
Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect

Microsoft Corporation Author: Dave Bishop Editor: Scott Somohano Published: May 22, 2009

Abstract
VPN Reconnect is a new feature of Routing and Remote Access Services (RRAS) in Windows 7 or Windows Server 2008 R2 that provides users with seamless and consistent VPN connectivity, automatically reestablishing a VPN when users temporarily lose their Internet connections. This guide provides step-by-step instructions for setting up VPN Reconnect in a test lab with three computers and then demonstrating persistent connectivity through a change in the network connection used to access the Internet.

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Server, ActiveX, and Internet Explorer are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
    Abstract
    Contents
    Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
    About Remote Access with VPN Reconnect
    Windows Firewall with Advanced Security and VPN Reconnect traffic
    Configuring DC1
        Install the operating system
        Configure TCP/IP
        Install Active Directory and DNS
        Create a user account with remote access permission
        Create a shared folder and file
    Configuring VPN1
        Install the operating system
        Configure TCP/IP
        Name the computer and join the Contoso domain
        Install Active Directory Certificate Services and Web Server
        Create and install the Server Authentication certificate
        Install Network and Policy Access Server Role
        Configure Routing and Remote Access
        Configure the Network Policy Server (NPS) to grant access for EAP-MSCHAPv2 authentication
    Configuring CLIENT1
        Install the operating system
        Configure TCP/IP
        Configure the VPN client with the root certificate
    Creating and Configuring the Remote Connection with VPN Reconnect on CLIENT1
    Simulating Connection Persistence When the Internet Link Changes
    Conclusion

Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
This guide provides step-by-step instructions that enable you to configure three computers in a test lab environment with which you can configure and test virtual private network (VPN) remote access using the VPN Reconnect feature available in the Windows 7 or Windows Server 2008 R2 operating systems.

Important: The following instructions are for configuring a test lab using a minimum number of computers and procedure steps. To minimize setup time and complexity, services were combined on the network servers rather than using individual computers to separate the services in a more secure manner. This configuration is designed to reflect neither best practices nor a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network.

For a complete view of Windows 7 resources, articles, demos, and guidance, please visit the Springboard Series for Windows 7 on the Windows Client TechCenter.

About Remote Access with VPN Reconnect


VPN Reconnect refers to the support in Routing and Remote Access service (RRAS) for a new tunneling protocol, IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2), which is described in RFC 4306. With the functionality provided by the IKEv2 Mobility and Multihoming protocol (MOBIKE), which is described in RFC 4555, this tunneling protocol offers inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN). Specifically, for mobile phones and other mobility scenarios, this tunneling method enables the VPN tunnel to stay alive even when the client moves from one access point or location to another.

When using other VPN protocols, and the network connection is interrupted for any reason, the user typically loses the VPN tunnel completely and must manually reestablish the VPN tunnel. VPN Reconnect allows the underlying network connection to be interrupted for a configurable amount of time, without losing the tunnel. As soon as network connectivity is reestablished, even through a different network interface, the tunnel is automatically restored with no interaction required from the user. For example, this permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption to the user.

Note: If your laptop hibernates when you close the lid, then the connection is lost and you will have to manually reinitiate the connection.

Note: Unlike other VPN tunnels such as PPTP, L2TP/IPsec, and SSTP, IPsec Tunnel Mode with IKEv2 does not run a PPP-based handshake on top of the tunnel.

Setting Up the Test Lab for VPN Reconnect

The VPN Reconnect test lab network consists of three computers, which perform the following services:

- DC1: A computer running Windows Server 2008 R2 that is acting as a domain controller, a Domain Name System (DNS) server, and a file server on a private (intranet) network.
  Note: Alternatively, DC1 can run Windows Server 2008 or Windows Server 2003.
- VPN1: A computer running Windows Server 2008 R2, with two network adapters installed. VPN1 is configured with the Network Policy and Access Services (NPAS) and Active Directory Certificate Services (AD CS) server roles. The RRAS role service is installed to allow VPN1 to act as a VPN server. In addition, VPN1 is configured with Network Policy Services (NPS) to configure and enable the remote access policies required for a VPN connection.
- CLIENT1: A computer running Windows 7 that acts as a VPN client on a public (Internet) network.

The following diagram shows the configuration of the VPN test lab.

Note: The firewall illustrated in the diagram is not a separate device or computer; instead it is the Windows Firewall that runs as part of Windows on VPN1. In a production environment, the scenario likely includes a separate firewall through which the VPN tunnel must be able to pass. For more information, see the next section.

Windows Firewall with Advanced Security and VPN Reconnect traffic


VPN Reconnect requires that the firewall rules on VPN1 and CLIENT1 allow UDP ports 500 and 4500 for IKE traffic, as well as IP protocol ID 50 for Encapsulating Security Payload (ESP) traffic. When you install Routing and Remote Access Services on VPN1, Windows Firewall rules are automatically created to allow this traffic. On CLIENT1, outbound traffic that CLIENT1 initiates is automatically allowed. Unless you or another service alters the firewall rules, this traffic will not be blocked. However, if the firewall configuration on either VPN1 or CLIENT1 has been modified, you may need to create inbound and outbound firewall rules on these computers to allow this traffic. For more information about creating firewall rules, see Windows Firewall with Advanced Security and IPsec.
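As an added example that is not part of the Microsoft guide, the following netsh commands create the inbound rules on VPN1 for exactly the traffic described above, in case the automatically created rules were removed, and then display them. The rule names are my own choice; Windows Server 2008 R2 and Windows 7 have no firewall cmdlets, so netsh advfirewall is used from an elevated PowerShell or Command Prompt.

```powershell
# Added example, not from the Microsoft guide. Rule names are arbitrary.
# Run in an elevated PowerShell (or Command Prompt) on VPN1.

# IKEv2 negotiation: UDP 500.
netsh advfirewall firewall add rule name=VPNReconnect-IKE-UDP500 dir=in action=allow protocol=UDP localport=500 profile=any

# IKEv2 NAT traversal (IKE and UDP-encapsulated ESP when a NAT is in the path): UDP 4500.
netsh advfirewall firewall add rule name=VPNReconnect-NATT-UDP4500 dir=in action=allow protocol=UDP localport=4500 profile=any

# Encapsulating Security Payload: IP protocol 50, which has no ports.
netsh advfirewall firewall add rule name=VPNReconnect-ESP-Proto50 dir=in action=allow protocol=50 profile=any

# Verify that the three rules exist and are enabled.
netsh advfirewall firewall show rule name=VPNReconnect-IKE-UDP500
netsh advfirewall firewall show rule name=VPNReconnect-NATT-UDP4500
netsh advfirewall firewall show rule name=VPNReconnect-ESP-Proto50

# On CLIENT1 the matching outbound traffic is allowed by default. Only if the
# outbound policy there has been changed to block do these counterparts become
# necessary (note remoteport, because CLIENT1 initiates the connection):
# netsh advfirewall firewall add rule name=VPNReconnect-IKE-Out dir=out action=allow protocol=UDP remoteport=500,4500
# netsh advfirewall firewall add rule name=VPNReconnect-ESP-Out dir=out action=allow protocol=50
```

If a rule already exists with one of these names, netsh adds a second rule with the same name rather than failing, so check with the show commands first.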

Configuring DC1
DC1 is a computer running Windows Server 2008 R2 that provides the following services:

- A domain controller for the contoso.com Active Directory domain.
- A DNS server for the Contoso.com DNS domain.
- A file server.

The configuration of DC1 requires the following steps:

1. Install the operating system.
2. Configure TCP/IP.
3. Install Active Directory and DNS.
4. Create a user account with remote access permission.
5. Create a shared folder and file.

The following sections explain these steps in detail.

Install the operating system


To install Windows Server 2008 R2
1. On DC1, start your computer using the Windows Server 2008 R2 product disc.
2. Follow the instructions that appear on your screen.
3. When prompted to provide a password for the Administrator user account, type Pass@word1.
4. After installation completes and the Initial Configuration Tasks window appears, under 1. Provide Computer Information, click Provide computer name and domain.
   Note: If the Initial Configuration Tasks window does not appear, or if you closed it after selecting Do not show this window at logon, you can start it by clicking Start, typing oobe, and pressing ENTER.
5. On the Computer Name tab, click Change.
6. In the Computer name text box, type DC1, and then click OK.
7. On the confirmation window, click OK, click Close on the System Properties dialog box, and then click Restart Now.

Configure TCP/IP
Configure TCP/IP properties so that DC1 has a static IP address of 192.168.0.1 with the subnet mask 255.255.255.0 and a default gateway of 192.168.0.2.

To configure TCP/IP properties
1. After DC1 restarts, in the Initial Configuration Tasks window, under 1. Provide Computer Information, click Configure networking.
2. In the Network Connections dialog box, right-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click Use the following IP address, and configure the following settings:
    a. In IP address, type 192.168.0.1.
    b. In Subnet mask, type 255.255.255.0.
    c. In Default gateway, type 192.168.0.2.
    d. In Preferred DNS server, type 192.168.0.1.
5. Click OK, and then click Close.
6. Close the Network Connections window.

Install Active Directory and DNS


Configure the computer as a domain controller for the Contoso.com domain. This will be the first and only domain controller in this network.

To configure DC1 as a domain controller
1. On DC1, in the Initial Configuration Tasks window, under 3. Customize This Server, click Add roles, and then perform the following steps in the Add Roles Wizard.
    a. In the Add Roles Wizard, on the Before You Begin page, click Next.
    b. On the Select Server Roles page, select Active Directory Domain Services.
    c. In the Add features required for Active Directory Domain Services dialog box, click Add Required Features.
    d. Back on the Select Server Roles page, click Next.
    e. On the Active Directory Domain Services page, click Next, and then on the Confirm Installation Selections page, click Install.
    f. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
2. In the Active Directory Domain Services Installation Wizard, perform the following steps:
    a. On the Welcome page, click Next.
    b. On the Operating System Compatibility page, click Next.
    c. On the Choose a Deployment Configuration page, select Create a new domain in a new forest, and then click Next.
    d. On the Name the Forest Root Domain page, type contoso.com, and then click Next.
    e. On the Set Forest Functional Level page, select Windows Server 2008 R2, and then click Next.
       Note: The choice does not affect the outcome of this step-by-step guide.
    f. On the Additional Domain Controller Options page, ensure that DNS server is selected, and then click Next.
    g. On the notice dialog that indicates that a delegation for the DNS server cannot be created, click Yes.
    h. On the Location for Database, Log Files, and SYSVOL page, click Next.
    i. On the Directory Services Restore Mode Administrator Password page, type Pass@word1 in both text boxes, and then click Next.
    j. On the Summary page, click Next.
    k. On the progress dialog box, select Reboot on completion.
    l. On the Completing page, click Finish, and then click Restart Now.

Important: You must allow the computer to restart after installing Active Directory before proceeding.

Create a user account with remote access permission


Create a user account and configure the account with remote access permission.

To create and grant permission to a user account in Active Directory
1. After DC1 restarts, log on as Contoso\Administrator.
2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
3. In the navigation tree, expand contoso.com, right-click Users, click New, and then click User.
4. In Full name, type user1, and in User logon name, type user1. Click Next.
5. In Password, type Pass@word1, and in Confirm password, type Pass@word1 again.
6. Clear the User must change password at next logon check box, and then select the User cannot change password and Password never expires check boxes.
7. Click Next, and then click Finish.

To grant remote access permission to user1:
1. In the left tree, click Users. In the details pane, double-click user1.
2. On the Dial-in tab, under Network Access Permission, click Allow access, and then click OK.
3. Close Active Directory Users and Computers.

Create a shared folder and file


DC1 is a file server that should be accessible to a remote user after access and authentication methods have been configured.

To create a shared folder and file
1. On DC1, click Start, and then click My Computer.
2. Double-click Local Disk (C:).
3. On the toolbar, click New folder, and then type the name CorpData.
4. Right-click the CorpData folder, click Share with, and then click Specific people.
5. In the File Sharing dialog box, type Everyone, and then click Add.
6. In the list, click the entry for Everyone, and then click Read/Write.
7. Click Share, and then click Done to complete the process. The folder is now accessible as \\dc1\corpdata.
8. Double-click the CorpData folder, and then right-click in the blank space. Point to New, and then click Text Document.
9. Name the document VPNTest (the .txt file type extension is added automatically).
10. Open VPNTest and add some text.
11. Save and close VPNTest.


Configuring VPN1
VPN1 is a computer running Windows Server 2008 R2 that provides the following roles and services:

- Active Directory Certificate Services, a certification authority (CA) that issues the computer certificate to a VPN server required for a remote connection with VPN Reconnect.
- Certification Authority Web Enrollment, a service that enables the issuing of certificates through a Web browser.
- Web Server (IIS), which is installed as a required role service for Certification Authority Web Enrollment.
- Network Policy and Access Services, which provides support for VPN connections through NPS and RRAS.

VPN1 configuration consists of the following steps:

1. Install the operating system.
2. Configure TCP/IP for Internet and intranet networks.
3. Name the computer and join the Contoso.com domain.
4. Install the Active Directory Certificate Services and Web Server (IIS) server roles.
5. Create and install the Server Authentication certificate.
6. Install the NPAS server role.
7. Configure VPN1 to be a VPN server.
8. Configure the NPS server to grant access for EAP-MSCHAPv2 authentication.

The following sections explain these steps in detail.

Install the operating system


VPN1 must run Windows Server 2008 R2.

To install Windows Server 2008 R2
1. On VPN1, start your computer using the Windows Server 2008 R2 product disc.
2. Follow the instructions that appear on your screen.
3. When prompted to provide a password for the Administrator user account, type Pass@word1.
4. After installation completes, the Initial Configuration Tasks window appears.
   Note: If the Initial Configuration Tasks window does not appear, or if you closed it after selecting Do not show this window at logon, you can start it by clicking Start, typing oobe in the text box, and pressing ENTER.

Configure TCP/IP
Configure TCP/IP properties so that VPN1 has a static IP address of 131.107.0.2 for the public (Internet) connection and 192.168.0.2 for the private (intranet) connection.

To configure TCP/IP properties
1. On VPN1, in the Initial Configuration Tasks window, under 1. Provide Computer Information, click Configure networking.
2. In the Network Connections dialog box, right-click the connection for the adapter that is connected to the public (Internet) network, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click Use the following IP address, and configure the following settings:
    a. In IP address, type 131.107.0.2.
    b. In Subnet mask, type 255.255.0.0.
    c. Do not configure a default gateway or DNS server on this connection.
    d. Click OK twice to return to Network Connections.
5. Right-click the connection for the adapter that is connected to the private network, and then click Properties.
6. Click Use the following IP address, and configure the following settings:
    a. In IP address, type 192.168.0.2.
    b. In Subnet mask, type 255.255.255.0.
    c. Do not configure a default gateway on this connection.
    d. In Preferred DNS server, type 192.168.0.1.
    e. Click OK twice to return to Network Connections.
7. To rename the network connections, right-click a network connection, and then click Rename.
8. Rename the network connections with the following names:
    a. On the interface connected to the public (Internet) network, type Public.
    b. On the interface connected to the private (intranet) network, type Private.
9. Close the Network Connections window.

Use the ping command to verify network connectivity between VPN1 and DC1, and to verify that VPN1 can use DC1 for name resolution.

To use the ping command to check network connectivity
1. On VPN1, click Start, click Run, in the Open box, type cmd, and then click OK. In the Command Prompt window, type ping dc1 /4.
2. Verify that you can successfully ping DC1.
3. Close the Command Prompt window.
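As an added example (not part of the Microsoft guide), the same VPN1 addressing as the procedure above can be applied with netsh from an elevated prompt, which also makes the "no gateway on either adapter" requirement explicit. The adapter names "Local Area Connection" (public) and "Local Area Connection 2" (private) are assumptions; list the real names with netsh interface show interface first.

```powershell
# Added example, not from the Microsoft guide. Run in an elevated PowerShell
# (or Command Prompt) on VPN1 before the computer is joined to the domain.
# ASSUMED adapter names; verify with:  netsh interface show interface

# 1. Rename the adapters so later steps (the RRAS wizard) can refer to Public/Private.
netsh interface set interface name="Local Area Connection"   newname="Public"
netsh interface set interface name="Local Area Connection 2" newname="Private"

# 2. Public (Internet) side: static address, no default gateway, no DNS server.
netsh interface ipv4 set address name="Public" source=static address=131.107.0.2 mask=255.255.0.0
netsh interface ipv4 set dnsservers name="Public" source=static address=none

# 3. Private (intranet) side: static address, no default gateway, DC1 as DNS server.
netsh interface ipv4 set address name="Private" source=static address=192.168.0.2 mask=255.255.255.0
netsh interface ipv4 set dnsservers name="Private" source=static address=192.168.0.1 register=primary

# 4. Verify the settings took effect and that DC1 answers by name over IPv4.
netsh interface ipv4 show config name="Public"
netsh interface ipv4 show config name="Private"
ping -4 dc1
```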

Name the computer and join the Contoso domain


Configure VPN1 with its name, and join it to the Contoso.com domain.

To name VPN1 and join it to the Contoso.com domain
1. On VPN1, in the Initial Configuration Tasks window, under 1. Provide Computer Information, click Provide computer name and domain.
   Note: If the Initial Configuration Tasks window is not already open, to open it, click Start, click Run, type oobe in the text box, and then click OK.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In Computer name, clear the text and type VPN1.
4. In Member of, click Domain, type contoso, and then click OK.
5. Enter administrator for the user name and Pass@word1 for the password.
6. When you see a dialog box welcoming you to the contoso.com domain, click OK.
7. When you see a dialog box telling you to restart the computer, click OK. Click Close, and then click Restart Now.

Install Active Directory Certificate Services and Web Server


To support IKEv2-enabled VPN connections, first install the Active Directory Certificate Services and Web Server (IIS) server roles to enable Web enrollment of a computer certificate.

To install the certificate services and prerequisite roles
1. After VPN1 restarts, log on as contoso\administrator with the password Pass@word1.
2. In the Initial Configuration Tasks window, under 3. Customize This Server, click Add roles.
   Note: If the Initial Configuration Tasks window is not already open, to open it, click Start, type oobe in the text box, and then click OK.
3. In the Add Roles Wizard dialog box, on the Before You Begin page, click Next.
4. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next.
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. On the Select Role Services page, select both Certification Authority and Certification Authority Web Enrollment.
7. In the Add role services and features required for Certification Authority Web Enrollment? dialog box, click Add Required Role Services.
8. Click Next.
9. On the Specify Setup Type page, select Enterprise, and then click Next.
10. On the Specify CA Type page, select Root CA, and then click Next.
11. On the Set Up Private Key page, select Create a new private key, and then click Next.
12. On the Configure Cryptography for CA page, click Next to accept the default cryptographic settings.
13. On the Configure CA Name page, click Next to accept the default CA common name and suffix.
14. On the Set Validity Period page, click Next to accept the default validity period.
15. On the Configure Certificate Database page, click Next to accept the default locations.
16. On the Web Server (IIS) page, click Next.
17. On the Select Role Services page, click Next to accept the default choices.
18. In the Confirm Installation Selections dialog box, click Install. The installation might take several minutes.
19. In the Installation Results dialog box, click Close.

Create and install the Server Authentication certificate


The Server Authentication certificate is used by CLIENT1 to authenticate VPN1. The certificate must have the Server Authentication and IP security IKE intermediate extended key usage (EKU) options applied.

To create a certificate template with the required EKUs
1. On VPN1, click Start, click Administrative Tools, and then click Certification Authority.
2. In the navigation tree, expand contoso-VPN1-CA.
3. Right-click Certificate Templates, and then click Manage. The Certificate Templates Console appears.
4. Right-click the IPsec template in the list, and then click Duplicate Template.
5. In the Duplicate Template dialog box, select Windows Server 2003 Enterprise, and then click OK.
6. On the General tab, change the Template display name to VPN Reconnect.
7. Check the Validity period. The default is 2 years. You can adjust this per your organization's requirements.
8. On the Request Handling tab, select Allow private key to be exported.
9. On the Subject Name tab, select Supply in the request. If a warning message appears, click OK.
10. On the Extensions tab, select Application Policies, and then click Edit.
11. The IP security IKE intermediate policy is already present. Keep it. If there are any others, select them and click Remove.
12. Click Add, select Server Authentication, and then click OK.
13. Click OK to return to the Extensions tab.
14. Select Key Usage, and then click Edit.
15. In the Signature section, ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.
16. Click OK to save your completed template.
17. Close the Certificate Templates Console window.

The certificate template has been created. It must be issued before it can be used to request a certificate.

To issue the certificate template
1. In the Certification Authority console window, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select VPN Reconnect, and then click OK.

The template is now ready to be used for certificate requests. Before you can request one, you must configure Internet Explorer security settings to work with the certificate publishing web page.

To configure Internet Explorer to allow certificate publishing
1. On VPN1, click Start, right-click Internet Explorer, and then click Run as administrator.
2. Click Tools, and then click Internet Options.
3. On the Security tab, under Select a zone to view or change security settings, click Local intranet.
4. Change the security level for Local intranet from Medium-low to Low, and then click OK.
   Note: In a real-world scenario, you should configure individual ActiveX control settings using Custom level rather than lowering the overall security level.

Internet Explorer is now ready to be used to request and install certificates on the local computer.

To request a Server Authentication certificate using Internet Explorer
1. On VPN1, in the Internet Explorer address bar, type http://localhost/certsrv, and then press ENTER.
2. Under Select a Task, click Request a Certificate.
3. Under Request a Certificate, click Advanced Certificate Request.
4. Under Advanced Certificate Request, click Create and submit a request to this CA.
5. On the first confirmation dialog box, click Yes to allow the ActiveX control.
6. On the second confirmation dialog box, click Yes to allow the certificate operation.
7. In the Certificate Template list, select VPN Reconnect.
8. Under Identifying Information, in the Name field, type vpn1.contoso.com.
   Note: The name is the certificate subject name and must be the same as the Internet address used in the IKEv2 connection settings configured later in this document.
9. Under Key Options, select Mark keys as exportable, and then click Submit.
10. Click Yes in each of the confirmation dialog boxes.

The server authentication certificate is created in the user personal store. It must be moved to the machine store to be used.

To move the certificate to the machine store
1. On VPN1, click Start, type MMC, and then press ENTER.
2. In Console1, click File, and then click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, and then click Add.
4. Click Finish to accept the default setting of My user account.
5. Click Add a second time, click Computer account, and then click Next.
6. In the Select Computer dialog box, click Finish to accept the default setting of Local computer.
7. Click OK to close the Add or Remove Snap-ins dialog box.
8. In the navigation tree, expand Certificates - Current User, expand Personal, and then click Certificates.
9. In the details pane, right-click the vpn1.contoso.com certificate, click All Tasks, and then click Export.
10. On the Welcome page, click Next.
11. On the Export Private Key page, click Yes, export the private key, and then click Next.
12. On the Export File Format page, click Next to accept the default file format.
13. On the Password page, type Pass@word1 in both text boxes, and then click Next.
14. On the File to Export page, click Browse.
15. Under Favorites, click Desktop.
16. In the File name text box, type vpn1cert, and then click Save to save the certificate to the desktop.
17. Back on the File to Export page, click Next.
18. On the Completing the Certificate Export Wizard page, click Finish to close the wizard, and then click OK in the confirmation dialog box.
19. In the console tree pane, expand Certificates (Local Computer), and then expand Personal.
20. Right-click Certificates, point to All Tasks, and then click Import.
21. On the Welcome page, click Next.
22. On the File to Import page, click Browse.
23. Under Favorites, click Desktop.
24. In the file type drop-down list, select Personal Information Exchange (*.pfx, *.p12).
25. In the list of files, double-click vpn1cert.
26. Back on the File to Import page, click Next.
27. On the Password page, type Pass@word1, and then click Next.
28. On the Certificate Store page, click Next to accept the Personal store location.
29. Click Finish to close the Certificate Import Wizard, and then click OK in the confirmation dialog box.

To generate the trusted root certificate
1. On VPN1, in the Internet Explorer address bar, type http://localhost/certsrv, and then press ENTER.
2. Under Select a task, click Download a CA certificate, certificate chain, or CRL.
3. Click Yes to allow the ActiveX control, and Yes to allow the certificate operation.
4. Click Download CA certificate.
5. Click Save, select Desktop, type the name RootCACert, click Save, and then click Close. Later, you will move this certificate to the Client1 computer.

Important: The root certificate for the CA is already installed on VPN1, because the root certificate for a CA is installed when the computer is made a CA. If your CA is a separate computer from VPN1, then you must separately download and install the root CA certificate to VPN1.
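Before moving on to RRAS, it is worth confirming that the certificate now in the machine store really carries everything IKEv2 needs. The following script is an added example, not part of the Microsoft guide; it assumes the subject name vpn1.contoso.com from the request step and checks the private key, both EKUs, the Digital Signature key usage from template step 15, the validity period, and that the chain builds to the contoso-VPN1-CA root on this computer.

```powershell
# Added example, not from the Microsoft guide. Works with the PowerShell 2.0
# Cert: drive on Windows Server 2008 R2; no extra modules are required.
# ASSUMPTION: the subject name typed in the certificate request was vpn1.contoso.com.

$Subject            = "CN=vpn1.contoso.com"
$OidServerAuth      = "1.3.6.1.5.5.7.3.1"   # Server Authentication
$OidIkeIntermediate = "1.3.6.1.5.5.8.2.2"   # IP security IKE intermediate

function Test-VpnReconnectCertificate {
    param([string]$SubjectName)

    # Newest certificate with that subject in Certificates (Local Computer) > Personal.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $SubjectName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert -eq $null) {
        Write-Warning "No certificate with subject '$SubjectName' in Cert:\LocalMachine\My"
        return $false
    }

    # Enhanced Key Usage OIDs carried by the certificate (from the VPN Reconnect template).
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt -ne $null) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Key Usage must include Digital Signature (template step 15).
    $kuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digSig = $false
    if ($kuExt -ne $null) {
        $flag   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $digSig = (($kuExt.KeyUsages -band $flag) -ne 0)
    }

    $now = Get-Date
    $checks = @(
        @{ Name = "Private key present in the machine store";                 Ok = $cert.HasPrivateKey },
        @{ Name = "EKU Server Authentication ($OidServerAuth)";              Ok = ($ekus -contains $OidServerAuth) },
        @{ Name = "EKU IP security IKE intermediate ($OidIkeIntermediate)";  Ok = ($ekus -contains $OidIkeIntermediate) },
        @{ Name = "Key Usage includes Digital Signature";                     Ok = $digSig },
        @{ Name = "Within validity period";                                   Ok = (($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)) },
        # Verify() builds and validates the chain against this computer's trusted roots.
        @{ Name = "Chain builds to a trusted root CA";                        Ok = $cert.Verify() }
    )

    Write-Host ("Certificate {0}, thumbprint {1}, expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    $allOk = $true
    foreach ($c in $checks) {
        if ($c.Ok) { $status = "PASS" } else { $status = "FAIL"; $allOk = $false }
        Write-Host ("[{0}] {1}" -f $status, $c.Name)
    }
    return $allOk
}

$ready = Test-VpnReconnectCertificate -SubjectName $Subject
if (-not $ready) {
    Write-Host "Fix the template or re-request the certificate before configuring RRAS."
}
```

A FAIL on either EKU line means the VPN Reconnect template was not the one selected at request time, or step 12 (adding Server Authentication) was skipped.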

Install Network and Policy Access Server Role


Configure VPN1 with Routing and Remote Access to function as a VPN server.

To install the NPS and RRAS service roles
1. On VPN1, in the Initial Configuration Tasks window, under Customize This Server, click Add roles.
   Note: If the Initial Configuration Tasks window is not already open, you can open it by clicking Start, typing oobe in the text box, and then clicking OK.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, click Network Policy and Access Services, and then click Next.
4. On the Network Policy and Access Services page, click Next.
5. On the Select Role Services page, select both Network Policy Server and Routing and Remote Access Services, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Now that the services are installed, you can configure them.

Configure Routing and Remote Access


Configure VPN1 to be a VPN server providing remote access for Internet-based VPN clients.

To configure VPN1 to be a VPN server
1. On VPN1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the navigation tree, right-click VPN1 (local), and then click Configure and Enable Routing and Remote Access.
3. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.
4. On the Configuration page, click Next to accept the default setting of Remote access (dial-up or VPN).
5. On the Remote Access page, select VPN, and then click Next.
6. On the VPN Connection page, under Network interfaces, select Public. This is the interface that will connect VPN1 to the Internet.
7. Clear the option Enable security on the selected interface by setting up static packet filters, and then click Next.
Note
In a production environment, leave this option selected: the static packet filters allow only VPN traffic to reach the server through the public interface. For the purposes of testing lab connectivity (for example, the ping test to VPN1 later in this guide), disable it.
8. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.
9. On the Address Range Assignment page, click New.
10. In the New IPv4 Address Range dialog box, in Start IP address type 192.168.0.200, in End IP address type 192.168.0.210, click OK to add the range, and then click Next. (This is the set of IP addresses available to assign to VPN clients.)
11. On the Managing Multiple Remote Access Servers page, click Next to accept the default setting of not working with a RADIUS server. In this scenario, RRAS uses Windows Authentication.
12. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
13. On the warning about possible NPS policy conflicts, click OK.
14. On the warning about the need to configure the DHCP Relay Agent, click OK.
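The role installation and the address-pool and authentication choices made in the two procedures above can be reproduced and audited from the command line. The block below is an added example, not code from the guide: it installs the two role services, sets the static pool and the EAP authentication type with netsh ras, adds narrowly scoped inbound Windows Firewall rules for the IKEv2 ports (IKE on UDP 500, IKE NAT traversal on UDP 4500, ESP as IP protocol 50) on VPN1's public address, and confirms the RemoteAccess service is running. Run it in an elevated Windows PowerShell 2.0 prompt on VPN1 after the wizard has enabled RRAS. The pool 192.168.0.200-210 and the public address 131.107.0.2 are the guide's lab values; the rule names are this example's own.

```powershell
# Added example (not part of the guide): scripted role install, RRAS pool and
# authentication settings, IKEv2 firewall openings, and a service check.
# Lab values from the guide: pool 192.168.0.200-210, VPN1 public IP 131.107.0.2.

# 1. Role services (idempotent; already-installed features are skipped).
Import-Module ServerManager
Add-WindowsFeature NPAS-Policy-Server, NPAS-RRAS-Services | Out-Null

# 2. Static address pool for VPN clients, matching the wizard's choice of
#    'From a specified range of addresses'.
netsh ras ip set addrassign method=pool | Out-Null
netsh ras ip add range from=192.168.0.200 to=192.168.0.210 | Out-Null

# 3. Allow EAP at the RRAS layer; the NPS policy later narrows the EAP type
#    to EAP-MSCHAP v2.
netsh ras add authtype type=eap | Out-Null

# 4. Inbound openings for IKEv2 only, bound to the public address so they do
#    not widen the corporate-side interface. With the wizard's static packet
#    filters turned off in the lab, these three rules are the whole exposure
#    the VPN service needs on the Internet side.
$publicIp = '131.107.0.2'
$rules = @(
    @{ Name = 'Lab IKEv2 IKE';   Protocol = 'udp'; Port = 500  },
    @{ Name = 'Lab IKEv2 NAT-T'; Protocol = 'udp'; Port = 4500 },
    @{ Name = 'Lab IKEv2 ESP';   Protocol = '50';  Port = $null }
)
foreach ($r in $rules) {
    # Remove any earlier copy so re-running the script does not duplicate rules.
    netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null
    if ($r.Port) {
        netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow localip=$publicIp protocol=$($r.Protocol) localport=$($r.Port) | Out-Null
    } else {
        # ESP has no ports; the protocol number alone identifies it.
        netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow localip=$publicIp protocol=$($r.Protocol) | Out-Null
    }
}

# 5. The RemoteAccess service must be running before any IKEv2 client can connect.
Set-Service RemoteAccess -StartupType Automatic
if ((Get-Service RemoteAccess).Status -ne 'Running') { Start-Service RemoteAccess }

# 6. Show what was configured so it can be compared with the wizard's result.
netsh ras ip show config
netsh ras show authtype
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Lab IKEv2'
Get-Service RemoteAccess | Format-Table Name, Status, StartType -AutoSize
```

The point of step 4 is the check a reviewer would ask for in production: everything the public interface accepts is listed by name and bound to one address, so an unexpected opening (for example the ICMP or file-sharing rules this lab enables later) stands out in `netsh advfirewall firewall show rule name=all dir=in`.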

Configure the Network Policy Server (NPS) to grant access for EAP-MSCHAPv2 authentication
Configure VPN1 by using Network Policy Server (NPS) to enable and configure the remote access policies required for an IKEv2-based VPN connection.
Note
You can also choose to install NPS on DC1 or on any other server. NPS running on Windows Server 2008 is also supported. For the sake of simplicity in this guide, we are deploying it on VPN1.
IKEv2 supports both machine-certificate-based and EAP-based authentication. NPS is required when using EAP-based authentication, and is not required when using machine-certificate-based authentication.

To configure the NPS server
1. On VPN1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the Routing and Remote Access navigation tree, expand VPN1 (local).
3. Right-click Remote Access Logging & Policies, and then click Launch NPS.
4. In the Network Policy Server window, in the Network Access Policies section, click the Network Access Policies link.
5. Double-click Connections to Microsoft Routing and Remote Access server.
6. On the Overview tab, in the Access Permission section, select Grant access. Grant access if the connection request matches this policy.
7. On the Constraints tab, in the Constraints list, select Authentication Methods.
8. If Microsoft: Secured password (EAP-MSCHAP v2) is not present in the EAP Types list, then follow these steps:
a. Click Add.
b. In the Add EAP dialog box, select Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
9. Select Microsoft: Smart Card or other certificate, and then click Remove to remove that EAP type.
10. Click OK to save your changes.
11. Close the Network Policy Server window.


Configuring CLIENT1
CLIENT1 is a computer running Windows 7 that functions as a remote access VPN client for the Contoso.com domain. CLIENT1 configuration consists of the following steps:
Install the operating system
Configure TCP/IP
Configure the VPN client with the root certificate

Note
When configuring the client, a trusted root certificate is not required when using EAP-based authentication. However, the trusted root certificate is required when computer-certificate-based authentication is used.

Install the operating system


CLIENT1 must run Windows 7.

To install Windows 7
1. On CLIENT1, start your computer using the Windows 7 product disc. Follow the instructions that appear on your screen.
2. When prompted for the installation type, choose Custom Installation.
3. When prompted for the user name, type user1.
4. When prompted for the computer name, type CLIENT1.
5. When prompted for the computer location, choose Home.

Configure TCP/IP
Configure TCP/IP properties so that CLIENT1 has a static IP address of 131.107.0.3 for the public (Internet) connection.

To configure TCP/IP properties
1. On CLIENT1, click Start, and then click Control Panel.
2. Under Network and Internet, click View network status and tasks.
3. In Network and Sharing Center, click Change adapter settings.
4. In Network Connections, right-click Local Area Connection, and then click Properties.
5. In the Local Area Connection Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. In IP address, type 131.107.0.3, and in Subnet mask, type 255.255.0.0.
7. Click OK, and then click Close.

Configure the hosts file to have a record for VPN1. This simulates a real-world scenario in which the corporate VPN server has a publicly resolvable host name.

To configure the hosts file
1. On CLIENT1, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the User Account Control dialog box, click Continue.
3. In the Administrator: Command Prompt window, type the following, and then press ENTER: notepad %windir%\system32\drivers\etc\hosts
4. Add the following text on a new line at the end of the document: 131.107.0.2 vpn1.contoso.com
5. Save and close the hosts file.

Use Windows Firewall with Advanced Security to ensure that the appropriate firewall rules are enabled.

To ensure that the appropriate firewall rules in Windows Firewall with Advanced Security are enabled and configured to allow connections
1. On VPN1, click Start, type wf.msc, and then press ENTER.
2. In the navigation tree, click Inbound Rules.
3. In the details pane, double-click File and Printer Sharing (Echo Request - ICMPv4-In) for the Private and Public profiles.
4. In the rule properties dialog box, under General, select Enabled, under Action select Allow the connection, and then click OK.
5. Close the Windows Firewall with Advanced Security window.

For the purposes of this test lab, a successful ping response from vpn1.contoso.com to CLIENT1 signifies that the remote user can connect to the office VPN server over the public Internet.

To use ping to verify the connection to vpn1.contoso.com
1. On CLIENT1, in the Administrator: Command Prompt window, type ping vpn1.contoso.com, and then press ENTER.
2. Verify that you can successfully ping VPN1.
3. Close the Command Prompt window.
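The hosts entry, the echo-request rule and the ping check above are easy to get subtly wrong (a duplicate hosts line, a rule enabled in the wrong profile, a ping that succeeds against a cached address). The following is an added example, not code from the guide, that does the same three things in a repeatable way: it appends the hosts entry only if the name is not already mapped, resolves the name through the normal stack to prove the hosts entry is what answers, enables the built-in echo-request rule by name, and counts echo replies. Run Add-LabHostsEntry and Test-VpnServerReachable on CLIENT1 and Enable-IcmpEchoIn on VPN1, all from an elevated Windows PowerShell 2.0 prompt. The address 131.107.0.2 and the name vpn1.contoso.com are the guide's lab values.

```powershell
# Added example (not part of the guide): hosts entry, ICMPv4 echo rule and
# reachability check as functions. Lab values: 131.107.0.2 = vpn1.contoso.com.

function Add-LabHostsEntry {
    param([string]$IPAddress, [string]$HostName)
    $hosts   = Join-Path $env:windir 'System32\drivers\etc\hosts'
    # Match an uncommented line whose second field is exactly this host name.
    $pattern = '^\s*\S+\s+' + [regex]::Escape($HostName) + '(\s|$)'
    $present = @(Get-Content $hosts | Where-Object { $_ -match $pattern -and $_ -notmatch '^\s*#' })
    if ($present.Count -eq 0) {
        Add-Content -Path $hosts -Value "$IPAddress`t$HostName" -Encoding ASCII
    }
    # Resolve through the resolver so the result reflects what ping will use.
    $resolved = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    return ($resolved -contains $IPAddress)
}

function Enable-IcmpEchoIn {
    # Run on VPN1. Enables every profile's copy of the built-in rule the guide
    # switches on in wf.msc; 'new enable=yes' changes only the enabled flag.
    netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
}

function Test-VpnServerReachable {
    param([string]$HostName, [int]$Count = 4)
    # Test-Connection returns one object per echo reply and none for timeouts,
    # so the object count is the number of replies received.
    $replies = @(Test-Connection -ComputerName $HostName -Count $Count -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        Target    = $HostName
        Sent      = $Count
        Received  = $replies.Count
        Reachable = ($replies.Count -gt 0)
    }
}

# Usage on CLIENT1 (Enable-IcmpEchoIn must already have been run on VPN1):
if (Add-LabHostsEntry -IPAddress '131.107.0.2' -HostName 'vpn1.contoso.com') {
    Test-VpnServerReachable -HostName 'vpn1.contoso.com' | Format-List
} else {
    Write-Warning 'vpn1.contoso.com does not resolve to 131.107.0.2; check the hosts file.'
}
```

A Reachable value of False with the hosts entry resolving correctly usually means the echo-request rule on VPN1 is still disabled, or that the RRAS static packet filters were left on in step 7 of the VPN server setup.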


Configure the VPN client with the root certificate


Install the root certificate for the CA that issued the server authentication certificate. This is required for the client computer to trust the server authentication certificate and complete the VPN connection.

To install the root certificate on the client
1. On CLIENT1, click Start, type mmc, and then press ENTER.
2. In the Console1 window, click File, and then click Add/Remove snap-in.
3. Under Available snap-ins, select Certificates, and then click Add.
4. In the Certificates snap-in dialog box, select Computer account, and then click Next.
5. In the Select Computer dialog box, click Finish to accept the default selection of Local computer.
6. Click OK to close the Add/Remove snap-ins dialog box.
7. In the navigation pane, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, click All Tasks, and then click Import.
8. On the Certificate Import Wizard welcome page, click Next.
9. On the File to Import page, click Browse.
10. In the File name text box, type \\vpn1.contoso.com\c$\users\administrator.contoso\desktop, and then press ENTER.
Note
This works in our lab scenario because VPN1 has file sharing enabled and the firewall is not blocking file sharing on the external network adapter. In a production environment, you would need to provide the root certificate to your client computers by using some other secure method, such as Group Policy, and verify the certificate's thumbprint against a value obtained from the CA administrator before placing it in the Trusted Root store: whatever is installed here becomes a trust anchor for every server certificate the client validates.
11. When asked for credentials, type contoso\administrator and Pass@word1.
Note
Because you logged on as the local administrator before you joined VPN1 to the domain, adding the domain administrator account created a separate profile that is named Administrator with the name of the domain appended.
12. Select RootCACert from the file list, and then click Open.
13. With the path to the certificate now complete, click Next.
14. On the Certificate Store page, click Next to accept the default value of placing the certificate in the Trusted Root Certification Authorities store.
15. On the completion page, click Finish, and then on the successful import notice, click OK.
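Because a file fetched over an admin share on the "Internet" side of the lab is exactly the kind of transfer that cannot be trusted in production, the scripted version of this step should refuse to install anything whose thumbprint it does not already know. The following is an added example, not code from the guide: it reads RootCACert from the desktop, compares its SHA-1 thumbprint with a value obtained out of band (read it on VPN1, the CA, with Get-ChildItem Cert:\LocalMachine\Root), checks that the certificate is self-signed, and only then adds it to the local computer's Trusted Root store. The thumbprint shown is a placeholder; the file path is the guide's. Elevated Windows PowerShell 2.0 on CLIENT1.

```powershell
# Added example (not part of the guide): pinned install of the lab root CA
# certificate into LocalMachine\Root. $expectedThumbprint is a placeholder;
# replace it with the value read from the CA itself before running.

$certFile           = Join-Path $env:USERPROFILE 'Desktop\RootCACert.cer'
$expectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder, not the real value

function Install-PinnedRootCert {
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $actual   = $cert.Thumbprint.ToUpperInvariant()
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()

    # Refuse anything that does not match the out-of-band value: an attacker
    # who can tamper with the file on the way in would otherwise become a root.
    if ($actual -ne $expected) {
        throw "Refusing to trust $($cert.Subject): thumbprint $actual does not match the expected value."
    }
    # A root certificate is self-signed; an intermediate or end-entity cert
    # does not belong in this store even if its thumbprint were supplied.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$($cert.Subject) is not self-signed; it is not a root certificate."
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    } finally { $store.Close() }
    return $cert.Thumbprint
}

Install-PinnedRootCert -Path $certFile -ExpectedThumbprint $expectedThumbprint
```

The same function works unchanged for a certificate delivered by any other channel (USB media, an internal web page, a software distribution tool); only the thumbprint source has to be trustworthy.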


Creating and Configuring the Remote Connection with VPN Reconnect on CLIENT1
On CLIENT1, you use Network and Sharing Center to create a connection to vpn1.contoso.com and save the connection. You then configure the properties of that connection to use VPN Reconnect.

To create the VPN Reconnect connection to vpn1.contoso.com
1. On CLIENT1, click Start, and then click Control Panel.
2. Under Network and Internet, click View network status and tasks.
3. In Network and Sharing Center, click Set up a new connection or network.
4. Click Connect to a workplace, and then click Next.
5. Click Use my Internet connection (VPN).
6. Click I'll set up an Internet connection later.
7. In Internet address, type vpn1.contoso.com. In Destination name, type VPN Reconnect Connection, and then click Next.
8. In the Type your user name and password dialog box, type the following information: In User name, type user1. In Password, type Pass@word1. Click Remember this password. In Domain, type contoso.
9. Click Create, and then click Close.

To configure and test the VPN Reconnect Connection
1. On CLIENT1, in Network and Sharing Center, click Change adapter settings.
2. Double-click VPN Reconnect Connection, and then click Properties.
3. On the Security tab, in the Type of VPN list, select IKEv2, and then click OK.
4. In the Connect VPN Reconnect Connection dialog box, click Connect.
5. If the Set Network Location dialog box appears, select Work.
CLIENT1 should successfully connect to VPN1 by using the VPN Reconnect connection. To verify the connection, access the corporate file server from CLIENT1 over the VPN Reconnect connection you just set up.


To test the remote connection by connecting to a remote file share
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Run dialog box, type \\dc1.contoso.com\corpdata, and then press ENTER.
3. Double-click VPNTest to open it, add some text, and then save the file.
4. Close Notepad.
5. In the Network Connections window, right-click VPN Reconnect Connection, and then click Disconnect.
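The connect, write-to-share and disconnect cycle above is the test you will want to repeat every time the server certificate, NPS policy or firewall changes, so it is worth scripting. The following is an added example, not code from the guide: it drives the phonebook entry the wizard created with rasdial, using the credentials saved under Remember this password so that no password appears on the command line or in the shell history, checks that the entry is listed as active, writes a timestamped line to the test file on the share, and disconnects. The entry name and share path are the guide's lab values; the file name VPNTest.txt is assumed. Windows PowerShell 2.0 on CLIENT1.

```powershell
# Added example (not part of the guide): scripted connect / verify / disconnect
# test of the VPN Reconnect entry. Assumes the test document is VPNTest.txt.

$entry = 'VPN Reconnect Connection'
$share = '\\dc1.contoso.com\corpdata'

function Get-ActiveRasEntries {
    # rasdial with no arguments prints 'Connected to' followed by one entry
    # name per line, or 'No connections'; keep only the entry names.
    $out = rasdial
    return @($out | Where-Object { $_ -and $_ -notmatch '^(Connected to|No connections|Command completed)' })
}

function Test-VpnReconnectEntry {
    param([string]$EntryName, [string]$SharePath)
    $result = New-Object PSObject -Property @{
        Entry = $EntryName; Connected = $false; ShareReachable = $false; DisconnectClean = $false; RasError = 0
    }

    # No user name or password: rasdial uses the credentials saved with the entry.
    rasdial $EntryName | Out-Null
    # rasdial exits 0 on success and with the RAS error code otherwise (for
    # example 13801, 'IKE authentication credentials are unacceptable', which
    # in this lab usually means the server certificate lacks an EKU).
    if ($LASTEXITCODE -ne 0) { $result.RasError = $LASTEXITCODE; return $result }
    $result.Connected = ((Get-ActiveRasEntries) -contains $EntryName)

    # Application-level proof: a write through the tunnel to the corporate share.
    try {
        $testFile = Join-Path $SharePath 'VPNTest.txt'
        Add-Content -Path $testFile -Value ("CLIENT1 via $EntryName at " + (Get-Date -Format s)) -ErrorAction Stop
        $result.ShareReachable = Test-Path $testFile
    } catch {
        $result.ShareReachable = $false
    }

    rasdial $EntryName /disconnect | Out-Null
    $result.DisconnectClean = -not ((Get-ActiveRasEntries) -contains $EntryName)
    return $result
}

Test-VpnReconnectEntry -EntryName $entry -SharePath $share | Format-List
```

Connected True with ShareReachable False points at routing or name resolution inside the tunnel rather than at IKEv2 itself; a non-zero RasError before anything else is an authentication or certificate problem and should be read together with the RRAS event log on VPN1.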


Simulating Connection Persistence When the Internet Link Changes


In the previous section, you tested a remote connection with VPN Reconnect settings. Now you can simulate the interface switch for the remote connection with VPN Reconnect and demonstrate seamless reconnection. The following steps on CLIENT1 are required to simulate the interface switch:
1. Establish the remote connection with VPN Reconnect between the client computer and the VPN server.
2. Disconnect the client computer from the local Internet interface (Ethernet wired LAN). Note that the VPN Reconnect connection is sustained and is not automatically disconnected.
3. Establish the Internet interface through a wireless LAN. The VPN Reconnect connection automatically detects the new interface and switches to it, restoring the VPN connection and application connectivity.
Important
This step assumes that a wireless access point for Internet access is available on the client side for CLIENT1 to establish the Internet interface. For more information, see 4 steps to set up your home wireless network on the Microsoft Web site. Alternatively, for simulating the VPN Reconnect switch without a wireless network, you can:
4. Verify that the connection switch was completed successfully.

To establish the remote connection with VPN Reconnect between the client and the VPN server
1. On CLIENT1, click the network icon in the notification area of the taskbar, which by default is in the lower right of the display.
2. Click VPN Reconnect Connection, and then click Connect.
3. In the connection dialog box, click Connect.
4. Verify that the connection was completed successfully: click the network icon in the notification area of the taskbar again. The VPN Reconnect Connection displays the status Connected.

To disconnect the client from the local Internet interface
1. On CLIENT1, unplug the Ethernet cable from your network adapter.
2. Click the network icon in the notification area of the taskbar again. The status of the VPN Reconnect Connection has changed to Dormant: Server Unavailable.


To establish the Internet interface through a wireless (or other) network connection
1. In Network and Sharing Center, click Connect to a network.
2. Select the wireless (or other) Internet connection from the list of available connections, and then click Connect.
3. Open Network and Sharing Center, and under View your active networks, note that your new Internet interface shows the status Identifying.
4. Wait a few seconds until Internet connectivity is restored. The VPN Reconnect connection automatically restores application connectivity after Internet connectivity is restored.
5. Click the network icon in the notification area of the taskbar again. The status of your connection changes to Dormant: waiting to reconnect, and then changes to Connected.
6. Click Start, type cmd, and then press ENTER.
7. In the Command Prompt window, type ping dc1.contoso.com, and then press ENTER.
8. Verify that you can successfully ping DC1 again.
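If no second network is available, the interface switch can be simulated from the command line and, more usefully, timed. The following is an added example, not code from the guide: it confirms the VPN Reconnect entry is active, administratively disables the wired adapter to drop the underlying Internet path, waits until DC1 stops answering, records whether rasdial still lists the entry while the tunnel is dormant, re-enables the adapter in place of the wireless link, and measures how long it takes for application connectivity to DC1 to return. IKEv2 keeps the security association alive and updates it with the new address when one appears, which is what makes the reconnection seamless. The adapter name Local Area Connection and the host dc1.contoso.com are the guide's lab values. Elevated Windows PowerShell 2.0 on CLIENT1, with the VPN Reconnect connection already connected.

```powershell
# Added example (not part of the guide): simulate the interface switch by
# disabling and re-enabling the wired adapter, and time the VPN Reconnect
# recovery. Lab values: adapter 'Local Area Connection', target dc1.contoso.com.

$entry   = 'VPN Reconnect Connection'
$adapter = 'Local Area Connection'
$target  = 'dc1.contoso.com'

function Get-ActiveRasEntries {
    $out = rasdial
    return @($out | Where-Object { $_ -and $_ -notmatch '^(Connected to|No connections|Command completed)' })
}

function Set-AdapterState {
    param([string]$Name, [ValidateSet('enabled', 'disabled')][string]$State)
    # Administrative disable is the scripted equivalent of pulling the cable.
    netsh interface set interface name="$Name" admin=$State | Out-Null
}

function Wait-ForReachability {
    param([string]$HostName, [bool]$Expected, [int]$TimeoutSeconds)
    # Poll once a second until a single echo request matches the expected
    # outcome; return the elapsed seconds, or -1 on timeout.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $TimeoutSeconds) {
        $ok = [bool](Test-Connection -ComputerName $HostName -Count 1 -ErrorAction SilentlyContinue)
        if ($ok -eq $Expected) { return [math]::Round($sw.Elapsed.TotalSeconds, 1) }
        Start-Sleep -Seconds 1
    }
    return -1
}

if (-not ((Get-ActiveRasEntries) -contains $entry)) {
    throw "$entry is not connected; connect it first."
}

# 1. Drop the Internet path and wait for the tunnel to stop carrying traffic.
Set-AdapterState -Name $adapter -State disabled
$lostAfter = Wait-ForReachability -HostName $target -Expected $false -TimeoutSeconds 30

# 2. While the link is down the UI shows 'Dormant: Server Unavailable'; record
#    whether rasdial still lists the entry rather than treating it as torn down.
$listedWhileDormant = ((Get-ActiveRasEntries) -contains $entry)

# 3. Bring a path back (this stands in for the wireless link) and time recovery.
Set-AdapterState -Name $adapter -State enabled
$restoredAfter = Wait-ForReachability -HostName $target -Expected $true -TimeoutSeconds 120

New-Object PSObject -Property @{
    Entry                 = $entry
    LinkLostAfterSec      = $lostAfter
    EntryListedWhileDown  = $listedWhileDormant
    RestoredAfterSec      = $restoredAfter
    Reconnected           = ($restoredAfter -ge 0)
} | Format-List
```

Run it a few times and compare RestoredAfterSec: a value that climbs toward the 120-second timeout, or a Reconnected of False, means the client fell back to a full reconnect (or gave up) rather than resuming the existing IKEv2 association, and the RRAS and IKEEXT event logs on VPN1 and CLIENT1 are the next place to look.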

Conclusion
In this guide you configured a lab computer to serve as a VPN gateway server that could accept IKEv2-based VPN connections from a remote client. For more information about RRAS and VPN servers, see Routing and Remote Access Server (http://go.microsoft.com/fwlink/?linkid=149606) in the Windows Server Technical Library.

