Win2k Secure TCP/IP

Posted on 2009-07-01
Last Modified: 2012-05-07
I have a couple of win2k machines that are on separate networks and separate domains.  I need a persistent and secure TCP/IP tunnel between the two.

What is the quickest, cheapest, and most reliable way to get that going?

I cannot use a hardware-based VPN since one of the servers is not owned by us and we cannot place additional hardware there.

The connection needs to be established at boot up and needs to stay connected so that our TCP/IP application can communicate securely.

Our app is a simple socket to socket TCP/IP over a single port that is persistent.


Question by:wskorski

Accepted Solution

Bill Bach earned 250 total points
ID: 24759251
Quick, Cheap, and Reliable: Pick any two!

A few possibilities to consider:
1) You mention that hardware VPN is not possible, as one server is not under your control from the network perspective.  However, what about a software VPN (installed on the remote server) connecting back to your own hardware-based firewall?  I am thinking that a SonicWall Firewall/VPN solution (e.g. TZ190 on the small end, or any of the larger units) would provide high-speed VPN capabilities, and would be able to work with a small VPN client on the server that you cannot access for hardware.  (This assumes that you can install software there, of course.) (Quick and Reliable)

2) It sounds like the app is your own application.  Why not encrypt the data at the app level, and allow the system to use normal unencrypted TCP connections for data transfer?  This might be a bit slower and add some CPU overhead, but you can use an open-source encryption module (e.g. Blowfish) to implement the encryption (or just do some simple data mangling, even).  (Quick and Cheap)

3) Using a repeater might be a viable option, if you don't want to mess with any of this.  The PC-HelpWare tool (a free component similar to VNC) has a "repeater" component which provides source code as well.  It would be possible to implement the repeater on a public server (owned by you, of course), and then have the remote server connect to the repeater, and your own system connect to the repeater on the other end, and it can funnel traffic through to you.  As PCHelpware is also open source, you'll have the source code to build your own, using whatever ports and security you want to.  (Cheap and Reliable)
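Added example (not from the thread or from either answerer): what option 2, "encrypt the data at the app level", looks like when done properly on a persistent single-port TCP stream. It swaps Blowfish and "data mangling" for AES-256-CBC with a fresh random IV per message plus an HMAC-SHA256 tag over IV||ciphertext (encrypt-then-MAC), and length-prefixes every message so the receiver can re-frame the byte stream. It uses only .NET Framework 2.0 classes, so Windows PowerShell on an old server can run it. The two keys, the port (loopback, chosen by the OS) and the sample message are placeholders; in practice derive two independent keys from whatever secret the two sides share.

```powershell
# Added example, not from the thread: app-level protection of a persistent
# TCP stream.  AES-256-CBC + HMAC-SHA256 (encrypt-then-MAC), length-prefixed
# frames.  Keys below are placeholders.

$EncKey = [byte[]](1..32)       # placeholder 256-bit AES key
$MacKey = [byte[]](101..132)    # placeholder HMAC key, distinct from $EncKey

function Protect-Message {
    param([byte[]]$Plaintext, [byte[]]$EncKey, [byte[]]$MacKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Key = $EncKey; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.GenerateIV()                                   # never reuse an IV with CBC
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $body = [byte[]]($aes.IV + $ct)                     # IV(16) || ciphertext
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$MacKey)
    $frame = [byte[]]($body + $hmac.ComputeHash($body)) # || tag(32)
    $len = [System.BitConverter]::GetBytes([int32]$frame.Length)
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($len) }  # big-endian prefix
    return ,[byte[]]($len + $frame)
}

function Unprotect-Message {
    param([byte[]]$Frame, [byte[]]$EncKey, [byte[]]$MacKey)
    if ($Frame.Length -lt 64) { throw 'frame too short' }   # IV + one block + tag
    $body = [byte[]]($Frame[0..($Frame.Length - 33)])
    $tag  = [byte[]]($Frame[($Frame.Length - 32)..($Frame.Length - 1)])
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$MacKey)
    $expected = $hmac.ComputeHash($body)
    $diff = 0                                           # constant-time tag compare
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'MAC mismatch: frame rejected before decryption' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Key = $EncKey; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.IV = [byte[]]($body[0..15])
    $ct = [byte[]]($body[16..($body.Length - 1)])
    return ,($aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length))
}

function Read-Exactly([System.IO.Stream]$Stream, [byte[]]$Buffer) {
    $got = 0                                            # TCP may deliver partial reads
    while ($got -lt $Buffer.Length) {
        $n = $Stream.Read($Buffer, $got, $Buffer.Length - $got)
        if ($n -le 0) { throw 'peer closed mid-frame' }
        $got += $n
    }
}

function Read-Message([System.IO.Stream]$Stream, [byte[]]$EncKey, [byte[]]$MacKey) {
    $lenBuf = New-Object byte[] 4
    Read-Exactly $Stream $lenBuf
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($lenBuf) }
    $len = [System.BitConverter]::ToInt32($lenBuf, 0)
    if ($len -lt 64 -or $len -gt 1MB) { throw "bad frame length $len" }  # bound before allocating
    $frame = New-Object byte[] $len
    Read-Exactly $Stream $frame
    return ,(Unprotect-Message $frame $EncKey $MacKey)
}

# Loopback demo: listener and sender in one process (constructed sample message).
$listener = New-Object System.Net.Sockets.TcpListener ([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect('127.0.0.1', $listener.LocalEndpoint.Port)
$server = $listener.AcceptTcpClient()

$wire = Protect-Message ([System.Text.Encoding]::UTF8.GetBytes('ORDER 4711 QTY 3')) $EncKey $MacKey
$client.GetStream().Write($wire, 0, $wire.Length)
$plain = Read-Message $server.GetStream() $EncKey $MacKey
[System.Text.Encoding]::UTF8.GetString($plain)

# Tamper: flip one ciphertext bit (offset 20 = after 4-byte length + 16-byte IV);
# the tag check rejects the frame before AES ever runs.
$wire[20] = $wire[20] -bxor 1
$client.GetStream().Write($wire, 0, $wire.Length)
try { Read-Message $server.GetStream() $EncKey $MacKey } catch { "rejected: $_" }

$client.Close(); $server.Close(); $listener.Stop()
```

Two points the code makes that the paragraph does not: the receiver bounds the length prefix before allocating, and it checks the MAC before touching the ciphertext, so a padding error can never be observed by the peer. What it does not solve is key distribution and replay; both ends must already hold the two keys, and a sequence number inside the plaintext is the usual replay guard. It also only helps when both ends of the application are under your control, which is exactly the case the asker later rules out.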


Assisted Solution

PWeerakoon earned 250 total points
ID: 24759442
You can use IPSec Transport mode to establish an encrypted connection between the two servers.

IPSec software is built into Windows 2000 and above.

Here's a configuration guide...

You can use a pre-shared key to establish the connection because the remote server is not under your control for AD-integrated Kerberos and I assume you don't have certificates.

Basically, the idea is to set up an IPSec policy that would encrypt IP packets going from your server IP address to the remote server IP address. The IPSec policy engine loads at boot-time and sits above the network layer, so anything that is sent from the operating system to the network is inspected and encrypted if it matches the policy.

The downside is the encryption is done by the server CPU unlike a dedicated VPN hardware device. However, you can get a network card that has an 'IPSEC offload' chip so that the processing is done on the NIC (if performance is a problem).

Also, starting with Windows XP SP2 and I believe Server 2003 SP2, you have to manually configure a registry key to get IPSEC to work over a NAT. Research IPsec NAT-T for this.
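Added example (not from the thread or from the answerer): the transport-mode policy described above, scripted with the `netsh ipsec static` context. That context exists on Windows XP SP2 / Server 2003 and later, not on Windows 2000; on Win2k the same policy is built in the IP Security Policy MMC snap-in or with ipsecpol.exe from the Resource Kit, with the same filter list / filter action / rule structure. The addresses, port, policy names and pre-shared key are placeholders, and the registry value at the end is the NAT-T setting the answer refers to.

```powershell
# Added example, not from the thread: transport-mode IPsec between two hosts,
# PSK-authenticated, requiring ESP on the application port.  Run elevated on
# BOTH hosts with $LocalIP/$RemoteIP swapped and the same $Psk.

$LocalIP  = '192.0.2.10'      # this server (placeholder)
$RemoteIP = '198.51.100.20'   # the other party's server (placeholder)
$AppPort  = 5000              # the application's single TCP port (placeholder)
$Psk      = 'replace-with-a-long-random-secret'   # keep it free of whitespace:
                              # PowerShell re-quotes arguments containing spaces
                              # and netsh then misparses them
$Policy   = 'App-Transport-ESP'

# 1. Policy container (default main-mode settings).
netsh ipsec static add policy "name=$Policy"

# 2. Filter list: only the app port to/from the peer.  mirrored=yes adds the
#    reverse filter so the peer's replies match as well.
netsh ipsec static add filterlist name=AppTraffic
netsh ipsec static add filter filterlist=AppTraffic "srcaddr=$LocalIP" "dstaddr=$RemoteIP" protocol=TCP srcport=0 "dstport=$AppPort" mirrored=yes

# 3. Filter action: negotiate ESP (confidentiality + integrity).  3DES/SHA1 is
#    the strongest this generation of Windows offers.  inpass=no rejects
#    unprotected inbound packets; soft=no refuses to fall back to cleartext
#    when negotiation fails, otherwise the crypto can silently disappear.
netsh ipsec static add filteraction name=RequireESP action=negotiate 'qmsecmethods=ESP[3DES,SHA1]' inpass=no soft=no

# 4. Rule binding list and action, authenticated by PSK (Kerberos is not an
#    option across two domains that do not trust each other).
netsh ipsec static add rule name=AppRule "policy=$Policy" filterlist=AppTraffic filteraction=RequireESP kerberos=no "psk=$Psk"

# 5. Assign the policy.  It is stored in the registry and loaded by the IPsec
#    Policy Agent service at boot, which gives the "established at boot" behaviour.
netsh ipsec static set policy "name=$Policy" assign=y

# 6. NAT traversal.  Behind a NAT, IKE switches to UDP 4500 (NAT-T), and
#    XP SP2 / Server 2003 SP1 and later refuse NAT-T to a peer that is itself
#    behind a NAT unless this value is set (2 = allow both peers behind NATs).
#    Vista and later read the same value under ...\Services\PolicyAgent.
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPsec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f

# Verify the assignment and, after the first application packet, that a
# quick-mode SA to the peer exists.
netsh ipsec static show policy "name=$Policy"
netsh ipsec dynamic show qmsas
```

Any firewall between the two hosts must pass IKE (UDP 500), NAT-T (UDP 4500) and, without NAT, ESP itself (IP protocol 50); the PSK is a shared secret, so it should be long, random and rotated, since anyone holding it can impersonate either end.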


Author Comment

ID: 24759607
Thanks BillBach:
1) Sorry I forgot to mention.  My server is already running a Cisco VPN client on it, and you can't have two soft VPN clients running on the same server, as far as I know.

2) Our TCP listener is our own, but the remote TCP sender is not.

3) PCHelpware?  Where does the encryption take place?

Author Comment

ID: 24806265
Ok, IPSec was easy enough to set up except IPSec does not play well with NAT.  It even does worse if you have NAT on both ends.

I ended up using Zebedee to create a VPN tunnel.  It's free and works very well.

