Home > Uncategorized > Chap 7: Managing Remote Access Services

Chap 7: Managing Remote Access Services


Today’s class will be covering Chapter 7 “Managing Remote Access Services“.


I will be covering the following topics today:

  • Three phases of PPP negotiation
  • How VPN’s work
  • PPTP compared to L2TP
  • Advantages of using PPTP
  • Advantages of using L2TP
  • Installing RRAS
  • Configuring VPN
  • Troubleshooting VPN
  • Managing RRAS
  • Integrating RRAS with DHCP
  • Configure a VPN Client

Although the book begins with Dial Up Networking, I’ve choosen to skip this as dialup is dead as far as I’m concerned. I have included the PPP negotiation process as it is used for serial connections and is something you will be tested on for the CCNA exam as well. When possible, I include material from the CCNA exam as well as 70-291. There are at least six distinct protocols that run on top of PPP. I encourage using Wikipeida.com and you can find more info on PPP by clicking here.

Three Phases of PPP Negotiation

Phase 1: PPP & Link Control Protocol

Phase 2: PPP & PAP or CHAP

Phase 3: PPP & CBCP, CCP & IPCP, IP Datagram exchange

How VPN’s Work

1.  Client establishes connection to internet

2. Client sends VPN connection request to server. Exact format of request varies depending on whether you are using PPTP or L2TP

3. Client authenticates to server. (again varies on protocol used)

4. Client and server negotiate parameters of VPN session, such as encryption algorithm and strength

      5. Client and server go throught the PPP negotiation process 

PPTP Compared to L2TP/IPSec
Both PPTP and L2TP/IPSec use PPP to provide an initial envelope for the data, and then append additional headers for transport through the internetwork. However, there are the following differences:

· With PPTP, data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed. With L2TP/IPSec, data encryption begins before the PPP connection process by negotiating an IPSec security association.

· PPTP connections use MPPE, a stream cipher that is based on the Rivest-Shamir-Aldeman (RSA) RC-4 encryption algorithm and uses 40, 56, or 128-bit encryption keys. Stream ciphers encrypt data as a bit stream. L2TP/IPSec connections use the Data Encryption Standard (DES), which is a block cipher that uses either a 56-bit key for DES or three 56-bit keys for 3-DES. Block ciphers encrypt data in discrete blocks (64-bit blocks, in the case of DES).

· PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates.

Advantages of L2TP/IPSec over PPTP
The following are the advantages of using L2TP/IPSec over PPTP:

·IPSec provides per packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (prevention from interpreting captured packets without the encryption key). By contrast, PPTP provides only per-packet data confidentiality.

· L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol.

· PPP packets exchanged during user-level authentication are never sent in an unencrypted form because the PPP connection process for L2TP/IPSec occurs after the IPSec security associations (SAs) are established. If intercepted, the PPP authentication exchange for some types of PPP authentication protocols can be used to perform offline dictionary attacks and determine user passwords. By encrypting the PPP authentication exchange, offline dictionary attacks are only possible after the encrypted packets have been successfully decrypted.

Advantages of PPTP over L2TP/IPSec
The following are advantages of PPTP over L2TP/IPSec:

· PPTP does not require a certificate infrastructure. L2TP/IPSec requires a certificate infrastructure for issuing computer certificates to the VPN server computer (or other authenticating server) and all VPN client computers.

· PPTP can be used by computers running Windows XP, Windows 2000\2003\2008, Windows NT version 4.0, Windows Millennium Edition (ME), Windows 98, and Windows 95 with the Windows Dial-Up Networking 1.3 Performance & Security Update. L2TP/IPSec can only be used with Windows XP and Windows 2000\2003\2008 VPN clients. Only these clients support the L2TP protocol, IPSec, and the use of certificates.

· PPTP clients and server can be placed behind a network address translator (NAT) if the NAT has the appropriate editors for PPTP traffic. L2TP/IPSec-based VPN clients or servers cannot be placed behind a NATunless both support IPSec NAT Traversal (NAT-T). IPSec NAT-T is supported by Windows Server 2003, Microsoft L2TP/IPSec VPN Client

Installing Routing & Remote Access Services

Exercise 7.1 Installing the Routing and Remote Access Services

Configuring RRAS

Exercise 7.2: Controlling Multilink for Incoming Calls

Troubleshooting VPN

· Is server configured to allow remote access?

· Is server configured to allow VPN traffic and if so what type?

· Are there any available VPN ports?

· Does user account have remote access persmission

Monitoring Remote Access

· Event Log files (systemroot\system32\LogFiles\iaslog.log

· Monitoring Ports and Port Activity

Integrating RRAS with DHCP

*You can’t install the relay agent on a computer that is already acting as a DHCP server

*You can’t install it on a system running NAT with the addressing component installed

*Add New Routing Protocol for DHCP Relay Agent

Exercise 7.6: Installing and Configuring the DHCP Relay Agent on a RRAS server

Configure a VPN Client

Exercise 7.8: Configuring Windows XP as a VPN Client

Here is a complete list of exercises for Chapter 7

UNIT 7 – Managing Remote Access Service

____7-1 – Installing the Routing and Remote Access Services

____7.2 – Controlling Multilink for Incoming Calls

____7.3 – Configuring Incoming Connections

____7.4 – Installing the Routing and Remote Access Service as a VPN Server

____7.5 – Changing Remote Access Logging Settings

____7.6 – Installing and Configuring the DHCP Relay Agent on an RRAS Server

____7.7 – Configuring the DHCP Relay Agent on a Network Interface

____7.8 – Configuring Windows XP Professional as a VPN Client

Categories: Uncategorized
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: