I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Transcription

1 Table of Content I. What is VPN?... 2 II. Types of VPN connection... 2 III. Types of VPN Protocol... 3 IV. Remote Access VPN configuration... 4 a. PPTP protocol configuration... 4 Network Topology... 4 b. L2TP/IPSec protocol configuration V. Site-to-Site VPN configuration a. PPTP protocol configuration i. Network Topology i. PNH VPN Server configuration ii. BTB VPN Server configuration iii. Client connection testing b. L2TP/IPSec protocol configuration i. Network Topology ii. PNH VPN Server configuration iii. BTB VPN Server configuration iv. Client connection testing c. IPsec protocol configuration i. Network Topology ii. ISP Network Routing Configuration iii. PNH VPN Server configuration iv. BTB VPN Server configuration v. Client connection testing... 77

2 I. What is VPN? A Virtual Private Network (VPN) is a network technology that creates a secure network connection over a public network such as the Internet or a private network owned by a service provider. A VPN can connect multiple sites over a large distance just like a Wide Area Network (WAN). VPNs are often used to extend intranets worldwide to disseminate information and news to a wide user base. II. Types of VPN connection There are two types of VPN connection: Remote Access VPN Site-to-site VPN Remote Access VPN connections enable users working at home or on the road to access a server on a private network using the infrastructure provided by a public network, such as the Internet. From the user s perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization s server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link. Site-to-site VPN connections (also known as router-to-router VPN connections) enable organizations to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated WAN link. A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and, for mutual authentication, the answering router authenticates itself to the calling router. In a site-to site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.

3 III. Types of VPN Protocol There are a number of VPN protocols in use that secure the transport of data traffic over a public network infrastructure. Each protocol varies slightly in the way that data is kept secure. IP security (IPSec) is used to secure communications over the Internet. IPSec traffic can use either transport mode or tunneling to encrypt data traffic in a VPN. The difference between the two modes is that transport mode encrypts only the message within the data packet (also known as the payload) while tunneling encrypts the entire data packet. IPSec is often referred to as a "security overlay" because of its use as a security layer for other protocols. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) use cryptography to secure communications over the Internet. Both protocols use a "handshake" method of authentication that involves a negotiation of network parameters between the client and server machines. To successfully initiate a connection, an authentication process involving certificates is used. Certificates are cryptographic keys that are stored on both the server and client. Point-To-Point Tunneling Protocol (PPTP) is another tunneling protocol used to connect a remote client to a private server over the Internet. PPTP is one of the most widely used VPN protocols because of its straightforward configuration and maintenance and also because it is included with the Windows operating system. Layer 2 Tunneling Protocol (L2TP) is a protocol used to tunnel data communications traffic between two sites over the Internet. L2TP is often used in tandem with IPSec (which acts as a security layer) to secure the transfer of L2TP data packets over the Internet. Unlike PPTP, a VPN implementation using L2TP/IPSec requires a shared key or the use of certificates.

4 IV. Remote Access VPN configuration a. PPTP protocol configuration Network Topology In the ISA 2006, we assign the following IP addresses:

5 Firstly, we need to create the User with the Dial-in permission as below Create a group, which contains the member of the User with Dial-in permission

6 Configure the IP address for the VPN connection Specify the IP Address range to be assigned for the VPN Client connection and click OK

7 Now start configuring the VPN Client Access setting In the General tab, enable VPN Client access and specify the number of VPN session and click Apply

8 In Groups tab, add the User, which has been created with Dial-in permission, and click Apply In Protocols tab, select Enable PPTP and click OK

9 Save configuration by click on Apply OK Now let s create a rule to grant access for the VPN client to Local Network. Go to Firewall Policy Create Access Rule

10 Give a name to the Rule, any at your convenience, and click Next Select Allow and click Next

11 Now select the protocol needed for the service permitted for the VPN Client to the Internal, and click Next As we need the two Networks to be accessible each other, we have to add the two for the source and then click Next

12 We also need to add the two networks in the destination and then click Next Click Next

13 Click Finish to complete the Wizard Select Apply OK to save change and update the configuration

14 Now at the client site, we need to create a new connection for the VPN When the wizard appears, click on Next

15 Select Connect to the network at my workplace and click Next Select Virtual Private Network connection and click Next

16 Provide a name for the connection and click Next This section, we need to put the IP address of VPN server and click Next

17 Click Finish to complete the Wizard After that the Dial-up connection appears, put the username and password and click Connect

18 After the connection has been established, you ll see the protocol being used is PPTP Test the connection from the VPN client to the Internal Network of VPN Server b. L2TP/IPSec protocol configuration In order to configure the L2TP/IPsec VPN protocol, just follow the steps being shown for PPTP above, but in the Protocol tab, you need to select Enable L2TP/IPsec instead of Enable PPTP

19 By default, the L2TP/IPsec protocol will use the certificate for the authentication. Since we are configuring the VPN using Pre-shared Key, not Certificate, go to Select Authentication Methods to specify the Pre-shared key for this.

20 In Authentication tab, select Allow customer IPsec policy for L2TP connection and specify the Preshared Key and then click OK At the VPN client site, click on Properties

21 In Networking tab, change the Type of VPN to L2TP IPsec VPN and click OK In the Security tab, select IPSec Setting

22 Then, specify the Pre-shared Key and click OK Click OK Click Connect

23 After the connection has been established, you ll see the protocol being used is L2TP V. Site-to-Site VPN configuration a. PPTP protocol configuration i. Network Topology

24 i. PNH VPN Server configuration The following IP addresses are configured on the PNH Server Go to Virtual Private Network Remote Sites Create VPN Site-to-Site connection

25 Provide the Site-to-site network name, and click Next Select Point-to-Point Tunneling Protocol (PPTP) and click Next

26 The alert message will appear, showing you that a user account matching the network name is required to create. This account, with the Dial-in permission, will be used for the BTB VPN Server to access the local site. Just click OK Specify the IP address to be assigned for incoming VPN Client connection. Here, there are two options for the IP allocation, Static and DHCP. Remember that if you are assigning the static pool for the connection, the pool cannot overlap with any existing network. Then, click Next

27 Specify the connection owner, and click Next In this step, it requires you to specify the Remote Site Gateway, which could be a FQDN or IP address. Since we are not having a DNS service, we just use the BTB External IP address instead, and then click Next

28 Configure the Remote Authentication by enable the function and provide the account information for the Local site to be able to initiate connection to the Remote site. Note: the PNH user account must be created with Dial-in permission in BTB VPN Server. Specify the Internal IP address ranges of the BTB VPN Server and click Next

29 Since we do not have any Network Load Balancing, just disable it and click Next This step will guide you to create a rule to grant access from the VPN connection to Local Network. Specify the rule name at your convenience and click Next

30 Here, allow the protocols that you require for the connection and click Next Click Finish to complete the Wizard

31 It immediately appears a message that BTB user is required to create with Dial-in permission Click on Apply and OK to save changes and update the configuration

32 Next, create a user account named BTB with Dial-in permission as below ii. BTB VPN Server configuration The following IP addresses are configured on the BTB VPN Server

33 Go to Virtual Private Network Remote Sites Create VPN Site-to-Site connection Provide the Site-to-site network name, and click Next

34 Select Point-to-Point Tunneling Protocol (PPTP) and click Next The alert message will appear, showing you that a user account matching the network name is required to create. This account, with the Dial-in permission, will be used for the PNH VPN Server to access the local site. Just click OK.

35 Specify the IP address to be assigned for incoming VPN Client connection. Here, there are two options for the IP allocation, Static and DHCP. Remember that if you are assigning the static pool for the connection, the pool cannot overlap with any existing network. Then, click Next Specify the connection owner, and click Next

36 In this step, it requires you to specify the Remote Site Gateway, which could be a FQDN or IP address. Since we are not having a DNS service, we just use the BTB External IP address instead, and then click Next Configure the Remote Authentication by enable the function and provide the account information for the Local site to be able to initiate connection to the Remote site. Note: the BTB user account must be created with Dial-in permission in PNH VPN Server.

37 Specify the IP address ranges of the PNH VPN Server and click Next Since we do not have any Network Load Balancing, just disable it and click Next

38 This step will guide you to create a rule to grant access from the VPN connection to Local Network. Specify the rule name at your convenience and click Next Here, allow the protocols that you require for the connection and click Next

39 Click Finish to complete the Wizard It immediately appears a message that PNH user is required to create with Dial-in permission

40 Click on Apply and OK to save changes and update the configuration Next, create a user account named PNH with Dial-in permission as below

41 iii. Client connection testing Test the connection by pinging from Client in PNH to Client in BTB Test the connection by pinging from Client in BTB to Client in PNH

42 b. L2TP/IPSec protocol configuration i. Network Topology ii. PNH VPN Server configuration The following IP addresses are configured on the PNH Server

43 Go to Virtual Private Network Remote Sites Create VPN Site-to-Site connection Provide the Site-to-site network name, and click Next

44 Select Point-to-Point Tunneling Protocol (PPTP) and click Next The alert message will appear, showing you that a user account matching the network name is required to create. This account, with the Dial-in permission, will be used for the BTB VPN Server to access the local site. Just click OK.

45 Specify the IP address to be assigned for incoming VPN Client connection. Here, there are two options for the IP allocation, Static and DHCP. Remember that if you are assigning the static pool for the connection, the pool cannot overlap with any existing network. Then, click Next Specify the connection owner, and click Next

46 In this step, it requires you to specify the Remote Site Gateway, which could be a FQDN or IP address. Since we are not having a DNS service, we just use the BTB External IP address instead, and then click Next Configure the Remote Authentication by enable the function and provide the account information for the Local site to be able to initiate connection to the Remote site. Note: the PNH user account must be created with Dial-in permission in BTB VPN Server.

47 L2TP protocol requires both authentication user and Pre-shared key, so specify the Out-going Preshared key as below Specify the Incoming Pre-shared Key as below

48 Specify the IP address ranges of the BTB VPN Server and click Next Since we do not have any Network Load Balancing, just disable it and click Next

49 This step will guide you to create a rule to grant access from the VPN connection to Local Network. Specify the rule name at your convenience and click Next Here, allow the protocols that you require for the connection and click Next

50 Click Finish to complete the Wizard It immediately appears a message that BTB user is required to create with Dial-in permission

51 Click on Apply and OK to save changes and update the configuration Next, create a user account named BTB with Dial-in permission as below

52 iii. BTB VPN Server configuration The following IP addresses are configured on the BTB VPN Server Go to Virtual Private Network Remote Sites Create VPN Site-to-Site connection

53 Provide the Site-to-site network name, and click Next Select Point-to-Point Tunneling Protocol (L2TP) and click Next

54 The alert message will appear, showing you that a user account matching the network name is required to create. This account, with the Dial-in permission, will be used for the PNH VPN Server to access the local site. Just click OK Specify the IP address to be assigned for incoming VPN Client connection. Here, there are two options for the IP allocation, Static and DHCP. Remember that if you are assigning the static pool for the connection, the pool cannot overlap with any existing network. Then, click Next

55 Specify the connection owner, and click Next In this step, it requires you to specify the Remote Site Gateway, which could be a FQDN or IP address. Since we are not having a DNS service, we just use the PNH External IP address instead, and then click Next

56 Configure the Remote Authentication by enable the function and provide the account information for the Local site to be able to initiate connection to the Remote site. Note: the BTB user account must be created with Dial-in permission in PNH VPN Server. L2TP protocol requires both authentication user and Pre-shared key, so specify the Out-going Preshared key as below

57 Specify the Incoming Pre-shared Key as below Specify the IP address ranges of the PNH VPN Server and click Next

58 Since we do not have any Network Load Balancing, just disable it and click Next This step will guide you to create a rule to grant access from the VPN connection to Local Network. Specify the rule name at your convenience and click Next

59 Here, allow the protocols that you require for the connection and click Next Click Finish to complete the Wizard

60 It immediately appears a message that PNH user is required to create with Dial-in permission Click on Apply and OK to save changes and update the configuration

61 Next, create a user account named PNH with Dial-in permission as below iv. Client connection testing Test the connection by pinging from Client in PNH to Client in BTB

62 Test the connection by pinging from Client in BTB to Client in PNH c. IPsec protocol configuration i. Network Topology

63 ii. ISP Network Routing Configuration For the ISA Server located at the ISP, it is required at least two NIC for the two network routing. Note each IP address assigned on the ISP ISA Server is the default gateway of each site; /30 is the gateway for PNH, /30 is the default gateway for the BTB Below is the NIC configured as the gateway for the two sites (PNH & BTB)

64 In the Network Rules, route the two networks Create a rule to allow both networks to be able to communicate each other

65 iii. PNH VPN Server configuration Configure the following IP addresses for the ISA Server. Start configuring the VPN site to site using IPsec Protocol by going to Virtual Private Network Remote Sites Create VPN Site-to-Site connection

66 Provide a name for the VPN connection and click Next Select IP Security protocol (IPsec) tunnel mode and click Next

67 Select the Connection Owner and click Next Here, just put the other site public IP address for the Remote VPN gateway IP address and local public IP for the Local VPN gateway address and click Next

68 In this scenario, we are going to configure only the Pre-shared key for the authentication, so specify the pre-shared key and click Next In this step, it requires you to put all the remote internal network IP address range

69 Now create a rule for the VPN connection to Internal network Specify the protocol needed and click Next

70 Click Finish to complete and close the Wizard Select Apply -- > OK to save change and update the configuration

71 iv. BTB VPN Server configuration The following IP addresses are assigned for the BTB VPN Server Start configuring the VPN site to site by going to Virtual Private Network Remote Sites Create VPN Site-to-Site connection

72 Assign a name for the VPN connection and click Next Select IP Security protocol (IPsec) tunnel mode and click Next

73 Select the Connection Owner and click Next Here, just put the other site public IP address for the Remote VPN gateway IP address and local public IP for the Local VPN gateway address

74 Specify the Pre-shared key and click Next Put all the remote network internal IP address and click Next

75 Create a rule for the VPN connection to the Internal Network and click Next Allow protocols needed and click Next

76 Click Finish to complete and close the Wizard Click Apply OK

77 v. Client connection testing Test the connection from client of PNH to the client of BTB Test the connection from client of BTB to the client of PNH