server to server pptp (1 nic per server) (server is dc)

scott

Hi,

I'm researching the setup of a 2003 server to 2003 server PPTP connection
between 2 sites. At present both sites use the 2003 server as their DC and
each has a single NIC. In the case where both networks are configured like
so:

--------------------------------
2003 server
..
..
switch . . .clients
..
..
net
..
..
switch . . .clients
..
..
2003 server
--------------------------------

1. Can a site-to-site PPTP connection be configured on a network like this?

2. How does the server deal with the routing in this case?
- i.e. client looks for remote share via local 2003
- client does not use PPTP direct as all PPTP traffic routed via server?

3. Do I need 2 NICs on each server for this to work? (i.e. need a 24/7
connection).

Thanks for your time.
Scott.
 
Robert L [MS-MVP]

You do need two NICs to set up a site-to-site VPN. Quoted from
http://www.ChicagoTech.net
How to Setup A Site-to-Site VPN Connection

To set up a Site-to-Site VPN Connection, you may need to configure two
Windows servers for the Answering and Calling Routers. Here are the steps:

1. Run RRAS, on Configuration page, select LAN routing.
2. Configure VPN on the Answering Router.
3. Configure the Demand-dial Interface on the Answering Router.
4. Configure VPN on the Calling Router.
5. Configure the Demand-dial Interface on the Calling Router.
6. Confirm the Remote Access Policy Configuration on the Answering and
Calling Routers.


--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
 
Bill Grant

The server to server link will establish a path between the two RRAS
routers. It will also set up subnet routing between them.

If the RRAS server is not the default gateway of the LAN (e.g. if the
client machines have their default gateway set to the router), you will need
to add extra routes to get the VPN traffic to the RRAS router. The easiest
way is to add a static route to the gateway router to "bounce" the traffic
for the "other" private LAN to the RRAS router.

The RRAS router will then encrypt and encapsulate the VPN data before
sending it on to the router. Without this extra routing, the
private-addressed packets try to go directly through the Internet, and are
lost.
 
scott

RE: adding static route to gateway router

How would the server deal with the request, i.e. it would have to be enabled
as a router?
 
scott

Would it not be easier to change the default gateway on all the clients to the
VPN server IP once the server is configured as a router? That way you would
not need to "bounce" off the router?
 
Bill Grant

True, but your LAN clients wouldn't be able to get to the Internet via
the router!

You can have only one default route on the client machine. This must be
to the Internet router. You need a specific route to get VPN traffic to the
RRAS server. You can either put it on the Internet router, or add it
individually to every client.
 
scott

Hi,

Sorry for more questions. Assuming my network is set up like this:

---------------------------------------
net
v
gateway router (192.168.0.1)
v
switch > 2003 server (192.168.0.2)
v
clients (192.168.0.#)
----------------------------------------

You say add a static route to the gateway router to bounce traffic back to
2003 server. So all traffic from the clients (i.e. http, ftp, pptp etc.) is
bounced back to the 2003 server. (I assume this is the case as STATIC ROUTES
don't give me the ability to filter traffic by protocol/ports).

Also, STATIC ROUTES only allow a single IP address per router. Surely that
would mean a STATIC ROUTE per client to the server. The server would be the
only IP without a STATIC ROUTE and therefore all traffic from it would
pass through the gateway router.

(Hence I thought if the server was a router/gateway for all clients it would
work as all traffic on the LAN ultimately ends up there anyway).

I guess I have failed to grasp the concept 100%.

A static route only gives me the ability to enter:
-Route Name
-Active (y/n)
-Destination IP Address
-IP Subnet Mask
-Gateway IP Address
-Metric
-Private (y/n)

Thanks again for your time.
Scott.
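
Added example (not part of any post in this thread): a longest-prefix-match walk of the routing tables for the layout above, showing which traffic a static route entered on the gateway router with a destination network and subnet mask sends to the 2003 server. The remote LAN `192.168.1.0/24`, the remote router's public address `203.0.113.10`, and the `isp` and `pptp-tunnel` hop names are assumptions; `192.168.0.1` and `192.168.0.2` are the addresses from the post.

```python
import ipaddress

GATEWAY, RRAS = "192.168.0.1", "192.168.0.2"   # addresses from the post
REMOTE_LAN = "192.168.1.0/24"                   # assumed: the other site's LAN
LOCAL_LAN = "192.168.0.0/24"

def site_tables(bounce_route=True):
    """Per-device routing tables as (destination prefix, next hop) pairs."""
    gateway = [(LOCAL_LAN, "on-link"), ("0.0.0.0/0", "isp")]
    if bounce_route:
        # One network route (destination + mask) covers every remote host.
        gateway.append((REMOTE_LAN, RRAS))
    return {
        "client": [(LOCAL_LAN, "on-link"), ("0.0.0.0/0", GATEWAY)],
        GATEWAY: gateway,
        # Demand-dial interface carries the remote LAN; everything else,
        # including the encapsulated tunnel packets, uses the default route.
        RRAS: [(LOCAL_LAN, "on-link"), (REMOTE_LAN, "pptp-tunnel"),
               ("0.0.0.0/0", GATEWAY)],
    }

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def path(dst, start="client", tables=None, max_hops=8):
    """Next hops a packet to dst takes, starting at a device on the LAN."""
    tables = tables or site_tables()
    hops, node = [], start
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        hops.append(hop or "dropped")
        if hop not in tables:        # left the LAN devices modelled here
            return hops
        node = hop
    raise RuntimeError("routing loop")

if __name__ == "__main__":
    for dst in ("192.168.1.10", "203.0.113.5", "192.168.0.50"):
        print(dst, "->", path(dst))
    print("no static route:", path("192.168.1.10", tables=site_tables(False)))
    print("tunnel packets:", path("203.0.113.10", start=RRAS))
```

With the route in place only destinations inside the remote LAN are handed to 192.168.0.2; without it they follow the gateway's default route to the ISP, where, as noted earlier in the thread, private-addressed packets are lost.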
 
