Site-to-Site VPN using Windows 2003

[super old post, reposted]
A few weeks ago, I asked in an IT forum if it was possible to have a “perma-VPN” connection with Windows XP.

After searching for awhile, I found that Microsoft calls perma-VPNs “Demand-Dial Interfaces” and these can only be found in the Windows Server family, not Windows XP.

The best way toget as close to a perma-vpn as possible in XP is to Use Dial Up Networking to login. It initiates the connection for you and you can go about your day. The blinkie icon and actual having to dial in reminded me that this was not a transparent solution..and I really wanted one. So I decided to look into a better solution.

You can use a Windows 2003 server on your network to do WAN dialing using RRAS and Demand Dial Connections. Its incredible easy to setup.

For kicks, I even installed Win2k3 on my laptop (lots of unused licenses at work) and just do a Demand Dial connection to each of the two outside servers. Outlook works like a charm where ever I go.

Here is a quickie view of the topology of my network: (the name of my domain is windomain.com)

Function of Server Physical Location Internal IP (behind firewall) External Hostname
Main Downtown LA 10.0.0.100 dtown.windomain.net
Backup Santa Monica LA 10.0.1.100 sm.windomain.net
Laptop West Hollywood 10.0.2.100 weho.windomain.net

As stated previously, each of the three machines are Windows 2003 servers. I will explain more about the “External Hostnames” in a bit.

The “firewall” is a regular broadband router with VPN Pass-through enabled and port 1723 forwarding to the internal RRAS server.

Because I pay for bandwidth on the Main server, I decided to try to route as little traffic through it as possible. Thus, Laptop maintains two Demand-Dial Interfaces even though I could have actually reached Backup via the WAN link through Main.

Why did I list “External Hostname?” Well, only one server has a truly static hostname and in order for this WAN to work smoothly, hostnames for dial-ins are important. Backup and Laptop are on SoHo DSL lines sotheir IPs change every now and again so I use my internal DNS server to give the external IPs a DNS entry. When their IP changes due to a power outage or firewall reboot, I simply go update the DNS for windomain.net to point to the new IP. Each ofthe servers use my internal DNS server so they don’t look for “real” entries of windomain.net, which of course, would not have the sm, weho and dtown entries.

I won’t go into extreme detail on how to setup the RRAS but here’s a quick idea of what I did to connect Main and Backup

  1. On all three servers, I setup RRAS to support Demand-Dial Interfaces
  2. On Main, I opened the RRAS interface and right clicked on Interfaces then selected “Create new Demand-Dial Interface”
  3. I named the Interface Main2Backup
  4. On the next few prompts, I selected VPN and PPTP
  5. When prompted to enter a hostname for the router to which I am connecting, I typed in sm.windomain.net
  6. I selected Route packets on this interface and create new user account for remote router to dial [back]in
  7. Destination -> Add -> Destination (recall the IP address for Backup/sm above) is 10.0.1.0. Subnet is 255.255.255.0. Metric is left at 1.
  8. NextIwasprompted to create a new user. The username is created from the name of the Interface. In this instance, my username is Main2Backup
  9. Now, I am prompted for the dial-out credentials. Immediately after I am finished with this setup, I will go setup a Demand-Dial Interface on Backup. I know that I will follow the same pattern so the username I will create on Backup/sm will be Backup2Main. I enter this information now.
  10. Finish. Repeat the above steps with slightly different hostname, interface name and dial-in account name on Backup. Eventually, the same will be done on Laptop.

In conclusion, Windows 2003 RRAS provides an awesome and easy solution for setting up WANs without physical router hardware. The process can take as little as a few minutes once appropriate DNS entries have been made.

Good resources for this topic can be found at http://www.microsoft.com/vpn.The whitepaper I used for my setup is found here.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Networking, Security, Windows
5 comments on “Site-to-Site VPN using Windows 2003
  1. Fab says:

    Hello,

    Just found your site and was searching for directions to setup a site-to-site vpn using windows 2003. I am not sure if you still monitor this post but I am also a IT Consultant. Been in the industry for 10 years but only recently done consulting. Its been a challenge but a worthwhile endeavor. Regarding this howto article, do you need to anything with Domains Sites and Services snapin. Such as creating sites with different subnets for the AD to replicate across these WAN links. I have two branch offices each with one server acting as a DC. I’d like to setup a site-to-site to replicate AD changes. Any thoughts?

  2. James says:

    Awesome step by step. I read a 107 page white paper from Microsoft and fell asleep drooling at my keyboard. Thank the stars I found this article. I was about to setup a whole Linux box VPN (which I know how to do, and is free :~). After I read your step by step, I did it in a half hour.

    Stellar, just stellar.

  3. Chrissy says:

    Excellent! Glad I could help, James =)

  4. Joe says:

    Could not have done it without your guide. The credentials are the most confusing part, but once you get it, it all makes perfect sense.

    Thank you for this guide. It helped me help my small, and expanding business.

  5. buy paper says:

    Windows XP has no support from Microsoft and you shouldn't use ut i think

Leave a Reply

Your email address will not be published. Required fields are marked *

*