Thursday, February 26, 2009

vpn

Virtual Private Networking with Windows Server 2003: Overview

Microsoft Corporation
Published: March 2003

Abstract
This white paper provides an overview of virtual private networking and the virtual private network (VPN) technologies supported by Windows Server 2003 and Windows XP. Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec) are described as the two industry-standard methods for VPN connections. This paper also describes the set of features in Windows Server 2003 and Windows XP that provides advanced security capabilities and simplified administration of VPN connections for enterprise networks.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2003 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents
Introduction
Common Uses of VPNs
  Remote Access Over the Internet
  Connecting Networks Over the Internet
  Connecting Computers Over an Intranet
Basic VPN Requirements
Tunneling Basics
  Tunneling Protocols
  How Tunneling Works
  Tunneling Protocols and the Basic VPN Requirements
  Point-to-Point Protocol (PPP)
    Phase 1: PPP Link Establishment
    Phase 2: User Authentication
    Phase 3: PPP Callback Control
    Phase 4: Invoking Network Layer Protocol(s)
    Data-Transfer Phase
  Point-to-Point Tunneling Protocol (PPTP)
  Layer Two Tunneling Protocol (L2TP)
  PPTP Compared to L2TP/IPSec
    Advantages of L2TP/IPSec Over PPTP
    Advantages of PPTP Over L2TP/IPSec
  Tunnel Types
    Voluntary Tunneling
    Compulsory Tunneling
Advanced VPN Security Features
  EAP-TLS and Certificate-based Authentication
    Digital Certificates
    Extensible Authentication Protocol (EAP)
    EAP-Transport Level Security (EAP-TLS)
  Network Access Quarantine Control
  Remote Access Account Lockout
  Remote Access Policy Profile Packet Filtering
VPN Administration
  Authorizing VPN Connections
  Scalability
    RADIUS
  Connection Manager and Managed VPN Connections
    Connection Manager Client Dialer
    Connection Manager Administration Kit
    Connection Point Services
  Accounting, Auditing, and Alarming
Summary
Related Links

Introduction
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link. The act of configuring and creating a virtual private network is known as virtual private networking.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information allowing it to traverse the shared or public transit internetwork to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The portion of the connection in which the private data is encapsulated is known as the tunnel. The portion of the connection in which the private data is encrypted is known as the virtual private network (VPN) connection.
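The paragraph above defines a tunnel by two properties: an outer header that the shared network routes on, and encryption that leaves the inner data unreadable to anyone without the key. The following Go program is an illustration added here; it is not part of the original white paper and does not implement PPTP, L2TP or IPsec. It builds and unwraps a packet of a made-up tunnel format to show both properties: what an eavesdropper on the transit network can read (outer addresses, size), what it cannot (inner addresses, payload), and what happens when an on-path attacker rewrites the outer destination. The addresses, payload and key are constructed sample data, and AES-GCM stands in for whatever cipher a real protocol negotiates.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Illustrative tunnel packet (not PPTP, L2TP or IPsec): a 12-byte cleartext outer
// header (src IPv4 | dst IPv4 | tunnel id | body length) followed by the body
// (12-byte AES-GCM nonce | ciphertext of the inner datagram | 16-byte tag).
const outerHdrLen, nonceLen = 12, 12

// Inner is the private datagram the tunnel carries: IPv4 src, IPv4 dst, payload.
// Its addresses belong to the private network; transit routers never read them.
type Inner struct {
	Src, Dst net.IP
	Payload  []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate wraps inner in an outer header the shared network routes on and
// encrypts the inner datagram. The outer header is bound to the ciphertext as
// additional authenticated data, so rewriting it in flight breaks the tag.
func Encapsulate(key []byte, outerSrc, outerDst net.IP, tunnelID uint16, inner Inner) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	plain := append(append(append([]byte{}, inner.Src.To4()...), inner.Dst.To4()...), inner.Payload...)
	bodyLen := nonceLen + len(plain) + aead.Overhead()
	if outerSrc.To4() == nil || outerDst.To4() == nil || inner.Src.To4() == nil || inner.Dst.To4() == nil || bodyLen > 0xFFFF {
		return nil, errors.New("addresses must be IPv4 and the body must fit a 16-bit length field")
	}
	hdr := make([]byte, outerHdrLen)
	copy(hdr[0:4], outerSrc.To4())
	copy(hdr[4:8], outerDst.To4())
	binary.BigEndian.PutUint16(hdr[8:10], tunnelID)
	binary.BigEndian.PutUint16(hdr[10:12], uint16(bodyLen))
	nonce := make([]byte, nonceLen) // fresh random nonce per packet; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append(make([]byte, 0, outerHdrLen+bodyLen), hdr...), nonce...)
	return aead.Seal(out, nonce, plain, hdr), nil
}

// Decapsulate checks the tag and decrypts. A wrong key or any change to the
// outer header, nonce or ciphertext is rejected before anything is forwarded.
func Decapsulate(key, wire []byte) (Inner, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Inner{}, err
	}
	if len(wire) < outerHdrLen+nonceLen+aead.Overhead()+8 {
		return Inner{}, errors.New("tunnel packet too short")
	}
	hdr, body := wire[:outerHdrLen], wire[outerHdrLen:]
	if int(binary.BigEndian.Uint16(hdr[10:12])) != len(body) {
		return Inner{}, errors.New("length field does not match packet")
	}
	plain, err := aead.Open(nil, body[:nonceLen], body[nonceLen:], hdr)
	if err != nil {
		return Inner{}, fmt.Errorf("tunnel authentication failed: %w", err)
	}
	return Inner{Src: net.IP(plain[0:4]), Dst: net.IP(plain[4:8]), Payload: plain[8:]}, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; a real VPN negotiates per-session keys
	// Constructed sample: private host 10.0.0.5 reaches private server 10.0.1.20 across the
	// Internet between VPN endpoints 203.0.113.7 and 198.51.100.2 (documentation addresses).
	inner := Inner{Src: net.ParseIP("10.0.0.5"), Dst: net.ParseIP("10.0.1.20"), Payload: []byte("GET /payroll HTTP/1.0")}
	wire, err := Encapsulate(key, net.ParseIP("203.0.113.7"), net.ParseIP("198.51.100.2"), 1, inner)
	if err != nil {
		panic(err)
	}
	// What an eavesdropper on the shared network sees: outer addresses and an opaque body.
	fmt.Printf("on the wire: %s -> %s, %d opaque bytes, payload visible: %v\n",
		net.IP(wire[0:4]), net.IP(wire[4:8]), len(wire)-outerHdrLen, bytes.Contains(wire, inner.Payload))
	got, err := Decapsulate(key, wire)
	fmt.Printf("at the VPN server: %s -> %s %q (err: %v)\n", got.Src, got.Dst, got.Payload, err)
	wire[5] ^= 1 // an on-path attacker rewrites the outer destination address
	_, err = Decapsulate(key, wire)
	fmt.Println("after outer-header tampering:", err)
}
```

The detail worth noting is that the cleartext outer header is authenticated along with the ciphertext: the transit network can read and route on it, but any change to it is detected at the far endpoint instead of being silently accepted. The example deliberately omits replay protection (a sequence number checked by the receiver), which any real tunnel protocol also needs.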

Figure 1: Virtual private network connection
VPN connections allow users working at home or on the road to connect in a secure fashion to a remote organization server using the routing infrastructure provided by a public internetwork (such as the Internet). From the user's perspective, the VPN connection is a point-to-point connection between the user's computer and an organization server. The nature of the intermediate internetwork is irrelevant to the user because it appears as if the data is being sent over a dedicated private link.
VPN technology also allows a corporation to connect to branch offices or to other companies over a public internetwork (such as the Internet), while maintaining secure communications. The VPN connect