TARJr
asked on
How can I do site-to-site VPN tunneling between 2 Win 2008 servers
I have 2 servers that I would like to connect to each other over the Internet. I would like the traffic between them encrypted and compressed. Both servers are running Windows 2008 Std SP2/64-bit.
Is it possible to do this with say IPSec/L2TP without the need for extra hardware and using stand-alone servers (no DCs)?
Is it possible to do this with say IPSec/L2TP without the need for extra hardware and using stand-alone servers (no DCs)?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
not the solution I'm looking for, maybe sstp would have been better
There are two ways to do site-to-site VPNs in my mind. Perhaps there are more but....
1) You have boxes (VPN deives) at the periphery of each network. Each has a public IP address. Often this is the same device that is the gateway/firewall so only one public IP address is needed.
In this case, packets arrive on the local subnet addresses to whichever host they are destined for.
It's pretty straightforward.
2) You have firewalls with the VPN devices behind them. This requires that IPSEC passthrough be implemented in the firewall. If there are multiple layers of firewall/routers then you have to assure the passthrough is working in order for the VPNs to work.
In this case, packets arrive at some internal box. If it's a router or a computer configured as router then presumably the packets get out onto the LAN wire.
Some configurations (such as with RV042) will only allow the VPN terminus boxes to be "inside" like this. The other has to be on the periphery of the network with a public IP address. Maybe this is universa for a good technical reasonl, I don't know. Just something to be aware of if you're considering doing this sort of thing.
My strong bias would be to put something like RV042s at the periphery of the LANs if you have the public IP addresses available. Then the packets would be unencrypted inside the LANs - is that an issue? This assumes that the servers aren't on the periphery of the LAN.
If the servers are also the firewall/router/gateway then they're on the periphery and you might implement VPN software on the two "ends". Each server would have at least 2 NICs, one "outside" with a public address and one "inside" on the LAN. Then the server acts to put VPN-borne packets out onto the local LAN post decryption - and to encrypt and send packets from the local LAN destined for the remote LAN and server.