In Longhorn, Routing and remote access server role supports IPv6 (in addition to IPv4). In this blog, I will give a quick summary on what are the scenarios that are supported and what changes are required to enable the same. This will also help you to decide a roll-out plan to enable you to migrate to IPv6.
Let us first look at what are the main scenarios for which customers deploy RRAS:
1) Enable remote access to their users - using dialup or VPN (i.e. over Internet) as the link-layer.
2) Enable site-to-site connectivity between their offices - using dialup or VPN (i.e. over Internet) as the link layer
Now let us look at what it means by IPv6 support in context with the above scenarios:
1) First look at your connectivity between end user PC to RRAS (i.e. remote access scenario ) or RRAS-RRAS (i.e. site-to-site connectivity):
a. If your connectivity is dial-up, then move to step 2).
b. If your connectivity is VPN i.e. a virtual tunnel over Internet, now look at whether you have IPv4 based ISP connectivity (which is most common today) or IPv6 based connectivity (which is gaining momentum and will become common soon).
i. If it is IPv4 connectivity, then you can use any form of VPN tunnel (PPTP, L2TP or SSTP) – just configure the hostname/IPv4 address of destination server inside your VPN client/originating router.
ii. If it is IPv6 connectivity, you can use L2TP/IPSec or SSTP based VPN tunnel to establish a tunnel between two ends and configure hostname/IPv6 address instead. Also ensure RRAS server public interface has the same IPv6 address which client connects to and the firewalls in-front of RRAS server are enabled to allow L2TP/SSTP packets destined to RRAS server IPv6 address.
2) Now let us look at your connectivity behind your RRAS server or networking connectivity within your Intranet
a. I am sure you will be having IPv4 connectivity there today. No changes required here (i.e. you can continue to support IPv4 as well as IPv6 in parallel).
b. Now if you are planning to migrate to IPv6 (i.e. your LAN machines will be having IPv6 address too), then you need to make the following changes.
i. Remote Access: Enable RRAS server as “IPv6 remote access server” and manually configure a /64 bit IPv6 prefix in it. This one prefix will be shared by all remote access clients. In addition, install and configure DHCPv6 Relay Agent present inside RRAS server. This will enable forwarding of DHCPv6 Inform packets coming from remote access clients onto DHCPv6 server running on Intranet side. This extra step is required to hand-out extra addressing parameters like DNS server IPv6 address, DNS suffix etc to the remote access clients.
ii. Site-to-site connectivity: Enable RRAS as “IPv6 Router” and then add a “demand-dial interface”. As a site-to-site server also acts as remote access server (to accept connections), follow the steps given above (except DHCPv6 relay agent).
The above steps will enable RRAS server to send IPv6 prefix to other end as well as forward IPv6 packets received on its dialup/VPN interface onto Intranet side and vice versa. The other end can be a remote access user or a site.
iii. Rest of your configuration – like authentication/authorization remain same as IPv4.
iv. Rest of your IPv6 deployment can continue to happen as planned. For example – if you want some servers (like your Radius server or Domain controller to be using IPv6), you can continue to enable them towards IPv6 at same or different times.
This really means RRAS server can be used to bridge IPv6 islands separated by IPv4.
References: Look at following blogs:
1) RAS IPv6 FAQ
2) How PPPv6 works
3) Cable guy article
Note: We will be soon adding link to step-by-step guide for IPv6 connectivity – stay tuned.
Feel free to share your comments
Lead Program Manager (Windows Enterprise Networking)
[This posting is provided "AS IS" with no warranties, and confers no rights.]
I am not a network guy, but I am an experienced software developer. I have been desperately googling to find how to configure Windows Vista as a secured VPN Server. I don't know how to configure IPSec to make my VPN Sever as secure as possible. And I don't know what firewall settings are required. I don't know anything about IPSec whatsoever. Are there any simple step-by-setp setup instructions to follow to do this? I am too busy to spend so much time on learning PPTP, L2TP/IPSec etc. I would appreciate it if you advised. Regards, Behrouz
The main disadvantage of using windows server 2003 as a router is it doesn't support any traffic prioritization method, a critical feature to transport voice over data lines.
Does windows 2008 offer any feature to better manage QoS?
In particular lack of traffic prioritization is preventing my organization from using windows as a banch offices vpn end-point.
Thanks for the info
s.tagliapietra [at] rubelli.com
Though RRAS doesn't support any extra QoS features in Windows server 2008, but the server in general supports lot of extra QoS features which you may want to have a look at here: http://www.microsoft.com/technet/community/columns/cableguy/cg0306.mspx
Also in next OS release, we are considering adding a feature that DSCP field from inner IP to outer IP header when forwarding packet from LAN to WAN. Your comments are welcome on this.
For further feedback send email to email@example.com
Can you give us more idea about what you mean by "securing RRAS by IPSec". Can you explain you requirements further.
Send email to firstname.lastname@example.org