lan2lan vpn

Posted on 2003-12-07
Medium Priority
Last Modified: 2010-03-19
We are in a need to connect two offices for apps purpose.  Each has a win2k server, about 15 users and each have a DSL link to the net (one DSL has a static IP).  Both offices utilize older versions of Linksys routers.
The information passed will be client sensitive thus need a decent level of security such as VPN.  My question is what options do we have with Windows server 2000?
In a matter of next several month a third office will have to be connected as well to the other two, same setup. Any suggestions or links would be appreciated.  Have a great day, or rather night here in San Fran.

Question by:klossie
LVL 35

Assisted Solution

ShineOn earned 360 total points
ID: 9891430
My first suggestion - don't use Windows server 2K.  Use a hardware-appliance VPN.

If you must go with a software-based VPN, then you will want to get a Win2K server (not Advanced server, don't waste the money) for each site, with that server dedicated to VPN usage.  You don't want to force your main Win2K server to also be your VPN server - that is asking for trouble.  

Since VPN servers are, necessarily, directly connected to the Internet, you have to take into consideration the risks involved in directly connecting a Windows device to the Internet.  You don't want to have your LAN subject to unnecessary risks in order to establish your VPN WAN.

All you need, besides a minimal Win2K server license for each site, is a workstation-class PC with a decent processor and memory configuration (it does NOT need a lot of disk!), and the PCs for your VPN servers must have 2 Network Interface Cards (NICs).

When you set up your initial 2-site site-to-site RRAS VPN, one of the two servers will be your "home" or "master VPN" server (depending on what you want to call it.)  That is the server that will be "dialed to."  Yes, the oddball thing about RRAS VPN is that it is "dialup" oriented even though it works with always-on technologies like DSL.  

You can set it up so no matter which box has been booted, the one that has been booted tries to initiate the connection, but the easiest initial setup is to have what you consider to be your remote site be the one to initiate the connection.

When you add another site, that one also should be set to initiate the connection.  Ideally, the central-site VPN server should also be able to "dial out" in the case that it has to be restarted, so it can re-establish the tunnels with the other remote sites.  

What I have described is essentially a star configuration.

To ensure security, you will want to work with the L2TP/IPSec technologies available with RRAS on Win2K.  If that is too complex, or your company doesn't want to deal with certificates, then the other option is PPTP.  Either way, you end up with a "secure tunnel" between sites.

Whenever setting up Win2K Server as an RRAS point-to-point VPN server, you want to disable all services that the RRAS VPN service does not depend on, like FTP, IIS, etc.   You also want to have the port-blocking features enabled, and only allow the ports that are necessary to establish your site-to-site tunnels.  You DEFINITELY want to apply the most-current service pack, and all of the security hotfixes, before letting it go live, and establish a maintenance process to keep the patches as current as possible.  Remember, it is exposed to the Internet,  and it is a single-function server, so you want to harden it as much as possible and keep it up-to-date.

You could also consider other, non-Windows options for your VPN, like Novell BorderManager 3.8 VPN, which is more secure and more efficient than the RRAS VPN option.
LVL 35

Expert Comment

ID: 9891434
Also, you will need to get a static IP for the 2nd site (and the 3rd when you add it) because the RRAS VPN is IP-address based.
LVL 35

Expert Comment

ID: 9891439
To clarify - if you want to have the resilience of having a *true* site-to-site configuration with any site being able to initiate the tunnel, then you *have* to have fixed IP addresses.  It is possible to do a "pseudo" site-to-site VPN with DHCP-assigned addresses on the far end, but they would HAVE to be the initiator of the link, and it would actually be more of a client-to-site configuration since the remote-side IP won't be a known factor.  That could end up causing you routing issues if you are truly trying to establish a WAN over VPN as opposed to simply connecting a client via VPN.
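The star layout, the "spoke initiates, hub listens" rule, the static-IP requirement and the "only allow the ports the tunnel needs" hardening advice from the comments above can be written down as a small planning and audit script. This is an added example, not code from the thread or from Microsoft; the site names and the firewall rule set are constructed, and the port assignments are the standard ones for RRAS PPTP (TCP 1723 plus GRE) and L2TP/IPsec (UDP 500 and 4500 for IKE and NAT-T, plus ESP).

```python
"""Plan a hub-and-spoke (star) site-to-site VPN and audit the hub's inbound
allow-list against what the chosen tunnel type actually needs.

Added example; the sites and firewall rules below are constructed, not taken
from the thread.
"""
from dataclasses import dataclass

# Inbound traffic the listening (hub) side must accept, per tunnel type.
# A port of None means an IP protocol rather than a TCP/UDP port:
#   PPTP       -> TCP 1723 (control) + GRE (IP protocol 47, carries the data)
#   L2TP/IPsec -> UDP 500 (IKE), UDP 4500 (IKE/ESP behind NAT), ESP (IP proto 50)
# L2TP itself (UDP 1701) rides inside ESP, so it is not opened at the edge.
REQUIRED_INBOUND = {
    "pptp": {("tcp", 1723), ("gre", None)},
    "l2tp/ipsec": {("udp", 500), ("udp", 4500), ("esp", None)},
}


@dataclass(frozen=True)
class Site:
    name: str
    static_ip: bool


def plan_star(sites, hub_name):
    """Return one tunnel entry per spoke, following the thread's rules:
    the hub must be reachable at a fixed address, every spoke initiates,
    and only a static-IP spoke can also be dialed back by the hub
    (a DHCP spoke degrades to a client-to-site style link)."""
    hub = next(s for s in sites if s.name == hub_name)
    if not hub.static_ip:
        raise ValueError("hub %s must have a static IP; spokes dial to it by address" % hub.name)
    tunnels = []
    for spoke in sites:
        if spoke.name == hub_name:
            continue
        tunnels.append({
            "spoke": spoke.name,
            "initiator": spoke.name,          # remote site always dials in
            "hub_can_redial": spoke.static_ip,  # hub can re-establish after reboot
            "mode": "site-to-site" if spoke.static_ip else "client-to-site",
        })
    return tunnels


def audit_inbound_rules(allowed, vpn_type):
    """Compare the hub's inbound allow-list with the tunnel's requirements.
    Returns (missing, extra): ports the tunnel needs but that are blocked,
    and ports that are open without being needed (FTP, IIS, ... should be
    closed on a single-purpose VPN box)."""
    required = REQUIRED_INBOUND[vpn_type]
    return required - allowed, allowed - required


if __name__ == "__main__":
    # Constructed sites: only the first office has a static address.
    sites = [Site("SanFran", True), Site("Office2", False), Site("Office3", False)]
    for t in plan_star(sites, "SanFran"):
        print(t)

    # Constructed allow-list for a PPTP hub that still has FTP and HTTP open.
    allowed = {("tcp", 1723), ("gre", None), ("tcp", 21), ("tcp", 80)}
    missing, extra = audit_inbound_rules(allowed, "pptp")
    print("missing:", sorted(missing, key=str))
    print("extra (should be closed):", sorted(extra, key=str))
```

With only one static address, `plan_star` accepts the San Francisco office as hub and marks both DHCP spokes as initiator-only, client-to-site style links, which is the routing caveat the comment above warns about; picking a DHCP site as hub raises an error instead of silently producing an unreachable design.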

Author Comment

ID: 9891492
Thanks ShineOn for the well written suggestion.  There is only one site with a static IP address, any heads up on this?  Also the third office will also be DHCP.   Lastly, are you aware of any detailed configuration guidelines including hardware/config specs?   Thanks again for responding so quickly.   Klossie
LVL 35

Expert Comment

ID: 9891518
There are a slew of documents on the Microsoft knowledgebase and on technet, describing in full detail how to use RRAS to establish a VPN.  It is very late here, and I am, unfortunately, too tired to go searching for links to point you to, so before I retire for the evening (actually morning) I will leave you with that.

You could try a search on for RRAS VPN or you could do a google search for RRAS VPN configuration to get "real-world" advice on how, step-by-step, to do what you want to do using Win2K technologies.

Sorry to be so short, but I am really beat, and can't stay up any longer.  Good luck.
LVL 10

Accepted Solution

KingHollis earned 140 total points
ID: 9891542
ShineOn has given you an excellent and detailed solution using Windows 2000, but his first solution was the best: Don't use W2k - use a hardware appliance VPN solution. It is the simplest solution and you can simply replace the old version Linksys routers you have. Any number of  Small Office/Home Office VPN Gateway solutions are out there on the market today that would meet your needs: Netgear, Enterasys, SonicWall, Symantec, 3Com, etc. Just go to or or or the likes and look for Small Office/Home Office VPN Gateways or firewalls. All the ones I mentioned are from $150 to $300-- cheaper than buying Windows 2000 Server and hardware.

As for the static IP situation... It would certainly be preferable to have static IPs, but in theory you could get away with having one central location with an IP address only and have all locations call the one static location.

                                                                 |__ VPNTUNNEL<--Oakhurst[DSL]
LVL 35

Expert Comment

ID: 9893804
Oh, by the way, (microwarehouse,macwarehouse,etc.) has been bought by CDW.
