Solved

Windows 2003 VPN connection

Posted on 2004-09-10
Last Modified: 2010-05-18
I have two Windows 2003 server systems that I would like to connect with a VPN. I have configured RRAS on the first system to accept incoming VPN connections and I have set up a user with permission to connect. Then on the second system I opened the networking control panel and followed the wizard to create a new VPN connection. I can connect and everything works great. The problem is that the VPN acts like a dialup connection: I must press the connect button to establish it, then if I log off the computer the connection is terminated. Is it possible to create an always-on VPN connection? If so, how would I do this?

Thanks

Steve

Question by: potsy
10 Comments
Expert Comment by: frieked (LVL 3)
Have you tried the Cisco VPN client?
I use version 4.0.2 of it and if you go to: Options->Windows logon properties
There is a checkbox for "Disconnect VPN connection when logging off"

Expert Comment by: OverSeer (LVL 5)
If it's treating it like a dialup connection, maybe you could use the rasdial command from the command prompt.

rasdial "name of connection" (without the quotes obviously)...

Give that a try...

Expert Comment by: vrobison (LVL 1)
There is a very detailed description of how to set up a site-to-site tunnel between 2 Win2003 servers. It is a bit heavy-handed, but it should do the trick.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx

Regards,

vrobison

Expert Comment by: jose_ramirez (LVL 2)
It is a very good answer, vrobison, but I think it's not useful; as far as I read in that paper, the document is talking about two servers with a persistent or on-demand VPN connection, but a persistent connection has the same problem: dialing is disabled until you're logged on.
So potsy, I suggest getting two routers with VPN function. I've worked with SonicWall, and it's easy to install, to deploy VPN, and cheap, but there is always the possibility to get Cisco, Check Point, etc. But for your question I think no, you cannot get a permanent connection with 2 Win2k3.
The exact part of the MS article is:

On-demand vs. Persistent Connections

A site-to-site VPN connection can be on-demand or persistent:

• An on-demand site-to-site connection is a connection that is made when traffic must be forwarded across the connection. The connection is made, the traffic is forwarded, and the connection is terminated after a configured amount of idle time. You can configure idle disconnect behavior for the answering router by setting an idle disconnect on the Dial-in Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection. You can configure idle disconnect behavior for the calling router on the Options tab on the properties of the demand-dial interface in the Routing and Remote Access snap-in.

• A persistent site-to-site connection is always connected. If the connection is dropped, it is immediately retried. To configure the answering router for connection persistence, clear the Minutes server can remain idle before it is connected and Minutes client can be connected check boxes on the DIAL-IN Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection (these settings are disabled by default). To configure the calling router for connection persistence, select Persistent connection on the Options tab from the properties of the DEMAND-DIAL interface.

If the calling router connects to the Internet by using a dial-up link such as an analog phone line or ISDN, then you need to configure a dial-up on-demand site-to-site VPN connection consisting of a single demand-dial interface at the answering router and two demand-dial interfaces at the calling router: one to connect to a local Internet service provider (ISP) and one for the site-to-site VPN connection. Dial-up on-demand site-to-site VPN connections also require an additional host route in the IP routing table of the calling router. For more information, see the topic titled "A dial-up router-to-router VPN connection" in Windows Server 2003 Help and Support.

For either on-demand or persistent site-to-site VPN connections, the answering router is permanently connected to the Internet.

Hope this helps
Jose

Expert Comment by: The--Captain (LVL 16)
Although I suspect this is possible given some complex boot-time scripting and registry modification (so the VPN is established as the Administrator at boot-time and then persists across all logins (or no logins) - maybe set to run as a service?), I agree that the correct solution is to terminate VPN connections on firewalls, not workstations or servers.

Cheers,
-Jon

P.S.  I don't like Sonicwall at all

Accepted Solution by: vrobison (LVL 1, earned 500 total points)
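As an added example (not code posted by OverSeer or The--Captain), here is a cmd script that turns the rasdial suggestion into the boot-time, logon-independent job The--Captain describes: a scheduled task running as SYSTEM that dials the entry and re-dials it whenever it drops. The connection name SiteVPN, the dial-in account vpnlink and the path C:\Scripts\keepvpn.cmd are assumptions. The connection must have been created for "Anyone who uses this computer", so that the entry lives in the all-users phonebook rather than in one user's profile, where a task running as SYSTEM cannot see it.

```batch
@echo off
rem keepvpn.cmd - added example, not from the thread.
rem Keeps an RRAS VPN phonebook entry connected from a boot-time task so that
rem it no longer depends on anyone being logged on.
rem
rem Assumptions (hypothetical names):
rem   ENTRY   - connection created for "Anyone who uses this computer", i.e.
rem             stored in the all-users phonebook
rem             (%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk)
rem   VPNUSER - a dedicated account that has ONLY dial-in permission on the
rem             RRAS server; never reuse an administrative account here.
rem   The password is taken from the first argument so it is not stored in
rem   this file. It is still visible in the task definition, so protect the
rem   task with NTFS permissions and treat the account as low privilege.

set ENTRY=SiteVPN
set VPNUSER=vpnlink
set VPNPASS=%1
if "%VPNPASS%"=="" (
  echo usage: %~nx0 password
  exit /b 1
)

:loop
rem "rasdial" with no arguments lists the active connections. If ours is
rem not among them, dial it again.
rasdial | find /i "%ENTRY%" >nul
if errorlevel 1 (
  rasdial "%ENTRY%" %VPNUSER% %VPNPASS%
  if errorlevel 1 echo %date% %time% dial of %ENTRY% failed>> "%SystemRoot%\keepvpn.log"
)
rem Re-check every 60 seconds. ping is the usual cmd sleep on Windows 2003.
ping -n 61 127.0.0.1 >nul
goto loop

rem --- one-time registration, run once from an administrative prompt ---
rem Starts the loop at boot as LocalSystem, before and independent of any logon:
rem   schtasks /create /tn "VPN keepalive" /tr "C:\Scripts\keepvpn.cmd P@ssw0rd" /sc onstart /ru SYSTEM
rem Check afterwards with:  schtasks /query /tn "VPN keepalive"
```

Two caveats a practitioner would add. First, the password travels on the command line, so it can be read by anyone who can read the task or the process list; this is acceptable only because the account is restricted to dial-in by the RRAS remote access policy. If the entry's credentials were saved for all users when the connection was created, try `rasdial "SiteVPN"` without the user and password arguments; whether SYSTEM can use those saved credentials should be tested rather than assumed. Second, the loop only re-dials; it does not stop the RRAS server from disconnecting an idle client, so clear the idle-timeout settings on the server-side policy as the Microsoft article quoted above describes.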
Jose,

I think either you or I are misinterpreting the statement:
"To configure the answering router for connection persistence, clear the Minutes server can remain idle before it is connected and Minutes client can be connected check boxes on the DIAL-IN Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection (these settings are disabled by default). To configure the calling router for connection persistence, select Persistent connection on the Options tab from the properties of the DEMAND-DIAL interface."

The way I read this, Microsoft is telling you how to ensure that the connection is persistent, first on the answering side, then the calling side.

I recommended the article because it was a good step-by-step walkthrough. There is another way to configure a VPN, and that is to add a security policy on both servers that forces traffic to be encrypted when the network on the other end is accessed. This policy will work at boot, without regard to who is logged in. It is a bit trickier to configure, but once you do get it working, you will gain an understanding of how IP security is handled by the OS. If you want to avoid buying additional hardware (router, VPN box, etc.), I can look for more info that will walk you through IP security.

Regards,

vrobison

Expert Comment by: jose_ramirez (LVL 2)
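As an added example (not vrobison's own configuration), these are the `netsh ipsec static` commands that implement the policy described above on Windows Server 2003: a host-to-host rule that requires ESP for all traffic between the two servers. The security-relevant point is that the IPSEC Services (Policy Agent) service applies an assigned local policy when the machine boots, so the protection does not depend on anyone being logged on, which is exactly what the question asked for. The addresses, the policy and rule names and the pre-shared key are assumptions; the script is run on both servers with LOCAL_IP and REMOTE_IP swapped.

```batch
@echo off
rem ipsec-peer.cmd - added example, not from the thread.
rem Requires ESP between this server and its peer using a static IPsec policy.
rem Run on BOTH servers with the two addresses swapped. All names and
rem addresses below are hypothetical.
set LOCAL_IP=192.0.2.10
set REMOTE_IP=198.51.100.20

rem 1. Policy container (left unassigned until the rule is complete).
netsh ipsec static add policy name="ServerLink" description="Encrypt all traffic to the peer server" assign=no

rem 2. Filter list: all protocols between the two hosts. mirrored=yes also
rem    matches the reverse direction (peer -> local).
netsh ipsec static add filterlist name="ToPeer"
netsh ipsec static add filter filterlist="ToPeer" srcaddr=%LOCAL_IP% dstaddr=%REMOTE_IP% protocol=ANY mirrored=yes

rem 3. Filter action: negotiate ESP with 3DES/SHA1 and PFS.
rem    inpass=no and soft=no mean "never fall back to cleartext", so an
rem    unauthenticated peer simply cannot talk to this host.
netsh ipsec static add filteraction name="RequireESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no qmpfs=yes

rem 4. Rule tying filter list and action together, with the authentication
rem    method. psk= is used here only because it is the quickest to test:
rem    the key is stored in cleartext in the registry. Prefer kerberos=yes
rem    when both servers are in one forest, or rootca="<CA name>" with
rem    machine certificates.
netsh ipsec static add rule name="PeerRule" policy="ServerLink" filterlist="ToPeer" filteraction="RequireESP" psk="replace-with-a-long-random-secret"

rem 5. Assign the policy; the Policy Agent applies it now and at every boot.
netsh ipsec static set policy name="ServerLink" assign=y
netsh ipsec static show policy name="ServerLink" level=verbose
```

Apply the policy from a console or out-of-band session on each server: with `soft=no`, the first side to get the policy refuses cleartext from the peer until the peer negotiates too, so doing this over the very link you are protecting will lock you out. After both sides are configured, send some traffic and confirm the security associations with `netsh ipsec dynamic show mmsas` and `netsh ipsec dynamic show qmsas`. This protects traffic between the two servers themselves (transport mode); carrying the networks behind them would need tunnel-mode rules (`tunnel=`) on both ends, which is what the demand-dial interfaces in the Microsoft article provide in a more manageable form.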
Yes vrobison,
good answer, I think what potsy is expecting is something like that config you've mentioned.
"There is another way to configure a vpn, and that is to add a security policy on both servers that forces traffic to be encrypted when the network on the other end is accessed."
That's what I think, because with my non-fluent and non-native English (I'm from Mexico), what I can read from that document is that you need to establish a dial-up connection, and as far as I know, you need to be logged in, or, as The--Captain said, if you find a way to add a dial-in profile as a service, or something for which you don't need to be logged in, then you'll get a permanent VPN connection, and if you know a trick, please let us know!!
Jose

Author Comment by: potsy (LVL 1)
vrobison,

The IP security sounds like the solution I am looking for; any documentation you have on this subject would be appreciated.

Thanks

Steve