Link to home
Start Free TrialLog in
Avatar of TARJr
TARJr

asked on

How can I do site-to-site VPN tunneling between 2 Win 2008 servers

I have 2 servers that I would like to connect to each other over the Internet. I would like the traffic between them encrypted and compressed. Both servers are running Windows 2008 Std SP2/64-bit.
Is it possible to do this with say IPSec/L2TP without the need for extra hardware and using stand-alone servers (no DCs)?
Avatar of hypercube
hypercube
Flag of United States of America image
I think that "no DC" is fine.  Not really a topic here.  But, name service could be a related topic or could be purposefully avoided by using IP addresses for inter-site connections.

There are two ways to do site-to-site VPNs in my mind.  Perhaps there are more but....

1) You have boxes (VPN deives) at the periphery of each network.  Each has a public IP address.  Often this is the same device that is the gateway/firewall so only one public IP address is needed.

In this case, packets arrive on the local subnet addresses to whichever host they are destined for.
It's pretty straightforward.

2) You have firewalls with the VPN devices behind them.  This requires that IPSEC passthrough be implemented in the firewall.  If there are multiple layers of firewall/routers then you have to assure the passthrough is working in order for the VPNs to work.

In this case, packets arrive at some internal box.  If it's a router or a computer configured as router then presumably the packets get out onto the LAN wire.

Some configurations (such as with RV042) will only allow the VPN terminus boxes to be "inside" like this.  The other has to be on the periphery of the network with a public IP address.  Maybe this is universa for a good technical reasonl, I don't know.  Just something to be aware of if you're considering doing this sort of thing.

My strong bias would be to put something like RV042s at the periphery of the LANs if you have the public IP addresses available.  Then the packets would be unencrypted inside the LANs - is that an issue?  This assumes that the servers aren't on the periphery of the LAN.  

If the servers are also the firewall/router/gateway then they're on the periphery and you might implement VPN software on the two "ends".  Each server would have at least 2 NICs, one "outside" with a public address and one "inside" on the LAN.  Then the server acts to put VPN-borne packets out onto the local LAN post decryption - and to encrypt and send packets from the local LAN destined for the remote LAN and server.


ASKER CERTIFIED SOLUTION
Avatar of tjdabomb
tjdabomb
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of TARJr
TARJr

ASKER

not the solution I'm looking for, maybe sstp would have been better