Virtual Private Network VPN Tips


  • Wayne Firewall, VPN, Intrusion Detection, and Router
    Tips

    This is a new page I have started


  • VPN clients and dangers of split tunneling


  • SSL VPN vs IPsec VPN


  • Ports:

    PPTP VPNs need TCP and UDP port 1723 open, and IP protocol 47, the
    Generic Routing Encapsulation (GRE) protocol, must be allowed to pass. L2TP
    VPNs need TCP and UDP port 1701 and GRE (IP protocol 47) access.


  • Proxying firewalls and NAT

    PPTP tunnels can place the VPN server behind the firewall if the firewall
    supports GRE packet editing. GRE is its own protocol and does not use ports
    per se; it uses call ID numbers to establish sessions. Most firewalls
    support GRE editing. L2TP VPN servers cannot sit behind a proxying or NAT
    firewall: L2TP packets hitting the firewall cannot be routed to a VPN server
    behind it because the protocol encrypts the GRE header in the packet, making
    it impossible to edit.
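    The call-ID-based session tracking described above (and the reason the
    Ports item treats GRE as protocol 47 rather than a port) is easiest to see
    on the wire. The parser below is an added example, not code from this page;
    it reads the RFC 2637 enhanced GRE header that PPTP uses, pulls out the call
    ID a firewall keys its session table on, and shows the call-ID rewrite a
    NAT firewall with "GRE editing" performs. The sample packet is constructed.

```python
import struct

GRE_IP_PROTOCOL = 47        # GRE rides directly on IP; there is no TCP/UDP port
PPP_PROTOCOL_TYPE = 0x880B  # enhanced GRE protocol-type value for PPP (PPTP)

FLAG_KEY = 0x20     # K bit, first header byte: key field (payload len + call ID)
FLAG_SEQ = 0x10     # S bit, first header byte: sequence number present
FLAG_ACK = 0x80     # A bit, second header byte: acknowledgment number present
VERSION_MASK = 0x07 # low three bits of second byte; enhanced GRE is version 1


def _u32(pkt: bytes, offset: int) -> int:
    if len(pkt) < offset + 4:
        raise ValueError("header truncated")
    return struct.unpack("!I", pkt[offset:offset + 4])[0]


def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse an enhanced GRE header and return the fields a firewall needs.

    The call ID is the value that stands in for a port number when a
    firewall tracks (or NATs) PPTP data sessions."""
    if len(pkt) < 8:
        raise ValueError("too short for an enhanced GRE header")
    flags, flags2, ptype, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (flags2 & VERSION_MASK) != 1 or ptype != PPP_PROTOCOL_TYPE or not flags & FLAG_KEY:
        raise ValueError("not a PPTP enhanced GRE packet")
    offset, seq, ack = 8, None, None
    if flags & FLAG_SEQ:
        seq, offset = _u32(pkt, offset), offset + 4
    if flags2 & FLAG_ACK:
        ack, offset = _u32(pkt, offset), offset + 4
    payload = pkt[offset:]
    if len(payload) != payload_len:
        raise ValueError("payload length field does not match packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def rewrite_call_id(pkt: bytes, new_call_id: int) -> bytes:
    """Return a copy of pkt with the call ID replaced, which is the "GRE
    editing" a NAT firewall does to multiplex several inside PPTP peers."""
    parse_pptp_gre(pkt)  # validate the header before touching it
    return pkt[:6] + struct.pack("!H", new_call_id) + pkt[8:]


# Constructed sample: K+S set, A set, PPP type, payload len 4, call ID 42,
# seq 1, ack 0, followed by a 4-byte PPP payload.
SAMPLE = bytes.fromhex("3081880b0004002a0000000100000000") + bytes.fromhex("21450000")
```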


  • Router to Router Connections

    To create a tunnel between two Windows 2000 RRAS servers, make sure each
    server contains a dedicated user account for the other server to log in
    with. Each server must also contain a demand-dial VPN connection with the
    same name as the login credentials the other computer will use. For example,
    if Server A will connect to Server B using account name VPN1, Server B must
    contain a user account named VPN1 and a demand-dial RRAS connection named
    VPN1. Likewise, the connection on Server A should be named the same as the
    login account Server B will authenticate with, say, VPN2. This allows the
    servers to connect and create the proper routing entries.


  • L2TP with no certificates

    L2TP tunnels are considered more secure than PPTP tunnels because the IP
    headers are encrypted under L2TP, preventing hackers from even seeing what
    type of tunnel traffic is being encrypted, let alone the traffic itself.
    There is a misconception that L2TP requires each VPN server to trust a
    common certificate authority. If this is a problem for your environment,
    the RRAS documentation includes a method for configuring each VPN server
    with an identical "shared secret" that can be used in place of a normal
    certificate. If you are not going to use certificates, make sure the shared
    secret is impossible to break: make it long (20+ characters) with a mix of
    symbols, uppercase letters, lowercase letters and numbers.
