
Section 27 remote access virtual private network workflow and experimental demonstration

2022-07-01 04:30:00 dare to try @


This article is for learning and exchange only.

1 Remote access VPN overview

(1) Remote access VPN: Remote Access VPN (RA-VPN).
(2) Applicability: commonly used by individuals to connect securely to the enterprise intranet.
(3) Usage: employees on business trips or working from home use it to connect to the intranet securely.
(4) The company generally deploys a VPN server; employees outside the company simply dial in to the VPN.
(5) Common RA-VPN protocols: PPTP VPN, L2TP VPN, SSTP VPN, EZVPN/EasyVPN (Cisco proprietary) and SSL VPN (the most commonly used).
(6) Windows generally ships with its own PPTP VPN and L2TP VPN server and dialing software.
(7) Why SSL VPN is used the most: the SSL VPN server provides not only the VPN service but also web access. When employees are on a business trip, they just need to find a computer, visit the web page to dial in, and follow the prompts.

2 Remote access VPN workflow

2.1 Assumptions:

(1) Assume the company's main router is configured as the VPN server. Its intranet interface has the private IP address 172.16.1.1 and its Internet interface has the public IP address 100.1.1.1.
(2) The company server has the private IP address 172.18.1.1.
(3) Employee B works from a small office or home office. The computer has the private IP address 192.168.1.1 and has VPN software installed; the home router's external interface has the public IP address 200.1.1.1 and its intranet interface has the private IP address 192.168.1.254.

2.2 Management connection process

(1) The employee dials in to the VPN server (public address 100.1.1.1) and requests a connection to the intranet.
(2) The VPN server responds by requiring the VPN client to authenticate. (Either server-local user authentication or domain user authentication can be used.)
(3) The employee enters the account name and password.
(4) The server now knows that 200.1.1.1 has built a VPN tunnel with it, and records this in a mapping table.
(5) The VPN server then sends the VPN client: (1) access rights; (2) a private IP address from its built-in range, such as 172.17.1.1. (The VPN server needs a built-in private IP address range, such as 172.17.1.1~200, from which it hands out addresses to employees who need remote VPN access.)

2.3 Data connection process:

(1) When employee B accesses the company server, the computer generates an IP packet with 172.17.1.1 as the source IP address and 172.18.1.1 as the destination address. After VPN encryption and encapsulation (by the client software) and NAT translation by the home router, the data frame changes as follows.
(2) The data frame arrives over the Internet at the VPN server's interface. From the management connection phase above, the VPN server already knows that IP 200.1.1.1 accesses intranet resources as 172.17.1.1. It decrypts and unpacks the data frame, obtains the IP packet and passes it into the VPN server, which routes the IP packet to the intranet interface according to its routing table.
(3) The intranet interface performs NAT on the IP packet: the source IP address 172.17.1.1 (in use by host B) is replaced with the VPN server's own 172.16.1.1, and the packet is encapsulated and sent on to the company server (host A). The conversion is recorded in a translation table.
(4) The company server receives the data frame, believes that the VPN server is accessing it, and replies to the VPN server.
(5) The VPN server receives the data frame from the company server. After unpacking it, it translates the packet's destination address using the NAT translation table from step 3, then re-encrypts and re-encapsulates it.
(6) The data frame arrives over the Internet at user B's host, where the VPN software decrypts and unpacks it.
(7) Note: in the data transmission process above, whatever resources the VPN server can reach, an employee on a business trip can generally reach too. Intranet hosts and other servers all believe that the VPN server is communicating with them, so the firewall's filtering of external data frames by source IP has been bypassed.
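The two tables this workflow relies on, the management-phase mapping (peer public IP to assigned tunnel address) and the intranet-side NAT translation table, as an added simulation that is not part of the original article. Addresses are the article's; the local user table, the port numbers in the NAT entries and the dict used as the "encrypted" outer frame are this model's own assumptions.

```python
from dataclasses import dataclass, replace

# Addresses from the article's scenario (section 2.1); LOCAL_USERS is constructed (aa / 123 from 3.4).
VPN_PUBLIC, VPN_INTRANET = "100.1.1.1", "172.16.1.1"
COMPANY_SERVER, HOME_PUBLIC = "172.18.1.1", "200.1.1.1"
LOCAL_USERS = {"aa": "123"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: str

class VpnServer:
    """Models the two tables the article describes: the mapping built in the
    management phase (peer public IP -> assigned tunnel IP) and the NAT table
    kept on the intranet interface (ports are the model's own addition)."""
    def __init__(self, pool):
        self.pool = list(pool)   # built-in private range, e.g. 172.17.1.1~200
        self.tunnels = {}        # peer public IP -> assigned tunnel IP
        self.nat = {}            # (server, server port, NAT port) -> (tunnel IP, client port)
        self.next_port = 40000

    def dial(self, peer, user, password):
        """Management phase (2.2): authenticate, then hand out a private address."""
        if LOCAL_USERS.get(user) != password or not self.pool:
            return None          # authentication failed or pool exhausted: no tunnel
        self.tunnels[peer] = self.pool.pop(0)
        return self.tunnels[peer]

    def from_internet(self, peer, inner):
        """Data phase steps (2)-(3): check the tunnel mapping, then NAT towards the intranet."""
        if self.tunnels.get(peer) != inner.src:
            return None          # unknown peer, or a tunnel address this peer was not given
        self.next_port += 1
        self.nat[(inner.dst, inner.dport, self.next_port)] = (inner.src, inner.sport)
        return replace(inner, src=VPN_INTRANET, sport=self.next_port)

    def from_intranet(self, reply):
        """Data phase steps (5)-(6): reverse the NAT, find the tunnel, re-encapsulate
        (the returned dict stands in for the outer header plus encrypted inner packet)."""
        key = (reply.src, reply.sport, reply.dport)
        if key not in self.nat:
            return None          # no matching translation entry: dropped
        tunnel_ip, client_port = self.nat[key]
        peer = next(p for p, t in self.tunnels.items() if t == tunnel_ip)
        inner = replace(reply, dst=tunnel_ip, dport=client_port)
        return {"outer_src": VPN_PUBLIC, "outer_dst": peer, "inner": inner}
```

The company server only ever sees 172.16.1.1 as the source, which is exactly why step (7) notes that source-IP filtering on the intranet firewall no longer distinguishes the remote employee from the VPN server.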

3 Remote access VPN simulation experiment

3.1 Network topology

(1) Open three virtual machines in VMware: winxp, win2003 and win2008. The VPN server is deployed on win2003.
(2) The network topology and IP address layout are shown in the figure below.
(3) Because win2003 needs to bridge to two VMnets, add a second network card to win2003. You need to work out which network card connects to the left side and which to the right.
(4) As the figure below shows, winXP and win2003 are bridged to the VMnet1 network, and win2003 and win7 are bridged to the VMnet8 network.

3.2 Configure IP addresses

(1) Manually configure IP addresses for winXP and win7.
(2) Because win2003 has two IP addresses, manually configure the IP of each of its two network cards. Note that you need to know which IP belongs to which network card.

(3) Test results:

  • 1) Try to ping winXP from win2003. This is communication within the same network segment, so the ping succeeds, and vice versa.
  • 2) Try to ping win7 from win2003. This is communication within the same network segment, so the ping succeeds, and vice versa.
  • 3) Try to ping win7 from winXP. This is communication between different network segments, so the ping fails, and vice versa.

3.3 Deploy the VPN server

(1) Windows comes with the PPTP and L2TP protocols and built-in server software; the port number is TCP 1723.
(2) In cmd, enter the command netstat -an and check whether the currently listening ports include this one. → No.
(3) On the win2003 system, click Start → Administrative Tools → Routing and Remote Access → right-click the server → click Configure and Enable Routing and Remote Access → Next.
(4) Multiple functions need to be configured, so check Custom configuration → Next.
(5) Check the items shown below → Next → Finish → Yes.
(6) Check the status of the VPN server's port: in cmd, enter netstat -an and check whether the listening ports now include this one. → Yes.
(7) Right-click the server → Properties → Security → Windows Authentication → IP → set the range of private IP addresses to be assigned to remote hosts.
(8) Configure the NAT table needed for address translation. Right-click NAT → New Interface → choose the network card connected to win7 → OK. Pay attention to which interface NAT is configured on.
(9) Note: which items the VPN server needs configured follows from the server's workflow.

3.4 Create a local user for the VPN client

(1) Right-click My Computer → Manage → expand Local Users and Groups → right-click in the blank area → New User.
(2) Set the new user name and password to aa and 123.
(3) The aa account is used later to authenticate when dialing the VPN service, but it does not yet have dial-in permission. Right-click the user → Properties → Dial-in → check Allow access.

3.5 winXP dials the VPN server

(1) Windows comes with the PPTP and L2TP protocols, so no additional VPN client software needs to be installed, but the connection has to be created first; different systems have different dialing methods.
(2) Dial. Right-click My Network Places → Properties → Create a new connection → Next → Connect to the network at my workplace.
(3) The dialing method is VPN → Next.
(4) While creating the connection, the company name is for your own reference, so write anything; the IP address entered should be filled in according to the actual situation.
(5) Check the option to create a shortcut → Finish.
(6) Begin dialing the VPN server and authenticate. The local user authentication method is used, with the account and password set during VPN server deployment.
(7) View the client information. It shows the VPN as connected; double-click to view the details.

3.6 winXP accesses win2008

Test result: winxp successfully pings win2008.

4 Extension

Question: after a host dials the VPN server successfully, which traffic goes through the tunnel?
(1) The PC judges whether the target host is in the same network segment as itself: if so, it looks for the target IP directly; if not, it looks for the gateway. This is because the computer actually has a routing table: directly connected network segments are reached directly, and non-directly-connected segments go via the gateway.
(2) Set winxp's gateway to 100.1.1.254.
(3) View winXP's routing table before dialing: the directly connected segment is reached directly, and non-directly-connected segments go via the gateway.
(4) View winXP's routing table after dialing. There are now two default routes: one is its own gateway and the other is the tunnel's gateway. The tunnel gateway's route has the smaller administrative distance (metric) and therefore higher priority. So under normal circumstances, after dialing the VPN, any access to a PC in another network segment goes through the tunnel, and everything is accessed as the VPN server.
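The route selection described in (3) and (4), as an added model that is not part of the original article: the same destination is resolved against winXP's routing table before and after dialing, and the second default route with the smaller metric wins. The tables are constructed; the metric values and the host route back to the VPN server are assumptions of this model, not values taken from the article's screenshots.

```python
import ipaddress

# Constructed routing tables modelled on the article's winXP host (section 4):
# entries are (destination network, gateway or None when on-link, metric).
# Metrics and the host route to the VPN server are this model's assumptions.
OWN_GATEWAY, TUNNEL_GATEWAY, VPN_SERVER = "100.1.1.254", "172.17.1.1", "100.1.1.1"

BEFORE_DIAL = [
    ("0.0.0.0/0", OWN_GATEWAY, 20),        # default route via the gateway set in step (2)
    ("100.1.1.0/24", None, 20),            # directly connected segment
]
AFTER_DIAL = BEFORE_DIAL + [
    ("0.0.0.0/0", TUNNEL_GATEWAY, 1),      # second default route: the tunnel, smaller metric
    ("172.17.1.1/32", None, 1),            # the private address handed out by the VPN server
    (VPN_SERVER + "/32", OWN_GATEWAY, 20), # keeps the encrypted outer frames off the tunnel itself
]

def lookup(table, dst):
    """Longest prefix match first; among equal prefixes the smallest metric wins."""
    addr, best = ipaddress.ip_address(dst), None
    for net, gateway, metric in table:
        network = ipaddress.ip_network(net)
        if addr in network:
            rank = (network.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gateway)
    return None if best is None else best[1]

def path(table, dst):
    """Classifies how winXP reaches dst: 'direct', 'own-gateway' or 'tunnel'."""
    gateway = lookup(table, dst)
    if gateway is None:
        return "direct"
    return "tunnel" if gateway == TUNNEL_GATEWAY else "own-gateway"
```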

5 Summary

(1) Focus on understanding the remote access VPN workflow.
(2) Understand and master, based on the principle, the VPN server deployment process (deploy the server, choose the authentication method, reserve the private IP address pool, configure and apply the NAT table).
(3) Understand that once dialed in, any access to a PC outside this network segment goes through the tunnel and is performed as the VPN server.


Original site

Copyright notice
This article was created by [dare to try @]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202160254324496.html