lan2lan vpn

Posted on 2003-12-07
Last Modified: 2010-03-19
We are in a need to connect two offices for apps purpose.  Each has a win2k server, about 15 users and each have a DSL link to the net (one DSL has a static IP).  Both offices utilize older versions of Linksys routers.
The information passed will be client sensitive thus need a decent level of security such as VPN.  My question is what options do we have with Windows server 2000?
In a matter of next several month a third office will have to be connected as well to the other two, same setup. Any suggestions or links would be appreciated.  Have a great day, or rather night here in San Fran.

Question by:klossie
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
LVL 35

Assisted Solution

ShineOn earned 90 total points
ID: 9891430
My first suggestion - don't use Windows server 2K.  Use a hardware-appliance VPN.

If you must go with a software-based VPN, then you will want to get a Win2K server (not Advanced server, don't waste the money) for each site, with that server dedicated to VPN usage.  You don't want to force you main Win2K server to also be your VPN server - that is asking for trouble.  

Since VPN servers are, necessarily, directly connected to the Internet, you have to take into consideration the risks involved in directly connecting a Windows device to the Internet.  You don't want to have your LAN subject to unnecessary risks in order to establish your VPN WAN.

All you need, besides a minimal Win2K server license for each site, is a workstation-class PC with a decent processor and memory configuration (it does NOT need a lot of disk!) and the PC's for your VPN servers must have 2 Network Interface Cards (NIC's)

When you set up your initial 2-site site-to-site RRAS VPN, one of the two servers will be your "home" or "master VPN" server (depending on what you want to call it.)  That is the server that will be "dialed to."  Yes, the oddball thing about RRAS VPN, is that is "dialup" oriented even though it works with always-on technologies like DSL.  

You can set it up so no matter which box has been booted, the one that has been booted tries to initiate the connection, but the easiest initial setup is to have what you consider to be your remote site be the one to initiate the connection.

When you add another site, that one also should be set toi nitiate the connection.  Ideally, the central-site VPN server should also be able to "dial out" in the case that it has to be restarted, so it can re-establish the tunnels with the other remote sites.  

What I have described is essentially a star configuration.

To ensure security, you will want to work with the L2TP/IPSec technologies available with RRAS on Win2K.  If that is too complex, or your company doesn't want to deal with certificates, then the other option is PPTP.  Either way, you end up with a "secure tunnel" between sites.

Whenever setting up Win2K Server as an RRAS point-to-point VPN server, you want to disable all services that the RRAS VPN service does not depend on, like FTP, IIS, etc.   You also want to have the port-blocking features enabled, and only allow the ports that are necessary to establish your site-to-site tunnels.  You DEFINITELY want to apply the most-current service pack, and all of the security hotfixes, before letting it go live, and establish a maintenance process to keep the patches as current as possible.  Remember, it is exposed to the Internet,  and it is a single-function server, so you want to harden it as much as possible and keep it up-to-date.

You could also consider other, non-Windows options for your VPN, like Novell BorderManaqer 3.8 VPN, which is more secure and more efficient than the RRAS VPN option.
LVL 35

Expert Comment

ID: 9891434
Also, you will need to get a static IP for the 2nd site (and the 3rd when you add it) because the RRAS VPN is IP-address based.
LVL 35

Expert Comment

ID: 9891439
To clarify - if you want to have the resilience of having a *true* site-to-site configuration with any site being able to initiate the tunnel, then you *have* to have fixed IP addresses.  It is possible to do a "pseudo" site-to-site VPN with DHCP-assigned addresses on the far end, but they would HAVE to be the initiator of the link, and it would actually be more of a client-to-site configuration since the remote-side IP won't be a known factor.  That could end up causing you routing issues if you are truly trying to establish a WAN over VPN as opposed to simply connecting a client via VPN.
WordPress Tutorial 1: Installation & Setup

WordPress is a very popular option for running your web site and can be used to get your content online quickly for the world to see. This guide will walk you through installing the WordPress server software and the initial setup process.


Author Comment

ID: 9891492
Thanks ShineOn for the well written suggestion.  There is only one site with a static IP address, any heads up on this?  Also the third office wii also be DHCP.   Latly, are you aware of any detailed configuration guidelines including hardware/sonfig specs?   Thanks again for responding so quickly.   Klossie
LVL 35

Expert Comment

ID: 9891518
There are a slew of documents on the Microsoft knowledgebase and on technet, describing in full detail how to use RRAS to establish a VPN.  It is very late here, and I am, unfortunately, too tired to go searching for links to point you to, so before I retire for the evening (actually morning) I will leave you with that.

You could try a search on for RRAS VPN or you could do a google search for RRAS VPN configuration to get "real-world" advice on how, step-by-step, to do what you want to do using Win2K technologies.

Sorry to be so short, but I am really beat, and can't stay up any longer.  Good luck.
LVL 10

Accepted Solution

KingHollis earned 35 total points
ID: 9891542
ShineOn has given you an excellent and detailed solution using Windows 2000, but his first solution was the best: Don't use W2k - use a hardware appliance VPN solution. It is the simplest solution and you can simply replace the old version Linksys routers you have. Any number of  Small Office/Home Office VPN Gateway solutions are out there on the market today that would meet your needs: Netgear, Enterasys, SonicWall, Symantec, 3Com, etc. Just go to or or or the likes and look for Small Office/Home Office VPN Gateways or firewalls. All the ones I mentioned are from $150 to $300-- cheaper than buying Windows 2000 Server and hardware.

As for the static IP situation... It would certainly be preferable to have static IPs, but in theory you could get away with having one central location with an IP address only and have all locations call the one static location.

                                                                 |__ VPNTUNNEL<--Oakhurst[DSL]
LVL 35

Expert Comment

ID: 9893804
Oh, by the way, (microwarehouse,macwarehouse,etc.) has been bought by CDW.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question