Chapter 10, Routing and Remote Access Service
Outline, Chapter 10: Microsoft Windows 2000 Server

Uploaded by cagamosisthingy (Networking and Communications), Oct 27, 2013

Chapter 10, Lesson 1
Introduction to Routing and Remote Access Service

1. Microsoft Windows 2000 Routing and Remote Access Service

   A. Overview of Routing and Remote Access Service (RRAS)

      1. When RRAS was implemented in Microsoft Windows NT 4.0, it added support for a number of features.
         a. RIP version 2 for IP (RIP for IP version 1 is still supported)
         b. Open Shortest Path First (OSPF) routing protocol for IP
         c. Demand-dial routing (routing over persistent or on-demand wide area network [WAN] links such as analog phone lines)
         d. Internet Control Message Protocol (ICMP) router discovery
         e. Remote Authentication Dial-In User Service (RADIUS) client, to benefit from the services provided by a RADIUS server
         f. RADIUS server for providing centralized authentication, authorization, accounting, and remote access policy to dial-up and virtual private network (VPN) remote access clients (included with the Windows NT 4.0 Option Pack)
         g. IP and IPX packet filtering for protocol-level security
         h. A graphical user interface (GUI) administrative program called Routing and RAS Admin and a command-line utility called Routemon

      2. Windows 2000 builds on RRAS in Windows NT 4.0 and adds a number of new features.
         a. Internet Group Management Protocol (IGMP) and support for multicast boundaries
         b. Network address translation with addressing and name resolution components that simplify the connection of a small office/home office (SOHO) network to the Internet
         c. Integrated AppleTalk routing
         d. Layer 2 Tunneling Protocol (L2TP) over IP Security (IPSec) support for VPN connections
         e. Improved administration and management tools. The graphical user interface program is the Routing and Remote Access snap-in; the command-line utility is netsh (Net Shell).
         f. Improved Internet Authentication Service (IAS)

      3. RRAS is fully integrated with Windows 2000 Server.

      4. RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.

      5. The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.
         a. An RRAS computer can route IP, IPX, and AppleTalk simultaneously.
         b. An RRAS computer can route IP and IPX over on-demand or persistent WAN links or over VPN connections by using either Point-to-Point Tunneling Protocol (PPTP) or L2TP over IPSec.
         c. An RRAS computer can act as a remote access server providing remote access connectivity to dial-up or VPN remote access clients that use IP, IPX, AppleTalk, or NetBEUI.

   B. Combining Routing and Remote Access Service

      1. Routing services and remote access services have been combined because both rely on Point-to-Point Protocol (PPP), the protocol suite that is commonly used to negotiate point-to-point connections.
      2. Demand-dial routing connections also use PPP to provide the same kinds of services as remote access connections.
      3. The PPP infrastructure of Windows 2000 Server supports several types of access.
         a. Dial-up remote access as either the client or server
         b. VPN remote access as either the client or server
         c. On-demand or persistent dial-up demand-dial routing as either the calling router or the answering router
         d. On-demand or persistent VPN demand-dial routing as either the calling router or the answering router

   C. Installation and Configuration

      1. Windows 2000 RRAS is automatically installed in a disabled state.
      2. You can use the Routing and Remote Access snap-in to enable and configure RRAS.
      3. Each computer on the intranet served by the RRAS server should use a private IP address in one of the supported blocks of addresses (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).

   D. Disabling RRAS

      1. You can use the Routing and Remote Access snap-in to disable RRAS.
      2. You can refresh the RRAS configuration by first disabling the service and then enabling it. Disabling RRAS deletes its stored configuration, so re-enabling starts from a clean configuration; export anything you want to keep first.

2. Authentication and Authorization

   A. The distinction between authentication and authorization is important.
      1. Authentication is the verification of the credentials of the connection attempt (who is connecting).
      2. Authorization is the verification that the connection attempt is allowed (whether this caller may connect in this way, at this time, with these settings).

   B. For a connection attempt to be accepted, the connection must be both authenticated and authorized. Valid credentials alone do not grant access.

   C. Types of authentication
      1. If the remote access server is configured for Windows authentication, Windows 2000 security verifies the credentials, and the remote access policies on the RAS server decide authorization.
      2. If the remote access server is configured for RADIUS authentication, the credentials of the connection attempt are passed to the RADIUS server for authentication and authorization.

   D. You can configure the authentication provider on the Security tab of the properties of a remote access router in the Routing and Remote Access snap-in.


Chapter 10, Lesson 2
Features of the Routing and Remote Access Service

1. Unicast IP Support

   A. Windows 2000 provides extensive support for unicast IP routing.
   B. Unicast traffic is addressed to a single destination host; a unicast session is a two-way, point-to-point exchange between two computers.
   C. Routing and Remote Access Service includes a number of features to support unicast IP routing.
      1. Static IP routing
      2. RIP versions 1 and 2
      3. OSPF
      4. DHCP Relay Agent
      5. Network address translation (NAT)
      6. IP packet filtering
      7. ICMP router discovery

2. Multicast IP Support

   A. Windows 2000 supports the sending, receiving, and forwarding of IP multicast traffic.
   B. Multicast traffic is sent once, to a single group address, and is delivered to and processed by every host that has joined that group.
   C. Routing and Remote Access Service includes a number of features to support multicast IP routing.
      1. Multicast forwarding
      2. IGMP versions 1 and 2
      3. Specific forwarding and routing
      4. Multicast boundaries

3. IPX Support

   A. The Windows 2000 Server router is a fully functional IPX router.
   B. Routing and Remote Access Service includes a number of features to support IPX routing.
      1. IPX packet filtering
      2. RIP for IPX
      3. SAP for IPX
      4. NetBIOS over IPX

4. AppleTalk

   A. Windows 2000 RRAS can operate as an AppleTalk router by forwarding AppleTalk packets and supporting the use of the Routing Table Maintenance Protocol (RTMP).
   B. Most large AppleTalk networks are AppleTalk internets that are connected by routers.
   C. A Windows 2000-based server can provide routing and seed routing support.

5. Demand-Dial Routing

   A. Windows 2000 provides support for demand-dial routing.
   B. IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand WAN links.

6. Remote Access

   A. RRAS enables a computer to be a remote access server.
   B. RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.

7. VPN Server

   A. RRAS enables a computer to be a VPN server.
   B. RRAS supports PPTP and L2TP over IPSec.

8. RADIUS Client-Server

   A. IAS is the Microsoft implementation of a RADIUS server.
   B. RADIUS is a client-server protocol that enables RADIUS clients (network access servers such as an RRAS server) to submit authentication and accounting requests.
   C. The RADIUS server has access to user account information and can check remote access authentication credentials.
   D. RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.

9. SNMP MIB Support

   A. RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II.
   B. RRAS includes support for additional MIB enhancements beyond Internet MIB II.
      1. IP Forwarding Table MIB
      2. Microsoft RIP version 2 for Internet Protocol MIB
      3. Wellfleet-Series7-MIB for OSPF
      4. Microsoft BOOTP for Internet Protocol MIB
      5. Microsoft IPX MIB
      6. Microsoft RIP and SAP for IPX MIB
      7. Internet Group Management Protocol MIB
      8. IP Multicast Routing MIB
   C. MIB support is also provided for Windows 2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP, and IIS services.

10. API Support for Third-Party Components

   A. RRAS has fully published API sets for unicast and multicast routing protocol and administration utility support.
   B. Developers can write additional routing protocols and interfaces directly into the RRAS architecture.

Chapter 10, Lesson 3
Remote Access

1. Overview of Remote Access

   A. Remote access clients are either connected to only the remote access server's resources, or they are connected to the RAS server's resources and the network beyond it.
   B. A Windows 2000 remote access server provides two remote access connection methods.
      1. With dial-up remote access, a remote access client uses the telecommunications infrastructure to create a temporary physical circuit or a virtual circuit to a port on a remote access server.
      2. With VPN remote access, a VPN client uses an IP internetwork to create a virtual point-to-point connection with a RAS server acting as the VPN server.

2. Dial-Up Remote Access Connections

   A. Remote access client
      1. A number of remote access clients can connect to a Windows 2000 remote access server.
         a. Windows 2000
         b. Windows NT 3.51 or later
         c. Windows 98
         d. Windows 95
         e. Windows for Workgroups
         f. MS-DOS
         g. Microsoft LAN Manager
      2. Almost any third-party PPP remote access client can connect to a Windows 2000 remote access server.
      3. The Microsoft remote access client can dial into a Serial Line Internet Protocol (SLIP) server.

   B. Remote access server
      1. The remote access server accepts dial-up connections.
      2. The remote access server forwards packets between remote access clients and the network to which the remote access server is attached.

   C. Dial-up equipment and WAN infrastructure

      1. Public Switched Telephone Network (PSTN)
         a. PSTN is an analog telephone system designed to carry the minimum frequencies needed to distinguish human voices.
         b. The maximum bit rate that a PSTN connection can support is therefore limited.

      2. Digital links and V.90
         a. The maximum bit rate of the PSTN is a function of the range of frequencies passed by the PSTN switches and the signal-to-noise ratio of the connection.
         b. When a RAS server is connected through a digital switch based on T-Carrier or Integrated Services Digital Network (ISDN) rather than an analog PSTN switch, there is no analog-to-digital conversion when the remote access server sends information to the remote access client.
         c. With V.90, remote access clients can send data at 33.6 Kbps and receive data at 56 Kbps.
         d. Specific conditions must be met to obtain V.90 speeds.
            (1) The remote access client must be using a V.90 modem.
            (2) The RAS server must be using a V.90 digital switch and must be using a digital link, such as T-Carrier or ISDN, to connect to the PSTN.
            (3) There cannot be any analog-to-digital conversions in the path from the RAS server to the remote access client.

      3. Integrated Services Digital Network
         a. ISDN is a set of international specifications for a digital replacement of the PSTN.
         b. ISDN provides a single digital network to handle voice, data, fax, and other services over existing local loop wiring.

      4. X.25
         a. X.25 is an international standard for sending data across public packet switching networks.
         b. Windows 2000 remote access supports X.25 in two ways.
            (1) The remote access client supports the use of X.25 smart cards (X.25 adapter cards, not cryptographic smart cards).
            (2) The Windows 2000 remote access server supports only direct connections to X.25 networks by using an X.25 smart card.

      5. Asynchronous Transfer Mode (ATM) over Asymmetric Digital Subscriber Line (ADSL)
         a. ADSL provides higher bit rates than PSTN and ISDN connections.
         b. The bit rate is not the same in the upstream and downstream directions.
         c. ADSL equipment can appear to Windows 2000 as either an Ethernet interface or a dial-up interface.
            (1) When an ADSL adapter appears as an Ethernet interface, the ADSL connection operates in the same way as an Ethernet connection to the Internet.
            (2) When an ADSL adapter appears as a dial-up interface, ADSL provides the physical connection, and the individual LAN protocol packets are sent by using ATM.

   D. Remote access protocols
      1. Remote access protocols control the establishment of connections and the transmission of data over WAN links.
      2. Windows 2000 remote access supports three types of remote access protocols.
         a. Point-to-Point Protocol (PPP) is an industry-standard set of protocols providing the best security of the three (negotiated authentication protocols and link encryption), multi-protocol support, and interoperability.
         b. Serial Line Internet Protocol (SLIP) is used by older remote access servers. SLIP has no authentication or encryption of its own. A Windows 2000 RAS server does not support SLIP dial-up connections.
         c. Microsoft RAS protocol, also known as Asynchronous NetBEUI (AsyBEUI), is a remote access protocol used by legacy remote access clients running Microsoft operating systems.

   E. LAN protocols
      1. LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server.
      2. Windows 2000 remote access supports TCP/IP, IPX, AppleTalk, and NetBEUI.

3. Remote Access Security

   A. Secure user authentication
      1. Secure user authentication means that the user's password is never sent across the link in clear text: the exchange is either a challenge/response, in which the client proves knowledge of the password, or a TLS-protected exchange.
      2. Secure authentication is possible through the use of PPP and one of the supported authentication protocols.
         a. Extensible Authentication Protocol (EAP)
         b. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
         c. Challenge Handshake Authentication Protocol (CHAP)
         d. Shiva Password Authentication Protocol (SPAP)
      3. These protocols are not equally strong. CHAP requires the server to store passwords with reversible encryption, SPAP relies on a reversible encryption scheme, and MS-CHAP version 1 has known cryptographic weaknesses; MS-CHAP version 2 or certificate-based EAP-TLS is the choice for new deployments. Password Authentication Protocol (PAP), which is also supported, sends the password in clear text and should be disabled unless a particular client requires it.
   B. Mutual authentication
      1. Mutual authentication is obtained by authenticating both ends of the connection: the server verifies the client, and the client verifies that it is talking to the real server. Of the protocols above, MS-CHAP version 2 and EAP-TLS provide this; CHAP, MS-CHAP version 1, and SPAP authenticate only the client.
      2. It is also possible to configure a RAS server not to request authentication from the remote access client at all (unauthenticated access); this should not be used on a server reachable from untrusted networks.

   C. Data encryption
      1. Data encryption encrypts the data sent between the remote access client and the RAS server.
      2. Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and the remote access client. The key is derived from the authentication exchange, which is why encryption requires a specific authentication protocol.
      3. Data encryption is possible over dial-up remote access links when using PPP along with EAP-TLS or MS-CHAP (version 1 or 2).
      4. Windows 2000, Windows NT 4.0, Windows 98, and Windows 95 remote access clients and remote access servers support Microsoft Point-to-Point Encryption (MPPE).

   D. Callback
      1. The RAS server calls the remote access client back after the user credentials have been verified.
      2. Callback can be configured on the server to call the remote access client back at a number specified by the user of the remote access client. Because the caller chooses the number, this is a cost-saving feature rather than a security control.
      3. Callback can be configured to always call back the remote access client at a specific number. This is the variant that restricts where a given account can connect from.

   E. Caller ID
      1. Caller ID can be used to verify that the incoming call is coming from a specified phone number.
      2. Caller ID requires that the caller's telephone line, the phone system, the RAS server's telephone line, and the Windows 2000 driver for the dial-up equipment all support caller ID.

   F. Remote access account lockout
      1. The remote access account lockout feature specifies how many times a remote access authentication can fail against a valid user account before further attempts on that account are denied.
      2. The feature cannot distinguish a malicious guessing attempt from a legitimate user mistyping a password, so an attacker who knows a user name can lock the legitimate user out. This lockout is separate from the domain account lockout policy and applies only to remote access authentication.
      3. An administrator must decide on two remote access account lockout variables.
         a. The number of failed attempts before future attempts are denied
         b. How often the failed attempts counter is reset


4. Managing Remote Access

   A. Managing users
      1. Set up a master account database in the Active Directory store or on a RADIUS server.
      2. A master account database allows the RAS server to send the authentication credentials to a central authenticating device rather than keeping separate local accounts on every RAS server.

   B. Managing addresses
      1. For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients during the establishment of the connection.
      2. The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.

   C. Managing access

      1. Overview of access management
         a. Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.
         b. Multiple remote access policies
            (1) Different sets of conditions can be applied to different remote access clients.
            (2) Different requirements can be applied to the same remote access client based on the parameters of the connection attempts.
         c. Multiple remote access policies can be used to meet various conditions.
            (1) Allow or deny connections if the user account belongs to a specific group.
            (2) Define different days and times for different user accounts based on group membership.
            (3) Configure different authentication methods for dial-up and VPN remote access clients.
            (4) Configure different authentication or encryption settings for PPTP or L2TP connections.
            (5) Configure different maximum session times for different user accounts based on group membership.
            (6) Send network access server-specific RADIUS attributes to a RADIUS client.
         d. RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.

      2. Access by user account
         a. The user account on a stand-alone or Active Directory-based computer contains a set of dial-in properties that are used when allowing or denying a connection attempt made by that user.
         b. Remote Access Permission (Dial-in or VPN)
            (1) You can set remote access to be explicitly allowed, denied, or determined through remote access policies.
            (2) The Control access through Remote Access Policy option is available only on user accounts in a native-mode domain or for local accounts on remote access servers running stand-alone Windows 2000 computers.
         c. Verify caller ID
            (1) The server verifies the caller's phone number.
            (2) If the caller's phone number does not match the configured phone number, the connection attempt is denied.
            (3) Caller ID must be supported by the caller, the phone system between the caller and the remote access server, and the remote access server.
         d. Callback options
            (1) The server calls the caller back at a telephone number set by the caller or at a specific phone number.
            (2) The limit on the number of characters in a callback number depends on the type of domain.
         e. The Assign a Static IP Address option allows you to assign a specific IP address to a user.
         f. The Apply Static Routes option allows you to define a series of static IP routes.

      3. Access by policy
         a. The access-by-policy administrative model is intended for RAS servers that are either stand-alone servers or members of a Windows 2000 native-mode domain.
         b. The Remote Access Policies node appears in the Routing and Remote Access snap-in when the authentication provider is set to Windows authentication.
         c. A typical use of policy-based access is to allow access through group membership.

      4. Accepting a connection attempt
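The access-management rules in C.1 through C.3 and the "accepting a connection attempt" step, run as one decision procedure. This is an added example, not part of the original outline and not Microsoft's implementation: the accounts, policies and sample connection attempts are constructed, and the condition names mirror the list in C.1.c. The evaluation order (first matching policy, then the account's dial-in permission, then the policy's permission, then the policy profile) is the Windows 2000 order.

```python
"""Authorization of a remote access connection in the Windows 2000 model:
dial-in permission on the user account plus ordered remote access policies.

Added example, not part of the original outline and not Microsoft's code.
Accounts, policies, condition names and sample attempts are constructed.
"""
import datetime as dt
from dataclasses import dataclass, field

ALLOW, DENY, VIA_POLICY = "allow", "deny", "control-through-policy"


@dataclass
class Account:
    name: str
    groups: set
    dialin_permission: str = VIA_POLICY


@dataclass
class Policy:
    name: str
    conditions: dict      # all must match, e.g. {"group": "VPN-Users", "tunnel": "L2TP"}
    grant: bool           # the policy's own remote access permission
    profile: dict = field(default_factory=dict)   # e.g. {"auth": {"MS-CHAPv2"}, "encryption": True}


@dataclass
class Attempt:
    user: str
    authenticated: bool   # credentials already verified by Windows or RADIUS
    tunnel: str           # "dial-up", "PPTP" or "L2TP"
    auth_method: str
    encrypted: bool
    when: dt.datetime


def conditions_match(policy, account, attempt):
    for key, wanted in policy.conditions.items():
        if key == "group" and wanted not in account.groups:
            return False
        if key == "tunnel" and attempt.tunnel != wanted:
            return False
        if key == "hours" and not wanted[0] <= attempt.when.hour < wanted[1]:
            return False
    return True


def profile_allows(profile, attempt):
    if "auth" in profile and attempt.auth_method not in profile["auth"]:
        return False
    if profile.get("encryption") and not attempt.encrypted:
        return False
    return True


def decide(attempt, accounts, policies):
    """Return (accepted, reason).  Authentication comes first; everything
    after it is authorization."""
    if not attempt.authenticated:
        return False, "authentication failed"
    account = accounts[attempt.user]
    policy = next((p for p in policies if conditions_match(p, account, attempt)), None)
    if policy is None:
        return False, "no policy matches"               # no match means reject
    if account.dialin_permission == DENY:
        return False, "account: deny access"
    if account.dialin_permission == VIA_POLICY and not policy.grant:
        return False, f"policy {policy.name}: deny"
    if not profile_allows(policy.profile, attempt):     # applies even to Allow accounts
        return False, f"policy {policy.name}: profile constraint"
    return True, f"policy {policy.name}: accepted"


# Constructed sample data.  The last policy behaves like the Windows 2000
# default policy: deny unless the account itself says Allow access.
ACCOUNTS = {
    "alice": Account("alice", {"Domain Users", "VPN-Users"}),
    "bob": Account("bob", {"Domain Users"}),
    "carol": Account("carol", {"Domain Users"}, dialin_permission=ALLOW),
    "mallory": Account("mallory", {"VPN-Users"}, dialin_permission=DENY),
}
POLICIES = [
    Policy("VPN users, L2TP only", {"group": "VPN-Users", "tunnel": "L2TP"}, True,
           profile={"auth": {"MS-CHAPv2", "EAP-TLS"}, "encryption": True}),
    Policy("Business-hours dial-up", {"tunnel": "dial-up", "hours": (8, 18)}, True,
           profile={"auth": {"MS-CHAPv2"}}),
    Policy("Default policy", {}, False),
]


def demo():
    noon, night = dt.datetime(2000, 3, 1, 12, 0), dt.datetime(2000, 3, 1, 23, 0)
    cases = {
        "alice L2TP/EAP-TLS": Attempt("alice", True, "L2TP", "EAP-TLS", True, noon),
        "alice PPTP": Attempt("alice", True, "PPTP", "MS-CHAPv2", True, noon),
        "alice L2TP/CHAP": Attempt("alice", True, "L2TP", "CHAP", True, noon),
        "bob daytime dial-up": Attempt("bob", True, "dial-up", "MS-CHAPv2", False, noon),
        "bob night dial-up": Attempt("bob", True, "dial-up", "MS-CHAPv2", False, night),
        "carol PPTP (account Allow)": Attempt("carol", True, "PPTP", "MS-CHAPv2", True, noon),
        "mallory (account Deny)": Attempt("mallory", True, "L2TP", "EAP-TLS", True, noon),
        "alice wrong password": Attempt("alice", False, "L2TP", "EAP-TLS", True, noon),
    }
    return {name: decide(a, ACCOUNTS, POLICIES) for name, a in cases.items()}
```

Two cases are worth reading closely: "carol" shows that an explicit Allow on the account overrides the policy's deny but not its profile, and "alice L2TP/CHAP" shows a correctly authenticated user being rejected on authorization alone.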

      5. Managing account lockout
         a. Changing settings in the registry on the authenticating computer configures the account lockout feature.
         b. If the RAS server is configured for Windows authentication, modify the registry on the RAS server computer.
         c. If the RAS server is configured for RADIUS authentication and IAS is being used, modify the registry on the IAS server.
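The two lockout variables from section 3.F and the registry-configured feature in item 5 above, modelled as an added example that is not part of the original outline and not RRAS code. The registry value names are the documented Windows 2000 ones; the exact reset semantics and the credential store are assumptions stated in the code. The fourth call in `demo` is the denial-of-service case the outline warns about: the legitimate user, with the right password, is refused.

```python
r"""Remote access account lockout: MaxDenials and ResetTime.

Added example, not part of the original outline and not the RRAS code.
MaxDenials and "ResetTime (mins)" are the documented Windows 2000 registry
values under
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
(MaxDenials 0 = lockout disabled, the default).  The reset rule modelled
here (counter cleared once ResetTime has elapsed since the first failure of
the current run) and the credential store are assumptions of this example.
"""
import datetime as dt


class AccountLockout:
    def __init__(self, max_denials, reset_minutes, credentials):
        self.max_denials = max_denials
        self.reset = dt.timedelta(minutes=reset_minutes)
        self.credentials = credentials     # user -> password, constructed
        self.failures = {}                 # user -> (count, time of first failure)

    def _count(self, user, now):
        count, first = self.failures.get(user, (0, now))
        if count and now - first >= self.reset:
            del self.failures[user]        # ResetTime elapsed: counter back to zero
            return 0, now
        return count, first

    def authenticate(self, user, password, now):
        if user not in self.credentials:
            return "reject: unknown user"  # failures are counted only against valid accounts
        count, first = self._count(user, now)
        if self.max_denials and count >= self.max_denials:
            return "reject: locked out"    # even the right password is refused until the reset
        if password == self.credentials[user]:
            self.failures.pop(user, None)  # a success clears the counter
            return "accept"
        self.failures[user] = (count + 1, first)
        return "reject: bad password"


def demo():
    t0 = dt.datetime(2000, 1, 1, 9, 0)

    def at(minutes):
        return t0 + dt.timedelta(minutes=minutes)

    svc = AccountLockout(max_denials=3, reset_minutes=30,
                         credentials={"alice": "correct-horse"})
    return [
        svc.authenticate("alice", "guess1", at(0)),
        svc.authenticate("alice", "guess2", at(1)),
        svc.authenticate("alice", "guess3", at(2)),          # third failure: locked
        svc.authenticate("alice", "correct-horse", at(3)),   # legitimate user now denied
        svc.authenticate("alice", "correct-horse", at(31)),  # ResetTime elapsed: accepted
        svc.authenticate("eve", "anything", at(0)),          # not a valid account
    ]
```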

   D. Managing authentication

      1. Windows authentication
         a. The user credentials sent by users attempting remote access connections are authenticated through normal Windows authentication mechanisms.
         b. If the remote access server is a member server of a Windows 2000 domain and is configured for Windows authentication, the computer account of the RAS server must be a member of the RAS and IAS Servers security group, which grants it read access to the dial-in properties of user accounts.

      2. RADIUS authentication
         a. User credentials and the parameters of the connection request are sent as a series of RADIUS request messages to a RADIUS server.
         b. The RADIUS server receives a user-connection request from the RAS server and authenticates the client against its authentication database.
         c. RADIUS can respond to authentication requests based on its own database, or it can be a front end to another database server.
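The RADIUS client-server exchange described in Lesson 2 section 8 and in D.2 above, as an added example that is not part of the original outline and not IAS code: the NAS (the RRAS server) builds an Access-Request with a hidden PAP password, the RADIUS server answers, and the NAS verifies the Response Authenticator before trusting the answer. The shared secret, addresses and accounts are constructed.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept between a NAS (the
RRAS server acting as RADIUS client) and a RADIUS server such as IAS.

Added example, not part of the original outline and not IAS code.  It hides
the PAP password as RFC 2865 section 5.2 specifies, performs the Response
Authenticator check the NAS must do, and shows what a weak shared secret
costs.  Secret, addresses and accounts are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def hide_password(password, secret, request_auth):
    """c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator."""
    padded = password.encode().ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def nas_build_request(ident, user, password, secret, nas_ip):
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(req, secret, accounts):
    _, ident, request_auth, attrs = parse(req)
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if accounts.get(user) == password else ACCESS_REJECT
    return packet(verdict, ident, response_authenticator(verdict, ident, b"", request_auth, secret), b"")


def nas_check_response(resp, request_auth, secret):
    """Return the response code only if the Response Authenticator is valid."""
    code, ident, auth, _ = parse(resp)
    expected = response_authenticator(code, ident, resp[20:], request_auth, secret)
    return code if hmac.compare_digest(auth, expected) else None


def crack_secret(req, resp, candidates):
    """Offline: a sniffed request/response pair lets anyone test secret guesses."""
    _, _, request_auth, _ = parse(req)
    code, ident, auth, _ = parse(resp)
    for cand in candidates:
        if response_authenticator(code, ident, resp[20:], request_auth, cand) == auth:
            return cand
    return None


def demo():
    secret, accounts = b"s3cret-shared", {"alice": "winter2000"}
    req, request_auth = nas_build_request(42, "alice", "winter2000", secret, "192.0.2.10")
    resp = server_handle(req, secret, accounts)
    accepted = nas_check_response(resp, request_auth, secret) == ACCESS_ACCEPT
    forged = packet(ACCESS_ACCEPT, 42, os.urandom(16), b"")   # no secret, no valid authenticator
    forged_rejected = nas_check_response(forged, request_auth, secret) is None
    guessed = crack_secret(req, resp, [b"radius", b"secret", b"s3cret-shared"])
    leaked = reveal_password(parse(req)[3][USER_PASSWORD], guessed, request_auth) if guessed else None
    return accepted, forged_rejected, leaked
```

`crack_secret` is why the shared secret between an RRAS server and IAS has to be long and random and why RADIUS traffic belongs on a management network: the Response Authenticator gives an eavesdropper an offline oracle for the secret, and the secret unmasks every PAP password that crossed the wire.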


      3. Windows and RADIUS accounting
         a. A remote access server supports the logging of accounting information for remote access server connections in local logging files.
         b. This logging is separate from the events recorded in the system event log.
         c. A remote access server also supports the logging of accounting information for remote access connections at a RADIUS server.


Chapter 10, Lesson 4
Virtual Private Networks

1. Introduction to Virtual Private Networks

   A. Overview
      1. VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet.
      2. A VPN is a point-to-point connection between the user's computer and a corporate server.
      3. A VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork.
      4. The secure connection across the internetwork appears to the user as a virtual network interface.

   B. Connecting networks over the Internet
      1. Dedicated lines
         a. The branch office and the corporate hub routers connect to the Internet through the use of a local dedicated circuit and a local ISP.
         b. A VPN is created between the branch office router and the corporate hub router across the Internet.
      2. Dial-up lines
         a. The router at the branch office calls its ISP.
         b. A VPN is created between the branch office router and the corporate hub router across the Internet.

   C. Connecting computers over an intranet
      1. VPNs allow a department's LAN to be physically connected to the corporate internetwork but separated from it by a VPN server.
      2. The VPN server does not act as a router between the corporate internetwork and the department LAN; only users who authenticate to the VPN server and are authorized by it reach the department LAN.


2. Tunneling Basics

   A. Overview
      1. Tunneling is a method of using an internetwork infrastructure to transfer a payload.
      2. Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information.
      3. The process of encapsulation and transmission of packets is known as tunneling.
      4. The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.

   B. Tunnel maintenance and data transfer
      1. Tunnel maintenance protocol
         a. A tunnel maintenance protocol is used as the mechanism to manage the tunnel.
         b. For some tunneling technologies, both endpoints of the tunnel must agree to the tunnel and be aware of its presence.
         c. A tunnel must be created before data transfer can occur.
            (1) The tunnel creation is initiated by one end of the tunnel, the tunnel client.
            (2) At the other end of the tunnel, the tunnel server receives the connection request.
         d. Tunnel maintenance is typically performed through a keep-alive process that periodically polls the other end of the tunnel when no data is being transferred.
         e. Certain tunneling technologies allow either end of the tunnel to gracefully terminate the tunnel through an exchange of tunnel termination messages.
      2. Tunnel data transfer protocol
         a. Once the tunnel is established, tunneled data can be sent.
         b. A tunnel data transfer protocol encapsulates the data to be transferred across the tunnel.
         c. The encapsulated payload is sent across the transit internetwork and routed to the tunnel server.
         d. The tunnel server accepts the packets, removes the tunnel data transfer protocol header, and forwards the payload appropriately.

   C. Tunnel types
      1. Voluntary tunnels
         a. Voluntary tunnels are configured and created through a conscious action by the user at the tunnel client computer.
         b. Voluntary tunneling occurs when the client volunteers to create the tunnel to the target tunnel server.
         c. Voluntary tunneling can occur in one of two cases.
            (1) The client already has a connection to the transit internetwork that can provide routing of encapsulated payloads between the client computer and its chosen tunnel server.
            (2) The client may have to establish a connection (via dial-up) to the transit internetwork before the client can set up a tunnel.
      2. Compulsory tunnels
         a. Overview
            (1) Compulsory tunnels are configured and created automatically for users without their knowledge or intervention.
            (2) If a client does not have a tunneling protocol installed, it is possible for another computer or network device to create the tunnel on the client's behalf.
            (3) With compulsory tunneling, the client computer makes a single PPP connection; when the client dials into a Network Access Server (NAS), a tunnel is created and all traffic is automatically routed through the tunnel.
         b. Static compulsory tunnels
            (1) Static tunnel configurations typically require either dedicated equipment or manual configuration.
            (2) In automatic tunneling, all dial-in clients to the access concentrator are automatically tunneled to a specific tunnel server.
            (3) In realm-based tunneling schemes, the access concentrator examines a portion of the user's name to decide where to tunnel the traffic.
         c. Dynamic compulsory tunnels
            (1) The choice of tunnel destination is made on a per-user basis at the time the user connects to the access concentrator.
            (2) Dynamic tunneling permits the access concentrator to be a multi-use NAS.


3. VPN Protocols

   A. PPTP
      1. PPTP encapsulates PPP frames in IP datagrams for transmission over an IP internetwork.
      2. PPTP uses a TCP connection (port 1723) for tunnel maintenance and uses modified GRE-encapsulated PPP frames for tunneled data.
      3. PPTP tunnels must be authenticated by using the same authentication mechanisms as PPP connections.

   B. L2TP
      1. L2TP is a combination of PPTP and Layer 2 Forwarding (L2F).
      2. L2TP is a network protocol that encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or ATM networks.
      3. L2TP uses UDP (port 1701) and a series of L2TP messages for tunnel maintenance.
      4. An L2TP tunnel is created between an L2TP client and an L2TP server.
      5. Creation of L2TP tunnels must be authenticated by using the same authentication mechanisms as PPP connections.

   C. PPTP vs. L2TP
      1. PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.
      2. When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.
      3. L2TP provides tunnel authentication, while PPTP does not.
      4. PPTP relies on PPP encryption (MPPE) for confidentiality. L2TP has no encryption of its own; in Windows 2000 it is paired by default with IPSec (L2TP over IPSec), which protects the whole L2TP packet, including the tunnel maintenance messages.

   D. IPSec
      1. Overview
         a. IPSec is a series of standards that support the secured transfer of information across an IP internetwork.
         b. IPSec ESP tunnel mode supports the encapsulation and encryption of entire IP datagrams for secure transfer across a private or public IP internetwork.
         c. With IPSec ESP tunnel mode, a complete IP datagram is encapsulated and encrypted with ESP.
         d. Upon receipt of the encrypted datagram, the tunnel server processes and discards the clear-text outer IP header, then authenticates and decrypts the ESP payload to recover the inner IP packet.
      2. ESP tunnel mode vs. ESP transport mode
         a. The main difference between ESP tunnel mode and ESP transport mode is that in tunnel mode the original IP header is encapsulated (and so hidden) inside ESP, whereas transport mode protects only the payload above the IP header.
         b. In ESP transport mode the final destination host is itself the IPSec peer, so the packet is decrypted only when it reaches that host. This is the mode L2TP over IPSec uses.
      3. IPSec ESP tunnel mode packet structure
         a. IPSec ESP tunnel mode is performed through multiple layers of encapsulation.
            (1) First layer of encapsulation: the original IP datagram
            (2) Second layer of encapsulation: the ESP header, ESP trailer, and integrity check value
            (3) Third layer of encapsulation: the new outer IP header addressed to the tunnel endpoints
            (4) Data link layer of encapsulation
         b. IPSec tunnel mode is an OSI layer 3 tunneling technique.
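The tunnel-mode versus transport-mode distinction in D.2 and the layered packet structure in D.3, as an added example that is not part of the original outline and not Windows 2000 code. It uses the ESP NULL cipher with HMAC integrity so it runs without a crypto library; the addresses, SPIs and key are constructed. `demo` returns what an observer on the transit network sees in each mode, what the receiving peer recovers, and whether a flipped bit is caught by the integrity check.

```python
"""IPSec ESP (RFC 4303) in tunnel mode versus transport mode.

Added example, not part of the original outline and not the Windows 2000
IPSec code.  To stay dependency-free it uses the ESP NULL cipher
(RFC 2410) with HMAC-SHA-256-128 integrity (RFC 4868), so the payload is
authenticated but readable; with a real cipher the inner IP header in
tunnel mode would be unreadable rather than merely encapsulated.
Addresses, SPIs and the key are constructed.
"""
import hashlib
import hmac
import socket
import struct

ESP, TCP, IPV4_IN_IP = 50, 6, 4            # IP protocol numbers


def ip_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


def esp_wrap(spi, seq, payload, next_header, key):
    """SPI | Seq | payload | padding | Pad Length | Next Header | ICV(16)."""
    pad_len = -(len(payload) + 2) % 4                  # align the trailer to 4 bytes
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def esp_unwrap(esp, key):
    body, icv = esp[:-16], esp[-16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def tunnel_mode(inner_pkt, gw_src, gw_dst, spi, seq, key):
    """The whole inner datagram is the ESP payload; Next Header = 4 (IP-in-IP)."""
    return ipv4(gw_src, gw_dst, ESP, esp_wrap(spi, seq, inner_pkt, IPV4_IN_IP, key))


def transport_mode(inner_pkt, spi, seq, key):
    """Only the transport segment is protected; the original IP header stays outside."""
    src, dst, proto, segment = parse_ipv4(inner_pkt)
    return ipv4(src, dst, ESP, esp_wrap(spi, seq, segment, proto, key))


def receive(pkt, key):
    """IPSec peer: strip ESP, then forward the inner datagram (tunnel) or hand
    the segment to the local stack (transport)."""
    src, dst, proto, esp = parse_ipv4(pkt)
    if proto != ESP:
        raise ValueError("not ESP")
    _, _, next_header, payload = esp_unwrap(esp, key)
    if next_header == IPV4_IN_IP:
        return "tunnel", parse_ipv4(payload)[:3]     # real endpoints visible only here
    return "transport", (src, dst, next_header)


def demo():
    key = b"\x11" * 32
    inner = ipv4("10.1.1.5", "10.2.2.9", TCP, b"GET / HTTP/1.0\r\n\r\n")
    tun = tunnel_mode(inner, "203.0.113.1", "198.51.100.1", 0x1000, 1, key)
    tra = transport_mode(inner, 0x2000, 1, key)
    on_the_wire = (parse_ipv4(tun)[:2], parse_ipv4(tra)[:2])   # what an observer sees
    decoded = (receive(tun, key), receive(tra, key))
    tampered = bytearray(tun)
    tampered[40] ^= 0x01                                       # flip a bit in the inner header
    try:
        receive(bytes(tampered), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return on_the_wire, decoded, tamper_detected
```

In tunnel mode the outer header carries only the two gateway addresses, so the transit network never learns which internal hosts are talking; in transport mode the real source and destination are on the wire in the clear, which is acceptable for L2TP over IPSec only because the L2TP endpoints are the VPN client and server themselves.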

   E. IP-IP
      1. IP-IP is a simple OSI layer 3 tunneling technique.
      2. A virtual network is created by encapsulating an IP packet with an additional IP header (IP protocol number 4).
      3. The primary use of IP-IP is for tunneling multicast traffic over sections of a network that do not support multicast routing.
      4. The IP payload includes everything above IP. IP-IP provides no authentication or encryption; anything carried inside it is as exposed as it would be unencapsulated.
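The four encapsulations of this section (PPTP over GRE, L2TP over UDP, ESP, and IP-IP) as they look to an observer of the transit network, as an added example that is not from the original outline: a small classifier run over constructed packets, of the kind a defender writes to recognise VPN traffic on a segment. It goes slightly beyond the text by also reporting whether a PPTP payload is MPPE-encrypted and whether an L2TP message is control or data. Checksums in the fixtures are left zero and the PPP protocol field is assumed uncompressed.

```python
"""Telling the tunnel protocols of this lesson apart from their outer
headers: IP-IP, PPTP (GRE), L2TP and ESP.

Added example, not part of the original outline.  It is the decoder a
network defender writes to classify VPN traffic; it decrypts nothing.
Sample packets are constructed with a zero IPv4 checksum and an
uncompressed (2-byte) PPP protocol field.
"""
import struct
from socket import inet_aton, inet_ntoa

IPIP, UDP, GRE, ESP = 4, 17, 47, 50          # IP protocol numbers
GRE_PPTP, L2TP_PORT = 0x880B, 1701
PPP_IP, PPP_MPPE = 0x0021, 0x00FD             # PPP protocol: plain IP vs MPPE-encrypted


def ip_hdr(src, dst, proto, payload_len):
    """Test fixture: minimal IPv4 header with a zero checksum."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, inet_aton(src), inet_aton(dst))


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return inet_ntoa(pkt[12:16]), inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


def parse_pptp_gre(gre):
    """Enhanced GRE (RFC 2637 section 4): version 1, K set, protocol 0x880B;
    Key field = payload length + Call ID; optional sequence (S) and ack (A)."""
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x7 != 1 or proto != GRE_PPTP or not flags & 0x2000:
        return None
    payload_len, call_id = struct.unpack("!HH", gre[4:8])
    pos = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)
    ppp = gre[pos:pos + payload_len]
    if ppp[:2] == b"\xff\x03":                 # HDLC address/control present
        ppp = ppp[2:]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    return {"tunnel": "PPTP", "call_id": call_id, "encrypted": ppp_proto == PPP_MPPE}


def parse_l2tp(udp):
    """L2TP (RFC 2661): T = control message, L = length present, version 2."""
    sport, dport = struct.unpack("!HH", udp[:4])
    if L2TP_PORT not in (sport, dport):
        return None
    l2tp = udp[8:]
    flags = struct.unpack("!H", l2tp[:2])[0]
    if flags & 0x000F != 2:
        return None
    pos = 2 + (2 if flags & 0x4000 else 0)
    tunnel_id, session_id = struct.unpack("!HH", l2tp[pos:pos + 4])
    return {"tunnel": "L2TP", "control": bool(flags & 0x8000),
            "tunnel_id": tunnel_id, "session_id": session_id}


def classify(pkt):
    src, dst, proto, payload = parse_ipv4(pkt)
    info = {"outer": (src, dst), "tunnel": None}
    if proto == IPIP:
        isrc, idst, iproto, _ = parse_ipv4(payload)
        info.update(tunnel="IP-IP", inner=(isrc, idst, iproto))   # inner header in the clear
    elif proto == GRE:
        info.update(parse_pptp_gre(payload) or {"tunnel": "GRE"})
    elif proto == UDP:
        info.update(parse_l2tp(payload) or {})
    elif proto == ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(tunnel="ESP", spi=spi, seq=seq)   # L2TP/IPSec looks like this: UDP 1701 is inside
    return info


def samples():
    """Constructed packets, one per tunnel type."""
    def udp(body):
        return struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(body), 0) + body

    inner = ip_hdr("10.1.1.5", "10.2.2.9", 6, 0)
    ppp_enc = struct.pack("!H", PPP_MPPE) + b"\x90\x00" + b"\xaa" * 8
    gre = struct.pack("!HHHHI", 0x3001, GRE_PPTP, len(ppp_enc), 0x1234, 1) + ppp_enc   # K|S, v1, seq 1
    l2tp_ctl = struct.pack("!HHHHHH", 0xC802, 12, 0, 0, 0, 0)                          # T|L|S, v2, Ns/Nr
    l2tp_data = struct.pack("!HHH", 0x0002, 5, 9) + struct.pack("!H", PPP_IP) + b"\x45" + b"\x00" * 19
    esp = struct.pack("!II", 0xDEADBEEF, 7) + b"\x00" * 24
    return {
        "ipip": ip_hdr("203.0.113.1", "198.51.100.1", IPIP, len(inner)) + inner,
        "pptp": ip_hdr("203.0.113.5", "198.51.100.1", GRE, len(gre)) + gre,
        "l2tp_control": ip_hdr("203.0.113.7", "198.51.100.1", UDP, len(udp(l2tp_ctl))) + udp(l2tp_ctl),
        "l2tp_data": ip_hdr("203.0.113.7", "198.51.100.1", UDP, len(udp(l2tp_data))) + udp(l2tp_data),
        "l2tp_ipsec": ip_hdr("203.0.113.9", "198.51.100.1", ESP, len(esp)) + esp,
    }
```

The "encrypted" flag on PPTP is the detection that matters operationally: a PPTP tunnel whose GRE payload carries PPP protocol 0x0021 rather than 0x00FD is passing IP in the clear, which is what you get when MPPE is not required in the remote access policy profile.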


4. Managing Virtual Private Networks

   A. Managing users
      1. A master account database is usually set up on a domain controller or on a RADIUS server.
      2. The same user account is used for both dial-in remote access and VPN remote access.

   B. Managing addresses and name servers
      1. The VPN server must have IP addresses available in order to assign them to the VPN server's virtual interface and to VPN clients.
      2. By default, the IP addresses assigned to VPN clients are obtained through DHCP.

   C. Managing access
      1. If you are managing remote access on a per-user basis, set the remote access permission on the Dial-In tab of each user's properties to Allow access or Deny access, and modify the remote access policy profile as necessary.
      2. If you are managing remote access on a group basis, set the remote access permission of the user accounts to Control access through Remote Access Policy, and create a remote access policy whose condition is membership of the appropriate Windows group.

   D. Managing authentication
      1. The VPN server can be configured to use either Windows or RADIUS authentication.
      2. If Windows is selected, the user credentials are authenticated by using Windows authentication, and the remote access policy is applied on the VPN server.
      3. If RADIUS is selected, user credentials and parameters are sent as a series of RADIUS request messages to the RADIUS server.

5. Troubleshooting
   A. Connection attempt is rejected when it should be accepted.
   B. Connection attempt is accepted when it should be rejected.
   C. Unable to reach locations beyond the VPN server.
   D. Unable to establish a tunnel.

Chapter 10, Lesson 5
RRAS Tools

1. Routing and Remote Access Snap-In
   A. The Routing and Remote Access snap-in allows you to perform a number of management tasks.
   B. The Routing and Remote Access snap-in is the primary management utility for configuring Windows 2000 local and remote access servers and routers.

2. Net Shell Command-Line Utility
   A. Overview of Net Shell
      1. Net Shell (netsh) is a command-line and scripting utility for Windows 2000 networking components on local or remote computers.
      2. Net Shell can support multiple Windows 2000 components through the addition of netsh helper DLLs.
   B. The Net Shell utility includes a number of options.
      1. -a <AliasFile>
      2. -c <Context>
      3. Command
      4. -f <ScriptFile>
      5. -r <RemoteComputerName or IP_address>
   C. Commands can be abbreviated to the shortest unambiguous string.
   D. Commands can be either global or context specific.
   E. Global commands can be issued in any context and are used for general netsh functions.
   F. Netsh has two command modes.
      1. In online mode, commands issued at a netsh command prompt are carried out immediately.
      2. In offline mode, commands issued at a netsh command prompt are accumulated and carried out as a batch by issuing the commit global command.
   G. You can run a script either by using the -f option or by typing the exec global command while in the Net Shell command window.
   H. To create a script of the current configuration, type the global dump command. The dump output is a convenient way to snapshot the RRAS configuration and diff it against a known-good copy when reviewing changes.
   I. The Net Shell command includes context-specific commands.
      1. ras
      2. aaaa
      3. routing
      4. interface

3. Authentication and Accounting Logging
   A. RRAS supports the logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or accounting is enabled.
   B. The authentication and accounting information is stored in a configurable log file or files.
   C. You can configure the type of activity to log and the log file settings.

4. Event Logging
   A. The Windows 2000 router performs extensive error logging in the system event log.
   B. Four levels of logging are available.
      1. Log errors only.
      2. Log errors and warnings.
      3. Log the maximum amount of information.
      4. Disable event logging.
   C. Take specific steps if an OSPF router is unable to establish an adjacency on an interface.
      1. Disable OSPF on the interface.
      2. Change the level of logging for OSPF to log the maximum amount of information.
      3. Enable OSPF on the interface.
      4. Examine the system event log for information about the OSPF adjacency process.
      5. Change the level of logging for OSPF back to log errors only.
   D. The level of event logging can be set from various places within the Routing and Remote Access snap-in.
   E. Logging consumes system resources and should be used sparingly.

5. Tracing
   A. RRAS has an extensive tracing capability that you can use to troubleshoot complex network problems.
   B. Tracing records internal component variables, function calls, and interactions.
   C. You can enable tracing for each routing protocol by setting the appropriate registry values.
   D. Tracing consumes system resources and should be used sparingly.
   E. To enable file tracing for each component, you must set specific values within the registry.