Virtual Private Network (VPN) Tips
- Wayne Firewall, VPN, Intrusion Detection, and Router
This is a new page I have started
- VPN clients and dangers of split tunneling
- SSL VPN vs IPsec VPN
PPTP VPNs need TCP and UDP port 1723 open, and IP protocol 47 must be allowed
so that Generic Routing Encapsulation (GRE) traffic can pass. L2TP VPNs need
TCP and UDP port 1701 and GRE (IP protocol 47) access.
- Proxying firewalls and NAT
With PPTP tunnels, the VPN server can be placed behind the firewall if the
firewall supports GRE packet editing. GRE is its own protocol and does not use
ports per se, but rather call ID numbers to establish sessions. Most firewalls
support GRE editing. L2TP VPN servers cannot sit behind a proxying or NAT
firewall. L2TP packets hitting the firewall cannot be routed to a VPN server
behind the firewall because the protocol encrypts the GRE header in the packet,
making it impossible to edit.
- Router to Router Connections
To create a tunnel between two Windows 2000 RRAS servers, you have to make
sure each server contains a dedicated user account for the other server to log
in with. Each server must also contain a demand-dial VPN connection with the
same name as the account the other computer will log in with. For example, if
Server A will be connecting to Server B using account name VPN1, Server B must
contain a user account named VPN1 and a demand-dial RRAS connection named VPN1.
Likewise, the connection on Server A should be named the same as the login
account Server B will authenticate with, say, VPN2. This will allow the servers
to connect and create the proper routing entries.
- L2TP with no certificates
L2TP tunnels are considered more secure than PPTP tunnels because the IP
headers are encrypted under L2TP, preventing hackers from even seeing what type
of tunnel traffic is being encrypted, let alone the traffic itself. There is a
misconception that L2TP requires each VPN server to trust a common certificate
authority. If this is a problem for your environment, the RRAS documentation
includes a method for configuring each VPN server with an identical "shared
secret" that can be used in place of a normal certificate. If you are not going
to use certificates, make sure the shared secret is impossible to break: make
it long (20+ characters), with a mix of symbols, uppercase letters, lowercase
letters and numbers.
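
One way to produce and check a shared secret that meets the rule above (an added example, not part of the original page or the RRAS documentation). The symbol set, the 32-character default and the function names are assumptions chosen for illustration.

```python
import secrets
import string

# Character classes named in the text: symbols, uppercase, lowercase, numbers.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    # Assumption: a conservative symbol set; trim it if your VPN
    # configuration UI or scripts mishandle some characters.
    "symbol": "!#$%&*+-=?@^_",
}
MIN_LENGTH = 20  # the "20+ characters" floor from the text


def check_shared_secret(secret, min_length=MIN_LENGTH):
    """Return a list of problems; an empty list means the secret passes."""
    problems = []
    if len(secret) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in secret):
            problems.append(f"no {name} character")
    return problems


def generate_shared_secret(length=32):
    """Generate a random secret that satisfies check_shared_secret()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        # secrets draws from the OS CSPRNG; random.choice() must not be used.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the result uniform over all strings
        # of this length that contain every class.
        if not check_shared_secret(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_shared_secret())
    # Constructed sample inputs for the checker:
    for sample in ("vpn1", "correcthorsebatterystaple", "Tr0ub4dor&3Tr0ub4dor&3"):
        print(repr(sample), check_shared_secret(sample) or "ok")
```

Generate the secret once, enter the identical value on both VPN servers, and keep it out of scripts and e-mail.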