
The Best Damn Windows Server 2003 Book Period- P83 doc


DOCUMENT INFORMATION

Basic information

Format
Number of pages 10
Size 404.27 KB

Contents

786 Chapter 22 • Planning, Implementing, and Maintaining a Routing Strategy

3. Right-click your server's icon and choose Configure and Enable Routing and Remote Access to start the Setup Wizard. Click Next to continue.
4. Select the Remote Access (dial-up or VPN) option, as shown in Figure 22.15, and then click the Next button.
5. Check the VPN check box, and then click the Next button.
6. In the VPN Connection window, shown in Figure 22.16, select the network interface that is connected to the Internet, and then click the Next button.
7. In the IP Address Assignment window, you have two choices:
■ Automatically Choose this option if you have a DHCP server you can use to automatically assign IP addresses to the remote clients. This setup will be easier to administer than assigning addresses manually. (However, if you do not have a DHCP server, you must specify a range of static addresses.) Click Next to continue.
■ From a specified range of addresses Choose this option if the remote clients can only be given an address from a specified pool of addresses. Click Next to continue. In the Address Range Assignment window, click the New button. In the Start IP address box, type the first IP address in the range of addresses you want to use. Then type in the last IP address in the range you've chosen. Windows Server 2003 will automatically calculate the number of addresses for you. Click the OK button to return to the Address Range Assignment window, and then click the Next button to continue.
8. In the next window, accept the default value of No, use Routing and Remote Access to authenticate connection requests, and click the Next button to continue.
9. Click Finish to turn on RRAS and to configure the server as a remote-access server.

Figure 22.15 Choose Remote Access
Figure 22.16 Choose the Interface Connected to the Internet

Once you have your server set up to provide VPN service, you can allow client machines to connect to it over the Internet. Using your new VPN connection is simple: click Start | Connect To and choose your new connection. If you don't already have a current connection to the Internet, you'll be offered the opportunity to connect. When the connection is made, the VPN server will prompt you for your name and password. Enter the necessary information and click the Connect button. All of the same resources available when you are directly connected to the network are available now. When you're ready to disconnect, simply right-click the connection and choose Disconnect.

Now that you know how to create and use a client VPN connection, what are the differences in setting up a router-to-router VPN? There are actually not very many differences. The following steps will walk you through the process of setting up a router-to-router VPN server.

Set Up Windows Server 2003 As Router-to-Router VPN Server

1. Select Start | Administrative Tools | Routing and Remote Access.
2. Right-click your server's icon and choose Configure and Enable Routing and Remote Access to start the Setup Wizard. Click Next to continue.
3. Select the Secure connection between two private networks option, as shown in Figure 22.17, and then click the Next button.
4. Choose the No option when you are asked if you want to use demand-dial connections, unless you need to use them, and then click the Next button again. If you choose Yes to use demand-dial connections, you'll have the opportunity to set up the demand-dial connections when this Wizard is finished. If you are using a full-time connection, you don't need the demand-dial connection.
5. Click Finish to turn on RRAS and to configure the server as a router-to-router VPN server.
Figure 22.17 Choose Secure Connection between Two Private Networks

Make sure you have addresses assigned to all the installed interfaces and that you've installed and set up your routing protocols on each interface. Then you should be able to use this router.

Packet Filtering and Firewalls

One of the best features available in RRAS is the ability to filter TCP/IP packets traveling in either direction. For all practical purposes, enabling packet filtering creates a firewall on your server. You can build filters that either allow or deny packet traffic into or out of your network. You do this by specifying rules that designate source and destination addresses and ports. Normally, you set up these filters to block information that the machines in your network should not receive. The filters are set up on a specific interface. This means that the filters on one interface are completely independent of the filters on another. Incoming and outgoing filters are also independent of one another.

Simply put, you have two choices with input filters: accept all traffic over the interface except the traffic you specify, or drop all traffic except the traffic you specify. Output filters are configured in the same manner. Which choice you should make most often depends on the context and purpose of the filter. The second option is the most secure. If you are attempting to keep all but very specific traffic out of your network, this would be the correct choice. The first choice is appropriate if you are just trying to stop specific traffic.

For instance, say you have a Web server and the only traffic you want to allow on this server is traffic traveling to and from the Web server service. All you need to do is configure an input filter for the destination IP address of the Web server and the TCP destination port 80. At the same time, you will want to configure an output filter for the source IP address of the Web server and the TCP source port 80. If these two filters are the only two filters operational on this server, the only traffic that will be allowed across the interface is TCP traffic to and from the Web server service on your Windows Server 2003 machine.

You need to be careful about how you implement these filters, so that you don't make them too restrictive, which would impair the functionality of the other protocols operating on the server. For instance, given our example of a Web server, we can't use PING or any other basic IP troubleshooting tool on that computer now, because we've restricted it to only Web traffic on port 80. We'll talk more about troubleshooting shortly.

It's a good idea to use packet filtering to block unwanted traffic from your VPN servers. There are two basic sets of rules for this process: PPTP packet filters and L2TP packet filters. For PPTP, there are at least two filters that are required to block non-PPTP traffic. You need to allow Generic Routing Encapsulation (GRE) packets to pass. You also need to allow inbound traffic on TCP port 1723. If the PPTP server is also acting as a PPTP client, you can add a third filter to allow outbound traffic on TCP port 1723 as well. After these filters are established, choose the Drop All Packets Except Those That Meet The Criteria Below radio button. Then close the dialog box. Repeat the process on the output side.
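The Web server filter pair and the PPTP filter set described above, together with the L2TP set listed next, modelled as an added example (not code from the book or from RRAS) that checks which constructed packets each set forwards in the Drop All Packets Except mode; the server and client addresses are assumed sample values.

```python
# Added example (not from the book): a small model of RRAS per-interface packet
# filters, used to check what the filter sets in this section let through.
# Server and client addresses are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "gre" or "icmp"
    sport: Optional[int] = None  # gre and icmp carry no ports
    dport: Optional[int] = None

@dataclass(frozen=True)
class Filter:
    proto: str = "any"
    src: str = "0.0.0.0/0"       # address + mask; /32 is mask 255.255.255.255
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def decide(filters, drop_all_except: bool, p: Packet) -> str:
    """One direction of one interface. drop_all_except=True is the
    'Drop All Packets Except Those That Meet The Criteria Below' mode;
    False is the 'accept all traffic except what you specify' mode."""
    hit = any(f.matches(p) for f in filters)
    if drop_all_except:
        return "forward" if hit else "drop"
    return "drop" if hit else "forward"

WEB, VPN, CLIENT = "203.0.113.10", "203.0.113.20", "198.51.100.7"
# Web server example from the text: only TCP port 80 to and from the server.
WEB_IN = [Filter("tcp", dst=WEB + "/32", dport=80)]
WEB_OUT = [Filter("tcp", src=WEB + "/32", sport=80)]
# PPTP server: GRE plus inbound TCP 1723 (add outbound 1723 if also a client).
PPTP_IN = [Filter("gre"), Filter("tcp", dport=1723)]
# L2TP: UDP 500 and UDP 1701 in both directions, VPN address with /32 mask.
L2TP_IN = [Filter("udp", dst=VPN + "/32", sport=500, dport=500),
           Filter("udp", dst=VPN + "/32", sport=1701, dport=1701)]
L2TP_OUT = [Filter("udp", src=VPN + "/32", sport=500, dport=500),
            Filter("udp", src=VPN + "/32", sport=1701, dport=1701)]

def web_server_decisions() -> dict:
    """The caveat from the text: HTTP still passes, but PING no longer does."""
    return {"http_in": decide(WEB_IN, True, Packet(CLIENT, WEB, "tcp", 51000, 80)),
            "http_out": decide(WEB_OUT, True, Packet(WEB, CLIENT, "tcp", 80, 51000)),
            "ping_in": decide(WEB_IN, True, Packet(CLIENT, WEB, "icmp")),
            "smb_in": decide(WEB_IN, True, Packet(CLIENT, WEB, "tcp", 51001, 445))}

def vpn_decisions() -> dict:
    return {"pptp_ctrl": decide(PPTP_IN, True, Packet(CLIENT, VPN, "tcp", 51002, 1723)),
            "pptp_gre": decide(PPTP_IN, True, Packet(CLIENT, VPN, "gre")),
            "ike_in": decide(L2TP_IN, True, Packet(CLIENT, VPN, "udp", 500, 500)),
            "l2tp_out": decide(L2TP_OUT, True, Packet(VPN, CLIENT, "udp", 1701, 1701)),
            "dns_in": decide(L2TP_IN, True, Packet(CLIENT, VPN, "udp", 53000, 53))}
```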
For L2TP packet filters, you will need four filters: two for input and two for output, as follows:
■ An input filter with the VPN interface address and a network mask of 255.255.255.255, filtering the User Datagram Protocol (UDP) with a source and destination port of 500
■ An input filter with a destination of the VPN address and a network mask of 255.255.255.255, filtering UDP traffic with a source and destination port of 1701
■ An output filter with a source of the VPN interface address and a network mask of 255.255.255.255, filtering UDP traffic with a source and destination port of 500
■ An output filter with a source of the VPN interface address and a network mask of 255.255.255.255, filtering UDP with a source and destination port of 1701

Logging Level

Coming up with a good logging strategy is important to the proper maintenance of your network and the devices that are used on it. What to log is probably one of the most important questions you will consider. If you have too much logging, the performance of your server and the network will decline sharply. If you have too little logging, when you have a problem, you won't have the information you need to determine the source and cause. The best choice is to log only those options you really need, and when you don't need a particular type of log data anymore, stop recording it.

In order to set the logging levels, open the RRAS module, right-click the server you wish to administer, choose Properties, and then click the Logging tab. As shown in Figure 22.18, the Logging tab contains several options for the various types of events that you can log. The default is to log all errors and warnings. You can also check the Log additional Routing and Remote Access information (used for debugging) check box, which, as its name implies, will assist you in debugging.
Troubleshooting IP Routing

Here, we will look at the two main tools you might use in troubleshooting IP routing and the common problems that occur with IP routing, which is critical to maintaining a network.

Identifying Troubleshooting Tools

Your best troubleshooting tools are those tools you should be using on a daily basis for network management and monitoring. Windows Server 2003 ships with the Network Monitor tool (NETMON.exe), which is an excellent protocol analyzer you can use to monitor your network. This tool captures and displays information about the IP packets moving in your network and can tell you about the traffic patterns, the broadcast rates, how the network is being used, what kinds of errors you might be experiencing, and many other aspects concerning the behavior of your network.

The Routing and Remote Access console is another excellent troubleshooting tool. Using this tool, you can show your network's TCP/IP information, your IP routing table, the router's RIP neighbors, its OSPF area, the LSDB, the router's OSPF neighbors, and the OSPF virtual interface. Other familiar tools that you can use for troubleshooting include PING, pathping, Tracert, mrinfo, and Netsh. Let's take a look at how you can use these tools to verify and troubleshoot your connections.
Figure 22.18 Set the Logging Level

Another useful troubleshooting tool is the pathping command. This command combines aspects of PING and Tracert, and adds some additional features that make it an excellent troubleshooting tool. This tool works by measuring the packet loss across each router between the source machine and the destination. This information can help you determine where your network reliability problems may be coming from. The syntax for the pathping command is as follows:

pathping [-n] [-h maximum_hops] [-g host-list] [-p period] [-q num_queries] [-w timeout] [-T] [-R] final_destination

Where:
■ -n Tells pathping not to resolve addresses to host names.
■ -h maximum_hops Sets the maximum number of hops you want the command to search for the target. The default is 30 hops.
■ -g host-list Provides a loose source route along the host list.
■ -p period Sets the wait period in milliseconds between pings. The default is 250 milliseconds.
■ -q num_queries Sets the number of queries per hop. The default is 100 queries.
■ -w timeout Sets the time length in milliseconds to wait for each reply before the command times out on that hop. The default is 3000 milliseconds.
■ -T Tests the connectivity to each hop with Layer-2 priority tags.
■ -R Tests to see if each hop is RSVP-aware.
■ final_destination The host name or IP address of the network, domain, or machine that you are testing the route to.

The tool will first trace the route to the destination, and then analyze the traffic running through each hop. Keep in mind that one test is not sufficient to give you a good idea about what is going on. There is no specific number of lost packets that signifies that a link is causing you problems.
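An added example (not from the book) that parses the statistics table pathping prints and flags any hop whose inbound link or node loss is in double digits, the level at which the text suggests taking a closer look; the pathping output embedded below is a constructed sample in pathping's layout, with sample host names and addresses.

```python
# Added example (not from the book): parse pathping's statistics table and flag
# links or nodes with double-digit loss. PATHPING_OUTPUT is a constructed sample
# in the layout pathping prints; the hosts and addresses are sample values.
import re

PATHPING_OUTPUT = """\
Computing statistics for 100 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           admin-ws [192.168.1.10]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.168.1.1
                               12/ 100 = 12%   |
  2   28ms    12/ 100 = 12%     0/ 100 =  0%  10.0.0.1
                                0/ 100 =  0%   |
  3   30ms    12/ 100 = 12%     0/ 100 =  0%  fileserver [10.20.0.25]

Trace complete.
"""

# "   12/ 100 = 12%   |" is the loss on the link leading into the next hop
LINK_RE = re.compile(r"^\s*(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+\|\s*$")
# "  2   28ms    12/ 100 = 12%     0/ 100 =  0%  10.0.0.1" is a hop line;
# the RTT column reads "---" when the hop never answered
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\d+)ms|---)\s+"
                    r"(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+"          # source to here
                    r"(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+(\S.*)$")  # this node, address

def parse_pathping(text: str) -> list:
    """One record per hop that carries statistics (hop 0, the source, has none)."""
    records, link_loss = [], None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            link_loss = int(m.group(3))   # remember until the next hop line
            continue
        m = HOP_RE.match(line)
        if m:
            records.append({"hop": int(m.group(1)),
                            "rtt_ms": int(m.group(2)) if m.group(2) else None,
                            "cumulative_loss": int(m.group(5)),
                            "node_loss": int(m.group(8)),
                            "link_loss": link_loss,
                            "address": m.group(9).strip()})
            link_loss = None
    return records

def suspect_hops(records: list, threshold: int = 10) -> list:
    """Hops whose inbound link or own node loss reaches double digits. As the
    text notes, one run proves little; compare runs at peak and off-peak."""
    out = []
    for r in records:
        worst = max(r["link_loss"] or 0, r["node_loss"])
        if worst >= threshold:
            out.append((r["hop"], r["address"], worst))
    return out
```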
If the number is in double digits, though, you should probably examine that route carefully. To get a realistic picture of what is going on in your network, test a router over time, and test in both peak and off-peak usage.

If you're using multicast routing, another useful troubleshooting command is mrinfo. This command displays multicast router configuration information. The syntax is as follows:

mrinfo [-n] [-?] [-i address] [-t secs] [-r retries] destination

Where:
■ -n Displays the IP addresses in numeric format.
■ -? Prints usage information.
■ -i address Specifies the IP address of the local interface from which the query is sent.
■ -r retries Specifies how many times an SNMP query is to be resent. The default value is 0.
■ -t secs Specifies how long to wait for an IGMP neighbor query reply. The default is three seconds.

The mrinfo command displays the interfaces for both the multicast router and its neighbors on each interface. It also provides the names of the neighboring domains, the multicast routing metric, and the TTL.

Also, the Netsh utility, discussed in the "Using Netsh Commands" section earlier in this chapter, can display the configurations of protocols, filters, and routes. It also allows you to reconfigure interfaces. Don't overlook this valuable tool as an option for troubleshooting IP routing.

Common Routing Problems

If you suspect that your RRAS server isn't functioning properly, start by making sure the RRAS server is running. You might be surprised how many times the problem turns out to be RRAS not being turned on. Most TCP/IP administrators spend much of their time troubleshooting the hardware. Connectors go bad, NICs die, and cables break or are cut. You need to troubleshoot and repair these elements before you start looking at the software.
Consider these potential trouble spots first:
■ Check for basic communication between systems first. Broken cables, loose connections, and so on can cause what might look like much more complex problems.
■ Make sure that your systems are in compliance with the standards you've chosen. This means you need to verify that all devices on your Ethernet are broadcasting Ethernet and not something else. Make sure you have the correct types of cables. An example of this is the common mistake beginners sometimes make of using RG59A/U cable instead of RG58A/U. The former cable type is used in broadcasting, specifically with video; the latter is used with IEEE 802.3 10Base2 networks.
■ Carefully isolate your problem to a single LAN, MAN, or WAN segment by going through each individually. Keep in mind that it is extremely rare for two segments to go down at the same time.

Interface Configuration Problems

Make sure that the RRAS server is configured to perform as an IP router. Open the RRAS Microsoft Management Console (MMC) and verify all your settings. Make sure that you have enabled RRAS on the Windows Server 2003 machine you are expecting to perform as a router. It could be that you have the wrong server configured. Also, keep in mind that the system must first make the physical connection to the network. After that, it must make the logical connections.

The router also might not be receiving routed data from other routers. Take a look at the routing table to see that the router is receiving routes from the other routers. If there is anything there other than Local in the Protocol column, the router is receiving routes via the routing protocols. If not, double-check the rest of the settings in this section and pay particular attention to the appropriate protocol.

RRAS Configuration Problems

Routing for the correct LAN protocol may not be enabled. If you're using IP routing, make sure that IP routing is enabled on the IP tab of the server's property sheet. Also, make sure that you have IP routing protocols attached to each of the interfaces where they are needed. The wrong protocol could be installed, or the right protocol could have been installed on the wrong interface. The correct protocol must be installed on the appropriate interface for this to work correctly.

Routing Protocol Problems

One of the most common problems you'll face with RIP for IP is incorrect routing table entries. If you're seeing wrong or inconsistent routes in the routing tables, or if routes are totally missing, you should look at the following possibilities:
■ The wrong version of RIP could be in use.
■ Silent RIP hosts might not be receiving hosts.
■ The subnetting scheme on your network could be incompatible with your routing infrastructure.
■ A router might be using the wrong password.
■ Routing filters might be too restrictive.
■ Packet filters might be too restrictive.
■ Neighbors might be incorrectly configured.
■ Default routes might not be being propagated.

If your router is using OSPF, make sure that the Enable OSPF on this interface check box is selected. This option is in the interface's OSPF Properties dialog box. Also make sure that your router is receiving routing information from the other routers on the network. Do this by opening the routing table and looking at the Protocol column. One of the following might be the problem with OSPF:
■ OSPF might not be enabled on the desired interface.
■ The neighboring router might be unreachable.
■ The OSPF settings may not match on each of the neighboring routers.
■ The stub area configuration or area ID on neighboring routers may not match.
■ Interfaces may not be configured with OSPF neighbor IP addresses.
■ There may not be a designated router (DR) for the network.
■ Packet filtering may be too restrictive.
■ Summarized routes may be configured improperly.
■ ASBR source or route filtering may be too restrictive.
■ Virtual links may be incorrectly configured.

If a routing table entry is marked as being either OSPF or RIP, then information from some of the other routers on your network is getting through. If you do not see any OSPF or RIP entries in the table, you have a problem.

TCP/IP Configuration Problems

Verifying first that the router's TCP/IP configuration is correct may save you a lot of time. You must use the correct IP address and subnet mask.

Routing Table Configuration Problems

You'll need to have a static default route defined and enabled so that your router will forward any packets for which there is no specific route designated. If the default route is incorrect or missing, you will have problems. If you're using default routing, the default route must be learned through the routing protocols or statically configured on the router over the correct interface.

Chapter 23 Planning, Implementing, and Maintaining Internet Protocol Security

In this chapter:
■ Understanding IP Security (IPSec)
■ Deploying IPSec
■ Managing IPSec
■ Addressing IPSec Security Considerations
■ Using RSoP for IPSec Planning

Introduction

Securing sensitive or mission-critical data is an important part of the network administrator's job. Data is especially vulnerable to interception as it travels across the network. Windows Server 2003 includes Microsoft's implementation of the Internet standard IP Security (IPSec) protocol, for the purpose of protecting data in transit. This chapter deals with how to work with Windows Server 2003's IPSec. We start by introducing IPSec terminology and concepts and explaining how IPSec works "under the hood" to secure data in transit over the network.
We discuss the purposes of IPSec encryption: authentication, integrity, and confidentiality. You'll learn about how IPSec operates in either of two modes: tunnel or transport. Although we refer to IPSec as a protocol, it is actually a framework, or a collection of protocols and standards designed to protect IP data in transit. In this chapter, you'll learn about the protocols used by IPSec. These include the two primary protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. We'll also discuss the roles of additional protocols used by IPSec, including the Internet Security and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE), the Oakley key-determination protocol, and the Diffie-Hellman key-agreement protocol. You'll learn about Windows Server 2003's IPSec components—the IPSec

Posted: 05/07/2014, 00:20
