4.2 Virtual Private Networks

Imagine you are out of the office and need to access a printer or file server on the office network. Unless you dial in to the company's server, it is not possible for you to access the resources in the office. Moreover, using a dial-up line is not a cheap alternative (despite the slow speed), especially if you are overseas.

A Virtual Private Network (VPN) allows you to establish a secure, encrypted connection to the office's network, all through a public network such as the Internet. Using a VPN, you can work as though you are connected to your company's network.

There are two main types of VPN:


User-to-Network

This type allows a client to use a VPN to connect to a secure network, such as a corporate intranet.


Network-to-Network

This type connects two networks via a VPN connection. This effectively combines two disparate networks into one, eliminating the need for a Wide Area Network (WAN).

4.2.1 Tunneling

Tunneling is the process of encapsulating packets within other packets to protect their integrity and privacy during transit. A tunnel performs such tasks as encryption, authentication, packet forwarding, and masking of IP private addresses. Figure 4-1 shows a tunnel established between two computers through the Internet. Think of a tunnel as a private link between the two computers: whatever one sends to another is only visible to the other, even though it is sent through a public network like the Internet.

Figure 4-1. A tunnel established between two computers in a VPN

The following section discusses some tunneling protocols available for VPNs.

4.2.1.1 PPTP, L2TP, and IPSec

If you're curious about what goes on under the hood of a VPN, there are three protocols that you need to know: PPTP, L2TP, and IPSec:


Point-to-Point Tunneling Protocol (PPTP)

This was designed by Microsoft (and other companies) to create a secure tunnel between two computers. PPTP provides authentication and encryption services, and encapsulates PPP packets within IP packets. It supports multiple Microsoft networking protocols and can be used for both LAN-to-LAN and dial-up connections. However, it is proprietary and the encryption is weak.


Layer 2 Tunneling Protocol (L2TP)

This works like PPTP, except that it does not include encryption. L2TP was proposed by Cisco Systems, and like PPTP, supports multiple networking protocols.


IPSec

This addresses the shortcomings of L2TP by providing encryption and authentication of IP packets. As such, L2TP is often used together with IPSec to provide a secure connection.

If possible, a VPN should be used together with 802.1X. 802.1X adds an additional layer of protection that the VPN itself does not possess. For more information on VPNs, see Virtual Private Networks (O'Reilly).
4.2.2 Setting Up a VPN Connection Between Two Computers

In the following sections, I illustrate how to set up a VPN host as well as a client using two Windows XP Professional systems.

4.2.2.1 On the host computer

Let's start with setting up the VPN host:

  1. On the desktop, right-click on Network Connections.

  2. Select "Create a new connection".

  3. In the New Connection Wizard window, select "Set up an advanced connection" (see Figure 4-2). Click Next.

    Figure 4-2. Choosing the network connection type

  4. Select "Accept incoming connections". Click Next.

  5. In the next window, you can select the other devices to accept the incoming connection. Click Next.

  6. Select "Allow virtual private connections" and click Next (see Figure 4-3).

    Figure 4-3. Allowing a VPN connection

  7. Select the users that you want to allow to connect to your computer using the VPN connection (see Figure 4-4). Click Next.

    Figure 4-4. Granting access rights to users

  8. The next window allows you to install additional networking software for this connection (see Figure 4-5). Click on Next to go to the next screen.

    Figure 4-5. Installing the networking software for the VPN connection

  9. Click on Next and then Finish to complete the process.

4.2.2.2 On the client

To configure Windows XP to connect to a VPN:

  1. On the desktop, right-click on Network Connections.

  2. Select "Create a new connection".

  3. Select "Connect to the network at my workplace" (see Figure 4-6).

    Figure 4-6. Selecting the network connection type

  4. Select "Virtual Private Network connection" (see Figure 4-7). Click Next.

    Figure 4-7. Selecting the network connection

  5. Enter a name for the VPN connection (see Figure 4-8). Click Next.

    Figure 4-8. Giving your VPN connection a name

  6. Select "Do not dial the initial connection". Click Next.

  7. Enter the IP address of the VPN server (see Figure 4-9). Click Next.

    Figure 4-9. Specifying the IP address of the VPN host

  8. Select "My use only" (see Figure 4-10). Click Next.

    Figure 4-10. Setting the connection availability

  9. Turn on the "Add a shortcut to this connection to my desktop" checkbox. Click Finish.

That's it! When the process is completed, an icon is shown on the desktop (see Figure 4-11).

Figure 4-11. The icon for the VPN connection

To connect to the VPN server, double-click on the icon and log in with your username information (see Figure 4-12). You can now work as though you are working on a computer in your office: most (if not all) of your network resources, such as file and print servers, will be accessible.

Resist the temptation to check the box titled "Save this user name and password for the following users" (see Figure 4-12). If you enable this, your password will be saved on your computer; if your computer is stolen or compromised, an attacker will be able to connect to the VPN and access everything it protects.

Figure 4-12. Logging in to a VPN connection

One common error that you might encounter has to do with setting a proxy server in Internet Explorer. For example, my ISP does not require me to use a proxy server when surfing the Web. But when I connected to the VPN server in my workplace, I was suddenly unable to connect to the Web. As it turns out, my company requires me to use a proxy server to connect to the Web. With the proxy server configured in IE (Tools → Internet Options → Connections → Connection Name → Settings), I am now able to connect to the Web (see Figure 4-13).

Figure 4-13. Setting a proxy server for a VPN connection

IPSec and PPTP Pass Through

Most wireless routers support a feature known as "IPSec and PPTP pass through." What does it do?

IPSec and PPTP are security protocols that provide authentication and encryption over the Internet. The "pass through" feature of the wireless router allows secure packets to flow through the router, but the router itself does not perform any authentication and encryption operation.

IPSec works in two modes: transport and tunnel. Transport mode secures IP packets from source to destination, whereas tunnel mode puts an IP packet into another packet that is sent to the tunnel's endpoint. Only tunnel mode (ESP) IPSec can be passed through.
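To make the encapsulation idea from Section 4.2.1 and the transport-versus-tunnel distinction above concrete, here is an added example (not from the book) that builds the two IPSec packet layouts byte by byte. It assumes constructed addresses and a constructed TCP segment, and it leaves the ESP payload in the clear so the header structure is visible; real ESP encrypts the payload and usually appends an integrity check value, which this illustration omits.

```python
import struct
import ipaddress

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_IPIP = 6, 50, 4

def ipv4_checksum(data):
    """Standard one's-complement checksum over 16-bit words; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options; version/IHL = 0x45, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def esp_wrap(spi, seq, payload, next_header):
    """ESP header (SPI, sequence) + payload + padding + trailer (pad length, next header).
    Payload is NOT encrypted here (illustration only); padding aligns the trailer to 4 bytes."""
    pad_len = (-(len(payload) + 2)) % 4
    return struct.pack("!II", spi, seq) + payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def transport_mode(src, dst, tcp_segment, spi, seq):
    """Transport mode: original IP header kept, ESP inserted between it and the TCP payload."""
    esp = esp_wrap(spi, seq, tcp_segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, inner_src, inner_dst, tcp_segment, spi, seq):
    """Tunnel mode: the whole inner IP packet (private addresses included) becomes the ESP
    payload, and a new outer header carries only the tunnel endpoints' addresses."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(tcp_segment)) + tcp_segment
    esp = esp_wrap(spi, seq, inner, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def outer_addresses(packet):
    """What a router on the path (or a pass-through wireless router) sees: only the outer header."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))

if __name__ == "__main__":
    seg = b"constructed-tcp-segment"  # constructed stand-in for a TCP segment
    tp = transport_mode("10.0.0.5", "10.0.0.9", seg, 0x100, 1)
    tun = tunnel_mode("203.0.113.1", "198.51.100.7", "192.168.1.10", "10.0.0.9", seg, 0x200, 1)
    print("transport outer:", outer_addresses(tp), "proto", tp[9])
    print("tunnel outer:   ", outer_addresses(tun), "inner:", outer_addresses(tun[28:]))
```

In tunnel mode the private 192.168.1.10 address is inside the ESP payload and invisible to the router, which is why a pass-through router only needs to forward protocol-50 packets to the endpoints.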