Step-by-Step Guide for Setting Up a
PPTP-based Site-to-Site VPN Connection
in a Test Lab
Microsoft Corporation
Published: May 2005
Author: Microsoft Corporation
Abstract
This guide describes the configuration of a Point-to-Point Tunneling Protocol (PPTP)-
based site-to-site virtual private network (VPN) connection using five computers in a test
lab. The VPN connection described in this guide enables you to simulate and observe
Microsoft® Windows® Server™ 2003 site-to-site VPN functionality. The VPN connection
described in this guide is for testing purposes only, and cannot be used in a production
environment.
This guide assumes familiarity with Transmission Control Protocol/Internet Protocol
(TCP/IP), IP routing, and the capabilities of the Windows Server 2003 Routing and
Remote Access service.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks
of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Step-by-Step Guide for Setting Up a PPTP-based Site-to-Site VPN Connection in a Test
  Lab.............................................................................................................................. ....1
    Abstract.................................................................................................... ...................1
Contents........................................................................................................................ .....4
Step-by-Step Guide for Setting Up a PPTP-based Site-to-Site VPN Connection in a Test
  Lab          ............................................................................................................. ........5
  Setting Up the Test Lab................................................................................................. ..5
    Configuration for CLIENT1...................................................................... ....................8
    Configuration for CLIENT2...................................................................... ....................8
    Configuration for the Answering and Calling Routers................................. .................9
      ROUTER1...................................................................................................... ..........9
      ROUTER2.................................................................................................... ..........10
    Configuration for the Internet Router................................................ .........................11
  Configuring a PPTP-based Site-to-Site VPN Connection.............................................14
  Summary.............................................................................................. ........................32
  See Also....................................................................................................................... .32
                                                                                           5
Step-by-Step Guide for Setting Up a
PPTP-based Site-to-Site VPN Connection
in a Test Lab
This guide provides an example with detailed information about how you can use five
computers in a test lab environment to configure and test a Point-to-Point Tunneling
Protocol (PPTP)-based site-to-site VPN connection using any 32-bit version of the
Microsoft® Windows® Server™ 2003 with Service Pack 1 (SP1) operating system as
well as the Microsoft Windows XP Professional with Service Pack 2 (SP2) operating
system.
You can use this example deployment to learn about Windows Server 2003 with SP1
site-to-site VPN functionality before you deploy a site-to-site VPN connection in a
production environment. This test lab configuration simulates a deployment of a PPTP-
based site-to-site VPN connection between the Seattle and New York offices of an
organization.
    Note:
    The following instructions are for configuring a test lab using a minimum number
    of computers. Individual computers are needed to separate the services provided
    on the network and to clearly show the functionality. This configuration is
    designed to reflect neither best practices nor a recommended configuration for a
    production network. The configuration, including IP addresses and all other
    configuration parameters, is designed to work only on a separate test lab
    network.
Setting Up the Test Lab
The infrastructure for a PPTP-based site-to-site VPN deployment test lab network
consists of five stand-alone computers performing the roles shown in Table 1. Each
computer is part of a workgroup. None of the computers are joined to a domain.
In this test lab scenario, Windows Firewall is installed and turned-on automatically on the
client computers running Windows XP Professional with SP2. You will configure a
Windows Firewall exception on CLIENT1, allowing communication between the two client
computers. On the three computers with Windows Server 2003 with SP1, Standard
Edition, Windows Firewall is automatically installed, but it is not turned-on by default. On
these computers, Windows Firewall will remain turned-off. In addition, the Windows
                                                                                         6
Firewall/Internet Connection Sharing (ICS) service should be disabled on each of these
computers.
Table 1 Test Lab Computer Setup
Computer                                        Role
CLIENT1 running Windows XP                               •   Client computer
Professional with SP2
ROUTER1 running Windows Server 2003                      •   VPN Server
with SP1, Standard Edition
                                                         •   Answering router
INTERNET running Windows Server 2003                     •   Internet router
with SP1, Standard Edition
ROUTER1 running Windows Server 2003                      •   VPN server
with SP1, Standard Edition
                                                         •   Calling router
CLIENT2 running Windows XP                               •   Client computer
Professional with SP2
In addition to these five computers, the test lab also contains four hubs (or Layer 2
switches):
        • A hub that connects the Seattle office (CLIENT1) to the answering router
        (ROUTER1).
        • A hub that connects the New York office (CLIENT2) to the calling router
        (ROUTER2).
        • A hub that connects the answering router (ROUTER1) to the Internet router
        (INTERNET).
        • A hub that connects the calling router (ROUTER2) to the Internet router
        (INTERNET).
    Note:
    Because there are only two computers on each subnet, the hubs can be replaced
    by Ethernet crossover cables.
The configuration of this test lab is shown in the following figure:
                                                                                   7
The IP addresses for the test lab configuration are shown in Tables 2, 3, and 4.
Table 2 IP Addresses for the Seattle Office Subnet
Computer/Interface                            IP Addresses
CLIENT1                                       172.16.4.3
ROUTER1 (to the Seattle intranet)             172.16.4.1
Table 3 IP Addresses for the Internet Subnets
Computer/Interface                            IP Addresses
ROUTER1 (to the Internet)                     10.1.0.2
INTERNET (to ROUTER1, the answering           10.1.0.1
router)
ROUTER2 (to the Internet)                     10.2.0.2
INTERNET (to ROUTER2, the calling             10.2.0.1
router)
Table 4 IP Addresses for the New York Office Subnet
Computer/Interface                            IP Addresses
ROUTER2 (To the New York intranet)            172.16.56.1
CLIENT2                                       172.16.56.3
Configure your test lab by performing the following tasks:
                                                                                         8
        1. Configure the client computers in the Seattle and New York offices.
        2. Configure the computers performing as the answering and calling routers.
        3. Configure the computer performing as the Internet router.
Configuration for CLIENT1
CLIENT1 is a client on the Seattle office subnet, running Windows XP Professional with
SP2.
    Configure TCP/IP properties
            1. Open Network Connections, right-click the network connection you
            want to configure, and then click Properties.
            2. On the General tab, click Internet Protocol (TCP/IP), and then click
            Properties.
            3. Click Use the following IP address, type 172.16.4.3 for the IP address,
            type 255.255.255.0 for the Subnet mask, and then type 172.16.4.1 for the
            Default gateway.
    Configure Windows Firewall on CLIENT1
            1. Click Start, point to Control Panel, and then click Security Center.
            2. Click Windows Firewall, and then in the Windows Firewall dialog box,
            click the Advanced tab.
            3. Click Settings for ICMP, and then click Allow incoming echo request.
            4. Click OK twice to close Windows Firewall.
Configuration for CLIENT2
CLIENT2 is a client on the New York office subnet, running Windows XP Professional
with SP2. Installing Windows XP Professional with SP2 turns on Windows Firewall by
default. However, because CLIENT2's only role is as a calling computer, Windows
Firewall does not need to be enabled with any exceptions. Leave the default Windows
Firewall settings on CLIENT2.
    Configure TCP/IP properties
            1. Open Network Connections, right-click the network connection you
                                                                                      9
           want to configure, and then click Properties.
           2. On the General tab, click Internet Protocol (TCP/IP), and then click
           Properties.
           3. Click Use the following IP address, and then type 172.16.56.3 for the
           IP address, type 255.255.255.0 for the Subnet mask, and then type
           172.16.56.1 for the Default gateway.
   Test Windows Firewall on CLIENT2
           • At the command prompt on CLIENT2, type ping 172.16.40.3. Using Ping
           on CLIENT2 tests whether you have successfully set up Windows Firewall on
           CLIENT1 to block all traffic except traffic from CLIENT2.
Configuration for the Answering and Calling Routers
This section describes the setup for the routers in the test lab. For information about
configuring routing and remote access for the answering router (ROUTER1) and the
calling router (ROUTER2), see “Configuring a PPTP-based Site-to-Site VPN Connection”
in this guide.
ROUTER1
ROUTER1 is a computer on the Seattle office subnet, running Windows Server 2003 with
SP1, Standard Edition. ROUTER1 is acting as the answering router.
   Configure TCP/IP properties
           1. Open Network Connections, right-click the network connection you
           want to configure, and then click Properties.
           2. On the General tab, click Internet Protocol (TCP/IP), and then click
           Properties.
           3. Configure the IP address and subnet mask with the following values:
                   a. On the To the Internet interface, type 10.1.0.2 for the IP
                   address, type 255.255.0.0 for the Subnet mask, and then type
                   10.1.0.1 for the Default gateway.
                   b. On the To the Seattle intranet interface, type 172.16.4.1 for the
                   IP address, type 255.255.255.0 for the Subnet mask. Leave the
                   Default gateway clear.
                                                                                     10
   Disable the Windows Firewall/Internet Connection Sharing (ICS) service
           1. Click Administrative Tools, and then click Services.
           2. In the Services details pane, right-click Windows Firewall/Internet
           Connection Sharing (ICS) service, and then click Properties.
           3. If the service Startup Type is either Automatic or Manual, change it to
           Disabled.
           4. Click OK to close the Windows Firewall/Internet Connection Sharing
           (ICS) dialog box, and then close the Services page.
ROUTER2
ROUTER2 is a computer on the New York office subnet, running Windows Server 2003
with SP1, Standard Edition. ROUTER2 is acting as the calling router.
   Configure TCP/IP properties
           1. Open Network Connections, right-click the network connection you
           want to configure, and then click Properties.
           2. On the General tab, click Internet Protocol (TCP/IP), and then click
           Properties.
           3. Configure the IP address and subnet mask with the following values:
                  a. On the To the Internet interface, type 10.2.0.2 for the IP
                  address, type 255.255.0.0 for the Subnet mask, and then type
                  10.2.0.1 for the Default gateway.
                  b. On the To the Seattle intranet interface, type 172.16.56.1 for
                  the IP address, type 255.255.255.0 for the Subnet mask. Leave the
                  Default gateway empty.
   Disable the Windows Firewall/Internet Connection Sharing (ICS) service
           1. Click Administrative Tools, and then click Services.
           2. In the Services details pane, right-click Windows Firewall/Internet
           Connection Sharing (ICS) service, and then click Properties.
           3. If the service Startup Type is either Automatic or Manual, change it to
           Disabled.
           4. Click OK to close the Windows Firewall/Internet Connection Sharing
                                                                                      11
           (ICS) dialog box, and then close the Services page.
Configuration for the Internet Router
INTERNET is a computer running Windows Server 2003 with SP1, Standard Edition.
   Configure TCP/IP properties
           1. Open Network Connections, right-click the network connection you
           want to configure, and then click Properties.
           2. On the General tab, click Internet Protocol (TCP/IP), and then click
           Properties.
           3. Configure the IP address and subnet mask with the following values:
                  a. On the To Router1 interface, type 10.1.0.2 for the IP address,
                  and then type 255.255.0.0 for the Subnet mask.
                  b. On the To Router2 interface, type 10.2.0.1 for the IP address,
                  and then type 255.255.0.0 for the Subnet mask.
           4. Open the Routing and Remote Access Microsoft Management Console
           (MMC) snap-in.
           5. In the Routing and Remote Access snap-in, right-click INTERNET in the
           console tree, and then click Configure and Enable Routing and Remote
           Access.
           6. The Routing and Remote Access Server Setup Wizard opens. Click
           Next.
           7. On the Configuration page, select Custom configuration, as shown in
           the following figure.
                                                                    12
8. Click Next. On the Custom Configuration page, select LAN routing, as
shown in the following figure.
                                                                                   13
       9. Click Next. On the Completing the Routing and Remote Access
       Server Setup page, click Finish.
       10. To verify the routing infrastructure, do the following:
               a. On ROUTER1, ping the IP address 10.2.0.2. This should be
               successful.
               b. On CLIENT2, ping the IP address 172.16.4.3. This should be
               unsuccessful because CLIENT1 cannot be reached by CLIENT2
               across the simulated Internet until the site-to-site VPN connection is
               created.
Disable the Windows Firewall/Internet Connection Sharing (ICS) service
       1. Click Administrative Tools, and then click Services.
       2. In the Services details pane, right-click Windows Firewall/Internet
       Connection Sharing (ICS) service, and then click Properties.
                                                                                    14
           3. If the service Startup Type is either Automatic or Manual, change it to
           Disabled.
           4. Click OK to close the Windows Firewall/Internet Connection Sharing
           (ICS) dialog box, and then close the Services page.
Configuring a PPTP-based Site-to-Site VPN
Connection
To create a PPTP-based VPN connection, perform the following tasks:
       1. Configure VPN on the answering router.
       2. Configure the demand-dial interface on the answering router.
       3. Configure VPN on the calling router.
       4. Configure the demand-dial interface on the calling router.
       5. Confirm remote access policy configuration on the answering and calling
       routers.
       6. Initiate the VPN connection.
       7. Test the VPN connection.
   Configure VPN on the answering router
           1. In the Routing and Remote Access snap-in, right-click ROUTER1 in the
           console tree, and then click Configure and Enable Routing and Remote
           Access.
           2. The Routing and Remote Access Server Setup Wizard appears. Click
           Next.
           3. On the Configuration page, select Remote access (dial-up or VPN), as
           shown in the following figure.
                                                                    15
4. Click Next. On the Remote Access page, select VPN, as shown in the
following figure.
                                                                         16
5. Click Next. On the VPN Connection page, select To the Internet, and then
verify that the Enable security on the selected interface by setting up static
packet filters check box is selected, as shown in the following figure.
                                                                    17
6. Click Next. On the IP Address Assignment page, select From a specified
range of addresses, as shown in the following figure.
                                                                  18
7. Click Next. On the Address Range Assignment page, click New, as shown
in the following figure.
                                                                     19
8. In the New Address Range dialog box, do the following:
       a. In the Start IP address box, type 172.16.100.1.
       b. In the End IP address box, type 172.16.100.2.
       c. In the Number of Addresses box, accept the displayed value of 2,
       as shown in the following figure.
                                                                 20
9. Click OK. On the Address Range Assignment page, click Next.
10. On the Managing Multiple Remote Access Servers page, select No, use
Routing and Remote Access to authenticate connection requests, as shown
in the following figure.
                                                                               21
       11. Click Next. On the Completing the Routing and Remote Access Server
       Setup page, click Finish.
       12. Click OK to close the message box prompting you to configure the DHCP
       Relay Agent. For this scenario the DHCP Relay Agent will not be configured.
Configure the demand-dial interface on the answering router
       1. In the Routing and Remote Access snap-in, expand ROUTER1, and then
       right-click Network Interfaces, as shown in the following figure.
       2. Click New Demand-dial Interface to open the Demand-Dial Interface
       Wizard, and then click Next.
       3. On the Interface Name page, type VPN_NewYork, as shown in the following
       figure. The interface name must match the user account name of the calling
       router.
                                                                     22
4. Click Next. On the Connection Type page, select Connect using virtual
private networking (VPN), as shown in the following figure.
                                                                       23
5. Click Next. On the VPN Type page, select Point-to-Point Tunneling
Protocol (PPTP), as shown in the following figure.
                                                                       24
6. Click Next. On the Destination Address page, type 10.2.0.2 in the Host
name or IP address box, as shown in the following figure.
                                                                       25
7. Click Next. On the Protocols and Security page, do the following:
       a. Select Route IP packets on this interface.
       b. Select Add a user account so a remote router can dial in, as
       shown in the following figure.
                                                                     26
8. Click Next. On the Static Routes for Remote Networks page, click Add, as
shown in the following figure.
                                                                         27
9. In the Static Route dialog box, do the following:
        a. In the Destination box, type 172.16.56.0.
        b. In the Network Mask box, type 255.255.255.0.
        c. In the Metric box, accept the displayed value 1, as shown in the
        following figure.
                                                                      28
10. Click OK. On the Static Routes for Remote Networks page, click Next.
11. On the Dial In Credentials page, type a password for the VPN_NewYork
user account, and then retype the password in the Confirm password box. The
User name box is automatically populated with the value VPN_NewYork.
12. Click Next. On the Dial Out Credentials page, do the following:
        a. In the User name box, type VPN_Seattle.
        b. In the Domain box, type ROUTER2.
        c. In the Password box, type a password for the VPN_Seattle user
        account.
        d. In the Confirm password box, retype the password for the
        VPN_Seattle user account, as shown in the following figure.
                                                                                29
       13. Click Next. On the last Demand-Dial Interface Wizard page, click Finish.
       14. Click OK to close the message box prompting you to configure the DHCP
       Relay Agent. For this scenario the DHCP Relay Agent will not be configured.
Configure VPN on the calling router
       1. In the Routing and Remote Access snap-in, right-click ROUTER2 in the
       console tree, and then click Configure and Enable Routing and Remote
       Access.
       2. The Routing and Remote Access Server Setup Wizard appears. Click
       Next.
       3. On the Configuration page, select Remote access (dial-up or VPN),
       and then click Next.
       4. On the Remote Access page, select VPN, and then click Next.
       5. On the VPN Connection page, select To the Internet, verify that the
       Enable security on the selected interface by setting up static packet
                                                                                 30
       filters check box is selected, and then click Next.
       6. On the IP Address Assignment page, select From a specified range
       of addresses, click Next, and then on the Address Range Assignment
       page, click New.
       7. In the New Address Range dialog box, do the following:
               a. In the Start IP address box: type 172.56.200.1.
               b. In the End IP address box, type 172.56.200.2.
               c. In the Number of Addresses box, accept the displayed value of
               2, and then click OK.
       8. On the Address Range Assignment page, click Next.
       9. On the Managing Multiple Remote Access Servers page, select No,
       useRouting and Remote Access to authenticate connection requests.
       Click Next.
       10. On the Completing the Routing and Remote Access Server Setup
       page, click Finish.
Configure the demand-dial interface on the calling router
       1. In the Routing and Remote Access snap-in, expand ROUTER2, and then
       right-click Network Interfaces.
       2. Click New Demand-dial Interface to open the Demand-dial Interface
       Wizard. To complete the Demand-Dial Interface Wizard, click Next.
       3. On the Interface Name page, type VPN_Seattle. The interface name
       must match the user account name of the answering router. Click Next.
       4. On the Connection Type page, select Connect using virtual private
       networking (VPN). Click Next.
       5. On the VPN Type page, select Point-to-Point Tunneling Protocol
       (PPTP). Click Next.
       6. On the Destination Address page, type 10.1.0.2, and then click Next.
       7. On the Protocols and Security page, do the following:
               a. Select Route IP packets on this interface.
               b. Select Add a user account so a remote router can dial in, and
               then click Next.
                                                                                    31
       8. On the Static Routes for Remote Networks page, click Add.
       9. In the Static Route dialog box, do the following:
               a. In the Destination box, type 172.16.4.0.
               b. In the Network Mask box, type 255.255.255.0.
               c. In the Metric box, accept the displayed value 1, and then click
               OK.
       10. On the Static Routes for Remote Networks page, click Next.
       11. On the Dial In Credentials page, type the password for the
       VPN_Seattle user account, and then retype the password in the Confirm
       password box. The User name box is pre-populated with the value
       VPN_Seattle. Click Next.
       12. On the Dial Out Credentials page, do the following:
               a. In the User name box, type VPN_NewYork.
               b. In the Domain box, type ROUTER1.
               c. In the Password box, type the password for the VPN_NewYork
               user account created on ROUTER1.
               d. In the Confirm password box, retype the password for the
               VPN_NewYork user account, and then click Next.
       13. On the last Demand-Dial Interface Wizard page, click Finish.
Confirm the remote access policy configuration on the answering and calling
routers
       1. In the Routing and Remote Access snap-in, click Remote Access
       Policies.
       2. In the details pane, right-click Connections to Microsoft Routing and
       Remote Access server, and then click Properties.
       3. On the Settings tab, select Grant remote access permission, and then
       click OK to save changes.
       4. Repeat steps 1 through 3 on ROUTER1.
Initiate the VPN connection
       1. Initiate the VPN connection by performing the following steps on
       ROUTER2.
                                                                                             32
            2. In the console tree of the Routing and Remote Access snap-in, click
            Network Interfaces.
            3. In the details pane, right-click VPN_Seattle, and then click Connect.
            4. Confirm that the connection state of VPN_Seattle is connected.
    Test the VPN connection
            1. At the command prompt, type ping 172.16.4.3.
        This is the IP address for CLIENT1. Pinging CLIENT1 from CLIENT2 will test
        whether the Seattle subnet is now reachable.
            2. To confirm that the packets crossed the VPN connection, at the
            command prompt, type tracert 172.16.4.3. Note that you must use the IP
            address of CLIENT1, rather than its computer name, because a DNS server
            is not configured in this test lab scenario.
        Results that are similar to the following indicate that the connection is working.
            Tracing route to 172.16.4.3 over a      maximum of 30 hops:
                 1    <1 ms    <1 ms    <1 ms       [172.16.56.1]
                 2     1 ms    <1 ms    <1 ms       [172.56.200.2]
                 3     1 ms     1 ms     1 ms       [172.16.4.3]
            Trace complete.
        Note:
        172.16.56.1 is the IP address of the ROUTER2 interface that connects to the
        New York intranet. 172.56.200.2 is the IP address that ROUTER2 assigned
        to ROUTER1. The presence of this IP address in the Tracert output indicates
        that packets are moving across the site-to-site VPN connection. 172.16.4.3 is
        the IP address of CLIENT1.
Summary
The preceding tasks describe how to configure a PPTP-based site-to-site VPN
connection in a test lab with five computers. These five computers simulate two remote
sites using VPN to connect over the Internet.
See Also
Virtual Private Networks for Windows Server 2003
Windows Server 2003 Deployment Guide
                               33
Windows Server 2003 Web site