This chapter describes how to configure the Remote Access Service (RAS) to enable remote users to connect to a central site in a virtual private network (VPN).
This section describes the remote access configurations supported by NETBuilder bridge/routers.
In a distributed remote access configuration, Windows 95/Windows NT client A dials into an Internet Service Provider (ISP) Point-of-Presence (POP) that can act like a Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunnelling Protocol (L2TP) Line Server (LS). The LS at the ISP site sets up a PPTP/L2TP tunnel using the NETBuilder bridge/router as a tunnel terminator or packet processor (PP) and forwards all PPP packets from the Windows 95/Windows NT client A to the NETBuilder bridge/router using the PPTP/L2TP encapsulation. The PPTP/L2TP tunnel is transparent to the remote client.
A PPP session is set up directly between the remote client and the NETBuilder RAS server, and the client can run the IP protocol to access the enterprise network. In this configuration, the client also makes an MLP connection with the ISP, and both PPP connections are bundled together at the NETBuilder RAS server.
The host network can be either an Ethernet network as shown in Figure 46 or a network running NetWare.
Figure 46 Distributed Remote Access
The configuration of the WAN port in NETBuilder II bridge/router A is not relevant to the RAS setup.
Before beginning these procedures, complete the following tasks:
When the host network is running NetWare, first follow the steps in the procedure "Configuring Distributed Remote Access for a NetWare Network" on page 160, and then return to step 4 of this procedure.
To configure distributed remote access, follow these steps:
1. Configure NETBuilder A LAN ports by entering:
SETDefault !1 -IP NETaddr = 130.1.1.1 255.255.255.0
2. Configure RAS IP.
SETDefault -RAS IPNETwork = 130.1.1.0
Specify only the IP network. A network mask is not required.
SETDefault -RAS IPAddrPool = LocalDhcpServer
ADD !<portlist> -DHCP AddressPool <IPaddr1> - <IPaddr2> [!<profileid>]
SETDefault !<profileid> -DHCP DNS
SETDefault !<profileid> -DHCP NetBios
3. Enable IP routing for RAS by entering:
SETDefault -IP CONTrol = Enable
4. Configure the user database.
ADD !<vport> -POrt VirtualPort RAS
ADD !<vport> -PPP AuthRemoteUser ("username", "password")
SETDefault !<vport> -PPP AuthProTocol = None | Pap | Chap | MS-Chap
SETDefault !<vport> -POrt CONTrol = Enable
Each user requires a unique virtual port number, username and password.
Further, you may configure the idle timer value for each remote user, using:
SETDefault !<vport> -POrt DialIdleTimer = <seconds>
SETDefault -RAS SecurityType = radius
SETDefault -RAS PrimACcntSrvr = [<IP Address>]
SETDefault -RAS PrimAUthSrvr = [<IP Address>]
The RADIUS server is external to the NETBuilder bridge/router. When you set the RAS security type to radius, at a minimum you must configure the IP addresses for the primary authentication and accounting servers. For specific configuration details for your RADIUS server, consult the manufacturer's documentation.
SETDefault -RAS SecACcntSrvr = [<IP Address>]
SETDefault -RAS SecAUthSrvr = [<IP Address>]
SETDefault -RAS AuthUdpport = <UDP port number>
SETDefault -RAS ACcntUdpport = <UDP port number>
When using an external user database such as a RADIUS server, ports are configured dynamically as they are needed. You do not need to configure any ports.
5. Optionally, configure a port use limit, using:
ADD -PO PortLimit RAS <minimum> <maximum>
6. Optionally, add RAS traps to the list of traps sent to the SNMP Network Manager, using:
ADD -SNMP TrapProfile "<TrapProfileName>" REMote
7. Enable RAS by entering:
SETDefault -RAS CONTrol = Enable
8. Configure the PPTP/L2TP tunnel by following these steps:
SETDefault -L2T CONTrol = Enable Protocol = PPTP
or
SETDefault -L2T CONTrol = Enable Protocol = L2TP
ADD -L2Tunnel AccessList <IPaddress> [<Network Mask>] [Protocol = PPTP] [FlowControl = <Enabled | Disabled>]
Flow control applies to PPTP tunnels only. The IP address and the network mask are set to those of the PPTP/L2TP tunnel terminator. In this configuration, this IP address is the remote ISP's IP address. For more information about configuring PPTP/L2TP tunnels, see Chapter 12.
9. If L2TP is used as the tunneling protocol, you need to set the system name of the NETBuilder bridge/router using:
SETDefault -SYS SysName = "name"
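The settings in steps 4 and 8 decide who can reach the enterprise network: the PPP authentication protocol per virtual port, the RADIUS server addresses when SecurityType is radius, and the L2Tunnel AccessList that limits tunnel terminators to the ISP's address. The following audit script is an added example, not part of this manual or of NETBuilder software; it parses configuration lines in the command syntax shown above (a constructed sample with made-up port numbers and credentials) and reports settings that weaken or leave incomplete the RAS setup this procedure describes.

```python
import re

# Constructed sample in the command syntax of the procedure above, not a real
# device dump; virtual port numbers, user names and passwords are made up.
SAMPLE_CONFIG = """
SETDefault -RAS IPNETwork = 130.1.1.0
ADD !10 -POrt VirtualPort RAS
ADD !10 -PPP AuthRemoteUser ("alice", "example-only")
SETDefault !10 -PPP AuthProTocol = Pap
ADD !11 -POrt VirtualPort RAS
ADD !11 -PPP AuthRemoteUser ("bob", "example-only")
SETDefault !11 -PPP AuthProTocol = MS-Chap
SETDefault -RAS SecurityType = radius
SETDefault -RAS CONTrol = Enable
SETDefault -L2T CONTrol = Enable Protocol = PPTP
"""

# AuthProTocol values from step 4 that do not challenge the remote user
WEAK_AUTH = {"none": "remote user is not authenticated",
             "pap": "password crosses the PPP link in the clear"}

# verb, optional !port, -Service, Parameter, optional '=', rest of the line
CMD_RE = re.compile(r"^(SETDefault|ADD)\s+(?:!(\S+)\s+)?-(\S+)\s+(\S+)\s*=?\s*(.*)$", re.I)

def parse(config):
    """Yield (port, SERVICE, PARAMETER, value) for each recognised command line."""
    for raw in config.splitlines():
        m = CMD_RE.match(raw.strip())
        if m:
            _verb, port, service, param, value = m.groups()
            yield port, service.upper(), param.upper(), value.strip()

def audit(config):
    """Return (port, message) findings for weak or incomplete RAS settings."""
    findings, ras, tunnel, access_list = [], {}, False, False
    for port, service, param, value in parse(config):
        if service == "PPP" and param == "AUTHPROTOCOL" and value.lower() in WEAK_AUTH:
            findings.append((port, f"AuthProTocol = {value}: {WEAK_AUTH[value.lower()]}; use Chap or MS-Chap"))
        elif service == "RAS":
            ras[param] = value.lower()
        elif service.startswith("L2T"):  # -L2T and -L2Tunnel name the same service
            if param == "CONTROL" and value.lower().startswith("enable"):
                tunnel = True
            elif param == "ACCESSLIST":
                access_list = True
    if ras.get("SECURITYTYPE") == "radius":
        for p in ("PrimAUthSrvr", "PrimACcntSrvr"):  # minimum required by step 4
            if p.upper() not in ras:
                findings.append(("-", f"SecurityType = radius but -RAS {p} is not set"))
    if tunnel and not access_list:
        findings.append(("-", "tunnel enabled without an -L2Tunnel AccessList entry: tunnel terminators are not restricted to the ISP's address"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see four findings (PAP on port 10, both RADIUS server addresses missing, no AccessList); adding the missing lines from steps 4 and 8 clears them.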
When the host network is running NetWare, enable distributed remote access by following these steps:
1. Configure NETBuilder A LAN ports by entering:
SETDefault !1 -IPX NETnumber = &12345678 Ethernet
2. Configure RAS IPX.
SETDefault -RAS IPXNETwork = &mynet00
3. Enable IPX routing for RAS by entering:
SETDefault -IPX CONTrol = Enable
You should now continue to configure the NETBuilder bridge/router by following the steps in the previous procedure starting at step 4, "Configure the user database."
In the configuration shown in Figure 47, the Windows 95 client B has the Dialup Networking 1.2 upgrade, or Windows 98, or Windows NT 4.0. Client B first makes a dial-up connection to the ISP site to gain Internet access. Since the client is using an IP address assigned by the ISP site, it is generally denied access to the enterprise network. To gain access to the enterprise network, a PPTP/L2TP tunnel is established between the client and the NETBuilder RAS server. In this configuration, the PPP connection is initiated by the remote client software. The IP protocol can then be used over the PPTP/L2TP tunnel.
Figure 47 Using Windows 95 Dialup Networking 1.2, Windows 98, or Windows NT 4.0
When using this type of client, you do not need to enable the MLP service for the remote clients. The other steps for setting up this configuration are the same as those in the procedure, except you do not need to configure the L2Tunnel AccessList parameter.
The configuration shown in Figure 48 is similar to the one shown in Figure 47, except that client C has a direct Internet connection using an OfficeConnect NETBuilder bridge/router. To gain access to the enterprise network, a PPTP tunnel is created between client C and the NETBuilder RAS server.
The OfficeConnect bridge/router is directly connected to the Internet via an ISP connection where the bridge/router acts as the default gateway for the remote client. In this configuration, you do not need to enable the MLP service for the remote clients. The other steps for setting up this configuration are the same as those in the procedure. Remember, the OfficeConnect bridge/router must be configured in the L2Tunnel AccessList.
Figure 48 Internet Based Remote Access
In the configuration shown in Figure 49, an OfficeConnect NETBuilder bridge/router is configured using the QuickStep VPN application and is connected to the Internet via an ISP connection. Once connected, the OfficeConnect bridge/router establishes a PPTP tunnel to the enterprise NETBuilder bridge/router A. All remote stations attached to the OfficeConnect bridge/router have access to the enterprise network. The PPTP connection is transparent to the remote stations. For more information about configuring the PPTP tunnel, see Chapter 12.
Figure 49 OfficeConnect NETBuilder with NAT
The OfficeConnect NETBuilder bridge/router at the remote site is configured to run Network Address Translation (NAT). The central site NETBuilder II bridge/routers view the OfficeConnect NETBuilder bridge/router as a RAS client. However, the OfficeConnect bridge/router is the default router for the remote Windows clients and performs NAT for all the remote stations using a private IP network at the remote site.
Router-to-Router over L2TP is not supported yet. That is, the configuration described in Figure 49 is not currently supported for L2TP tunnels.