Creating the Local and Remote Gateways

Once we have settled our network infrastructure considerations and chosen a VPN protocol to carry our traffic, it's time to look at the configuration.

The configuration of local and remote VPN gateways is not so different from the configuration of a voluntary tunnel mode VPN server. We start from a basic VPN configuration on each of the servers. It is a good idea to test connectivity between your VPN gateways before trying to form the tunnel. A simple ping between the servers confirms IP reachability, but it does not prove that the tunnel protocol's own traffic will pass any router or firewall in between: PPTP needs TCP port 1723 plus GRE (IP protocol 47), and L2TP/IPsec needs UDP ports 500 and 4500 plus ESP (IP protocol 50), so check those as well if the tunnel fails to come up after a successful ping. Now, we need to add a couple of configuration settings to either server, or to both servers, depending on our design requirements and on whether each end has a persistent Internet connection.

We configure a demand-dial interface on the VPN gateway that we intend to use to call the other gateway. If we are going to set up both VPN gateways as calling routers, we will have to configure both VPN gateways with demand-dial interfaces. We also have the option to make the demand-dial interface a persistent connection, if our design calls for continuous connectivity between the remote LANs.

If we are using demand-dial interfaces to handle our tunnel connectivity, we can set the credentials and specify dial-out hours for the calling VPN gateway. We need to make sure we are using the same authentication protocols, encryption strength, and VPN protocol on both VPN gateways; a mismatch in any of these is the usual reason a tunnel that passes a ping test still fails to connect. As a rule of thumb, the majority of the settings configured on our local VPN gateway will be the same as the remote VPN gateway settings. We will also need a route from each VPN gateway to the LAN behind its counterpart. This can be added as a static route, or we can use a dynamic routing protocol to advertise the routes across the tunnel. If we want our routers to use a demand-dial circuit, we can add one last step: demand-dial filters.

The demand-dial filter is the trigger used to initiate a demand-dial circuit. Here, we use rules to specify the type of traffic that is allowed to initiate the circuit. We can specify a source address or network, a destination address or network, TCP source and destination port numbers, UDP source and destination port numbers, ICMP, or an IP protocol number to initiate the circuit. Only traffic that the routing table already sends to the demand-dial interface is evaluated against these filters; traffic that stays on the local LAN never reaches them.

For example, if we are using an ISDN connection to reach the Internet, we do not want a persistent connection, because we pay for every minute the line is up. We could configure our demand-dial circuit to come up whenever traffic from our source network (the local LAN subnet) is headed to the destination network (the remote LAN subnet). Maybe we only want certain traffic types to initiate the circuit. In that case we specify a packet filter based on the port number of the service being requested, so that background noise such as pings or name-resolution broadcasts does not bring the line up.
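The following is an added example, not code from the original text or from Windows Routing and Remote Access (RRAS); it models the trigger decision the two paragraphs above describe so the behaviour of a filter set can be checked before it is typed into a router. It assumes a hypothetical branch LAN 10.1.0.0/24 calling an HQ LAN 10.2.0.0/24 over ISDN, with 10.2.0.10 as the HQ mail and DNS server, and it models both filter modes RRAS offers on a demand-dial interface ("only for the following traffic" and "for all traffic except the following"). The packets are constructed sample traffic.

```python
"""Model of demand-dial trigger filters (illustrative; not RRAS code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# IP protocol numbers as carried in the IP header.
ICMP, TCP, UDP = 1, 6, 17
ANY = None  # a filter field left as ANY does not constrain the match


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None      # TCP/UDP source port
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class DialFilter:
    """One demand-dial filter: every field that is not ANY must match."""
    src_net: Optional[str] = ANY     # source address or network, CIDR
    dst_net: Optional[str] = ANY     # destination address or network, CIDR
    proto: Optional[int] = ANY       # IP protocol number
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY
    icmp_type: Optional[int] = ANY
    icmp_code: Optional[int] = ANY

    def matches(self, p: Packet) -> bool:
        if self.src_net is not ANY and IPv4Address(p.src) not in IPv4Network(self.src_net):
            return False
        if self.dst_net is not ANY and IPv4Address(p.dst) not in IPv4Network(self.dst_net):
            return False
        if self.proto is not ANY and p.proto != self.proto:
            return False
        # A constrained port or ICMP field that the packet does not carry
        # (or carries with another value) is a mismatch.
        for want, have in ((self.sport, p.sport), (self.dport, p.dport),
                           (self.icmp_type, p.icmp_type), (self.icmp_code, p.icmp_code)):
            if want is not ANY and have != want:
                return False
        return True


@dataclass
class DemandDialInterface:
    """A calling router's demand-dial interface: the static route(s) that send
    traffic to it plus the filters that decide whether that traffic dials."""
    routed_nets: List[str]          # destinations the static route(s) point here
    filters: List[DialFilter]
    only_for: bool = True           # True: dial only for matching traffic
                                    # False: dial for all traffic except matches

    def is_routed_here(self, p: Packet) -> bool:
        return any(IPv4Address(p.dst) in IPv4Network(n) for n in self.routed_nets)

    def should_dial(self, p: Packet) -> bool:
        # Filters are consulted only for packets the routing table already
        # forwards to this interface; local LAN traffic never reaches them.
        if not self.is_routed_here(p):
            return False
        hit = any(f.matches(p) for f in self.filters)
        return hit if self.only_for else not hit


def dial_decisions(iface: DemandDialInterface, packets: List[Packet]) -> List[bool]:
    """One True/False per packet: would this packet bring the line up?"""
    return [iface.should_dial(p) for p in packets]


# Constructed sample network (hypothetical addresses).
BRANCH_LAN, HQ_LAN, HQ_SERVER = "10.1.0.0/24", "10.2.0.0/24", "10.2.0.10/32"

# Constructed sample traffic seen by the branch router.
SAMPLE_TRAFFIC = [
    Packet("10.1.0.5", "10.2.0.10", TCP, sport=49152, dport=25),        # SMTP to HQ
    Packet("10.1.0.5", "10.2.0.10", UDP, sport=49153, dport=53),        # DNS to HQ
    Packet("10.1.0.5", "10.2.0.10", ICMP, icmp_type=8, icmp_code=0),    # ping to HQ
    Packet("10.1.0.5", "10.2.0.20", TCP, sport=49154, dport=445),       # SMB to HQ
    Packet("10.1.0.5", "10.1.0.255", UDP, sport=138, dport=138),        # local broadcast
    Packet("192.168.9.9", "10.2.0.10", TCP, sport=40000, dport=25),     # not from our LAN
]

# Scenario 1: any branch-to-HQ traffic brings the link up.
ANY_TRAFFIC = DemandDialInterface(
    routed_nets=[HQ_LAN],
    filters=[DialFilter(src_net=BRANCH_LAN, dst_net=HQ_LAN)],
)

# Scenario 2: only mail and DNS to the HQ server may dial; pings and
# file-sharing chatter must not run up the ISDN bill.
MAIL_AND_DNS_ONLY = DemandDialInterface(
    routed_nets=[HQ_LAN],
    filters=[
        DialFilter(src_net=BRANCH_LAN, dst_net=HQ_SERVER, proto=TCP, dport=25),
        DialFilter(src_net=BRANCH_LAN, dst_net=HQ_SERVER, proto=UDP, dport=53),
    ],
)

# Scenario 3: the "all traffic except" mode, here excluding ICMP.
ALL_BUT_PING = DemandDialInterface(
    routed_nets=[HQ_LAN],
    filters=[DialFilter(proto=ICMP)],
    only_for=False,
)

if __name__ == "__main__":
    for name, iface in (("any", ANY_TRAFFIC), ("mail+dns", MAIL_AND_DNS_ONLY),
                        ("all-but-ping", ALL_BUT_PING)):
        print(f"{name:13s}", dial_decisions(iface, SAMPLE_TRAFFIC))
```

The point worth noticing is the difference between scenarios 1 and 3 on the last packet: a source-network constraint in "only for" mode keeps a host outside our LAN from dialing on our behalf, whereas the "all except" mode dials for anything that is not explicitly excluded, so on a metered line the whitelist form is the safer default.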

Exam Warning

Since the exam is liable to ask questions about filtering certain types of traffic, make sure you know the basic port numbers and protocols involved. It is a good idea to know on which ports some of your more common services reside. Domain Name System (DNS, TCP and UDP port 53), Simple Mail Transfer Protocol (SMTP, TCP port 25), Post Office Protocol version 3 (POP3, TCP port 110), World Wide Web (WWW/HTTP, TCP port 80), Terminal Services (TCP port 3389), L2TP (UDP port 1701), and PPTP (TCP port 1723 plus GRE, IP protocol 47) are all fair game, just to name a few. If it is a fairly common service, it could be on the exam as part of one of your questions.
