ZDNet UK


Tune up your VPN network connections

Dr. Thomas Shinder MCSE

Published: 16 May 2002 21:22 BST

DHCP
If you work on a network of any appreciable size, you probably already have a DHCP server providing IP addressing information to your internal network clients. That same DHCP server or servers can be used to assign IP addresses to your VPN clients. You can create custom scopes for your VPN clients to make it easier to control the IP address assignment to these machines.

A note about scopes
A scope is a collection of IP addresses that belong to a particular network ID. When a DHCP server is configured with a scope, it can service requests for IP addresses from clients on that network ID.

The DHCP server can be on the same network as the internal interface of the VPN server or on a remote network. If you need to use a DHCP server on a remote network, you must configure a DHCP Relay Agent, which acts as a router for DHCP messages. The VPN server will be able to obtain addresses for the DHCP clients by taking advantage of the DHCP message routing capabilities of the DHCP Relay Agent, which is why the DHCP Relay Agent is considered a routing protocol.

Installing and configuring the DHCP Relay Agent on the VPN server is easy. In the RRAS console, expand your server name and expand the IP Routing node. Right-click on the General node and select New Routing Protocol. In the New Routing Protocol dialog box, click on the DHCP Relay Agent entry and click OK.

The DHCP Relay Agent will appear in the left pane. Right-click on the DHCP Relay Agent node and select New Interface. Click on Internal and then click OK. In the DHCP Relay Properties dialog box, leave the defaults -- unless you want the DHCP packets to hop more than four routers -- and click OK. Right-click the DHCP Relay Agent node and open its properties sheet. In the DHCP Relay Agent Properties dialog box, type in the IP address of the DHCP server and then click Add and OK. The DHCP Relay Agent will now forward DHCP messages to the DHCP server you entered in the Properties dialog box.

Note that if you place the DHCP server on a remote network, the server should have a NIC installed with an IP address for each network ID for which it has scopes. If you try to logically multihome the server, all the addresses will be served from the scope matching the primary IP address bound to the network interface. Each interface is connected to the same physical segment. The Relay Agent will allow assignment from the appropriate scope, but DHCP clients on the same physical segment as the multihomed DHCP server can receive addresses from any of the scopes.

Multihomed DHCP servers
You can multihome a DHCP server so that it supports scopes on multiple network IDs. However, the server must be physically, instead of logically, multihomed because the DHCP server service will bind only the primary IP address on each interface. The primary IP address is the IP address on the top of the list of IP addresses found in the Advanced tab of the TCP/IP configuration for the interface.

Routing tables
When you have a single network segment on your internal network, you don't have to worry about router issues. The VPN clients can be assigned IP addresses on the same network ID as the internal interface of the VPN server and reach all resources on the local network segment. However, problems arise when the internal network has multiple subnets.

If the internal network has multiple network IDs, and VPN clients need to reach resources on these multiple network IDs, configure the routing table on the VPN server. The VPN clients rely on the routing table on the VPN server to reach resources on remote networks.

If there are only a few internal subnets, and there's only a single path to each subnet, you can manually configure the routing table on the VPN server. The routing table can be configured using either the Route Add command or by using the Routing And Remote Access console. I recommend that you use the RRAS console to create new routing table entries, as the GUI is easier to use and leads to fewer mistakes in configuration.

Large networks that allow multiple paths to internal network resources don't lend themselves to static routing table entries. These networks require that you use a routing protocol. The Windows 2000 RRAS supports both the Routing Information Protocol version 2 (RIPv2) and Open Shortest Path First (OSPF). RIPv2 is the easiest to configure; it requires little or no configuration after it's installed. RIPv2 supports Variable Length Subnet Masking (VLSM) and password protection for sharing routing information with its neighbors. OSPF is a more powerful routing protocol that provides a great array of routing options, but it is more complex to configure and shouldn't be considered a plug-and-play routing protocol solution. While RIPv2 is much easier to set up and configure, it doesn't scale well because it's a broadcast-based protocol.

Once the VPN server has routing table entries for all the subnets on the internal network, the VPN clients will be able to reach all segments on the internal network.
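
The following added example (not part of the original article) checks a VPN server's routing table for internal subnets that lack a route on the internal interface; without one, traffic for that subnet follows the default route out the external interface. The subnets, gateways and interface labels are constructed sample values.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the article).
INTERNAL_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24",
                    "192.168.3.0/24", "192.168.4.0/23"]
# (destination, gateway, interface) entries as they might appear on the VPN server.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "external"),         # default route to the Internet
    ("192.168.1.0/24", "on-link", "internal"),        # directly attached segment
    ("192.168.2.0/24", "192.168.1.254", "internal"),
    ("192.168.4.0/24", "192.168.1.254", "internal"),  # covers only half of the /23
]

def best_route(routes, address):
    """Longest-prefix match: the entry the VPN server would use for address."""
    ip = ipaddress.ip_address(address)
    hits = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def uncovered(routes, subnet, interface="internal"):
    """Return the parts of subnet that no route on the given interface covers."""
    remaining = [ipaddress.ip_network(subnet)]
    for dest, _gw, iface in routes:
        if iface != interface:
            continue  # the default route must not count as internal reachability
        net = ipaddress.ip_network(dest)
        pieces = []
        for part in remaining:
            if part.subnet_of(net):
                continue                                  # fully covered
            if net.subnet_of(part):
                pieces.extend(part.address_exclude(net))  # partly covered
            else:
                pieces.append(part)                       # disjoint, still unrouted
        remaining = pieces
    return sorted(remaining)

def audit(routes, subnets):
    """Map each internal subnet that has a gap to its unrouted ranges."""
    report = {}
    for s in subnets:
        gaps = uncovered(routes, s)
        if gaps:
            report[s] = [str(g) for g in gaps]
    return report

if __name__ == "__main__":
    for subnet, gaps in audit(ROUTES, INTERNAL_SUBNETS).items():
        print(f"{subnet}: no internal route for {', '.join(gaps)}")
```

`best_route` shows where a VPN client's packet for a given address would actually be sent, which makes a missing entry visible as a match on the external default route.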
