VPN Client Setup
To test your new VPN server implementation, you'll want to set up a wireless workstation or laptop and test each leg of your connectivity: from the wireless AP to the VPN server on the untrusted side, and from there into your organization's trusted network.
If you boot your test station with the wireless NIC connected, you should associate with your AP. You can check your wireless manufacturer's drivers to see which AP you've associated with. Or, if you're using Windows XP, the OS should tell you which wireless AP you're connected to. Verify that your test workstation is receiving an untrusted TCP/IP address from either the DHCP service in your AP (if you've configured it to do so) or from your VPN server (if you installed DHCP).
If your test workstation has successfully obtained an untrusted IP address, you can ping the VPN server's untrusted interface by using the Ping command at a command prompt. Doing so verifies proper wireless connectivity from the workstation, through the wireless AP, and to the VPN server's untrusted interface. If you get a successful ping response, everything is working properly so far. If you don't get a ping response, troubleshoot the problem before going any further.
Now is the time to establish a VPN connection into your internal network. From the XP or Windows 2000 desktop, select Start, Settings, Network and Dial-up Connections, then double-click Add New Connection. Doing so launches the Network Connection Wizard, which prompts you for information about the connection you want to make. On the Network Connection Type screen, which Figure 9 shows, you specify a VPN connection by selecting Connect to a private network through the Internet. Click Next.
The next wizard screen prompts you for the DNS name or IP address of the VPN server you want to connect to. You probably won't have DNS name resolution available to a wireless user who hasn't been properly authenticated yet, so use the IP address of your VPN server's untrusted interface (172.16.30.10, in my example) and click Next.
The final two wizard screens are simple, asking whether you want to make this connection available only for yourself or for all users, and whether you want to share the connection with other users. Answer the questions appropriately for your situation.
Now, the fun begins. Start the DUN connection and provide an appropriate set of username and password credentials in the logon box. (The VPN server needs to verify that your user account has been granted dial-in access.) Your system establishes the VPN tunnel to your VPN server, which in turn authenticates you against the AD database or against the local accounts database. After you're properly authenticated, the VPN server allocates your test workstation a trusted IP address and starts routing your traffic to the internal network. You can verify this routing by running Ipconfig on your test workstation and checking the IP addresses that have been assigned. You should see one untrusted address and one trusted address.
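As an added example (not code from the original article), the following Python script parses Ipconfig output and checks for the one-untrusted-plus-one-trusted address picture described above. The 172.16.30.0/24 untrusted scope, the 10.0.0.0/8 trusted range and the sample Ipconfig text are assumptions constructed for illustration; the article only gives the VPN server's untrusted address.

```python
import ipaddress
import re

# Assumed address plans (hypothetical): the article only names the VPN server's
# untrusted interface 172.16.30.10, so the /24 and the trusted range are assumptions.
UNTRUSTED_NET = ipaddress.ip_network("172.16.30.0/24")
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample of Ipconfig output after the tunnel is up: the wireless NIC
# holds the untrusted lease and the PPP adapter holds the trusted address.
SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Wireless Network Connection:
        IP Address. . . . . . . . . . . . : 172.16.30.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

PPP adapter Office VPN:
        IP Address. . . . . . . . . . . . : 10.1.20.135
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""

ADDR_RE = re.compile(r"^\s*IP(?:v4)? Address[ .]*: ([0-9.]+)", re.MULTILINE)

def assigned_addresses(ipconfig_text):
    """Return every 'IP Address' value in the Ipconfig output as an ip_address."""
    return [ipaddress.ip_address(a) for a in ADDR_RE.findall(ipconfig_text)]

def classify(addrs):
    """Bucket addresses as untrusted (AP scope), trusted (internal) or unexpected."""
    buckets = {"untrusted": [], "trusted": [], "other": []}
    for a in addrs:
        if a in UNTRUSTED_NET:
            buckets["untrusted"].append(a)
        elif a in TRUSTED_NET:
            buckets["trusted"].append(a)
        else:
            buckets["other"].append(a)
    return buckets

def vpn_state(ipconfig_text):
    """Map the address picture to the stage of the test sequence the workstation is at."""
    b = classify(assigned_addresses(ipconfig_text))
    if b["other"]:
        return "unexpected address present"  # neither scope: misconfiguration or rogue DHCP
    if len(b["untrusted"]) == 1 and len(b["trusted"]) == 1:
        return "tunnel up"  # one untrusted and one trusted address, as the article expects
    if len(b["untrusted"]) == 1 and not b["trusted"]:
        return "associated, no tunnel"  # wireless lease only; VPN not yet established
    return "no untrusted lease" if not b["untrusted"] else "multiple untrusted leases"
```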
Congratulations! You now have a fully functional VPN-protected wireless network that you can start rolling out to your end-user community.
Mobile Madness
You might wonder what happens to laptop users who move around the office and move from one AP to another. Because each AP gives out a specific scope of untrusted addresses, the untrusted IP address of a user who changes APs will also change. RRAS attempts to set up a secure VPN tunnel for communication with your user's device, so it won't be too keen on a device that suddenly changes its IP address. Therefore, the VPN tunnel will break. However, if you select the Redial if line is dropped option when you define your client VPN connection profile, you can be sure that Windows will try to reestablish the connection whenever it's lost.
Don't Just Plug It In
Wireless networks require particularly careful implementation. Because they're so easy to set up, the temptation is to simply plug them in and walk away. However, you should never connect a wireless AP to your network and leave it in its default configuration. If you do so, you might as well run some Ethernet cables out your office windows into the street, because you're effectively opening up your network to anyone within a few hundred feet of your office who has a wireless NIC.
Can you rest assured that your wireless data is secure within the type of implementation this article has described? I've spoken with some extremely security-conscious organizations (you know, the kind with armed guards who carry real guns and are trained to use them) and those organizations are using a VPN to protect their wireless networks. Of course, every situation is different, but if companies like that trust a VPN to secure their wireless communication, that's good enough for me.