Setting Up a Virtual Private Network
by Wei-Meng Lee, author of Windows XP Unwired
If you're out of the office and need to use a network resource such as a printer or file server, you're often out of luck. Unless you dial directly into the company's server, you won't be able to access network resources. Moreover, using a dialup line is not a cheap alternative (besides the slow speed), especially if you are overseas.
Your best bet is to use a Virtual Private Network (VPN), which allows you to establish a secure, encrypted connection to the office's network, using a public network such as the Internet. Using a VPN, you can work as though you are connected to your company's network, no matter where you are in the world.
There are two main types of VPNs:
Remote-access VPN: This type of VPN allows a client to use a VPN to connect to a secure network, such as a corporate intranet.
Site-to-site VPN: This type of VPN connects two networks via a VPN connection. This effectively combines two disparate networks into one, eliminating the need for a Wide Area Network (WAN).
In this article I will explain the basics of VPNs and show you how to set up one yourself using Windows 2003 Server and Windows XP Professional.
In a VPN, two computers communicate through a VPN tunnel. Tunneling is the process of encapsulating packets within other packets to protect their integrity and privacy during transit. A tunnel performs such tasks as encryption, authentication, packet forwarding, and masking of IP private addresses. Think of a tunnel as a private link between the two computers; whatever one sends to the other is only visible to the other, even though it is sent through a public network like the Internet.
If you're curious about what goes on under the hood of a VPN, there are three protocols you need to know about -- PPTP, L2TP, and IPSec.
PPTP (Point-to-Point Tunneling Protocol): This was designed by Microsoft (and other companies) to create a secure tunnel between two computers. PPTP provides authentication and encryption services and encapsulates PPP packets within IP packets. It supports multiple Microsoft networking protocols and both LAN-to-LAN and dialup connections. However, it is proprietary and its encryption is weak.
L2TP (Layer 2 Tunneling Protocol): This works like PPTP, except that it does not include encryption. L2TP was proposed by Cisco Systems and, like PPTP, supports multiple networking protocols.
IPSec (IP Security): This protocol addresses the shortcoming of L2TP by providing encryption and authentication of IP packets. As such, L2TP is often used together with IPSec to provide a secure connection.
PPTP and L2TP are among the most likely proposals as the basis for a new Internet Engineering Task Force (IETF) standard.
In the following sections, I will illustrate how to set up a VPN host and client -- the host server using Windows 2003 Server and the client using Windows XP Professional.
Let's start with setting up the VPN host.
1. On the desktop, right-click on My Network Places.
2. Select Create a new connection.
3. On the New Connection Wizard window, select Set up an advanced connection (see Figure 1). Click Next.
Figure 1. Choosing the network connection type.
4. Select Accept incoming connections. Click Next.
5. In the next window, select any other devices that should accept incoming connections. Click Next.
6. Select Allow virtual private connections and click Next (see Figure 2).
Figure 2. Allowing a VPN connection.
7. Select the users you want to allow to connect to your computer using the VPN connection (see Figure 3). Click Next.
Figure 3. Granting access rights to users.
8. The next window allows you to install additional networking software for this connection (see Figure 4). After you choose your protocols and software, click Next.
Figure 4. Installing the networking software for the VPN connection.
9. Click Next and then click Finish to complete the process.
To configure Windows XP to connect to a VPN:
1. On the desktop, right-click on Network Connections.
2. Select Create a new connection.
3. Select Connect to the network at my workplace (see Figure 5). Click Next.
Figure 5. Selecting the network connection type.
4. Select Virtual Private Network connection. Click Next.
5. Enter a name for the VPN connection (see Figure 6). Click Next.
Figure 6. Giving your VPN connection a name.
6. Select "Do not dial the initial connection." Click Next.
7. Enter the IP address of the VPN server (see Figure 7). Click Next.
Figure 7. Specifying the IP address of the VPN host.
8. Select My use only. Click Next.
9. Check the "Add a shortcut to this connection to my desktop" checkbox. Click Finish.
That's it! When the process is completed, an icon will be shown on the desktop (see Figure 8).
Figure 8. The icon for the VPN connection.
To connect to the VPN server, double-click on the icon and log in with your user name and password (see Figure 9). You can now work as though you were sitting at a computer in your office; most (if not all) of your network resources, such as file and print servers, will be accessible.
Figure 9. Logging in to a VPN connection.
Resist the temptation to check the box titled Save this User Name and Password for the following users. If you enable this, your password will be saved on your computer, and if your computer is stolen or compromised, an attacker will be able to connect to the VPN and access everything it protects.
One common error you might encounter has to do with the proxy server setting in Internet Explorer. My ISP does not require me to use a proxy server when surfing the Web, but when I connect to the VPN server at my workplace, I am suddenly unable to reach the Web. As it turned out, my company requires a proxy server for Web access. With the proxy server configured in IE, I can once again browse the Web (see Figure 10). Check with your network administrator for proxy information and how to set it up.
Figure 10. Setting a proxy server for a VPN connection.
Most routers support a feature known as "IPSec and PPTP pass through." You may need to enable that feature on your router; check its documentation for details.
IPSec and PPTP are security protocols that provide authentication and encryption over the Internet. The "pass through" feature of the router allows secure packets to flow through the router but the router itself does not perform any authentication or encryption operation.
IPSec works in two modes -- transport mode and tunnel mode. Transport mode secures IP packets from source-to-destination, whereas tunnel mode puts an IP packet into another packet that is sent to the tunnel's endpoint. Only tunnel mode (ESP) IPSec can be passed through.
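The two ideas in the last few paragraphs, a router that lets VPN traffic "pass through" by recognising it from the outside without decrypting it, and the difference between transport-mode and tunnel-mode packets, can be made concrete in code; the same example also illustrates the encapsulation described earlier, where the inner packet with its private addresses rides inside an outer packet between the two gateways. The following Python program is added here and is not part of the original article. It builds constructed IPv4 packets using addresses from the RFC 5737 documentation ranges, classifies them by the IANA protocol numbers and well-known ports the standards assign (GRE 47 and TCP 1723 for PPTP, ESP 50 and AH 51, UDP 500 for IKE, UDP 1701 for L2TP; these assignments are assumed from the standards, not stated in the article), and shows that after tunnel-mode encapsulation only the gateways' public addresses are visible on the wire. The ESP encryption itself is omitted so the packet layering stays visible.

```python
"""Added example (not from the article): tunnel-mode encapsulation and a
router's "pass through" view of VPN traffic, on constructed IPv4 packets."""
import socket
import struct

# IANA protocol numbers and well-known ports (assumed from the standards).
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PORT_IKE, PORT_L2TP, PORT_PPTP = 500, 1701, 1723
GATEWAY_A, GATEWAY_B = "203.0.113.10", "198.51.100.20"  # RFC 5737 documentation addresses


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return what a router sees: addresses, protocol number and payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}


def classify_vpn(pkt: bytes) -> str:
    """Label VPN traffic from the outer header only, as a pass-through router
    must: it forwards GRE and ESP without decrypting or authenticating them."""
    ip = parse_ipv4(pkt)
    proto, payload = ip["proto"], ip["payload"]
    if proto == PROTO_GRE:
        return "PPTP data (GRE tunnel)"
    if proto == PROTO_ESP:
        return "IPSec ESP"
    if proto == PROTO_AH:  # AH authenticates the IP header itself, so NAT rewriting breaks it
        return "IPSec AH"
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        ports = set(struct.unpack("!HH", payload[:4]))  # source and destination port
        if proto == PROTO_TCP and PORT_PPTP in ports:
            return "PPTP control (TCP/1723)"
        if proto == PROTO_UDP and PORT_IKE in ports:
            return "IPSec IKE key exchange (UDP/500)"
        if proto == PROTO_UDP and PORT_L2TP in ports:
            return "L2TP (UDP/1701; unencrypted unless inside IPSec)"
    return "not VPN"


def tunnel_mode(inner_pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet, private addresses included, becomes the
    payload of a new packet between the gateways. Real ESP would also encrypt it and
    add an ESP header and trailer; that is omitted here so the layering stays visible."""
    return ipv4_packet(gw_src, gw_dst, PROTO_ESP, inner_pkt)


def transport_mode(src: str, dst: str, payload: bytes) -> bytes:
    """Transport mode: the original addresses stay in the single IP header and only
    the payload is protected, so the real endpoints remain visible in transit."""
    return ipv4_packet(src, dst, PROTO_ESP, payload)


def demo() -> dict:
    # Constructed sample: a private host talks to a private file server and the
    # office gateways carry the packet across the Internet in tunnel mode.
    inner = ipv4_packet("10.0.0.5", "10.0.1.7", PROTO_TCP,
                        struct.pack("!HH", 40000, 445) + b"constructed payload")
    outer = tunnel_mode(inner, GATEWAY_A, GATEWAY_B)
    on_the_wire = parse_ipv4(outer)                 # a router sees only the gateway addresses
    recovered = parse_ipv4(on_the_wire["payload"])  # the far gateway decapsulates the inner packet
    transport = parse_ipv4(transport_mode("10.0.0.5", "10.0.1.7", b"protected payload"))
    gre_hdr = b"\x30\x01\x88\x0b"  # PPTP GRE header (PPP protocol type 0x880B); not inspected here
    return {
        "outer": (on_the_wire["src"], on_the_wire["dst"], on_the_wire["proto"]),
        "inner": (recovered["src"], recovered["dst"]),
        "transport": (transport["src"], transport["dst"]),
        "esp": classify_vpn(outer),
        "pptp_ctrl": classify_vpn(ipv4_packet(GATEWAY_A, GATEWAY_B, PROTO_TCP,
                                              struct.pack("!HH", 51000, PORT_PPTP))),
        "pptp_data": classify_vpn(ipv4_packet(GATEWAY_A, GATEWAY_B, PROTO_GRE, gre_hdr)),
        "ike": classify_vpn(ipv4_packet(GATEWAY_A, GATEWAY_B, PROTO_UDP,
                                        struct.pack("!HH", PORT_IKE, PORT_IKE))),
        "web": classify_vpn(ipv4_packet(GATEWAY_A, GATEWAY_B, PROTO_TCP,
                                        struct.pack("!HH", 51001, 80))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the results. The point of the classifier is that a pass-through router only needs the outer header: it can tell GRE, ESP and the PPTP or IKE control ports apart and forward them, but it can verify nothing about what is inside, which is exactly why the article says the router performs no authentication or encryption itself. The tunnel-mode output shows the 10.x addresses disappearing from the wire, while the transport-mode packet still carries them.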
Wei-Meng Lee (Microsoft MVP) http://weimenglee.blogspot.com is a technologist and founder of Developer Learning Solutions http://www.developerlearningsolutions.com, a technology company specializing in hands-on training on the latest Microsoft technologies.
Copyright © 2009 O'Reilly Media, Inc.