As described in "Internet and Intranet-Based VPN Connections" earlier in this chapter, a pass-through VPN allows a remote access client connected to one company's intranet to access the resources of another company's intranet across the Internet. A remote access VPN connection is passed to one intranet through another intranet and the Internet.
In a typical case, company A and company B are business partners, and an employee of company A visits company B. When the employee of company A attends a meeting and connects a laptop computer to the company B intranet, the laptop obtains an IP address configuration from the company B intranet. If the employee of company A needs to connect to the company A intranet, this can be done in one of two ways:
- Using a phone line in the conference room, the employee of company A can directly dial a company A remote access server to make a dial-up connection to the company A intranet or can dial a local ISP and make a VPN connection to the company A intranet.
- As illustrated in Figure 9.19, using VPN technology and the appropriate infrastructure, the employee of company A can create a tunnel across the company B intranet to the Internet and then create another tunnel across the company B intranet and the Internet to the company A intranet.
With the latter method, the VPN connection to the company A intranet is created by activating two connection objects in the Connections folder using the existing local physical network connection. Note that Tunnel 2 is inside Tunnel 1 on the company B intranet.
Figure 9.19 Pass-Through VPN Scenario
Configuration of the Company A VPN Server
Configure the company A VPN server to accept remote access VPN connections from remote clients on the Internet with the appropriate remote access policies to require strong authentication and encryption.
For more information, see Windows 2000 Server Help.
Configuration of the Company B VPN Server
Configure the company B VPN server as follows:
- Configure the company B VPN server to accept remote access VPN connections. For more information, see Windows 2000 Server Help.
- Manually configure the IP address pool that contains a range of public IP addresses.
- Create a Windows 2000 group to contain the user accounts for visiting employees of other companies that are making pass-through VPN connections. For example, create the group VPN_PassThrough.
- Create the user account that is used by the visiting employee of company A.
Assuming that this VPN server is only to be used for pass-through VPNs for the visiting employees of business partners, delete the default remote access policy called Allow access if dial-in permission is enabled and create a remote access policy called VPN Pass-Through for Business Partners with the remote access policy permission setting, Grant remote access permission, selected. Then set the conditions and profile settings as listed in Tables 9.7 and 9.8. For detailed information about configuring these settings, see Windows 2000 Server Help.
Table 9.7 Remote Access Policy Conditions for Company B VPN Server

| Condition | Setting |
| --- | --- |
| NAS-Port-Type | Virtual |
| Called-Station-ID | IP address of the VPN server interface accepting VPN connections |
| Windows-Groups | For example, VPN_PassThrough |
Table 9.8 Remote Access Policy Profile Settings for Company B VPN Server

| Profile setting | Setting |
| --- | --- |
| Authentication tab | Enable Microsoft Encrypted Authentication (MS-CHAP). |
| Encryption tab | Select Basic, Strong, or No encryption. |
The remote access policy settings outlined in Tables 9.7 and 9.8 assume that you are managing remote access on a group basis by setting the remote access permission on all user accounts to Control access through Remote Access Policy.

Note
The remote access policy profile settings do not require encryption. The tunnel from the employee of company A to the company B VPN server does not need to be encrypted because the tunnel from the employee of company A to the company A VPN server on the Internet is encrypted. Forcing the encryption of the first tunnel causes encryption to occur twice when it is not necessary and can impact performance.
Filtering Configuration
To ensure that the company B VPN server connected to the Internet is confined to accepting and forwarding pass-through VPN traffic, configure the following filters using the Routing and Remote Access snap-in.
To configure PPTP filtering
- On the intranet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  - Destination IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723.
  - Destination IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and IP protocol of 47.
- On the intranet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  - Source IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and TCP source port of 1723.
  - Source IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and IP protocol of 47.
- On the Internet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  - Destination IP address and subnet mask of the public IP address pool and TCP source port of 1723.
  - Destination IP address and subnet mask of the public IP address pool and IP protocol of 47.
- On the Internet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  - Source IP address and subnet mask of the public IP address pool and TCP destination port of 1723.
  - Source IP address and subnet mask of the public IP address pool and IP protocol of 47.
To configure L2TP over IPSec filtering
- On the intranet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  - Destination IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and destination UDP port of 1701.
  - Destination IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and destination UDP port of 500.
- On the intranet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  - Source IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and source UDP port of 1701.
  - Source IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and source UDP port of 500.
- On the Internet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  - Destination IP address and subnet mask of the public IP address pool and IP protocol of 50.
  - Destination IP address and subnet mask of the public IP address pool and source UDP port of 500.
- On the Internet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  - Source IP address and subnet mask of the public IP address pool and IP protocol of 50.
  - Source IP address and subnet mask of the public IP address pool and destination UDP port of 500.
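As an added illustration (not part of the Resource Kit text and not Microsoft's code), the following Python model encodes the four PPTP filter lists and the four L2TP over IPSec filter lists above as "drop all except" rule sets and runs constructed packets through them. The addresses are placeholders chosen for the example: 10.1.0.1 for the company B VPN server intranet interface, 203.0.113.0/29 for the public IP address pool, 10.1.5.20 for the visiting employee's laptop, and 198.51.100.10 for the company A VPN server on the Internet. It shows that on the intranet interface only Tunnel 1 traffic to the VPN server's own address is accepted (a direct SMB connection to that address is dropped), and that on the Internet interface the rules admit only the Tunnel 2 exchange that a pool address initiated (an Internet host trying to open its own PPTP session to a pool address, or any other inbound service, is dropped).

```python
# Added example: a small model of the "drop all except" IP filter lists described
# above, used to check how a candidate packet would be handled. This is illustrative
# code, not Microsoft's, and every address below is a constructed placeholder.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # TCP/UDP source port, None for GRE/ESP
    dport: Optional[int] = None  # TCP/UDP destination port


@dataclass(frozen=True)
class Filter:
    """One permit criterion; a field left as None matches anything."""
    src: Optional[str] = None    # CIDR; "/32" is the 255.255.255.255 mask in the text
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def permitted(filters: List[Filter], p: Packet) -> bool:
    """Filter action 'Drop all packets except those that meet the criteria below'."""
    return any(f.matches(p) for f in filters)


def pptp_filters(intranet_if: str, pool: str) -> Dict[str, List[Filter]]:
    """The four PPTP filter lists from 'To configure PPTP filtering'."""
    host = intranet_if + "/32"
    return {
        "intranet_in":  [Filter(dst=host, proto=TCP, dport=1723), Filter(dst=host, proto=GRE)],
        "intranet_out": [Filter(src=host, proto=TCP, sport=1723), Filter(src=host, proto=GRE)],
        "internet_in":  [Filter(dst=pool, proto=TCP, sport=1723), Filter(dst=pool, proto=GRE)],
        "internet_out": [Filter(src=pool, proto=TCP, dport=1723), Filter(src=pool, proto=GRE)],
    }


def l2tp_ipsec_filters(intranet_if: str, pool: str) -> Dict[str, List[Filter]]:
    """The four lists from 'To configure L2TP over IPSec filtering'."""
    host = intranet_if + "/32"
    return {
        "intranet_in":  [Filter(dst=host, proto=UDP, dport=1701), Filter(dst=host, proto=UDP, dport=500)],
        "intranet_out": [Filter(src=host, proto=UDP, sport=1701), Filter(src=host, proto=UDP, sport=500)],
        "internet_in":  [Filter(dst=pool, proto=ESP), Filter(dst=pool, proto=UDP, sport=500)],
        "internet_out": [Filter(src=pool, proto=ESP), Filter(src=pool, proto=UDP, dport=500)],
    }


# Constructed placeholder addresses for the scenario in Figure 9.19.
B_INTRANET_IF = "10.1.0.1"        # company B VPN server, intranet interface
B_PUBLIC_POOL = "203.0.113.0/29"  # company B public IP address pool
POOL_ADDR = "203.0.113.2"         # address handed to the visitor's Tunnel 1 connection
VISITOR = "10.1.5.20"             # company A employee's laptop on the company B intranet
A_VPN_SERVER = "198.51.100.10"    # company A VPN server, Internet interface


def check_pptp_scenario() -> Dict[str, bool]:
    """Run constructed packets through the PPTP lists; True means permitted."""
    f = pptp_filters(B_INTRANET_IF, B_PUBLIC_POOL)
    return {
        # Tunnel 1 control connection: visitor -> company B VPN server, TCP 1723
        "t1_control":     permitted(f["intranet_in"], Packet(VISITOR, B_INTRANET_IF, TCP, 40001, 1723)),
        # Tunnel 1 data: GRE from the visitor
        "t1_gre":         permitted(f["intranet_in"], Packet(VISITOR, B_INTRANET_IF, GRE)),
        # Anything else aimed at the VPN server's intranet address, here SMB (dropped)
        "smb_to_server":  permitted(f["intranet_in"], Packet(VISITOR, B_INTRANET_IF, TCP, 40002, 445)),
        # Tunnel 2 control connection leaving for the Internet from a pool address
        "t2_control_out": permitted(f["internet_out"], Packet(POOL_ADDR, A_VPN_SERVER, TCP, 40003, 1723)),
        # Company A VPN server's reply comes back with source port 1723
        "t2_control_in":  permitted(f["internet_in"], Packet(A_VPN_SERVER, POOL_ADDR, TCP, 1723, 40003)),
        # An Internet host trying to open its own PPTP session to a pool address (dropped)
        "inbound_pptp":   permitted(f["internet_in"], Packet("192.0.2.77", POOL_ADDR, TCP, 51000, 1723)),
        # Unrelated inbound web traffic to a pool address (dropped)
        "inbound_http":   permitted(f["internet_in"], Packet("192.0.2.77", POOL_ADDR, TCP, 51001, 80)),
    }


if __name__ == "__main__":
    for name, ok in check_pptp_scenario().items():
        print(f"{name:16} {'permit' if ok else 'drop'}")
```

Running the block prints one permit/drop verdict per constructed packet; the same `permitted` helper can be pointed at `l2tp_ipsec_filters` for the L2TP case. The model only covers packets that reach the VPN server's own two interfaces, which is exactly the scope of the Routing and Remote Access filters above: traffic between two other intranet hosts never passes through the VPN server and is not governed by these lists.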
Configuration of the VPN Client Computer for a Pass-Through VPN
The following sections detail the configuration of a Windows 2000-based VPN client for PPTP and L2TP over IPSec for a pass-through VPN.
To configure a PPTP connection
- Create a VPN connection object that connects the employee of company A with the VPN server of company B as follows:
  - On the General tab, type the host name or IP address of the intranet interface of the company B VPN server.
  - On the Security tab, select Secure my password but not my data.
  - On the Networking tab, select Point-to-Point Tunneling Protocol (PPTP) as the type of server into which you are dialing.
- Create a VPN connection object that connects the employee of company A with the Internet VPN server of company A as follows:
  - On the General tab, type the host name or IP address of the Internet interface of the company A VPN server.
  - On the Security tab, select either Secure my password and data or Custom. If you select Custom, you must also select the appropriate encryption and authentication options.
  - On the Networking tab, select Point-to-Point Tunneling Protocol (PPTP) as the type of server into which you are dialing.
To configure an L2TP over IPSec connection
- Create a VPN connection object that connects the employee of company A with the VPN server of company B as follows:
  - On the General tab, type the host name or IP address of the intranet interface of the company B VPN server.
  - On the Security tab, select Secure my password but not my data.
  - On the Networking tab, select Layer-2 Tunneling Protocol (L2TP) as the type of server into which you are dialing.
- Create a VPN connection object that connects the employee of company A with the Internet VPN server of company A as follows:
  - On the General tab, type the host name or IP address of the Internet interface of the company A VPN server.
  - On the Security tab, select either Secure my password and data or Custom. If you select Custom, you must also select the appropriate encryption and authentication options.
  - On the Networking tab, select Layer-2 Tunneling Protocol (L2TP) as the type of server into which you are dialing.
Creating the Pass-Through VPN Connection
Once the pass-through VPN connection described below is established, the employee of company A can access any company A intranet resource for the duration of the VPN connection with the company A VPN server.
To create a pass-through connection
The employee of company A creates a pass-through VPN connection to the company A VPN server on the Internet using the following process:
- In the Connections folder, double-click the connection object that creates the tunnel to the company B VPN server on the company B intranet.
- When prompted for user credentials, type the credentials corresponding to the company B user account.
- In the Connections folder, double-click the connection object that creates the VPN to the company A VPN server on the Internet.
- When prompted for user credentials, type the credentials corresponding to the company A corporate account.
© 1985-2000 Microsoft Corporation. All rights reserved.