potsy

Windows 2003 VPN connection

I have two Windows 2003 server systems that I would like to connect with a VPN. I have configured RRAS on the first system to accept incoming VPN connections and I have set up a user with permission to connect. Then on the second system I opened the networking control panel and followed the wizard to create a new VPN connection. I can connect and everything works great. The problem is that the VPN acts like a dialup connection: I must press the connect button to establish it, then if I log off the computer the connection is terminated. Is it possible to create an always-on VPN connection? If so, how would I do this?

Thanks

Steve

frieked

Have you tried the Cisco VPN client?
I use version 4.0.2 of it and if you go to: Options->Windows logon properties
There is a checkbox for "Disconnect VPN connection when logging off"
If it's treating it like a dialup connection, maybe you could use the rasdial command from the command prompt.

rasdial "name of connection" (without the quotes obviously)...

Give that a try...

There is a very detailed description on how to set up a site to site tunnel between 2 Win2003 servers.  It is a bit heavy handed, but it should do the trick.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx

Regards,

vrobison

It is a very good answer, vrobison, but I think it's not useful; as far as I read in that paper, the document is talking about two servers with a persistent or on-demand VPN connection, but the persistent connection has the same problem: dialing is disabled until you're logged on.
So potsy, I suggest getting two routers with VPN function. I've worked with Sonicwall, and it's easy to install and to deploy VPN, and cheap, but there is always the possibility of getting Cisco, Check Point, etc. But for your question I think no, you cannot get a permanent connection with 2 Win2k3.
The exact part of the MS article is:

On-demand vs. Persistent Connections

A site-to-site VPN connection can be on-demand or persistent:
• An on-demand site-to-site connection is a connection that is made when traffic must be forwarded across the connection. The connection is made, the traffic is forwarded, and the connection is terminated after a configured amount of idle time. You can configure idle disconnect behavior for the answering router by setting an idle disconnect on the Dial-in Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection. You can configure idle disconnect behavior for the calling router on the Options tab on the properties of the demand-dial interface in the Routing and Remote Access snap-in.

• A persistent site-to-site connection is always connected. If the connection is dropped, it is immediately retried. To configure the answering router for connection persistence, clear the Minutes server can remain idle before it is connected and Minutes client can be connected check boxes on the DIAL-IN Constraints tab on the profile properties of the remote access policy that is used for the site-to-site VPN connection (these settings are disabled by default). To configure the calling router for connection persistence, select Persistent connection on the Options tab from the properties of the DEMAND-DIAL interface.

If the calling router connects to the Internet by using a dial-up link such as an analog phone line or ISDN, then you need to configure a dial-up on-demand site-to-site VPN connection consisting of a single demand-dial interface at the answering router and two demand-dial interfaces at the calling router: one to connect to a local Internet service provider (ISP) and one for the site-to-site VPN connection. Dial-up on-demand site-to-site VPN connections also require an additional host route in the IP routing table of the calling router. For more information, see the topic titled "A dial-up router-to-router VPN connection" in Windows Server 2003 Help and Support.

For either on-demand or persistent site-to-site VPN connections, the answering router is permanently connected to the Internet.

Hope this helps
Jose
The--Captain

Although I suspect this is possible given some complex boot-time scripting and registry modification (so the VPN is established as the Administrator at boot-time and then persists across all logins (or no logins) - maybe set to run as a service?), I agree that the correct solution is to terminate VPN connections on firewalls, not workstations or servers.

Cheers,
-Jon

P.S.  I don't like Sonicwall at all
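
The boot-time scripting idea raised in this thread, as an added example that is not code from any poster: a batch script that redials the connection with rasdial whenever it is down, meant to run from a startup task so no interactive logon is needed. It assumes the VPN entry was created for all users; the connection name, account name and file paths are placeholders.

```batch
@echo off
rem Added example (not from the thread): keep a VPN phonebook entry connected.
rem Register once from an elevated prompt so it starts at boot without a logon:
rem   schtasks /create /tn "VPN keepalive" /tr C:\vpn\keepalive.cmd /sc onstart /ru SYSTEM
rem Assumptions: the entry is in the all-users phonebook; every name and path
rem below is a placeholder.
setlocal
set "VPN_NAME=SiteB-VPN"
set "VPN_USER=vpn-dialin"
set "PASS_FILE=C:\vpn\dialin.secret"
set "LOG=C:\vpn\keepalive.log"

:loop
rem rasdial with no arguments lists the entries that are currently connected.
rasdial | findstr /i /c:"%VPN_NAME%" >nul
if not errorlevel 1 goto wait

rem Read the password from a file instead of hard-coding it in the script.
rem The file holds one line; quotes or percent signs in it would break the call.
set /p VPN_PASS=<"%PASS_FILE%"
rasdial "%VPN_NAME%" %VPN_USER% "%VPN_PASS%" >nul
if errorlevel 1 (
    echo %date% %time% dial failed, rasdial exit code %errorlevel% >>"%LOG%"
) else (
    echo %date% %time% connected >>"%LOG%"
)
rem Clear the variable so the password does not linger in the environment.
set "VPN_PASS="

:wait
rem Roughly 60 seconds between checks (ping is used as a portable sleep).
ping -n 61 127.0.0.1 >nul
goto loop
```

The password still sits in a readable file and appears on the rasdial command line while dialing, so restrict the directory's ACL to SYSTEM and Administrators and use a dedicated account that has dial-in permission and nothing else.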
ASKER CERTIFIED SOLUTION
vrobison

Yes vrobison,
good answer, I think what potsy is expecting is something like that config you've mentioned.
"There is another way to configure a vpn, and that is to add a security policy on both servers that forces traffic to be encrypted when the network on the other end is accessed."
That's what I think, because of my non-fluent and non-native English (I'm from Mexico), but what I can read from that document is that you need to establish a dial-up connection, and as far as I know, you need to be logged in; or, as The--Captain said, if you find the way to add a dial-in profile as a service, or something where you don't need to be logged in, then you'll get a permanent VPN connection, and if you know a trick, please let US know!!
Jose
potsy

ASKER

vrobison,

The IP security sounds like the solution I am looking for. Any documentation you have on this subject would be appreciated.

Thanks

Steve
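
The IP security policy approach quoted in this thread, as an added example that is not taken from vrobison's answer or any other post: an IPsec tunnel-mode policy built with `netsh ipsec static` on Windows Server 2003, which the IPSEC Services service enforces from boot with no logon involved. It assumes each server already routes for its own subnet; all addresses, names and the key are constructed placeholders.

```batch
@echo off
rem Added example (not from the thread). Run on server A; on server B swap
rem the LOCAL_* and REMOTE_* values. All values below are placeholders.
setlocal
set "LOCAL_GW=192.0.2.10"
set "REMOTE_GW=198.51.100.20"
set "LOCAL_NET=10.1.0.0"
set "REMOTE_NET=10.2.0.0"
set "MASK=255.255.255.0"
set "POLICY=SiteA-to-SiteB"
set "PSK=REPLACE-WITH-LONG-RANDOM-KEY"

netsh ipsec static add policy name="%POLICY%" description="Encrypt traffic to site B"

rem Tunnel-mode filters are one-way, so each direction gets its own filter list.
netsh ipsec static add filterlist name="A-to-B"
netsh ipsec static add filter filterlist="A-to-B" srcaddr=%LOCAL_NET% srcmask=%MASK% dstaddr=%REMOTE_NET% dstmask=%MASK% protocol=ANY mirrored=no
netsh ipsec static add filterlist name="B-to-A"
netsh ipsec static add filter filterlist="B-to-A" srcaddr=%REMOTE_NET% srcmask=%MASK% dstaddr=%LOCAL_NET% dstmask=%MASK% protocol=ANY mirrored=no

rem Require ESP; inpass=no and soft=no rule out any fallback to cleartext.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate inpass=no soft=no qmpfs=yes qmsecmethods="ESP[3DES,SHA1]"

rem The outbound rule tunnels to the remote gateway, the inbound rule to the local one.
netsh ipsec static add rule name="Out" policy="%POLICY%" filterlist="A-to-B" filteraction="Require-ESP" tunnel=%REMOTE_GW% kerberos=no psk="%PSK%"
netsh ipsec static add rule name="In" policy="%POLICY%" filterlist="B-to-A" filteraction="Require-ESP" tunnel=%LOCAL_GW% kerberos=no psk="%PSK%"

rem Activate the policy, then print it so the rules can be reviewed.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
```

A preshared key is used here only to keep the example short; it is stored readable in the policy, so certificate authentication is the stronger choice for anything beyond a test.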