Windows 2003 VPN connection

I have two Windows 2003 server systems that I would like to connect with a VPN. I have configured RRAS on the first system to accept incoming VPN connections and I have set up a user with permission to connect. Then on the second system I opened the networking control panel and followed the wizard to create a new VPN connection. I can connect and everything works great. The problem is that the VPN acts like a dialup connection: I must press the connect button to establish it, then if I log off the computer the connection is terminated. Is it possible to create an always-on VPN connection? If so, how would I do this?

Thanks

Steve

potsy Asked:
 
vrobison Commented:
Jose,

I think either you or I are misinterpreting the statement:
"To configure the answering router for connection persistence, clear the Minutes server can remain idle before it is connected and Minutes client can be connected check boxes on the DIAL-IN Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection (these settings are disabled by default). To configure the calling router for connection persistence, select Persistent connection on the Options tab from the properties of the DEMAND-DIAL interface."

The way I read this, Microsoft is telling you how to ensure that the connection is persistent, first on the answering side, then the calling side.

I recommended the article because it was a good step-by-step walkthrough. There is another way to configure a VPN, and that is to add a security policy on both servers that forces traffic to be encrypted when the network on the other end is accessed. This policy will work at boot, without regard to who is logged in. It is a bit trickier to configure, but once you do get it working, you will gain an understanding of how IP security is handled by the OS. If you want to avoid buying additional hardware (router, VPN box, etc.), I can look for more info that will walk you through IP security.

Regards,

vrobison
0
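The boot-time IP security policy described in the comment above, sketched with `netsh ipsec static` on Windows Server 2003 as an added example (it is not from the thread or from the Microsoft article). It covers the host-to-host (transport mode) case only; the peer address, the policy, filter and rule names, and the key are constructed placeholders, and the script is run on each server with `PEER_IP` set to the other one.

```batch
@echo off
rem Added example: require ESP for all traffic between this server and one peer.
rem The policy is applied by the IPsec service at boot, so no logon is needed.
rem Constructed placeholders (assumptions, not values from the thread):
rem   PEER_IP  - address of the other server (RFC 5737 documentation range)
rem   PSK      - preshared key; replace before use
setlocal
set "PEER_IP=198.51.100.20"
set "POLICY=Encrypt-To-Peer"
set "FLIST=PeerServerTraffic"
set "FACTION=RequireESP"
set "PSK=REPLACE-WITH-LONG-RANDOM-SECRET"

rem 1. Empty policy container.
netsh ipsec static add policy name="%POLICY%" description="Encrypt traffic to peer server"

rem 2. Filter: any protocol between this host ("me") and the peer.
rem    mirrored=yes makes the same filter match the return direction.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=%PEER_IP% protocol=ANY mirrored=yes

rem 3. Filter action: negotiate ESP with 3DES/SHA1.
rem    inpass=no and soft=no mean there is no fallback to cleartext
rem    if the peer cannot negotiate; matching traffic is dropped instead.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmpfs=yes qmsecmethods="ESP[3DES,SHA1]"

rem 4. Rule tying filter and action together, authenticated by preshared key.
rem    A preshared key is stored unprotected in the policy; certificate
rem    authentication (rootca=) is the stronger choice where a CA exists.
netsh ipsec static add rule name="PeerRule" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=no psk="%PSK%"

rem 5. Assign the policy so it becomes active, then print it for review.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

Because the filter action refuses cleartext, assign the policy on both servers in the same maintenance window; with it active on only one side, traffic between the two hosts stops until the other side matches.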
 
frieked Commented:
Have you tried the Cisco VPN client?
I use version 4.0.2 of it and if you go to: Options->Windows logon properties
There is a checkbox for "Disconnect VPN connection when logging off"
0
 
OverSeer Commented:
If it's treating it like a dialup connection, maybe you could use the rasdial command from the command prompt.

rasdial "name of connection" (without the quotes obviously)...

Give that a try...
0
 
vrobison Commented:
There is a very detailed description on how to set up a site-to-site tunnel between 2 Win2003 servers. It is a bit heavy-handed, but it should do the trick.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx

Regards,

vrobison
0
 
jose_ramirez Commented:
It is a very good answer, vrobison, but I think it's not useful, or, as far as I read in that paper, the document is talking about two servers with a persistent or on-demand VPN connection, but a persistent connection has the same problem: dialing is disabled until you're logged on.
So potsy, I suggest getting two routers with VPN function. I've worked with Sonicwall, and it's easy to install and to deploy VPN, and cheap, but there is always the possibility of getting Cisco, Check Point, etc. But for your question I think no, you cannot get a permanent connection with 2 Win2k3.
The exact part of the MS article is:

On-demand vs. Persistent Connections

A site-to-site VPN connection can be on-demand or persistent:
• An on-demand site-to-site connection is a connection that is made when traffic must be forwarded across the connection. The connection is made, the traffic is forwarded, and the connection is terminated after a configured amount of idle time. You can configure idle disconnect behavior for the answering router by setting an idle disconnect on the Dial-in Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection. You can configure idle disconnect behavior for the calling router on the Options tab on the properties of the demand-dial interface in the Routing and Remote Access snap-in.

• A persistent site-to-site connection is always connected. If the connection is dropped, it is immediately retried. To configure the answering router for connection persistence, clear the Minutes server can remain idle before it is connected and Minutes client can be connected check boxes on the DIAL-IN Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection (these settings are disabled by default). To configure the calling router for connection persistence, select Persistent connection on the Options tab from the properties of the DEMAND-DIAL interface.

If the calling router connects to the Internet by using a dial-up link such as an analog phone line or ISDN, then you need to configure a dial-up on-demand site-to-site VPN connection consisting of a single demand-dial interface at the answering router and two demand-dial interfaces at the calling router: one to connect to a local Internet service provider (ISP) and one for the site-to-site VPN connection. Dial-up on-demand site-to-site VPN connections also require an additional host route in the IP routing table of the calling router. For more information, see the topic titled "A dial-up router-to-router VPN connection" in Windows Server 2003 Help and Support.

For either on-demand or persistent site-to-site VPN connections, the answering router is permanently connected to the Internet.

Hope this helps
Jose
0
 
The--Captain Commented:
Although I suspect this is possible given some complex boot-time scripting and registry modification (so the VPN is established as the Administrator at boot-time and then persists across all logins (or no logins) - maybe set to run as a service?), I agree that the correct solution is to terminate VPN connections on firewalls, not workstations or servers.

Cheers,
-Jon

P.S.  I don't like Sonicwall at all
0
 
jose_ramirez Commented:
Yes vrobison,
good answer, I think what potsy is expecting is something like that config you've mentioned.
"There is another way to configure a vpn, and that is to add a security policy on both servers that forces traffic to be encrypted when the network on the other end is accessed."
That's what I think, because my English is not fluent and not native (I'm from Mexico), but what I can read from that document is that you need to establish a dial-up connection, and as far as I know, you need to be logged in, or, as The--Captain said, if you find a way to add a dial-in profile as a service, or something for which you don't need to be logged in, then you'll get a permanent VPN connection, and if you know a trick, please let US know!!
Jose
0
 
potsy Author Commented:
vrobison,

The IP security sounds like the solution I am looking for; any documentation you have on this subject would be appreciated.

Thanks

Steve
0
Question has a verified solution.
