VPN Gateway Basics
VPN gateways can take on a number of different forms, including firewalls, servers, or routers. Any device that can transmit data and perform internetworking can serve as a VPN gateway, but most of the time it is a physical router device. The purpose of a VPN gateway is to send and receive encrypted traffic between a network and an on-premises location. It is possible to create several connections with one VPN gateway, which then share its bandwidth. Another term for a VPN gateway is a VPN router, so named because it connects two Local Area Networks (LANs). Corporate networks are connected through VPN servers running Routing and Remote Access Service (RRAS).
Designing VPN Gateways
Several factors that affect how a VPN gateway is designed and implemented include:
- Name resolution
- Dynamic routing
- Auto-static routing updates
- Routing table maintenance
- IP address assignment
Most VPN gateways use a hub-and-spoke design. This is particularly suitable for a corporate network because it lets the network controller manage Internet access centrally. A good starting point for a VPN gateway is a portal, which allows you to build and configure resources. As your gateway grows, you can switch to a more powerful tool such as PowerShell, which can both change existing resources and configure new ones. The VPN gateway is installed at the core VPN site, on the VPN infrastructure. A functioning VPN gateway can handle traffic in one of three ways:
- Route traffic: passes it into the gateway and on to its intended destination
- Block traffic: does not let it pass through the gateway
- Pass traffic: sends it out of the gateway to its intended destination
Configuring VPN Gateways
Creating a strong connection between VPN gateways depends on which settings you select for the resources involved. One of these settings is name resolution. All involved clients need to be able to communicate with the correct name resolution servers in order to find both local and remote resources. The Dynamic Host Configuration Protocol (DHCP) server can provide the IP addresses of the name resolution servers, which allows the VPN gateway networks to operate. The name resolution servers themselves can operate on the local LAN, or the clients in question can use the existing VPN connection to forward their requests for existing resources to the remote access servers. For those using DNS, Internet DNS can provide the name resolution as well. Another important configuration setting is the choice of routing protocols. Routing protocols allow routers to communicate with each other. They also make available the routes data can take, as well as which routers are the best fit for which type of communication. The four main types of routing protocols used in RRAS are:
- The Routing Information Protocol (RIP)
- The Open Shortest Path First (OSPF) protocol
- The multicast routing protocol: IGMP router and proxy
- The DHCP Relay Agent
RIP and OSPF, the two dynamic protocols on the list, share routing update information between the routers and keep the routing table stocked with current information. OSPF is best used when exchanging information within very large networks. While it is more difficult to set up and maintain than RIP, it is also more efficient than RIP and generally requires less overhead. A third setting to consider before finalizing your VPN gateway is which VPN tunnel protocol to use. Two to consider are the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). PPTP uses a TCP connection to both build and maintain the VPN tunnel for the purpose of moving the tunneled data. The tunneled data can be both encrypted and compressed. In the L2TP model, the tunneled data is sent over IP, ATM, frame relay, and X.25 networks. L2TP can be combined with IPSec to provide the strongest security.
Troubleshooting VPN Gateways
No connection is foolproof, and there are always glitches along the way. However, here are a few checklist items to verify if your VPN gateway is not functioning correctly:
- Each remote access server must be configured to handle the right number of connections. Verify this by checking the number of ports specified in the Ports node of the Routing and Remote Access console.
- Each remote access server must have its 'Enable IP routing' option selected. Verify this on the IP tab of the Server Properties dialog box.
- Ensure the VPN connection has the proper permissions in each user account's dial-in properties as well as in the remote access policies.
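The checklist above can be walked through from PowerShell, the tool the article suggests once a gateway grows. The script below is an added example, not part of the original article or of RRAS itself; it assumes it runs as an administrator on the RRAS server with an English locale and the RSAT ActiveDirectory module installed, and $ExpectedPorts and $UsersToCheck are placeholders you replace with your own values.

```powershell
# Constructed values: replace with the port count you configured and the VPN users to audit.
$ExpectedPorts = 128
$UsersToCheck  = @('alice', 'bob')

# Checklist item 0 (implicit in all three): the Routing and Remote Access service must be running.
$svc = Get-Service -Name RemoteAccess
"RemoteAccess service status: $($svc.Status)"

# Checklist item 1: port capacity. Count the sessions RRAS currently has open and compare them
# to the number of ports configured in the Ports node. A count at or near the limit means new
# clients will be refused even though everything else is configured correctly.
$active = @(Get-RemoteAccessConnectionStatistics).Count
"Active VPN sessions: $active of $ExpectedPorts configured ports"
if ($active -ge $ExpectedPorts) { Write-Warning 'All configured ports are in use; raise the port count in the Ports node.' }

# Checklist item 2: IP routing. 'netsh ras ip show config' reports an 'Access mode' line:
# 'all' lets clients reach the whole network (the 'Enable IP routing' behaviour), while
# 'serveronly' confines them to the RRAS server itself. Parsing assumes English netsh output.
$ipConfig   = netsh ras ip show config
$modeLine   = $ipConfig | Select-String -Pattern 'Access mode\s*:\s*(\S+)' | Select-Object -First 1
$accessMode = if ($modeLine) { $modeLine.Matches[0].Groups[1].Value.ToLower() } else { 'unknown' }
"IP access mode: $accessMode"
if ($accessMode -ne 'all') { Write-Warning "Clients cannot route past the server (Access mode = $accessMode); enable IP routing on the IP tab." }

# Checklist item 3: dial-in permission on each user account. msNPAllowDialin is the AD attribute
# behind the Dial-in tab: $true = Allow access, $false = Deny access, unset = Control access
# through NPS network policy (so the remote access policies decide, and must be checked there).
foreach ($u in $UsersToCheck) {
    $acct = Get-ADUser -Identity $u -Properties msNPAllowDialin
    $perm = switch ($acct.msNPAllowDialin) {
        $true   { 'Allow access' }
        $false  { 'Deny access' }
        default { 'Controlled by NPS policy' }
    }
    "{0,-12} dial-in: {1}" -f $u, $perm
    if ($acct.msNPAllowDialin -eq $false) { Write-Warning "$u is explicitly denied dial-in access." }
}
```

Accounts reported as 'Controlled by NPS policy' are not necessarily allowed; the remote access (network) policies on the NPS server still have to grant them a connection.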