Windows Server 2003 site-to-site VPN

Hi all experts...

I want to set up a site-to-site VPN on Windows Server 2003 Std Edition. Both sides have an external IP address and 2 NIC cards.

1. Do I need 2 routers, one for each side? Or can I just use Windows Server 2003 RRAS as the router?
2. Any recommended site for more information?

Regards
Kevin
kevin203 Asked:
Rob Williams Commented:
>>"The VPN is connected but no more access to the server anymore."
Do you mean no access to the server locally?
If so try putting the LAN adapter at the top of the list in the binding order. To do so go to: control panel | network connections | on the menu bar - advanced | advanced settings | adapters and bindings
Sometimes you cannot apply this change. If so see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
 
Rob Williams Commented:
It is not easy to configure, but you may find the following site helpful:
http://technet2.microsoft.com/windowsserver/en/library/74f65f37-9482-4316-a2e9-4e1e295457d71033.mspx?mfr=true
You do not need to add routers to connect 2 2003 server sites by VPN.

Installing VPN routers at each site and creating a VPN hardware solution is much easier and has definite advantages. This can be done for as little as $125 US/site using Linksys BEFVP41 routers, though I would recommend the Linksys RV042 at about 50% more, or, if within the budget, Cisco ASA 5500s.
 
NickGT20 Commented:
Yes, two Windows 2003 Servers can do a site-to-site via RRAS; they have to have a world-addressable IP. IPsec site-to-site VPNs do not support NAT. Even though this is possible, I would HIGHLY recommend considering two routers that are VPN capable on either end and putting the servers behind them for protection. Unless you feel like running ISA Server or something that is semi-built for this, I would steer clear of putting a Windows box in the wild with sensitive data.
 
sparkofgenius Commented:
I would recommend getting two hardware VPN routers and running your VPNs through them using RRAS. If you do not want to use hardware VPNs then get two licenses for ISA and set them up using ISA and RRAS.

It is not as secure to use ISA as to use hardware VPNs. Information sent over a VPN secured using ISA is unencrypted and viewable in plain text if someone were to sit and grab packets. Hardware VPNs can encrypt the data and make it much harder for outside influences to view.

As both of the previous comments have stated, use hardware VPNs - it's the safest and most secure way of doing it - and by far the easiest!
 
kevin203 Author Commented:
Okay... the only problem I face now is that on both sides the router also passes the ISP IP addresses straight through to the NIC. Which means on both sides the NIC IP address shown is from the ISP and not the router IP address.
 
Rob Williams Commented:
Sorry, could you clarify that last statement?
 
kevin203 Author Commented:
I mean the NIC IP address is using the ISP IP address instead of using the IP address given by the router itself.
 
kevin203 Author Commented:
Dear all experts...

Please tell me if it works in this environment, like below:

Place A:
OS: Windows Server 2003 (2 servers)
Interface: 2 NICs (no router DHCP IPs are assigned) for each server.
Server 1: DNS, DHCP, RRAS, Exchange and AD
Server 2: RRAS

Place B:
OS: Windows Server 2003
Interface: 2 NICs (same setting as above)
Services: DNS, DHCP, RRAS, Exchange & AD

Can I connect both sites by site-to-site VPN? Or is there anything I need to create or modify?
 
Rob Williams Commented:
>>"Can I connect both sites by site-to-site VPN?"
Yes, as mentioned above you can, but there are many steps to configure it. The better option for site-to-site is to purchase 2 routers. This is easier, more secure, and will give you better performance.
 
sparkofgenius Commented:
Like RobWill said above, buy two routers! We use Netgear VPN concentrators in each location and we have never had a problem.
 
kevin203 Author Commented:
But it all depends on budget. I will try to configure it using RRAS between the 2 servers and sites.
 
Rob Williams Commented:
It will work, but it takes quite a while to get familiar with all the required options, certificate creation, policies, and routing, such that if you consider the cost of your time, it will probably be cheaper to buy a couple of basic VPN routers. Once they are installed, you have better security and performance, and it is much easier to troubleshoot when you have a problem. I do understand though, budgets can be a problem.
Let us know how you make out.
 
kevin203 Author Commented:
Alright... if worst comes to worst, can I just create a VPN connection from a server to the server at the other site and share the VPN connection with all the internal clients? What I mean is a one-site VPN connection.
 
Rob Williams Commented:
That should work, but it's not a great solution. If you do so, make sure the VPN client has "use remote default gateway" disabled or your users will lose access to the server while the VPN is connected. It is located at:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP - properties | Advanced | General | un-check "Use default gateway on remote network"
 
kevin203 Author Commented:
Yeah... I understand that, as I have set up many types of VPN software and hardware before.
 
kevin203 Author Commented:
I managed to create a VPN connection between the 2 sites, and the connection is so strong that it can be shared with all the other clients within the network.
 
Rob Williams Commented:
Excellent. Sounds great.
 
kevin203 Author Commented:
But this VPN connection is meant for clients to talk to the remote server only, and not for clients to talk to remote clients. Which means one of the client PCs can ping and share files with the other site's client PC.
 
Rob Williams Commented:
Not sure what you are asking, but it sounds like you have created a site-to-site VPN. Doing so effectively puts all PCs on the same network, allowing any PC to connect to any other PC.

If you don't want that, you can enable the Windows firewall and, under scope options for the various exceptions, set the scope to only allow connections from the local subnet.
 
Rob Williams Commented:
Also, I suspect in your VPN configuration you have specified the remote site connection information as a subnet, such as 192.168.123.0 255.255.255.0. You may be able to specify just an IP, that of the server, using 192.168.123.123 255.255.255.255.
 
kevin203 Author Commented:
Do you mean the static routing? Set the routing to a single PC IP instead of all?
 
Rob Williams Commented:
No, in the VPN configuration itself.
I haven't done a site-to-site with 2 Windows servers since early Win2000 days, so I don't know where you set it, but in most VPN configurations you define the remote network to which you are connecting. With site-to-site, as a rule you would specify the remote subnet. If you can change that to a single IP it should resolve your problem.
 
kevin203 Author Commented:
Dear RobWill

After I followed your lead and changed the static route to the fixed IP of the server instead of putting '0', the replies are getting well, but can I put in 2 static routes for a single site-to-site VPN?

I get this message, "TTL expired in transit", when I try to ping the other site's server. What does this mean anyway?

Regards
Kevin
 
Rob Williams Commented:
>>"After I followed your lead and changed the static route to the fixed IP of the server instead of putting '0'"
Sorry, I meant in the VPN configuration, not on the router.
I am assuming you have not changed course and purchased VPN routers to create the tunnel.
 
kevin203 Author Commented:
Yeah, absolutely. I set it in the VPN server.
 
Rob Williams Commented:
Yes, you can add multiple static routes.
Not sure why you would be getting the "TTL expired in transit" error. It usually indicates too many hops, i.e. taking too long to reach the destination.
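
The routing behaviour behind three points raised in this thread (the "Use default gateway on remote network" checkbox, entering the remote site as a /24 versus a single /32 host, and the "TTL expired in transit" reply to ping) can be seen on a small model. The following is an added example written for this page, not code from the thread, from Windows or from Microsoft: it imitates Windows route selection (longest prefix first, then lowest metric) on hand-built route tables and walks a packet hop by hop while decrementing its TTL. All addresses, interface names and metrics are assumed for illustration. With only a couple of hops between two sites, a TTL expiry almost always means a routing loop rather than a long path, and the last scenario builds one: the remote default gateway left enabled on both demand-dial interfaces, so each server's default route points at the other.

```python
"""Constructed route-lookup and forwarding model for the RRAS thread above.
Not Windows code: it imitates Windows route selection (longest prefix first,
then lowest metric) on hand-built tables so the effects discussed in the
thread can be seen without two servers. Addressing is assumed."""
import ipaddress


class RouteTable:
    """Entries: (destination network, next hop or None if on-link, interface, metric)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(net), nh, iface, metric)
                       for net, nh, iface, metric in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        # Most specific prefix wins; a lower metric breaks ties.
        return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def egress(table, dst):
    """Name of the interface a packet to dst leaves on (None: no route)."""
    route = table.lookup(dst)
    return None if route is None else route[2]


# 1. A client on LAN 192.168.1.0/24 (assumed) with a VPN dialled to the other
#    site. Windows gives the dial-up/VPN default route a low metric, so ticking
#    "Use default gateway on remote network" pulls everything that is not on
#    the local subnet into the tunnel.
CLIENT_BASE = [("192.168.1.0/24", None, "LAN", 20),
               ("0.0.0.0/0", "192.168.1.1", "LAN", 20),
               ("192.168.2.0/24", "tunnel", "VPN", 1)]
CLIENT_PLAIN = RouteTable(CLIENT_BASE)
CLIENT_REMOTE_GW = RouteTable(CLIENT_BASE + [("0.0.0.0/0", "tunnel", "VPN", 1)])


# 2. RRAS server at site A (assumed WAN gateway 203.0.113.1). The remote side
#    can be entered as the whole subnet or as a single host (/32).
def site_a_table(remote_entry):
    return RouteTable([("192.168.1.0/24", None, "LAN", 20),
                       ("0.0.0.0/0", "203.0.113.1", "WAN", 20),
                       (remote_entry, "tunnel", "DD-SiteB", 1)])


# 3. Hop-by-hop forwarding with a TTL, the way routers handle it.
def forward(nodes, links, start, dst, ttl=128):
    """nodes: name -> RouteTable; links: (node, interface) -> neighbour name.
    Every forwarding hop decrements TTL; when it reaches 0 the packet is
    dropped and the sender gets ICMP Time Exceeded ("TTL expired in transit")."""
    path, node = [start], start
    while True:
        route = nodes[node].lookup(dst)
        if route is None:
            return "destination unreachable", path
        if route[1] is None:            # on-link: delivered from this hop
            return "delivered", path
        ttl -= 1
        if ttl == 0:
            return "TTL expired in transit", path
        node = links[(node, route[2])]
        path.append(node)


def two_site_scenario(remote_default_on_both):
    """Two RRAS servers joined by one demand-dial link ("DD"). With the remote
    default gateway enabled on both ends, each server's default route points
    at the other, and a ping to an address on neither LAN loops until TTL is 0."""
    a_routes = [("192.168.1.0/24", None, "LAN", 20), ("192.168.2.0/24", "tunnel", "DD", 1)]
    b_routes = [("192.168.2.0/24", None, "LAN", 20), ("192.168.1.0/24", "tunnel", "DD", 1)]
    if remote_default_on_both:
        a_routes.append(("0.0.0.0/0", "tunnel", "DD", 1))
        b_routes.append(("0.0.0.0/0", "tunnel", "DD", 1))
    nodes = {"RRAS-A": RouteTable(a_routes), "RRAS-B": RouteTable(b_routes)}
    links = {("RRAS-A", "DD"): "RRAS-B", ("RRAS-B", "DD"): "RRAS-A"}
    return {"to_site_b": forward(nodes, links, "RRAS-A", "192.168.2.10", ttl=8),
            "to_unknown": forward(nodes, links, "RRAS-A", "10.9.9.9", ttl=8)}


if __name__ == "__main__":
    print("Internet-bound, box unticked:", egress(CLIENT_PLAIN, "8.8.8.8"))
    print("Internet-bound, box ticked:  ", egress(CLIENT_REMOTE_GW, "8.8.8.8"))
    for entry in ("192.168.2.0/24", "192.168.2.10/32"):
        t = site_a_table(entry)
        print(entry, "-> server:", egress(t, "192.168.2.10"), " other PC:", egress(t, "192.168.2.50"))
    print("specific routes only:", two_site_scenario(False))
    print("remote default on both:", two_site_scenario(True))
```

Run it with python3. The "box ticked" line shows Internet traffic leaving on the VPN interface while the local subnet is still reached on the LAN; the /32 line shows that the site B server is reachable over the tunnel but a second PC at site B falls to the WAN default route, which is why a host entry limits the tunnel to one machine; the loop scenario returns the expired string with the packet bouncing A, B, A, B until the TTL is used up. In the model the cure is the same as in practice: keep only the specific subnet (or host) routes on the demand-dial interface and do not let either side install a default route over the tunnel.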
 
kevin203 Author Commented:
Yeah... I am new to this environment, as I have set up many VPN servers using WatchGuard and Fortinet firewalls. So does this problem only lie in Windows RRAS?
 
Rob Williams Commented:
Windows site-to-site using RRAS is really designed for an open site-to-site. It can be configured, but I am not familiar with doing so. ISA Server gives you more control, but for less money you could set up 2 WatchGuard SOHOs, which would be my recommended method.
 
kevin203 Author Commented:
Which model do you refer to?
 
Rob Williams Commented:
I haven't used WatchGuard for a while, but if you do not have too many users, the SOHO 6 with appropriate licenses might be suitable.
 
kevin203 Author Commented:
There are so many problems with the site-to-site VPN though. I tried so many things out, for example putting in the fixed IP for both sides, registering A host records in both sides' DNS, and static routes. After I rebooted the server, everything seemed to be working, but just after a few minutes the connection to the other side's server went down, although the VPN link is still shown as connected in RRAS. Any idea what happened?
 
Rob Williams Commented:
As I mentioned earlier, I haven't configured one in years, and it is a nuisance to do so. For the amount of time spent, as I and others suggested earlier, it is better to install 2 VPN routers, even Linksys BEFVP41s. A hardware solution is easy to configure, more secure, and gives better performance.
 
kevin203 Author Commented:
Yeah... this is the best solution, but I also need it as a secondary VPN server for my customer, as they have heavy VPN users and an FTP server.
 
kevin203 Author Commented:
I created another site-to-site VPN again lately to test out a Mac user. At first the Mac user managed to connect to Exchange and access shared folders on the other site's server. So happy with that, but this is only a temporary solution. The link failed after a while. The VPN is connected but no more access to the server anymore.

Is this a Microsoft issue or myself?
 
kevin203 Author Commented:
By "locally" do you mean the internal network?
 
Rob Williams Commented:
Yes.
 
Rob Williams Commented:
Thanks Kevin.
Cheers!
--Rob