Tags: nic, single, sitetosite, vpn
#1
Site-to-Site VPN using single NIC

Goal: Connect our local server with a new remote server via site-to-site VPN.

Local server set-up: Windows Server 2003 R2 Standard Edition SP2 and ISA Server 2004 SP3; 2 NICs, one connected to our LAN (with a static private IP) and one connected to the Internet (with a static public IP).

Remote server set-up: Windows Server 2003 R2 Datacenter Edition SP1, without ISA Server; only one NIC, connected to the Internet (with a static public IP).

Problem: I've tried several configurations, using RRAS on both servers, and ISA on the local one, to achieve the site-to-site connectivity, but without success. I suspect that the problem lies in defining the Static Route on RRAS on the local server to the remote server, because all examples I've seen used the remote server internal IP there, but I don't have it, only the public IP on the remote server.

Some facts:
- At the remote server I can create a VPN DUN connection (Dial-Up Networking, via Control Panel > Network Connections) to the local server, and it works fine;
- At the remote server I can create on RRAS a one-way VPN connection to the local server, and it works fine;

But those two facts are only true if I DON'T config the ISA Server to site-to-site VPN-ing on local server. If I config ISA, I still can connect from remote server, but I cannot ping local server internal IP, cannot access our intranet (hosted on local server) and cannot access the local server shared folders via Windows Explorer, using \\local_computer_name.

On the other hand, if I config the local ISA for site-to-site:
- At the local server I can create a VPN DUN connection to the remote server;
- At the local server I can create on RRAS a one-way VPN connection to the remote server.

In both cases I can connect, but cannot access remote server shared folders via Windows Explorer, for example. If I create the VPN DUN connection to the remote server on a local client machine, instead of at the local server, I can connect AND access the remote server shared folders. But if ISA IS NOT configured for site-to-site, I cannot even connect in any of the three options.

Any ideas?

Regards,
Pedro.
#2
Re: Site-to-Site VPN using single NIC

That doesn't make a lot of sense. A site to site VPN links two private LANs and allows you to route between them. If the Datacenter server only has a public IP there is no "site" to route to!

What exactly do you want to do? Do you want all machines on your LAN to be able to access the remote server? If so have you considered using IPSec?

To set up a site to site VPN you really need similar routers at both ends. For Windows that means ISA at both ends or RRAS at both ends. The ISA setup is not compatible with the RRAS setup, so ISA at one end and RRAS at the other doesn't really work. ISA automates the setup of interface names to link the routes to, RRAS requires that you do it manually.

"LoboFX" <LoboFX@discussions.microsoft.com> wrote in message news:4BF9DBE2-E66F-43B3-9BCD-5033FCB84140@microsoft.com...
> Goal: Connect our local server with a new remote server via site-to-site VPN.
>
> Local server set-up: Windows Server 2003 R2 Standard Edition SP2 and ISA Server 2004 SP3; 2 NICs, one connected to our LAN (with a static private IP) and one connected to the Internet (with a static public IP).
>
> Remote server set-up: Windows Server 2003 R2 Datacenter Edition SP1, without ISA Server; only one NIC, connected to the Internet (with a static public IP).
>
> Problem: I've tried several configurations, using RRAS on both servers, and ISA on the local one, to achieve the site-to-site connectivity, but without success. I suspect that the problem lies in defining the Static Route on RRAS on the local server to the remote server, because all examples I've seen used the remote server internal IP there, but I don't have it, only the public IP on the remote server.
>
> Some facts:
> - At the remote server I can create a VPN DUN connection (Dial-Up Networking, via Control Panel > Network Connections) to the local server, and it works fine;
> - At the remote server I can create on RRAS a one-way VPN connection to the local server, and it works fine;
>
> But those two facts are only true if I DON'T config the ISA Server to site-to-site VPN-ing on local server. If I config ISA, I still can connect from remote server, but I cannot ping local server internal IP, cannot access our intranet (hosted on local server) and cannot access the local server shared folders via Windows Explorer, using \\local_computer_name.
>
> On the other hand, if I config the local ISA for site-to-site:
> - At the local server I can create a VPN DUN connection to the remote server;
> - At the local server I can create on RRAS a one-way VPN connection to the remote server.
>
> In both cases I can connect, but cannot access remote server shared folders via Windows Explorer, for example. If I create the VPN DUN connection to the remote server on a local client machine, instead of at the local server, I can connect AND access the remote server shared folders. But if ISA IS NOT configured for site-to-site, I cannot even connect in any of the three options.
>
> Any ideas?
>
> Regards,
> Pedro.
#3
Re: Site-to-Site VPN using single NIC

Hi Bill.

We want to move some of the stuff we have on our local server today to the new remote server, for the sake of security and continuity of our business (if something goes wrong here) and speed for the remote users (since the internet link of the datacenter is a lot faster than ours). Some of this stuff can be configured to be accessed via the public IP (like our website and our exchange server), but some of the stuff needs to be accessed like a LAN, so that's why I thought about the site-to-site VPN connection.

Someone told me about creating a "virtual IP address" on the remote server NIC, with an internal IP address, but I don't know how to do it and found nothing about it.

I don't know how IPSec works either. I'm going to search for the subject to see if this can help, thanks.

Regards,
Pedro.

"Bill Grant" wrote:
> That doesn't make a lot of sense. A site to site VPN links two private LANs and allows you to route between them. If the Datacenter server only has a public IP there is no "site" to route to!
>
> What exactly do you want to do? Do you want all machines on your LAN to be able to access the remote server? If so have you considered using IPSec?
>
> To set up a site to site VPN you really need similar routers at both ends. For Windows that means ISA at both ends or RRAS at both ends. The ISA setup is not compatible with the RRAS setup, so ISA at one end and RRAS at the other doesn't really work. ISA automates the setup of interface names to link the routes to, RRAS requires that you do it manually.
>
> "LoboFX" <LoboFX@discussions.microsoft.com> wrote in message news:4BF9DBE2-E66F-43B3-9BCD-5033FCB84140@microsoft.com...
> > Goal: Connect our local server with a new remote server via site-to-site VPN.
> >
> > Local server set-up: Windows Server 2003 R2 Standard Edition SP2 and ISA Server 2004 SP3; 2 NICs, one connected to our LAN (with a static private IP) and one connected to the Internet (with a static public IP).
> >
> > Remote server set-up: Windows Server 2003 R2 Datacenter Edition SP1, without ISA Server; only one NIC, connected to the Internet (with a static public IP).
> >
> > Problem: I've tried several configurations, using RRAS on both servers, and ISA on the local one, to achieve the site-to-site connectivity, but without success. I suspect that the problem lies in defining the Static Route on RRAS on the local server to the remote server, because all examples I've seen used the remote server internal IP there, but I don't have it, only the public IP on the remote server.
> >
> > Some facts:
> > - At the remote server I can create a VPN DUN connection (Dial-Up Networking, via Control Panel > Network Connections) to the local server, and it works fine;
> > - At the remote server I can create on RRAS a one-way VPN connection to the local server, and it works fine;
> >
> > But those two facts are only true if I DON'T config the ISA Server to site-to-site VPN-ing on local server. If I config ISA, I still can connect from remote server, but I cannot ping local server internal IP, cannot access our intranet (hosted on local server) and cannot access the local server shared folders via Windows Explorer, using \\local_computer_name.
> >
> > On the other hand, if I config the local ISA for site-to-site:
> > - At the local server I can create a VPN DUN connection to the remote server;
> > - At the local server I can create on RRAS a one-way VPN connection to the remote server.
> >
> > In both cases I can connect, but cannot access remote server shared folders via Windows Explorer, for example. If I create the VPN DUN connection to the remote server on a local client machine, instead of at the local server, I can connect AND access the remote server shared folders. But if ISA IS NOT configured for site-to-site, I cannot even connect in any of the three options.
> >
> > Any ideas?
> >
> > Regards,
> > Pedro.
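
Added example (not part of any post in this thread): a planning check for the point raised in #2, that a site-to-site VPN routes between two private networks, and for the internal-address idea mentioned in #3. All addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 ranges. Checked explicitly because ipaddress.is_private also
# accepts documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)

def check_site_to_site(local_lan, remote_lan):
    """Return a list of problems with the planned pair of routed networks."""
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)
    problems = []
    for side, net in (("local", local), ("remote", remote)):
        if not is_rfc1918(net):
            problems.append(f"{side} network {net} is not private: no site to route to")
    if local.overlaps(remote):
        problems.append(f"{local} and {remote} overlap: routes would be ambiguous")
    return problems

def static_routes(local_lan, remote_lan):
    """Destination and mask each endpoint must route over its VPN interface."""
    problems = check_site_to_site(local_lan, remote_lan)
    if problems:
        raise ValueError("; ".join(problems))
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)
    return {
        "local_server": (str(remote.network_address), str(remote.netmask)),
        "remote_server": (str(local.network_address), str(local.netmask)),
    }

# Constructed sample values (not from the thread).
LOCAL_LAN = "192.168.1.0/24"
REMOTE_PUBLIC_ONLY = "203.0.113.10/32"   # documentation address standing in for the public IP
REMOTE_WITH_INTERNAL = "10.50.0.1/32"    # hypothetical internal address on the remote server

if __name__ == "__main__":
    print(check_site_to_site(LOCAL_LAN, REMOTE_PUBLIC_ONLY))
    print(static_routes(LOCAL_LAN, REMOTE_WITH_INTERNAL))
```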
#4
Re: Site-to-Site VPN using single NIC

"Bill Grant" <not.available@online> wrote in message news:OYERPGKYJHA.2280@TK2MSFTNGP06.phx.gbl...
> ends. For Windows that means ISA at both ends or RRAS at both ends. The ISA setup is not compatible with the RRAS setup, so ISA at one end and RRAS at the other doesn't really work.

ISA <--> RRAS works fine. But I haven't done it in a long time. ISA actually incorporates RRAS into a lot of what it does (the degree varies between ISA versions),...so they are using a lot of the same structure "under the hood". In fact RRAS would be more compatible with ISA than any other product other than itself.

Anyway, I couldn't follow the OP's description of the situation, so if you can you are doing better than me :-)

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
#5
Re: Site-to-Site VPN using single NIC

The Local Site setup (the one with the ISA) seems logical and straightforward.

The Remote Site setup with these "servers" makes no sense to me at all. I cannot "envision" what you have there in any way.

Side note: You cannot mix the VPN Types,...you cannot use Remote Access VPN and Site-to-Site VPN at the same time. They are two entirely different types of the VPN.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.