Microsoft KB Archive/255784

Knowledge Base


Increasing Security on Windows 2000 VPN Server

Article ID: 255784

Article Last Modified on 3/1/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server



This article was previously published under Q255784

SUMMARY

A Windows 2000 virtual private network (VPN) server that is configured by using the Routing and Remote Access Services (RRAS) Setup Wizard is installed with a default set of Input and Output filters. These filters support Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security Protocol (IPSec) connectivity. The filters are generic and can be modified to tighten security on a VPN server. This article describes modifications that you can make to these filters to increase security. All filter configurations mentioned in this article should be tested prior to being deployed in a production environment.

MORE INFORMATION

The RRAS Setup Wizard creates a set of default Input and Output Filters on the external adapter on the VPN server. To display and edit these filters:

  1. Start the Routing and Remote Access snap-in in Microsoft Management Console (MMC).
  2. Expand the IP Routing node in the left pane.
  3. Click General in the left pane.
  4. Right-click the external adapter listed in the right pane, and then click Properties.
  5. You can view and edit the Inbound and Outbound filters on the General tab.

These are the default filters that are configured.

Src addr  Src mask  Dest addr  Dest mask  Protocol  Src port  Dest port  Description
Any       Any       Any        Any        47        Any       Any        GRE
Any       Any       Any        Any        TCP       1723      Any        PPTP Inbound
Any       Any       Any        Any        TCP       Any       1723       PPTP Outbound
Any       Any       Any        Any        UDP       500       500        ISAKMP
Any       Any       Any        Any        UDP       1701      1701       L2TP


Greater security can be provided by editing each of these filters (with the exception of the protocol 47 GRE filter) to further restrict the flow of PPTP and L2TP/IPSec packets. Both the Input and the Output filters must be edited. The result is that inbound PPTP and L2TP/IPSec traffic is restricted to the IP address of the external adapter, and only PPTP and L2TP/IPSec traffic sourced from that same address is allowed out through the external adapter, whether it originates on the internal network or on the VPN server itself.

Input and Output filters are edited individually by selecting the filter and then clicking the Edit button. The Edit IP Filter dialog box allows you to modify each filter setting. As an example, assume that the external adapter has an IP address of 192.0.0.40 with a subnet mask of 255.255.255.0. After modifying the Input filters, the displayed matrix would look like this (each non-GRE row now carries the adapter address with the host mask 255.255.255.255 as its destination):

Src addr  Src mask  Dest addr   Dest mask        Protocol  Src port  Dest port  Description
Any       Any       Any         Any              47        Any       Any        GRE
Any       Any       192.0.0.40  255.255.255.255  TCP       1723      Any        PPTP Inbound
Any       Any       192.0.0.40  255.255.255.255  TCP       Any       1723       PPTP Outbound
Any       Any       192.0.0.40  255.255.255.255  UDP       500       500        ISAKMP
Any       Any       192.0.0.40  255.255.255.255  UDP       1701      1701       L2TP


After modifying the Output filters, the displayed matrix would look like this (here the adapter address is pinned as the source instead):

Src addr    Src mask         Dest addr  Dest mask  Protocol  Src port  Dest port  Description
Any         Any              Any        Any        47        Any       Any        GRE
192.0.0.40  255.255.255.255  Any        Any        TCP       1723      Any        PPTP Inbound
192.0.0.40  255.255.255.255  Any        Any        TCP       Any       1723       PPTP Outbound
192.0.0.40  255.255.255.255  Any        Any        UDP       500       500        ISAKMP
192.0.0.40  255.255.255.255  Any        Any        UDP       1701      1701       L2TP

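Added example (not part of the KB article): a small Python model of the two matrices above that evaluates packets against the wizard's default rows and against the tightened rows, so you can see which packets each set lets through before touching a production server. It assumes the filter action is "Drop all packets except those that meet the criteria below" (what the wizard configures), models "Any" as address 0.0.0.0 with mask 0.0.0.0, and uses the constructed sample addresses 203.0.113.9 (Internet host) and 10.0.0.5 (internal host).

```python
from ipaddress import IPv4Address

# "Any" in the RRAS matrix is address 0.0.0.0 with mask 0.0.0.0; a host entry uses mask 255.255.255.255.
ANY = ("0.0.0.0", "0.0.0.0")
HOST_MASK = "255.255.255.255"

def _addr_matches(rule, ip):
    """Masked compare: (ip & mask) == (addr & mask)."""
    addr, mask = rule
    m = int(IPv4Address(mask))
    return int(IPv4Address(ip)) & m == int(IPv4Address(addr)) & m

def _port_matches(rule_port, pkt_port):
    return rule_port is None or rule_port == pkt_port   # None stands for "Any"

class IpFilterList:
    """Assumed filter action 'Drop all packets except those that meet the criteria below':
    a packet passes only if at least one row matches it."""
    def __init__(self, rows):
        self.rows = rows    # (src, dst, proto, sport, dport, description)

    def permits(self, pkt):
        for src, dst, proto, sport, dport, _desc in self.rows:
            if (proto == pkt["proto"]
                    and _addr_matches(src, pkt["src"]) and _addr_matches(dst, pkt["dst"])
                    and _port_matches(sport, pkt.get("sport"))
                    and _port_matches(dport, pkt.get("dport"))):
                return True
        return False

# Rows of the article's matrix: (protocol, src port, dest port, description); "GRE" is IP protocol 47.
VPN_ROWS = [("GRE", None, None, "GRE"), ("TCP", 1723, None, "PPTP Inbound"),
            ("TCP", None, 1723, "PPTP Outbound"), ("UDP", 500, 500, "ISAKMP"),
            ("UDP", 1701, 1701, "L2TP")]

def build_filters(external_ip=None):
    """Return (input_filters, output_filters): the wizard's default matrix when no
    address is given, the tightened matrix otherwise (the GRE row is never pinned)."""
    pin = (external_ip, HOST_MASK) if external_ip else ANY
    inbound, outbound = [], []
    for proto, sp, dp, desc in VPN_ROWS:
        host = ANY if proto == "GRE" else pin
        inbound.append((ANY, host, proto, sp, dp, desc))    # Input: Dest addr pinned
        outbound.append((host, ANY, proto, sp, dp, desc))   # Output: Src addr pinned
    return IpFilterList(inbound), IpFilterList(outbound)

if __name__ == "__main__":
    # Constructed sample: PPTP control packet from 203.0.113.9 addressed to internal host 10.0.0.5.
    pkt = {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "TCP", "sport": 40000, "dport": 1723}
    print(build_filters()[0].permits(pkt), build_filters("192.0.0.40")[0].permits(pkt))  # True False
```

The default Input rows match that packet because their destination is Any; the tightened rows match only packets addressed to 192.0.0.40, while GRE is still accepted for any address in both sets.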

These filter settings also accommodate a VPN server that must itself initiate a demand-dial connection to another VPN server, for example.

The default filter settings that are installed by the RRAS Setup Wizard allow VPN connections only. The information in this article is provided for those who want increased security.


Keywords: kbhowto kbipsec kbtunneling KB255784