Thom, these instructions were copied from
http://www.oucs.ox.ac.uk/windows/winnt/vpn/win2k.html
Installing and Configuring Routing and Remote Access
1. If the Windows 2000 Configure Your Server screen is open, click on
Networking, then on Remote Access and finally on Open Routing and Remote
Access. Alternatively, you can start it from Start -> Programs ->
Administrative Tools -> Routing and Remote Access.
2. Select your server in the left-hand window (you may need to expand
Routing and Remote Access to see it) and select Configure and Enable Routing
and Remote Access from the Action menu.
3. The Routing and Remote Access Server Setup Wizard will start. Click on
Next and then choose Virtual private network (VPN) server and click on
Next.
4. In the Remote Client Protocols dialogue box, the only protocol that is
required is TCP/IP. Click on Next.
5. In the Internet Connection dialogue box, accept the default (with <No
internet connection> selected) and click on Next.
6. In the IP Address Assignment box, decide whether you are going to use
DHCP or a specified range of addresses for VPN clients and then click on
Next.
7. If you opted to specify a range of addresses, click on New and add in an
address range that will be used for VPN clients. You can add several address
ranges as required. When you have finished, click on Next.
8. If you opted to use DHCP and your server has a static IP address, you
may see a warning; click on OK.
9. On the Managing Multiple Remote Access Servers page, accept the default
No, I don't want to set up this server to use RADIUS now and click on Next.
Click on Finish.
10. If you opted to use DHCP you may see a message about configuring DHCP
relaying. This has not been tested so you are on your own here.
11. The Routing and Remote Access Service will now be started. In the
Routing and Remote Access management console, make sure that your server is
still selected and select Properties from the Action menu.
12. Click on the Security tab and then on the Authentication Methods
button. Disable Microsoft encrypted authentication (MS-CHAP). This should
leave only Microsoft encrypted authentication version 2 (MS-CHAP v2)
enabled. Click on OK.
13. If you had protocols such as IPX or NetBEUI installed on your server
when you set up Routing and Remote Access, you will have a tab for each
protocol. You should disable these protocols - in general you only need to
allow IP access. For example, to disable IPX, click on the IPX tab, and turn
off the Allow IPX-based remote access and demand-dial connections option.
14. If you need to change IP address information (for example, to change the
range of IP addresses available, or to switch to using DHCP), this is done
via the IP tab. Information can also be logged to the event log; use the
Event Logging tab to control the amount of information that gets logged.
When you have finished, click on OK.
15. Look in the right-hand window. There are several other items that may
be useful. Firstly, you can enable Remote Access Logging. Open up the Remote
Access Logging folder and then double-click on the Local File to change
settings. You can view connected clients (Remote Access Clients) and you can
set up Remote Access Policies.
16. Check in the right-hand window under your server name for the Ports
entry. If you select it and choose Properties from the Action menu you can
configure the number of ports (i.e. VPN connections) that are available.
According to Microsoft, the default is 5; however, in my experience you get
128 L2TP ports and 128 PPTP ports! Currently there is limited support for
L2TP (most clients will use PPTP) so you could probably drop this number to
0. Adjust the number of PPTP ports as required. You can probably turn off
the Demand-dial routing connections option as well.