SITE-To-SITE VPN using Windows Server 2003 Standard

Discussion in 'Server Networking' started by S H A R I Q U E, Jan 1, 2009.

  1. Is it possible to create a site-to-site VPN using Windows Server 2003 Standard
    Edition without the use of ISA or any other firewall?
    Is there any article on TechNet on creating such a VPN?
     
    S H A R I Q U E, Jan 1, 2009
    #1

  2. Meinolf Weber [MVP-DS], Jan 1, 2009
    #2

  3. Well... great. Last thing I want to know: is it possible that both servers
    be in a workgroup model to configure site-to-site VPN?
     
    S H A R I Q U E, Jan 1, 2009
    #3
  4. Hello S H A R I Q U E,

    Should work, but without a domain you have centralized authentication options.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jan 1, 2009
    #4
  5. OK... I have read the document, but the issue is that both sites are using
    private IP addresses, or they are behind the ISP firewall. In this scenario, is
    it possible to create a site-to-site or remote access VPN using private IP
    addresses?
     
    S H A R I Q U E, Jan 1, 2009
    #5
  6. S H A R I Q U E,

    Both sites must be using private IP addresses or the site to site won't
    work. What the link does is tunnel the private IP addresses through the
    public connection between the sites.

    The setup documents usually assume that the RRAS routers are connected to
    the Internet and are the default gateway routers for the site. Other configs
    are possible but you then have to sort out the routing for yourself. If the
    RRAS servers are the default gateway routers for the site, routing between
    sites is automatic. RRAS looks after the site to site routing and the traffic
    which needs to go through the tunnel gets to the VPN router by default.

    Without a domain the routing will work but name resolution and file
    sharing are a headache.
     
    Bill Grant, Jan 2, 2009
    #6
  7. It's quite surprising to read that site-to-site VPN will work only when both
    sites are using RFC1918 addresses, that is, private IP addresses.
    During the VPN configuration wizard, it asks which interface is associated with
    the public address; we select that and leave the private interface intact. In this
    case, how can a calling router detect the answering router when both are using
    private IP addresses, since both are behind the ISP firewall? Do I need to
    involve the ISP to allow me to define a static route across the public IP
    address to the private IP address?
    Both servers are default gateways in my scenario. The first one is a member
    server (calling router) and the second one (answering router) is in a workgroup.

    regards
     
    S H A R I Q U E, Jan 2, 2009
    #7
  8. S H A R I Q U E,

    Why are you surprised that VPN expects that you use private IPs? That is
    the whole point of VPN. As its name suggests, VPN is Virtual Private
    Networking. The client appears to be on your private LAN when in fact it is
    connecting through the Internet. VPN creates a private address tunnel
    through the public network. It does this by encrypting the privately
    addressed packets and encapsulating these within a publicly addressed
    wrapper.

    For site to site VPN to work there must be a connection between the two
    sites to carry the encrypted and encapsulated data. If both sites have an
    Internet connection, that will do the trick. Whether they are behind an ISP
    firewall or not should not affect your connection unless the firewall blocks
    a port or protocol which VPN needs. {One such is that you cannot use PPTP if
    your ISP blocks GRE (IP protocol 47)}. The firewall does not affect normal
    file sharing because the packets are encrypted and encapsulated when they
    pass through the firewall.

    Site to site VPN is designed to allow two privately addressed sites to
    route through a VPN connection across another network (such as the
    Internet). Only the routers have public IP addresses. Both LANs use private
    IP addresses and they must be in different IP subnets. When you configure
    the routers you assign static routes for the private LANs to the demand-dial
    interfaces used in the connection. When the connection is made, these routes
    are added to the routing table. Each router now has a static route to the
    "other" site through the VPN link.

    When the link is up it behaves like a (slow) IP router. All traffic
    addressed to the other IP subnet is sent through the tunnel to the other
    site. It is then delivered on the LAN at the second site.

    If you want to securely connect machines which have public IPs you
    would normally use IPSec tunnels, not VPN.
     
    Bill Grant, Jan 2, 2009
    #8
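    A small planning check written for this thread (added here; not code from any of the posters) that applies Bill Grant's rules: both LANs in RFC1918 ranges, in distinct subnets, each RRAS router holding a static route to the other LAN through its demand-dial interface, and PPTP needing TCP 1723 plus GRE (IP protocol 47) end to end. The site subnets and demand-dial interface names are constructed sample values.

```python
"""Check a two-site RRAS site-to-site VPN plan the way the thread describes it:
both LANs privately addressed, in distinct subnets, with each router holding a
static route to the other LAN via its demand-dial interface."""
import ipaddress

# RFC1918 ranges: the "private IP addresses" the thread talks about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample sites (made-up subnets and demand-dial interface names).
SITE_A = {"name": "Site A", "lan": "192.168.10.0/24", "ddi": "VPN_to_SiteB"}
SITE_B = {"name": "Site B", "lan": "192.168.20.0/24", "ddi": "VPN_to_SiteA"}


def is_rfc1918(net):
    """True if the whole network lies inside one of the RFC1918 ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_lans(site_a, site_b):
    """Return a list of plan problems; an empty list means the LAN layout will route."""
    a = ipaddress.ip_network(site_a["lan"], strict=False)
    b = ipaddress.ip_network(site_b["lan"], strict=False)
    problems = []
    for site, net in ((site_a, a), (site_b, b)):
        if not is_rfc1918(net):
            problems.append(f"{site['name']} LAN {net} is not an RFC1918 range")
    if a.overlaps(b):
        problems.append(f"LANs {a} and {b} overlap; the two sites need different subnets")
    return problems


def static_route(local, remote):
    """The static route the local RRAS router needs: remote LAN via its demand-dial interface."""
    net = ipaddress.ip_network(remote["lan"], strict=False)
    return {"destination": str(net.network_address), "mask": str(net.netmask),
            "interface": local["ddi"]}


def pptp_path_ok(allowed):
    """PPTP needs TCP 1723 (control channel) and GRE, IP protocol 47 (tunnel), allowed end to end."""
    return ("tcp", 1723) in allowed and ("ip", 47) in allowed


if __name__ == "__main__":
    print(check_lans(SITE_A, SITE_B))          # [] for the constructed sample
    print(static_route(SITE_A, SITE_B))        # route to 192.168.20.0/24 via VPN_to_SiteB
    print(pptp_path_ok({("tcp", 1723)}))       # False: an ISP dropping GRE breaks PPTP
```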
  9. Adding to that, public IP#s on the LAN (assuming on both LANs) would
    make the VPN pointless since everything could be directly routed without the
    VPN as long as the firewall's ACLs would allow it. In such situations with
    publicly addressed LANs, firewalls typically do not use NAT, and just run
    ACLs.

    If it was one public LAN and one private LAN, I'm not sure; might be
    screwed there. Might need a different VPN solution that wasn't limited to
    private addresses like that.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 3, 2009
    #9