Site to Site VPN - WIN2k Server

Can someone provide some detail on configuring a site to site VPN between 2 Windows 2000 servers
andreacadiaAsked:
mikeleebrlaCommented:
There is no one guide that works for all networks, as all networks are different. There are also different types of VPNs, and they are set up differently. Windows 2000 Server can do PPTP and L2TP VPNs. PPTP is much easier to set up but is less secure, and depending on what router/firewall you have, your firewall/router may not allow GRE (protocol 47, not port 47) to pass through it. In a server-to-server setup like you are talking about, one machine will actually act as the server and the other is just a client as far as the VPN is concerned. You will need to install Routing and Remote Access (RRAS) on the server computer. Then just go into RRAS and set up the VPN; by default PPTP and L2TP connections are enabled. Do both servers have 2 NICs? They don't have to, but it changes the way you set it up. Are you trying to connect 2 networks together, or just allow the server on one end to be able to VPN to the other server? Again, there is no one canned answer; it all depends on your setup and what you want to do with the VPN.
0
Debsyl99Commented:
Hi
Mike's correct in what he said, there are so many different ways that you could go about this. For what it's worth though, I'd always go with IPSEC as it's more secure (and believe me, if there is a way in, the script kiddies will find it) and a hardware firewall/router if at all possible and encapsulate all traffic within IPSEC 3DES encryption.

The following links contain a lot of sub-links and information, how-to's and step-by-step guides:

Virtual Private Networks for Windows 2000
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
White Paper IPSec Executive Summary
http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.htm
IPSec Overview Part Three: Cryptographic Technologies
http://www.ciscopress.com/articles/article.asp?p=25473
Step-by-Step Guide to Internet Protocol Security (IPSec)
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

It really depends on how your budget is, and how much time you have available to research, test and practise the setup. We use Cisco pix based firewalls and they have proved (so far) extremely secure and reliable.

Deb :))
0
andreacadiaAuthor Commented:
Thanks for the comments... I understand what you guys are saying and I realize that there are many ways to implement a VPN. What I am asking is how I can connect my 2 networks using a Windows 2000 server in each location.

Essentially simulating a hardware based site to site VPN.  Clients on each network should be able to communicate with clients on the opposite network.

Is there a way to accomplish this with a Windows 2000 server in each location?
0
andreacadiaAuthor Commented:
eleventy5,

Does this require Windows 2000 ADVANCED Server?
0
mikeleebrlaCommented:
It shouldn't; the main difference between Standard and Advanced Server is that Advanced has clustering options and can handle more memory and more processors.
0
andreacadiaAuthor Commented:
Would this require each server having 2 NICs?
0
eleventy5Commented:
The scenario listed on the link I gave requires 2 NICs in the servers.
0
andreacadiaAuthor Commented:
I am a little confused as far as where the VPN servers would sit in the network. Does this mean that each VPN server would have to be the default gateway to the Internet for the networks?

Take for example one of my LANs, which I will refer to as LAN A:

LAN A ---- > Router ------> Internet <------- Router <-------- LAN B

LAN A consists of a single private subnet (192.168.1.0/24) with one default gateway to the Internet (.1, a router performing NAT). Where would the VPN server sit on the network in order to tunnel certain traffic to LAN B? Also, how would we set up the 2 interfaces on the VPN server?
0
eleventy5Commented:
The method listed in the link I gave required one network card with a live IP address (directly connected to the Internet) and one on the local subnet. Traffic on the LAN A subnet destined for the LAN B network would be routed to the server. The default gateway could still be set to the router.

I am guessing you don't have an available live IP address for the server, or would rather not open the server to the Internet in this fashion. I am unsure if 2 NICs are required to make the Routing and Remote Access VPN connection route correctly, as I have never personally set a VPN up in this way. You could try setting up the VPN connection between the 2 servers, one side being the server and the other side being the client as listed in the earlier link. Make sure ports are forwarded on the routers and you are able to connect the VPN and pass traffic back and forth between the two servers. Set a static route on the workstations on LAN A to point all traffic for LAN B to the LAN A server, and a static route on all of the LAN B workstations to point LAN A traffic to the LAN B server. If this were to work, it would only require 1 NIC in each server, but I am thinking there is a reason the Microsoft recommended configuration requires 2 NICs. I would bet that the two servers will have no problem talking to each other, but that the server will not know how to route traffic received from the network across the VPN connection. I could be wrong, so this might be worth a shot.

Good Luck!
0
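The single-NIC plan above hinges on two things: the LAN A workstations must have a static route sending LAN B traffic to the VPN server instead of the NAT router, and the VPN server must actually forward what it receives into the tunnel. The following added example (not from the thread or from Microsoft's guide) models that path with a longest-prefix-match route lookup; the LAN A server address 192.168.1.10 and the LAN B subnet 192.168.2.0/24 are assumed values, only LAN A 192.168.1.0/24 and its .1 gateway come from the question.

```python
import ipaddress

# Constructed topology: LAN A and its NAT router at .1 are from the question;
# the VPN server's LAN address and the LAN B subnet are assumed values.
LAN_A = ipaddress.ip_network("192.168.1.0/24")
LAN_B = ipaddress.ip_network("192.168.2.0/24")        # assumed
VPN_SERVER_A = "192.168.1.10"                           # assumed
ROUTER_A = "192.168.1.1"


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop, interface) rows."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def trace(dst, workstation_static_route=True, server_forwards=True):
    """Follow a packet from a LAN A workstation toward dst; return hop labels."""
    workstation = [
        (LAN_A, None, "direct"),                         # on-link delivery
        (ipaddress.ip_network("0.0.0.0/0"), ROUTER_A, "router"),  # default gw
    ]
    if workstation_static_route:
        # 'route add 192.168.2.0 mask 255.255.255.0 192.168.1.10' equivalent
        workstation.append((LAN_B, VPN_SERVER_A, "vpn-server-a"))
    server_a = [
        (LAN_A, None, "lan-nic"),
        (LAN_B, "tunnel-peer", "vpn-tunnel"),             # PPTP/L2TP link to LAN B
    ]

    hops = []
    _, iface = lookup(workstation, dst)
    hops.append(iface)
    if iface == "direct":
        return hops + ["delivered"]
    if iface == "router":
        # NAT router has no route for LAN B, so only Internet traffic survives here
        return hops + (["dropped"] if ipaddress.ip_address(dst) in LAN_B
                       else ["internet-via-nat"])
    if not server_forwards:
        return hops + ["dropped"]                        # RRAS routing not enabled
    _, iface = lookup(server_a, dst)
    hops.append(iface)
    return hops + ["vpn-server-b", "delivered"]
```

A LAN B host is reached only when both conditions hold; removing the static route sends the packet to the NAT router, and a server that does not forward drops it at the first hop.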