
Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect

Microsoft Corporation

Author: Dave Bishop

Editor: Scott Somohano

Published: May 22, 2009

Abstract

VPN Reconnect is a new feature of Routing and Remote Access Services (RRAS) in Windows® 7 or Windows Server® 2008 R2 that provides users with seamless and consistent VPN connectivity, automatically reestablishing a VPN when users temporarily lose their Internet connections. This guide provides step-by-step instructions for setting up VPN Reconnect in a test lab with three computers and then demonstrating persistent connectivity through a change in the network connection used to access the Internet.



This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release.

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, ActiveX, and Internet Explorer are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

 

 


Contents

Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
    About Remote Access with VPN Reconnect
    Setting Up the Test Lab for VPN Reconnect
        Windows Firewall with Advanced Security and VPN Reconnect traffic
    Configuring DC1
        Install the operating system
        Configure TCP/IP
        Install Active Directory and DNS
        Create a user account with remote access permission
        Create a shared folder and file
    Configuring VPN1
        Install the operating system
        Configure TCP/IP
        Name the computer and join the Contoso domain
        Install Active Directory Certificate Services and Web Server
        Create and install the Server Authentication certificate
        Install Network and Policy Access Server Role
        Configure Routing and Remote Access
        Configure the Network Policy Server (NPS) to grant access for EAP-MSCHAPv2 authentication
    Configuring CLIENT1
        Install the operating system
        Configure TCP/IP
        Configure the VPN client with the root certificate
    Creating and Configuring the Remote Connection with VPN Reconnect on CLIENT1
    Simulating Connection Persistence When the Internet Link Changes
    Conclusion

 


 

Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect

This guide provides step-by-step instructions that enable you to configure three computers in a test lab environment with which you can configure and test virtual private network (VPN) remote access using the VPN Reconnect feature available in the Windows® 7 or Windows Server® 2008 R2 operating systems.

Important

The following instructions are for configuring a test lab using a minimum number of computers and procedure steps. To minimize setup time and complexity, services were combined on the network servers rather than using individual computers to separate the services in a more secure manner. This configuration is designed to reflect neither best practices nor a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network.

For a complete view of Windows 7 resources, articles, demos, and guidance, please visit the Springboard Series for Windows 7 on the Windows Client TechCenter.


About Remote Access with VPN Reconnect

VPN Reconnect refers to the support in Routing and Remote Access service (RRAS) for a new tunneling protocol, IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2), which is described in RFC 4306. With the functionality provided by the IKEv2 Mobility and Multihoming protocol (MOBIKE), which is described in RFC 4555, this tunneling protocol offers inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN). Specifically, for mobile phones and other mobility scenarios, this tunneling method enables the VPN tunnel to stay alive even when the client moves from one access point or location to another.

When using other VPN protocols, and the network connection is interrupted for any reason, the user typically loses the VPN tunnel completely and must manually reestablish the VPN tunnel. VPN Reconnect allows the underlying network connection to be interrupted for a configurable amount of time, without losing the tunnel. As soon as network connectivity is reestablished, even through a different network interface, the tunnel is automatically restored with no interaction required from the user. For example, this permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption to the user.

Note

If your laptop hibernates when you close the lid, then the connection is lost and you will have to manually reinitiate the connection.

Note

Unlike other VPN tunnels such as PPTP, L2TP/IPsec, and SSTP, IPsec Tunnel Mode with IKEv2 does not run a PPP-based handshake on top of the tunnel.

Setting Up the Test Lab for VPN Reconnect

The VPN Reconnect test lab network consists of three computers, which perform the following services:

·              DC1: A computer running Windows Server 2008 R2 that is acting as a domain controller, a Domain Name System (DNS) server, and a file server on a private (intranet) network.

Note

Alternatively, DC1 can run Windows Server 2008 or Windows Server 2003.

·              VPN1: A computer running Windows Server 2008 R2, with two network adapters installed. VPN1 is configured with the Network Policy and Access Services (NPAS) and Active Directory Certificate Services (AD CS) server roles. The RRAS role service is installed to allow VPN1 to act as a VPN server. In addition, VPN1 is configured with Network Policy Server (NPS) to configure and enable the remote access policies required for a VPN connection.

·              CLIENT1: A computer running Windows 7 that acts as a VPN client on a public (Internet) network.

The following diagram shows the configuration of the VPN test lab.

Note

The firewall illustrated in the diagram is not a separate device or computer; instead it is the Windows Firewall that runs as part of Windows on VPN1. In a production environment, the scenario likely includes a separate firewall through which the VPN tunnel must be able to pass. For more information, see the next section.

Windows Firewall with Advanced Security and VPN Reconnect traffic

VPN Reconnect requires that the firewall rules on VPN1 and CLIENT1 allow UDP ports 500 and 4500 for IKE traffic, as well as IP protocol 50 for Encapsulating Security Payload (ESP) traffic. When you install Routing and Remote Access Services on VPN1, Windows Firewall rules are automatically created to allow this traffic. On CLIENT1, outbound traffic that CLIENT1 initiates is automatically allowed.

Unless you or another service alters the firewall rules, this traffic will not be blocked. However, if the firewall configuration on either VPN1 or CLIENT1 has been modified, you may need to create inbound and outbound firewall rules on these computers to allow this traffic. For more information about creating firewall rules, see Windows Firewall with Advanced Security and IPsec.
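The following commands are an added example and are not part of the original guide. They check the current firewall policy and, if the automatically created rules have been removed or modified, recreate rules that allow exactly the traffic listed above (IKE on UDP 500 and 4500, ESP as IP protocol 50) on VPN1 and CLIENT1; the rule names are assumed, and the commands work the same from cmd.exe or PowerShell.

```powershell
# Added example, not from the original guide. Run from an elevated prompt.
# Rule names are assumed; ports and protocol are the ones the guide requires.

# 1. Check the active profile. The guide's statement that CLIENT1 outbound
#    traffic is allowed by default only holds while the policy shows
#    "AllowOutbound"; "BlockInbound" on VPN1 is why explicit inbound rules matter.
netsh advfirewall show currentprofile

# 2. VPN1: inbound rules for IKEv2 negotiation and ESP tunnel traffic.
#    RRAS installation normally creates equivalent rules; these only replace them.
netsh advfirewall firewall add rule name="VPN Reconnect IKEv2 (UDP 500) In" dir=in action=allow protocol=UDP localport=500
netsh advfirewall firewall add rule name="VPN Reconnect IKEv2 NAT-T (UDP 4500) In" dir=in action=allow protocol=UDP localport=4500
netsh advfirewall firewall add rule name="VPN Reconnect ESP (IP protocol 50) In" dir=in action=allow protocol=50

# 3. CLIENT1: outbound rules, needed only if the outbound default was changed to block.
netsh advfirewall firewall add rule name="VPN Reconnect IKEv2 (UDP 500) Out" dir=out action=allow protocol=UDP remoteport=500
netsh advfirewall firewall add rule name="VPN Reconnect IKEv2 NAT-T (UDP 4500) Out" dir=out action=allow protocol=UDP remoteport=4500
netsh advfirewall firewall add rule name="VPN Reconnect ESP (IP protocol 50) Out" dir=out action=allow protocol=50

# 4. Confirm the rules exist and are enabled.
netsh advfirewall firewall show rule name=all | findstr /i /c:"VPN Reconnect"
```

Run step 2 on VPN1 and step 3 on CLIENT1; steps 1 and 4 apply on both computers.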


Configuring DC1

DC1 is a computer running Windows Server 2008 R2 that provides the following services:

·              A domain controller for the contoso.com Active Directory® domain.

·              A DNS server for the Contoso.com DNS domain.

·              A file server.

The configuration of DC1 requires the following steps:

·              Install the operating system.

·              Configure TCP/IP.

·              Install Active Directory and DNS.

·              Create a user account with remote access permission.

·              Create a shared folder and file.

The following sections explain these steps in detail.

Install the operating system

To install Windows Server 2008 R2

1.              On DC1, start your computer using the Windows Server 2008 R2 product disc.

2.              Follow the instructions that appear on your screen.

3.              When prompted to provide a password for the Administrator user account, type Pass@word1

4.              After installation completes and the Initial Configuration Tasks window appears, under 1. Provide Computer Information, click Provide computer name and domain.

Note

If the Initial Configuration Tasks window does not appear, or if you closed it after selecting Do not show this window at logon, you can start it by clicking Start, typing oobe, and pressing ENTER.

5.              On the Computer Name tab, click Change.

6.              In the Computer name text box, type DC1, and then click OK.

7.              On the confirmation window, click OK, click Close on the System Properties dialog box, and then click Restart Now.

Configure TCP/IP

Configure TCP/IP properties so that DC1 has a static IP address of 192.168.0.1 with the subnet mask 255.255.255.0 and a default gateway of 192.168.0.2.

To configure TCP/IP properties

1.              After DC1 restarts, in the Initial Configuration Tasks window, under 1. Provide Computer Information, click Configure networking.

2.              In the Network Connections dialog box, right-click Local Area Connection, and then click Properties.

3.              In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4.              Click Use the following IP address, and configure the following settings:

a.              In IP address, type 192.168.0.1.

b.              In Subnet mask, type 255.255.255.0.

c.              In Default gateway, type 192.168.0.2.

d.              In Preferred DNS server, type 192.168.0.1.

5.              Click OK, and then click Close.

6.              Close the Network Connections window.

Install Active Directory and DNS

Configure the computer as a domain controller for the Contoso.com domain. This will be the first and only domain controller in this network.

To configure DC1 as a domain controller

1.              On DC1, in the Initial Configuration Tasks window, under 3. Customize This Server, click Add roles, and then perform the following steps in the Add Roles Wizard.

a.              In the Add Roles Wizard, on the Before You Begin page, click Next.

b.              On the Select Server Roles page, select Active Directory Domain Services.

c.              In the Add features required for Active Directory Domain Services dialog box, click Add Required Features.

d.              Back on the Select Server Roles page, click Next.

e.              On the Active Directory Domain Services page, click Next, and then on the Confirm Installation Selections...
