because the firewall does not have the encryption keys for each VPN connection, it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. However, this is not a security concern because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server. VPN Server Behind the Firewall Packet Filters for a VPN Server Behind a Firewall If the VPN server is behind a firewall, packet filters must be configured for both an Internet interface and a perimeter network interface. In this scenario, the firewall is connected to the Internet, and the VPN server is an intranet resource that is connected to the perimeter network. The VPN server has an interface on both the perimeter network and the Internet. PPTP connections for the Internet interface of the firewall The following table shows the inbound and outbound PPTP filters on the firewall’s Internet interface. VPN Server Behind a Firewall: PPTP Filters on the Firewall’s Internet Interface Filter Type Inbound Inbound Filter Action Destination IP address = Perimeter network interface of VPN server Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server. TCP destination port = 1723 (0x6BB) Destination IP address = Perimeter network interface of Allows tunneled PPTP data from the PPTP client to the PPTP VPN server server. IP Protocol ID = 47 (0x2F) Destination IP address = Perimeter network interface of VPN server Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from TCP port 1723 is allowed to reach the VPN server, Inbound network attacks can emanate from sources on the Internet that use this port. Administrators should only use this filter in TCP source port = conjunction with the PPTP filters that are also configured on the VPN server. 1723 (0x6BB) Source IP address = Perimeter network interface of VPN Allows PPTP tunnel maintenance traffic from the PPTP server Outbound server to the PPTP client. TCP source port = 1723 (0x6BB) Source IP address = Perimeter network interface of VPN Allows tunneled PPTP data from the PPTP server to the PPTP Outbound server client. IP Protocol ID = 47 (0x2F) Source IP address Required only when the VPN server is acting as a VPN client (a = Perimeter network calling router) in a site-to-site VPN connection. If all traffic interface of VPN from the VPN server is allowed to reach TCP port 1723, server Outbound network attacks can emanate from sources on the Internet using this port. Administrators should only use this filter in TCP destination conjunction with the PPTP filters that are also configured on the port = 1723 VPN server. (0x6BB) PPTP connections for the perimeter network interface of the firewall The following table shows the inbound and outbound PPTP filters on the firewall’s perimeter network interface. VPN Server Behind a Firewall: PPTP Filters on the Perimeter Network Interface Filter Type Inbound Inbound Inbound Filter Action Source IP address = Perimeter network interface of VPN server Allows PPTP tunnel maintenance traffic from the VPN server to the VPN client. TCP source port = 1723 (0x6BB) Source IP address = Perimeter network interface of VPN server Allows tunneled PPTP data from the VPN server to the VPN client. IP Protocol ID = 47 (0x2F) Source IP address = Required only when the VPN server is acting as a VPN client Perimeter network (a calling router) in a site-to-site VPN connection. If all interface of VPN server traffic from TCP port 1723 is allowed to reach the VPN server, network attacks can emanate from sources on the TCP destination port Internet using this port. = 1723 (0x6BB) Destination IP address = Perimeter network interface of Outbound VPN server TCP source port = 1723 (0x6BB) Destination IP address = Perimeter network interface of Outbound VPN server IP Protocol ID = 47 (0x2F) Destination IP address = Perimeter network interface of Outbound VPN server TCP source port = 1723 (0x6BB) Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server. Allows tunneled PPTP data from the PPTP client to the PPTP server. Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from the VPN server is allowed to reach TCP port 1723, network attacks can emanate from sources on the Internet using this port. L2TP/IPSec connections for the Internet interface of the firewall The following table shows the inbound and outbound L2TP/IPSec filters on the firewall’s Internet interface. VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall’s Internet Interface Filter Type Inbound Inbound Inbound Filter Destination IP address = Perimeter network interface of VPN server UDP destination port = 500 (0x1F4) Destination IP address = Perimeter network interface of VPN server UDP destination port = 4500 (0x1194) Destination IP address = Perimeter network interface of VPN server IP Protocol ID = 50 (0x32) Action Allows IKE traffic to the VPN server. Allows IPSec NAT-T traffic to the VPN server. Allows IPSec ESP traffic to the VPN server. Outbound Outbound Outbound Source IP address = Perimeter network interface of VPN server UDP source port = 500 (0x1F4) Source IP address = Perimeter network interface of VPN server UDP source port = 4500 (0x1194) Source IP address = Perimeter network interface of VPN server Allows IKE traffic from the VPN server. Allows IPSec NAT-T traffic from the VPN server. Allows IPSec ESP traffic from the VPN server. IP Protocol ID = 50 (0x32) No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted with IPSec ESP. L2TP/IPSec connections for the perimeter network interface of the firewall The following table shows the inbound and outbound L2TP/IPSec filters on the firewall’s perimeter network interface. VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall’s Perimeter Network Interface Filter Type Inbound Inbound Inbound Outbound Filter Source IP address = Perimeter network interface of VPN server UDP source port = 500 (0x1F4) Source IP address = Perimeter network interface of VPN server UDP source port = 4500 (0x1194) Source IP address = Perimeter network interface of VPN server IP Protocol ID = 50 (0x32) Destination IP address = Perimeter network interface of VPN server UDP destination port = 500 (0x1F4) Action Allows IKE traffic from the VPN server. Allows IPSec NAT-T traffic from the VPN server. Allows IPSec ESP traffic from the VPN server. Allows IKE traffic to the VPN server. Outbound Outbound Destination IP address = Perimeter network interface of VPN server UDP destination port = 4500 (0x1194) Destination IP address = Perimeter network interface of VPN server Allows IPSec NAT-T traffic to the VPN server. Allows IPSec ESP traffic to the VPN server. IP Protocol ID = 50 (0x32) VPN Server in Front of a Firewall With the VPN server in front of the firewall and connected to the Internet, as shown in the following figure, administrators need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN server’s interface on the Internet. For inbound traffic, when the tunneled data is decrypted by the VPN server it is forwarded to the firewall, which employs its filters to allow the traffic to be forwarded to intranet resources. Because the only traffic that is crossing the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specific intranet resources. Because the only Internet traffic allowed on the intranet must go through the VPN server, this approach also prevents the sharing of intranet resources with non-VPN Internet users. VPN Server in Front of the Firewall Packet Filters for a VPN Server in Front of a Firewall When a VPN server is in front of a firewall and connected to the Internet, inbound and outbound packet filters on the VPN server need to be configured to allow only VPN traffic to and from the IP address of the VPN server’s Internet interface. Use this configuration if the VPN server is in a perimeter network, with one firewall positioned between the VPN server and the intranet and another between the VPN server and the Internet. All of the following packet filters are configured, using the Routing and Remote Access snap-in, as IP packet filters on the Internet interface. Depending on the configuration decisions made when running the Routing and Remote Access Server Setup Wizard, these packet filters might already be configured. PPTP connections for the inbound and outbound filters The following table shows the VPN server’s inbound and outbound filters for PPTP. VPN Server in Front of a Firewall: PPTP Packet Filters on the Internet Interface Filter Type Filter Action Destination IP address = Internet interface of VPN server Inbound Subnet mask = 255.255.255.255 Allows PPTP tunnel maintenance to the VPN server. TCP destination port = 1723 Destination IP address = Internet interface of VPN server Inbound Subnet mask = 255.255.255.255 IP Protocol ID = 47 Destination IP address = Internet interface of VPN server Inbound Subnet mask = 255.255.255.255 Allows tunneled PPTP data to the VPN server. Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Accepts TCP traffic only when a VPN server initiates the TCP connection. TCP (established) source port = 1723 Source IP address = Internet interface of VPN server Outbound Subnet mask = 255.255.255.255 TCP source port = 1723 Outbound Source IP address = Allows PPTP tunnel maintenance traffic from the VPN server. Allows tunneled PPTP data from the VPN server. Internet interface of VPN server Subnet mask = 255.255.255.255 IP Protocol ID = 47 Source IP address = Internet interface of VPN server Outbound Subnet mask = 255.255.255.255 Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Sends TCP traffic only when a VPN server initiates the TCP connection. TCP (established) destination port = 1723 L2TP/IPSec connections The following table shows the VPN server’s inbound and outbound filters for L2TP/IPSec. VPN Server in Front of a Firewall: L2TP/IPSec Packet Filters on the Internet Interface Filter Type Filter Action Destination IP address = Internet interface of VPN server Inbound Subnet mask = 255.255.255.255 Allows IKE traffic to the VPN server. UDP destination port = 500 Destination IP address = Internet interface of VPN server Inbound Subnet mask = 255.255.255.255 Allows L2TP traffic from the VPN client to the VPN server. UDP destination port = 1701 Destination IP address = Internet interface of VPN server Inbound Subnet mask = 255.255.255.255 UDP destination port = 4500 Allows IPSec NAT-T traffic from the VPN client to the VPN server. Source IP address = Internet interface of VPN server Outbound Subnet mask = 255.255.255.255 Allows IKE traffic from the VPN server. UDP source port = 500 Source IP address = Internet interface of VPN server Outbound Subnet mask = 255.255.255.255 Allows L2TP traffic from the VPN server to the VPN client. UDP source port = 1701 Source IP address = Internet interface of VPN server Outbound Subnet mask = 255.255.255.255 Allows IPSec NAT-T traffic from the VPN server to the VPN client UDP source port = 4500 VPN and NAT A network address translator (NAT) is a device that is typically used to provide shared access for private networks to a public network such as the Internet. Because NAT does not work with protocols that use encryption, a VPN solution that includes a NAT can add a layer of complexity to a VPN deployment. NAT with PPTP Connections If a VPN client that uses a PPTP connection is behind a NAT, the NAT must include a NAT editor that can translate PPTP traffic. The NAT editor is required because tunneled PPTP data has a GRE header rather than a TCP header or a UDP header. The NAT editor uses the Call ID field in the GRE header to identify the PPTP data stream and translate IP addresses and call IDs for PPTP data packets that are forwarded between a private network and the Internet. PPTP NAT editor The NAT/Basic Firewall routing protocol component of the Routing and Remote Access service and the Internet Connection Sharing feature of Network Connections includes a NAT editor for PPTP traffic. NAT with L2TP Connections To use L2TP-based VPN connections behind a NAT, IPSec NAT Traversal (NAT-T) must be implemented at both ends of the VPN connection. IPSec NAT-T IPSec NAT-T addresses the difficulty of using IPSec-based VPNs across a NAT. Windows Server 2003 allows an L2TP/IPSec connection to pass through a NAT. This capability is based on the latest IETF standards. IPSec NAT-T enables IPSec peers to negotiate and communicate when they are behind a NAT. To use IPSec NAT-T, both the remote access VPN client and the remote access VPN server must support IPSec NAT-T. IPSec NAT-T is supported by the Windows Server 2003 Microsoft L2TP/IPSec VPN Client and by the L2TP/IPSec NAT-T Update for Windows XP and the L2TP/IPSec NAT-T Update for Windows 2000. During the IPSec negotiation process, IPSec NAT-T-capable peers automatically determine whether both the initiating IPSec peer (typically a client computer) and responding IPSec peer (typically a server) can perform IPSec NAT-T. In addition, IPSec NAT-T-capable peers automatically determine if there are any NATs in the path between them. If both of these conditions are true, the peers automatically use IPSec NAT-T to send IPSec-protected traffic. User Datagram Protocol-Encapsulating Security Payload (UDP-ESP) IPSec NAT-T provides UDP encapsulation of IPSec packets to enable IKE and ESP-protected traffic to pass through a NAT. IKE automatically detects that a NAT is present and uses UDPESP encapsulation to enable ESP-protected IPSec traffic to pass through the NAT.