Virtual Private Network VPN Tips

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

  • Wayne Firewall, VPN, Intrusion Detection, and Router Tips
    This is a new page I have started
  • VPN clients and dangers of split tunneling

  • SSL VPN vs IPsec VPN

  • Ports:

    PPTP needs TCP port 1723 for the control channel and IP protocol 47 (GRE) for the tunnelled data. GRE is a protocol, not a port, so the firewall must be able to pass protocol 47 itself. L2TP as Windows uses it is L2TP/IPsec, which needs UDP port 500 for IKE, IP protocol 50 (ESP) for the encrypted tunnel and, when a NAT sits in the path, UDP port 4500 for IPsec NAT-Traversal. The L2TP tunnel itself runs on UDP port 1701, but that traffic travels inside ESP and the firewall only sees it on its own if L2TP is run without IPsec.

  • Proxying firewalls and NAT

    A PPTP server can sit behind a NAT or proxying firewall if the firewall understands GRE. GRE is its own IP protocol and carries no port numbers; PPTP's variant of GRE identifies each tunnel by a 16-bit call ID, so a NAT device needs a PPTP helper that watches the control connection on TCP 1723 and rewrites call IDs in the GRE packets. Most firewalls include such a helper. An L2TP/IPsec server behind a NAT is a harder problem, but not because GRE is encrypted: L2TP/IPsec does not use GRE at all. The real obstacles are that ESP carries no port numbers for a port NAT to multiplex on, that in transport mode the inner UDP checksum (which covers the original addresses) is encrypted and cannot be fixed up, and that IKE with a preshared key looks peers up by IP address, so address rewriting breaks the negotiation. The fix is IPsec NAT-Traversal: the peers detect the NAT during IKE and wrap ESP in UDP port 4500, which a NAT translates like any other UDP flow. Both ends must support NAT-T for this to work.
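The port and protocol facts above (PPTP on TCP 1723 plus GRE, L2TP/IPsec as IKE plus ESP or NAT-T) are what a stateful firewall or NAT has to recognise. The following Python is an added example, not code from the original page: it parses the PPTP GRE header to pull out the call ID a NAT helper rewrites, reads the SPI from an ESP header, tells NAT-T's IKE and ESP apart by the non-ESP marker, and reports for each packet the key a port-based NAT could track it by (None for plain ESP, which is why plain L2TP/IPsec does not survive a NAT). All packets are constructed inline; there is no real capture behind them.

```python
"""Classify VPN packets the way a stateful firewall or NAT has to.

Added example, not code from the original page. Packets are constructed
inline from the header fields a firewall actually inspects (IP protocol,
L4 ports, GRE/ESP header); there is no real capture behind it.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
PPTP_CTRL_PORT, L2TP_PORT, IKE_PORT, NAT_T_PORT = 1723, 1701, 500, 4500
GRE_PROTO_PPP = 0x880B  # RFC 2637 "enhanced GRE" carrying PPP frames


@dataclass
class Packet:
    proto: int            # IP protocol number
    sport: Optional[int]  # None for GRE and ESP: they carry no ports
    dport: Optional[int]
    payload: bytes        # start of the GRE, ESP or UDP payload


def parse_pptp_gre(payload: bytes) -> dict:
    """Parse the PPTP (RFC 2637) GRE header.

    Returns the fields a NAT helper tracks or rewrites: the 16-bit call
    ID that names the tunnel, plus the optional sequence/ack numbers.
    Raises ValueError for anything that is not PPTP's GRE variant.
    """
    if len(payload) < 8:
        raise ValueError("GRE header truncated")
    flags0, flags1, ptype, length, call_id = struct.unpack("!BBHHH", payload[:8])
    key_present = bool(flags0 & 0x20)   # K bit: call ID field present (always set by PPTP)
    seq_present = bool(flags0 & 0x10)   # S bit: sequence number present
    ack_present = bool(flags1 & 0x80)   # A bit: acknowledgment number present
    version = flags1 & 0x07             # PPTP uses GRE version 1
    if ptype != GRE_PROTO_PPP or version != 1 or not key_present:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if seq_present:
        seq = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    if ack_present:
        ack = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "payload_len": length, "seq": seq, "ack": ack}


def parse_esp_spi(payload: bytes) -> int:
    """Return the SPI from an ESP header (RFC 4303: 4-byte SPI, 4-byte sequence).

    The SPI selects the security association on the receiver; a NAT can
    neither rewrite it nor see any port behind it.
    """
    if len(payload) < 8:
        raise ValueError("ESP header truncated")
    return struct.unpack("!I", payload[:4])[0]


def classify(pkt: Packet) -> dict:
    """Name the VPN flow a packet belongs to and the key a NAT could track it by.

    nat_key is None when the packet carries nothing a port-based NAT can
    multiplex on; that is exactly the plain-ESP case.
    """
    ports = (pkt.sport, pkt.dport)
    if pkt.proto == PROTO_TCP and PPTP_CTRL_PORT in ports:
        return {"vpn": "PPTP", "part": "control", "nat_key": ("tcp",) + ports}
    if pkt.proto == PROTO_GRE:
        gre = parse_pptp_gre(pkt.payload)
        return {"vpn": "PPTP", "part": "data", "nat_key": ("gre", gre["call_id"])}
    if pkt.proto == PROTO_UDP and IKE_PORT in ports:
        return {"vpn": "L2TP/IPsec", "part": "IKE", "nat_key": ("udp",) + ports}
    if pkt.proto == PROTO_UDP and NAT_T_PORT in ports:
        # RFC 3948: four zero bytes (the "non-ESP marker") mean IKE; otherwise
        # this is ESP wrapped in UDP, which a port NAT can translate normally.
        part = "IKE (NAT-T)" if pkt.payload[:4] == b"\x00\x00\x00\x00" else "ESP (NAT-T)"
        return {"vpn": "L2TP/IPsec", "part": part, "nat_key": ("udp",) + ports}
    if pkt.proto == PROTO_ESP:
        return {"vpn": "L2TP/IPsec", "part": "ESP", "nat_key": None,
                "spi": parse_esp_spi(pkt.payload)}
    if pkt.proto == PROTO_UDP and L2TP_PORT in ports:
        # Only seen like this when L2TP runs without IPsec; with IPsec it is inside ESP.
        return {"vpn": "L2TP (no IPsec)", "part": "tunnel", "nat_key": ("udp",) + ports}
    return {"vpn": None, "part": None, "nat_key": None}


# Constructed sample packets (not from a real capture).
PPTP_GRE = Packet(PROTO_GRE, None, None,
                  struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, 20, 0x1234, 7)
                  + b"\xff\x03" + b"\x00" * 18)          # 20-byte PPP frame follows
ESP_PLAIN = Packet(PROTO_ESP, None, None, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16)
NAT_T_ESP = Packet(PROTO_UDP, 4500, 4500, ESP_PLAIN.payload)
NAT_T_IKE = Packet(PROTO_UDP, 4500, 4500, b"\x00" * 4 + b"\x00" * 28)

if __name__ == "__main__":
    for p in (PPTP_GRE, ESP_PLAIN, NAT_T_ESP, NAT_T_IKE):
        print(classify(p))
```

The GRE flag bytes 0x30 0x01 in the constructed packet set the K and S bits with version 1, which is what a Windows PPTP client emits; a real NAT helper would keep a table from (inside address, call ID) to a rewritten call ID and patch the field in place, which is the "GRE editing" the page refers to.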

  • Router to Router Connections

    To create a tunnel between two Windows 2000 RRAS servers, each server needs a dedicated user account that the other server will log in with, and a demand-dial VPN interface whose name matches the user name the other server will present. RRAS uses that match to tell a calling router from an ordinary remote-access client: when the authenticated user name equals the name of a demand-dial interface, the call is bound to that interface and the static routes configured on it become usable; otherwise the caller is treated as a dial-in client and no routes are created. For example, if Server A connects to Server B using the account VPN1, Server B must contain a user account named VPN1 and a demand-dial interface named VPN1. Likewise, the interface on Server A is named after the account Server B will authenticate with, say VPN2. Give these accounts dial-in permission and nothing else; they exist only for the tunnel.

  • L2TP with no certificates

    L2TP/IPsec tunnels are considered more secure than PPTP tunnels because IPsec ESP wraps the entire L2TP packet: the L2TP and PPP headers, the session setup and the data are all encrypted and integrity-checked, so an observer sees only ESP packets with an SPI and a sequence number. (The outer IP header is not hidden; nothing inside it is visible.) With PPTP only the PPP payload is encrypted by MPPE; the GRE header, call IDs and PPP negotiation travel in the clear, and the MPPE keys derive from the MS-CHAP password exchange. There is a misconception that L2TP/IPsec requires each VPN server to trust a common certificate authority. If that is a problem in your environment, the RRAS documentation describes configuring both ends with an identical IKE preshared key (a "shared secret") in place of a machine certificate. If you go that route, make the shared secret long and random: generate at least 20 characters, preferably more, from a cryptographic random source with a mix of upper-case letters, lower-case letters, digits and symbols. Never use a word or phrase: an attacker positioned on the path can obtain IKE material to test guesses against offline, and because every peer holds the same key, a single weak or leaked secret exposes all of them. Change the key whenever a peer is decommissioned or compromised.
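The shared-secret advice above is easy to get wrong by composing a key by hand. The following Python is an added example, not code from the original page or from the RRAS documentation: it generates a preshared key from the operating system's CSPRNG and vets a candidate key against the page's floor (20 characters) plus an entropy estimate, so a key pasted into the RRAS dialog can be checked before it is deployed to every peer. The permitted symbol set is an assumption chosen to avoid characters that are awkward in configuration dialogs and scripts.

```python
"""Generate and vet an IKE preshared key for L2TP/IPsec.

Added example, not from the original page or Microsoft's RRAS
documentation. The key is a long-lived secret shared by every peer, so
it is drawn from the OS CSPRNG (secrets) rather than composed by hand.
The symbol set is an assumption: it omits quotes, backslash, backtick
and space, which are awkward to enter in dialogs and scripts.
"""
import math
import secrets
import string

SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LENGTH = 20        # the page's floor; the generated default is double that
MIN_BITS = 128.0       # comparable to the AES key the tunnel will negotiate


def generate_psk(length: int = 40) -> str:
    """Return a key of `length` characters chosen uniformly from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(psk: str) -> float:
    """Upper bound on the key's entropy: length * log2(size of the smallest
    character pool that could have produced it). Meaningful only for keys
    that really were chosen at random; a word or phrase has far less."""
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in cls for c in psk):
            pool += len(cls)
    if any(c not in string.ascii_letters + string.digits for c in psk):
        pool += len(SYMBOLS)
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str) -> list:
    """Return the policy violations for a candidate key; an empty list means it passes."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(c not in ALPHABET for c in psk):
        problems.append("contains characters outside the allowed set (e.g. space or quote)")
    bits = entropy_bits(psk)
    if bits < MIN_BITS:
        problems.append(f"estimated entropy {bits:.0f} bits is below {MIN_BITS:.0f}")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(key, check_psk(key))           # a generated key passes every check
    print(check_psk("Password123!"))     # too short and far too little entropy
```

The entropy figure is an upper bound that assumes the key was drawn uniformly from the character classes it uses; it will happily report 77 bits for "Password123!", which is why the generator, not the checker, is the part to rely on. Store the key once, in the RRAS configuration on each end, and treat it like any other shared credential.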
