lan2lan vpn

We are in need of connecting two offices for apps purposes.  Each has a win2k server, about 15 users, and each has a DSL link to the net (one DSL has a static IP).  Both offices utilize older versions of Linksys routers.
The information passed will be client-sensitive, thus we need a decent level of security such as VPN.  My question is what options do we have with Windows Server 2000?
In the next several months a third office will have to be connected as well to the other two, same setup. Any suggestions or links would be appreciated.  Have a great day, or rather night here in San Fran.


My first suggestion - don't use Windows server 2K.  Use a hardware-appliance VPN.

If you must go with a software-based VPN, then you will want to get a Win2K server (not Advanced Server, don't waste the money) for each site, with that server dedicated to VPN usage.  You don't want to force your main Win2K server to also be your VPN server - that is asking for trouble.

Since VPN servers are, necessarily, directly connected to the Internet, you have to take into consideration the risks involved in directly connecting a Windows device to the Internet.  You don't want to have your LAN subject to unnecessary risks in order to establish your VPN WAN.

All you need, besides a minimal Win2K server license for each site, is a workstation-class PC with a decent processor and memory configuration (it does NOT need a lot of disk!), and the PCs for your VPN servers must have 2 Network Interface Cards (NICs).

When you set up your initial 2-site site-to-site RRAS VPN, one of the two servers will be your "home" or "master VPN" server (depending on what you want to call it.)  That is the server that will be "dialed to."  Yes, the oddball thing about RRAS VPN is that it is "dialup" oriented even though it works with always-on technologies like DSL.

You can set it up so no matter which box has been booted, the one that has been booted tries to initiate the connection, but the easiest initial setup is to have what you consider to be your remote site be the one to initiate the connection.

When you add another site, that one also should be set to initiate the connection.  Ideally, the central-site VPN server should also be able to "dial out" in the case that it has to be restarted, so it can re-establish the tunnels with the other remote sites.

What I have described is essentially a star configuration.

To ensure security, you will want to work with the L2TP/IPSec technologies available with RRAS on Win2K.  If that is too complex, or your company doesn't want to deal with certificates, then the other option is PPTP.  Either way, you end up with a "secure tunnel" between sites.

Whenever setting up Win2K Server as an RRAS point-to-point VPN server, you want to disable all services that the RRAS VPN service does not depend on, like FTP, IIS, etc.   You also want to have the port-blocking features enabled, and only allow the ports that are necessary to establish your site-to-site tunnels.  You DEFINITELY want to apply the most-current service pack, and all of the security hotfixes, before letting it go live, and establish a maintenance process to keep the patches as current as possible.  Remember, it is exposed to the Internet,  and it is a single-function server, so you want to harden it as much as possible and keep it up-to-date.

You could also consider other, non-Windows options for your VPN, like Novell BorderManager 3.8 VPN, which is more secure and more efficient than the RRAS VPN option.
Also, you will need to get a static IP for the 2nd site (and the 3rd when you add it) because the RRAS VPN is IP-address based.
To clarify - if you want to have the resilience of having a *true* site-to-site configuration with any site being able to initiate the tunnel, then you *have* to have fixed IP addresses.  It is possible to do a "pseudo" site-to-site VPN with DHCP-assigned addresses on the far end, but they would HAVE to be the initiator of the link, and it would actually be more of a client-to-site configuration since the remote-side IP won't be a known factor.  That could end up causing you routing issues if you are truly trying to establish a WAN over VPN as opposed to simply connecting a client via VPN.
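One way to check the "only the necessary ports" advice above, as an added example that is not part of the original thread or of RRAS itself: it parses a constructed Windows-style `netstat -an` listing from the VPN box and reports which listening ports the chosen tunnel type (PPTP or L2TP/IPsec) needs and which are extra services to disable or block. The port numbers are the standard ones for those protocols; the sample host, addresses and the `audit` function are assumptions.

```python
"""Audit an RRAS VPN server's open ports against the minimal set its tunnel type needs."""
import re

# Listening ports each RRAS tunnel type needs on the Internet-facing NIC.
# GRE (PPTP) and ESP (L2TP/IPsec) are IP protocols, not ports, so netstat
# never lists them; they are kept separately for the firewall rule.
REQUIRED = {
    "pptp": {("tcp", 1723)},
    "l2tp/ipsec": {("udp", 500), ("udp", 1701)},
}
IP_PROTOCOLS = {"pptp": {"GRE (47)"}, "l2tp/ipsec": {"ESP (50)"}}

# Constructed sample in Windows "netstat -an" style (not captured from a real
# host): a VPN box still running FTP (21) and IIS (80) beside the tunnel ports.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1034          ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1701           *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def listening_ports(netstat_text):
    """Return the set of (proto, port) sockets that accept inbound traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).lower(), int(m.group(2)), m.group(3)
        # UDP rows carry no state column; TCP rows must be LISTENING to count.
        if proto == "udp" or state == "LISTENING":
            found.add((proto, port))
    return found


def audit(netstat_text, tunnel):
    """Report required ports that are not open, open ports the tunnel does not
    need (services to disable or block), and the IP protocols to permit."""
    open_ports = listening_ports(netstat_text)
    required = REQUIRED[tunnel]
    return {"missing": required - open_ports,
            "extra": open_ports - required,
            "ip_protocols": IP_PROTOCOLS[tunnel]}
```

Feed it the real `netstat -an` output of the dedicated VPN server after you have disabled FTP, IIS and the rest; anything left under "extra" is a port the firewall rule set should not be passing.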

klossieAuthor Commented:
Thanks ShineOn for the well written suggestion.  There is only one site with a static IP address, any heads up on this?  Also the third office will also be DHCP.   Lastly, are you aware of any detailed configuration guidelines including hardware/config specs?   Thanks again for responding so quickly.   Klossie
There are a slew of documents on the Microsoft knowledgebase and on technet, describing in full detail how to use RRAS to establish a VPN.  It is very late here, and I am, unfortunately, too tired to go searching for links to point you to, so before I retire for the evening (actually morning) I will leave you with that.

You could try a search on for RRAS VPN or you could do a google search for RRAS VPN configuration to get "real-world" advice on how, step-by-step, to do what you want to do using Win2K technologies.

Sorry to be so short, but I am really beat, and can't stay up any longer.  Good luck.
ShineOn has given you an excellent and detailed solution using Windows 2000, but his first solution was the best: Don't use W2k - use a hardware appliance VPN solution. It is the simplest solution and you can simply replace the old version Linksys routers you have. Any number of Small Office/Home Office VPN Gateway solutions are out there on the market today that would meet your needs: Netgear, Enterasys, SonicWall, Symantec, 3Com, etc. Just go to or or or the likes and look for Small Office/Home Office VPN Gateways or firewalls. All the ones I mentioned are from $150 to $300, cheaper than buying Windows 2000 Server and hardware.

As for the static IP situation... It would certainly be preferable to have static IPs, but in theory you could get away with having one central location with an IP address only and have all locations call the one static location.


Oh, by the way, (microwarehouse, macwarehouse, etc.) has been bought by CDW.