If you are not receiving the "Connection-specific DNS Suffix" on the VPN
PPP interface from the DHCP server of the LAN you are connecting to, go to
the VPN server and add the "DHCP Relay Agent" and then add the RRAS server's
"Local Area Connection" to the list.

Caller-id RRAS (ANI/CLI). When using this auth method, the username and
password are not used, and you must allow unauthenticated access on the
Authentication tab of the policy's profile.

CHAP authentication must use reversible password encryption. You must reset
all existing passwords not using reversible encryption. You can set a GPO
to configure reversible encryption in user settings or password policy.

You can create a tunnel without encrypting the data, but that is not
"by definition" a virtual private network. With VPNs, encapsulation and
encryption always go together.

PPTP uses TCP with a modified Generic Routing Encapsulation (GRE) protocol,
and L2TP uses UDP. Some ISPs filter the GRE protocol used by PPTP.

PPTP is an extension of PPP that encapsulates PPP frames into IP datagrams.

L2TP is a combination of PPTP and Layer 2 forwarding.

IPSec uses OSI layer 3 encryption technology.
End-to-End security = transport mode
Router-to-Router = tunnel mode
Transport mode is more appropriate for fixed endpoints used inside internal
networks. Tunnel mode is more appropriate for external network traversal.
With tunnel mode, you must specify the destination endpoint of the tunnel.
With NAT, you cannot use transport mode; you can use tunnel mode.

The highest security level is:
	SHA/3DES/Diffie-Hellman group 2

In Network Monitor, ESP packets are labeled ESP packets; AH packets are
NOT labeled AH packets.

A "transit internetwork" refers to the shared IP network (public or private)
that carries the VPN's encapsulated data. It most often refers to the
Internet.

On a routed VPN connection, PPTP is only encrypted from client to server;
L2TP is encrypted from client to the final destination.

RAS account lockout is set up on the computer that authenticates the
user: depending on configuration, either the RRAS server or the IAS
(RADIUS) server. This is done in the Registry:
	HKLM\SYSTEM\CurrentControlSet\
	Services\RemoteAccess\Parameters\AccountLockout\
		MaxDenials:	# of failed attempts.
		ResetTime:	(mins) automatic release time.

	To manually unlock an account, you must delete the username from
	the AccountLockout\ registry path. It is in the syntax of:
	

MS-CHAP does NOT support "mutual authentication"; MS-CHAPv2 does.

In RRAS, you can have 0 or more ports for L2TP. With PPTP, you must have
1 or more (you cannot specify 0). If you want to restrict PPTP connections,
you must modify the properties of the default remote access policy.
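
For the RAS account lockout registry settings described above, an added
PowerShell example (not part of the original notes) that audits MaxDenials
and ResetTime and supports a manual unlock. The function names
Get-RasLockoutStatus and Unlock-RasAccount are hypothetical, and the script
assumes locked-out accounts are stored as subkeys of the AccountLockout key.

```powershell
# Added example (not from the original notes). Run elevated on the server
# that authenticates the user: the RRAS server or the IAS (RADIUS) server.
$LockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Get-RasLockoutStatus {          # hypothetical helper name
    param([string]$KeyPath = $LockoutKey)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }
    $p = Get-ItemProperty -LiteralPath $KeyPath
    # Assumption: locked-out accounts are stored as subkeys of this key.
    $entries = @(Get-ChildItem -LiteralPath $KeyPath | ForEach-Object PSChildName)
    [pscustomobject]@{
        MaxDenials     = [int]$p.MaxDenials           # failed attempts before lockout
        ResetTimeMins  = [int]$p.ResetTime            # minutes until automatic release
        LockoutEnabled = ([int]$p.MaxDenials -gt 0)   # 0 (or missing) means lockout is off
        Entries        = $entries
    }
}

function Unlock-RasAccount {             # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$EntryName,     # exactly as listed in Entries
        [string]$KeyPath = $LockoutKey
    )
    # Match on the listed subkey name instead of building a path by hand.
    $item = Get-ChildItem -LiteralPath $KeyPath |
        Where-Object { $_.PSChildName -eq $EntryName }
    if (-not $item) { throw "No lockout entry named '$EntryName'" }
    if ($PSCmdlet.ShouldProcess($item.Name, 'Delete lockout entry')) {
        Remove-Item -LiteralPath $item.PSPath -Recurse
    }
}

$status = Get-RasLockoutStatus
$status | Format-List
if (-not $status.LockoutEnabled) {
    Write-Warning 'MaxDenials is 0: failed remote access logons are never locked out.'
}
# Preview a manual unlock without changing anything:
# Unlock-RasAccount -EntryName $status.Entries[0] -WhatIf
```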