
How can I do site-to-site VPN tunneling between 2 Win 2008 servers

I have 2 servers that I would like to connect to each other over the Internet. I would like the traffic between them encrypted and compressed. Both servers are running Windows 2008 Std SP2/64-bit.
Is it possible to do this with say IPSec/L2TP without the need for extra hardware and using stand-alone servers (no DCs)?

I think that "no DC" is fine.  Not really a topic here.  But, name service could be a related topic or could be purposefully avoided by using IP addresses for inter-site connections.

There are two ways to do site-to-site VPNs in my mind.  Perhaps there are more but....

1) You have boxes (VPN devices) at the periphery of each network.  Each has a public IP address.  Often this is the same device that is the gateway/firewall so only one public IP address is needed.

In this case, packets arrive on the local subnet addresses to whichever host they are destined for.
It's pretty straightforward.

2) You have firewalls with the VPN devices behind them.  This requires that IPSEC passthrough be implemented in the firewall.  If there are multiple layers of firewall/routers then you have to assure the passthrough is working in order for the VPNs to work.

In this case, packets arrive at some internal box.  If it's a router or a computer configured as router then presumably the packets get out onto the LAN wire.

Some configurations (such as with RV042) will only allow the VPN terminus boxes to be "inside" like this.  The other has to be on the periphery of the network with a public IP address.  Maybe this is universal for a good technical reason, I don't know.  Just something to be aware of if you're considering doing this sort of thing.

My strong bias would be to put something like RV042s at the periphery of the LANs if you have the public IP addresses available.  Then the packets would be unencrypted inside the LANs - is that an issue?  This assumes that the servers aren't on the periphery of the LAN.  

If the servers are also the firewall/router/gateway then they're on the periphery and you might implement VPN software on the two "ends".  Each server would have at least 2 NICs, one "outside" with a public address and one "inside" on the LAN.  Then the server acts to put VPN-borne packets out onto the local LAN post decryption - and to encrypt and send packets from the local LAN destined for the remote LAN and server.


Commented:
The VPN tunnel has to be initialized by one VPN endpoint (so called “Calling Server”) to another VPN endpoint (so called “Answering Server”).

Such manual is based on a fresh Windows 2003 where Routing and Remote Access Service is started.

Configuring Answering Server:
Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access:
Right click on the server (eg ‘win12’ left panel) -> click Configure and Enable Routing and Remote Access
Welcome to the Routing and Remote Access Server Setup Wizard Menu: Click Next
Select Secure connection between Two private networks.

Do you want to use demand-dial connections to access remote networks? Select Yes -> click Next

How do you want IP addresses to be assigned to remote clients? Select From a specified range of addresses -> click Next

Enter the range of private IP addresses of Calling Server (eg. 192.168.200.0 – 192.168.200.255) -> Click OK

Completing the Routing and Remote Access Server Setup Wizard:  Click Finish.

Welcome to the Demand Dial Interface Wizard: Click Next.

Create Interface Name (eg. HK_VPNEndpoint, preferably one word and the same as the Dial Out username used to connect to the remote server later on) -> click Next

Connection Type: Select Connect using virtual private networking (VPN) -> click Next

VPN type: Select Point to Point Tunneling Protocol (PPTP) -> click Next

Destination Address: Enter Calling Server’s IP address -> click Next

Protocols and Security: Select both Route IP packets on This Interface and Add a user account so a remote router can dial in. -> click Next

Static Routes for Remote Networks: Click Add -> Enter the remote server private IP range
eg.  Destination:   192.168.0.0
     Network Mask:  255.255.255.0
     Metric:        1
Click OK -> Click Next

Dial In Credentials:
Username is greyed out, same as the Interface Name -> Create Password -> Confirm Password -> Click Next
(This username and password are to be used when the calling server dials in)

Dial Out Credentials:
Create UserName, Domain (optional, leave it blank for non-Active Directory environment), Password.
(This username and password are to be used to dial out for 2-way initialized connection, just enter the username for 1-way initialized connection)

Completing the Demand-Dial Interface Wizard -> Click Finish

Configuring Calling Server:
Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access:
Right click on the server -> click Configure and Enable Routing and Remote Access
Welcome to the Routing and Remote Access Server Setup Wizard Menu: Click Next
Select Secure connection between Two private networks.

Do you want to use demand-dial connections to access remote networks? Select Yes

How do you want IP addresses to be assigned to remote clients? Select From a specified range of addresses

Enter the range of private IP addresses of Calling Server (eg. 10.0.2.0 – 10.0.2.255) -> OK

Completing the Routing and Remote Access Server Setup Wizard -> Click Finish.

Welcome to the Demand Dial Interface Wizard: Click Next.

Create Interface Name (eg. MY_VPNEndpoint, preferably one word and the same as the Dial Out username used to connect to the remote server later on) -> click Next

Connection Type: Select Connect using virtual private networking (VPN) -> click Next

VPN type: Select Point to Point Tunneling Protocol (PPTP) -> click Next

Destination Address: Enter Calling Server’s IP address -> click Next

Protocols and Security: Select both Route IP packets on This Interface and Add a user account so a remote router can dial in. -> click Next

Static Routes for Remote Networks: Click Add -> Enter the remote private IP range
eg.  Destination:   192.168.200.0
     Network Mask:  255.255.255.0
     Metric:        1
Click OK -> Click Next

Dial In Credentials:
Username is greyed out, same as the Interface Name -> Create Password -> Confirm Password -> Click Next
(This username and password are to be used when the calling server dials in)

Dial Out Credentials:
Create UserName, Domain (optional, leave it blank for non-Active Directory environment), Password.
(This username and password are to be used to dial out for 2-way initialized connection, just enter the username for 1-way initialized connection)

Completing the Demand-Dial Interface Wizard: Click Finish

Establishing connection

Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access -> Server -> Network Interfaces (left panel): (Right panel) Right click the Demand Dial Interface (eg. HK_VPNEndpoint) -> Click Connect

Static Route setting on other server (both side’s private network)
No Active Directory = No automatic deployment.
Add static route for remote private network to be passed to PPTP server:
route add [remote private IP address] mask [remote network mask] [local VPN server private IP address]
eg: route add 192.168.0.0 mask 255.255.255.0 192.168.200.250 (on answering server’s site)
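The static-route step above is where most two-site RRAS setups fail in practice: the two private ranges overlap, the VPN server's LAN address is not actually inside its own subnet, or the route is added without -p and disappears at the next reboot. The PowerShell below is an added example, not part of the original thread or of Microsoft's tooling. It checks those conditions and then emits the route.exe command each LAN side needs, using the answer's example networks (192.168.200.0/24 answering side with its VPN server at 192.168.200.250, 192.168.0.0/24 calling side); the calling site's VPN server LAN address 192.168.0.250 is an assumption. It uses only PowerShell 2.0 syntax so it runs on a Windows 2008 box.

```powershell
# Added example (not from the original thread): validate the two sites' private
# ranges and produce the persistent static routes for the demand-dial tunnel.

function ConvertTo-IPv4UInt32 {
    param([Parameter(Mandatory=$true)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4Mask {
    # A valid mask is a run of 1 bits followed by a run of 0 bits (host bits contiguous).
    param([Parameter(Mandatory=$true)][string]$Mask)
    $m = [long](ConvertTo-IPv4UInt32 $Mask)
    $hostBits = (-bnot $m) -band [long][uint32]::MaxValue
    return (($hostBits -band ($hostBits + 1)) -eq 0)
}

function Get-IPv4Range {
    # First and last address of Network/Mask as 32-bit integers.
    param([string]$Network, [string]$Mask)
    $net   = [long](ConvertTo-IPv4UInt32 $Network)
    $m     = [long](ConvertTo-IPv4UInt32 $Mask)
    $start = $net -band $m
    $end   = $start -bor ((-bnot $m) -band [long][uint32]::MaxValue)
    return New-Object PSObject -Property @{ Start = $start; End = $end }
}

function Test-IPv4RangeOverlap {
    param($A, $B)   # objects returned by Get-IPv4Range
    return ($A.Start -le $B.End) -and ($B.Start -le $A.End)
}

function Test-IPv4InRange {
    param([string]$Address, $Range)
    $a = [long](ConvertTo-IPv4UInt32 $Address)
    return ($a -ge $Range.Start) -and ($a -le $Range.End)
}

function New-SiteToSiteRoutePlan {
    # Each site hashtable: Name, Network, Mask, VpnServerLanIP (the RRAS box's inside address).
    param(
        [Parameter(Mandatory=$true)][hashtable]$Answering,
        [Parameter(Mandatory=$true)][hashtable]$Calling
    )
    foreach ($site in @($Answering, $Calling)) {
        if (-not (Test-IPv4Mask $site.Mask)) {
            throw "$($site.Name): $($site.Mask) is not a valid subnet mask"
        }
        $r = Get-IPv4Range $site.Network $site.Mask
        if (-not (Test-IPv4InRange $site.VpnServerLanIP $r)) {
            throw "$($site.Name): VPN server LAN address $($site.VpnServerLanIP) is outside $($site.Network)/$($site.Mask)"
        }
    }
    $ra = Get-IPv4Range $Answering.Network $Answering.Mask
    $rc = Get-IPv4Range $Calling.Network $Calling.Mask
    if (Test-IPv4RangeOverlap $ra $rc) {
        throw "The two private ranges overlap; renumber one site before building the tunnel"
    }
    # Hosts on each LAN (or that LAN's default gateway) must send remote-site traffic
    # to their own VPN server; -p makes route.exe persist the entry across reboots.
    return @(
        (New-Object PSObject -Property @{
            Site = $Answering.Name
            Command = "route -p add $($Calling.Network) mask $($Calling.Mask) $($Answering.VpnServerLanIP)" }),
        (New-Object PSObject -Property @{
            Site = $Calling.Name
            Command = "route -p add $($Answering.Network) mask $($Answering.Mask) $($Calling.VpnServerLanIP)" })
    )
}

# Constructed input using the answer's example addresses; 192.168.0.250 is assumed.
$plan = New-SiteToSiteRoutePlan `
    -Answering @{ Name = 'AnsweringSite'; Network = '192.168.200.0'; Mask = '255.255.255.0'; VpnServerLanIP = '192.168.200.250' } `
    -Calling   @{ Name = 'CallingSite';   Network = '192.168.0.0';   Mask = '255.255.255.0'; VpnServerLanIP = '192.168.0.250' }

$plan | Format-Table Site, Command -AutoSize
```

The answering-site line it prints is the same `route add 192.168.0.0 mask 255.255.255.0 192.168.200.250` given above, with -p added. Run the printed command on each host of that LAN that is not already using the VPN server as its default gateway; hosts that are need nothing, because their gateway already forwards unknown destinations to the RRAS box. Running the script with two sites on the same range (for instance both on 192.168.0.0/24) stops at the overlap check instead of producing routes that could never work.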

Author

Commented:
Not the solution I'm looking for; maybe SSTP would have been better.