Is it possible to restrict our VPN users so that when they dial into our
LAN, they can only access allowed IP addresses?
I'm thinking of some kind of IP filter restrictions only to selected IP
addresses. Is this possible to set on a VPN server, or can these restrictions
be implemented in a dial-in script using CMAK?
We're using RRAS on Win2003 Server for an L2TP/IPsec VPN.
Are you running a Windows Server domain in "native" mode? Or are you
running a standalone server or a domain in "mixed" mode? Native mode lets
you assign IP addresses to user accounts, and lets you establish network
routes back to those users if your RRAS server also acts as a router.
First, change the mode using Active Directory Users and Computers.
Right-click on the domain name and select Properties. Here you can change
the mode. Only do this if you absolutely have no Windows NT 4 or earlier
domain controllers in the domain. I'm not as sure if this also applies to
trust relationships with other domains.
Second, with the same tool, bring up a user's Properties and select the
Dial-in tab. "Assign static IP address" will now be available to you.
Exclude this IP address from the DHCP pool if you use DHCP.
The last thing I do for the VPN user's computer is turn off "Use
Default Gateway" on their VPN connection's TCP/IP Properties. This lets
them continue to use the Internet while connected to your VPN server, or at
least, it will avoid routing all of that Internet traffic through that VPN
connection. It will automatically route traffic based on class (the old
class A, B and C) depending on which IP addresses you choose. If the client
PC runs NT, 2K or XP (home or pro), you can add additional persistent routes
via your static IP to other networks if needed. Sabre for Windows, for
example, needs a persistent route to some /24 network added for it to work.
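As an added example (not part of the original thread), the following Python script works out, under the classful routing the answer describes, which allowed servers a client reaches automatically once "Use Default Gateway" is off, given its assigned static IP, and generates `route -p add` commands via that static IP for the rest. The static IP and the list of allowed hosts are constructed values.

```python
import ipaddress

# Constructed example values: the static dial-in IP assigned to the user
# in Active Directory and the servers the user is allowed to reach.
STATIC_IP = "192.168.10.50"
ALLOWED_HOSTS = ["192.168.10.20", "192.168.20.5", "192.168.20.9", "10.1.2.3"]


def classful_network(ip):
    """Classful network (A /8, B /16, C /24) that a legacy Windows VPN client
    routes over the tunnel when 'Use Default Gateway' is turned off."""
    addr = ipaddress.IPv4Address(ip)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8      # class A
    elif first_octet < 192:
        prefix = 16     # class B
    elif first_octet < 224:
        prefix = 24     # class C
    else:
        raise ValueError(f"{ip} is not a class A, B or C unicast address")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def plan_routes(static_ip, allowed_hosts):
    """Split allowed hosts into those already covered by the automatic
    classful route and 'route -p add' commands (one /24 per missing network,
    via the client's own static IP) for the rest."""
    auto_net = classful_network(static_ip)
    covered, missing = [], set()
    for host in allowed_hosts:
        addr = ipaddress.IPv4Address(host)
        if addr in auto_net:
            covered.append(host)
        else:
            missing.add(ipaddress.IPv4Network((addr, 24), strict=False))
    commands = [
        f"route -p add {net.network_address} mask {net.netmask} {static_ip}"
        for net in sorted(missing)
    ]
    return covered, commands


if __name__ == "__main__":
    reachable, extra = plan_routes(STATIC_IP, ALLOWED_HOSTS)
    print("Covered by the automatic classful route:", reachable)
    for cmd in extra:
        print(cmd)
```

Run the generated commands on the client PC (NT, 2K or XP) once the static IP has been assigned; hosts listed as covered need no extra route.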