Solved

Windows 2003 VPN connection

Posted on 2004-09-10
3,019 Views
Last Modified: 2010-05-18
I have two Windows 2003 server systems that I would like to connect with a VPN.  I have configured RRAS on the first system to accept incoming VPN connections and I have set up a user with permission to connect.  Then on the second system I opened the networking control panel and followed the wizard to create a new VPN connection.  I can connect and everything works great.  The problem is that the VPN acts like a dialup connection: I must press the connect button to establish it, and then if I log off the computer the connection is terminated.  Is it possible to create an always-on VPN connection?   If so, how would I do this?

Thanks

Steve

Question by:potsy
10 Comments
 
LVL 3

Expert Comment

by:frieked
ID: 12029960
Have you tried the Cisco VPN client?
I use version 4.0.2 of it, and if you go to Options -> Windows Logon Properties,
there is a checkbox for "Disconnect VPN connection when logging off".
 
LVL 5

Expert Comment

by:OverSeer
ID: 12030040
If it's treating it like a dialup connection, maybe you could use the rasdial command from the command prompt.

rasdial "name of connection" (without the quotes obviously)...

Give that a try...
 
LVL 1

Expert Comment

by:vrobison
ID: 12030933
There is a very detailed description of how to set up a site-to-site tunnel between two Win2003 servers.  It is a bit heavy-handed, but it should do the trick.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx

Regards,

vrobison
 
LVL 2

Expert Comment

by:jose_ramirez
ID: 12031591
It is a very good answer, vrobison, but I think it's not useful, or, as far as I read in that paper, the document is talking about two servers with a persistent or on-demand VPN connection, but a persistent connection has the same problem: dialing is disabled until you're logged on.
So potsy, I suggest getting two routers with a VPN function. I've worked with SonicWall, and it's easy to install, easy to deploy a VPN with, and cheap, but there is always the possibility to get Cisco, Check Point, etc. But for your question I think no, you cannot get a permanent connection with two Win2k3 servers.
The exact part of the MS article is:

On-demand vs. Persistent Connections

A site-to-site VPN connection can be on-demand or persistent:

• An on-demand site-to-site connection is a connection that is made when traffic must be forwarded across the connection. The connection is made, the traffic is forwarded, and the connection is terminated after a configured amount of idle time. You can configure idle disconnect behavior for the answering router by setting an idle disconnect on the Dial-in Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection. You can configure idle disconnect behavior for the calling router on the Options tab on the properties of the demand-dial interface in the Routing and Remote Access snap-in.

• A persistent site-to-site connection is always connected. If the connection is dropped, it is immediately retried. To configure the answering router for connection persistence, clear the Minutes server can remain idle before it is connected and Minutes client can be connected check boxes on the DIAL-IN Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection (these settings are disabled by default). To configure the calling router for connection persistence, select Persistent connection on the Options tab from the properties of the DEMAND-DIAL interface.

If the calling router connects to the Internet by using a dial-up link such as an analog phone line or ISDN, then you need to configure a dial-up on-demand site-to-site VPN connection consisting of a single demand-dial interface at the answering router and two demand-dial interfaces at the calling router: one to connect to a local Internet service provider (ISP) and one for the site-to-site VPN connection. Dial-up on-demand site-to-site VPN connections also require an additional host route in the IP routing table of the calling router. For more information, see the topic titled "A dial-up router-to-router VPN connection" in Windows Server 2003 Help and Support.

For either on-demand or persistent site-to-site VPN connections, the answering router is permanently connected to the Internet.

Hope this helps
Jose
 
LVL 16

Expert Comment

by:The--Captain
ID: 12033507
Although I suspect this is possible given some complex boot-time scripting and registry modification (so the VPN is established as the Administrator at boot-time and then persists across all logins (or no logins) - maybe set to run as a service?), I agree that the correct solution is to terminate VPN connections on firewalls, not workstations or servers.

Cheers,
-Jon

P.S.  I don't like Sonicwall at all
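OverSeer's rasdial suggestion and The--Captain's "boot-time scripting, maybe as a service" idea combine into the following, added here as an example and not part of the original thread: a PowerShell watchdog that dials the RRAS phonebook entry and re-dials whenever it drops, registered as a scheduled task that runs as SYSTEM at boot so the tunnel does not depend on anyone being logged on. The entry name HQ-VPN, the script and log paths, and the task name are assumptions; the script also assumes the entry's user name and password were saved with "Anyone who uses this computer" (so SYSTEM can dial without a password on the command line) and that PowerShell has been installed on the 2003 server, where it is an add-on rather than built in.

```powershell
# Added example, not from the thread: keep a Windows RRAS client entry dialed
# without an interactive logon. Run as SYSTEM from a boot-time scheduled task.
#
# Assumptions (not from the original post):
#   - the phonebook entry is named "HQ-VPN"
#   - its user name/password were saved for "Anyone who uses this computer",
#     so SYSTEM can dial it with no password on the command line
#   - PowerShell is installed on the server (it is an add-on for Windows 2003)

$EntryName   = 'HQ-VPN'                       # assumed phonebook entry name
$LogFile     = 'C:\Scripts\vpn-watchdog.log'  # assumed log location
$PollSeconds = 30                             # how often to check the link

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ("{0:u}  {1}" -f (Get-Date), $Message)
}

function Test-RasConnected {
    param([string]$Name)
    # "rasdial" with no arguments prints the names of the entries currently connected.
    $lines = @(& rasdial.exe)
    $hits  = @($lines -match ('^\s*' + [regex]::Escape($Name) + '\s*$'))
    return ($hits.Count -gt 0)
}

function Connect-RasEntry {
    param([string]$Name)
    # Dial with the stored credentials only. Passing "user password" on this
    # line would expose the password in the task definition and in process
    # listings; with no stored credential a non-interactive rasdial simply fails.
    $output = & rasdial.exe $Name 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Log ("rasdial '{0}' failed ({1}): {2}" -f $Name, $LASTEXITCODE, ($output -join ' '))
        return $false
    }
    Write-Log ("rasdial '{0}' connected" -f $Name)
    return $true
}

# Watchdog loop: dial when the entry is down, re-dial after every drop.
while ($true) {
    if (-not (Test-RasConnected -Name $EntryName)) {
        Connect-RasEntry -Name $EntryName | Out-Null
    }
    Start-Sleep -Seconds $PollSeconds
}

# Register once, from an administrator's command prompt, so the loop starts at
# boot as SYSTEM and survives logoff (task name and path are assumptions):
#   schtasks /Create /SC ONSTART /RU SYSTEM /TN "VPN Watchdog" /TR "powershell.exe -NonInteractive -File C:\Scripts\vpn-watchdog.ps1"
```

Because the task runs as SYSTEM, the saved dial-in credential becomes a machine-wide secret: anyone who can run code as SYSTEM on this box can bring the tunnel up. Keep the RRAS account used for the entry limited to dial-in permission only, with no interactive logon rights, and watch the log for repeated failures, which is what you will see if the saved credential is missing or the answering server rejects the account.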
 
LVL 1

Accepted Solution

by:
vrobison earned 500 total points
ID: 12039921
Jose,

I think either you or I am misinterpreting the statement:
"To configure the answering router for connection persistence, clear the Minutes server can remain idle before it is connected and Minutes client can be connected check boxes on the DIAL-IN Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection (these settings are disabled by default). To configure the calling router for connection persistence, select Persistent connection on the Options tab from the properties of the DEMAND-DIAL interface."

The way I read this, Microsoft is telling you how to ensure that the connection is persistent, first on the answering side, then on the calling side.

I recommended the article because it was a good step-by-step walkthrough.  There is another way to configure a VPN, and that is to add a security policy on both servers that forces traffic to be encrypted when the network on the other end is accessed.   This policy will work at boot, without regard to who is logged in.  It is a bit trickier to configure, but once you do get it working, you will gain an understanding of how IP security is handled by the OS.  If you want to avoid buying additional hardware (router, VPN box, etc.), I can look for more info that will walk you through IP security.

Regards,

vrobison
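The "security policy on both servers that forces traffic to be encrypted" in vrobison's answer is an IPsec policy. As an added example, not part of the original thread and not taken from the Microsoft article, here is that policy built on the command line with the netsh ipsec static context that Windows Server 2003 ships. The policy is enforced by the IPsec driver as soon as the IPsec Policy Agent service starts, so it is in force from boot without anyone logging on. The peer address 203.0.113.20, the policy, filter and rule names, and the pre-shared key are placeholders; run the same script on the other server with $PeerAddress pointing back at this one.

```powershell
# Added example, not from the thread: an always-on IPsec policy between two
# Windows Server 2003 hosts using the built-in "netsh ipsec static" context.
# The policy is enforced by the IPsec driver from boot, independent of logon.
# Run on BOTH servers, each with $PeerAddress set to the other server.
#
# Assumptions (not from the original post): the peer address, the names below
# and the pre-shared key are placeholders.

$PeerAddress  = '203.0.113.20'            # assumed address of the other server
$PolicyName   = 'ServerToServer-IPsec'
$FilterList   = 'To-Peer'
$FilterAction = 'Require-ESP'
$RuleName     = 'Peer-Rule'
$PreSharedKey = 'ReplaceWithALongRandomSecretSharedByBothServers'  # lab use only

# 1. An empty policy to hold the rule.
netsh ipsec static add policy "name=$PolicyName"

# 2. A filter list matching all IP traffic between this host ("Me") and the peer.
#    mirrored=yes also matches the reverse direction (peer -> me).
netsh ipsec static add filterlist "name=$FilterList"
netsh ipsec static add filter "filterlist=$FilterList" srcaddr=Me "dstaddr=$PeerAddress" protocol=ANY mirrored=yes

# 3. A filter action that negotiates ESP (encryption + integrity) and refuses
#    to fall back to cleartext:
#    inpass=no  - do not accept unsecured inbound packets from the peer
#    soft=no    - no "soft" SA: if negotiation fails, traffic to the peer is
#                 dropped rather than sent in the clear
netsh ipsec static add filteraction "name=$FilterAction" action=negotiate "qmsecmethods=ESP[3DES,SHA1]" inpass=no soft=no

# 4. A rule tying the filter list and action together, authenticated with a PSK.
#    For production prefer machine certificates (rootca=...) or, inside one
#    domain, kerberos=yes; a PSK sits in the local policy store and is shared
#    by both sides, so a compromise of either server gives it away.
netsh ipsec static add rule "name=$RuleName" "policy=$PolicyName" "filterlist=$FilterList" "filteraction=$FilterAction" kerberos=no "psk=$PreSharedKey"

# 5. Assign the policy so the IPsec Policy Agent applies it now and at every boot.
netsh ipsec static set policy "name=$PolicyName" assign=y

# Verify: the assigned policy, then (after sending some traffic to the peer)
# the negotiated quick-mode security associations.
netsh ipsec static show policy "name=$PolicyName" level=verbose
netsh ipsec dynamic show qmsas
```

This is transport mode between the two hosts: it protects traffic that the servers themselves exchange, which is what the question asks for, but it does not route or protect networks behind them; that is what the site-to-site (tunnel) configuration in the Microsoft article is for. Two practical cautions: with soft=no, a mistake in either side's policy blocks all traffic to the peer, including any RDP session you are managing it over, so apply it from the console or with an out-of-band path available; and if a NAT device sits between the two servers, both ends must support IPsec NAT-T, since AH and unencapsulated ESP do not survive address translation. 3DES/SHA1 is what the 2003 IPsec stack offers; AES arrived in later Windows versions.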
 
LVL 2

Expert Comment

by:jose_ramirez
ID: 12047818
Yes vrobison,
good answer; I think what potsy is expecting is something like the config you've mentioned.
"There is another way to configure a vpn, and that is to add a security policy on both servers that forces traffic to be encrypted when the network on the other end is accessed."
That's what I think, because (with my non-fluent, non-native English; I'm from Mexico) what I can read from that document is that you need to establish a dial-up connection, and as far as I know, you need to be logged in. Or, as The--Captain said, if you find a way to add a dial-in profile as a service, or something for which you don't need to be logged in, then you'll get a permanent VPN connection, and if you know a trick, please let US know!!
Jose
 
LVL 1

Author Comment

by:potsy
ID: 12049070
vrobison,

The IP security sounds like the solution I am looking for. Any documentation you have on this subject would be appreciated.

Thanks

Steve