SITE-To-SITE VPN using Windows Server 2003 Standard

Sponsored Links

Is it possible to create SITE-To-SITE VPN using Windows Server 2003 Standard
Edition without the use of ISA or any other firewall.?
Is there any article to create such VPN on technet.

Hello S H A R I Q U E,

See here for starting:
http://technet.microsoft.com/en-us/l.../cc758232.aspx

http://technet.microsoft.com/en-us/n.../bb545442.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Is it possible to create SITE-To-SITE VPN using Windows Server 2003
> Standard
> Edition without the use of ISA or any other firewall.?
> Is there any article to create such VPN on technet.

Well....Great...last thing i wana know that IS IT POSSIBLE THAT BOTH SERVERS
BE IN WORKGROUP MODEL TO CONFIGURE SITE-TO-SITE VPN?


"Meinolf Weber [MVP-DS]" wrote:

> Hello S H A R I Q U E,
>
> See here for starting:
> http://technet.microsoft.com/en-us/l.../cc758232.aspx
>
> http://technet.microsoft.com/en-us/n.../bb545442.aspx
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Is it possible to create SITE-To-SITE VPN using Windows Server 2003
> > Standard
> > Edition without the use of ISA or any other firewall.?
> > Is there any article to create such VPN on technet.
>
>
>

Hello S H A R I Q U E,

Should work, but without a domain you have centralized authentication options.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Well....Great...last thing i wana know that IS IT POSSIBLE THAT BOTH
> SERVERS BE IN WORKGROUP MODEL TO CONFIGURE SITE-TO-SITE VPN?
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello S H A R I Q U E,
>>
>> See here for starting:
>> http://technet.microsoft.com/en-us/l.../cc758232.aspx
>> http://technet.microsoft.com/en-us/n.../bb545442.aspx
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Is it possible to create SITE-To-SITE VPN using Windows Server 2003
>>> Standard
>>> Edition without the use of ISA or any other firewall.?
>>> Is there any article to create such VPN on technet.

ok....i have read the document...but issue is that Both SITES are using
Private IP addresses or they are behind ISP Firewall ...in this scenarion is
it possible to create SITE-To-SITE or RemoteAccess VPN using private ip
addresses...


"Meinolf Weber [MVP-DS]" wrote:

> Hello S H A R I Q U E,
>
> Should work, but without a domain you have centralized authentication options.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Well....Great...last thing i wana know that IS IT POSSIBLE THAT BOTH
> > SERVERS BE IN WORKGROUP MODEL TO CONFIGURE SITE-TO-SITE VPN?
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello S H A R I Q U E,
> >>
> >> See here for starting:
> >> http://technet.microsoft.com/en-us/l.../cc758232.aspx
> >> http://technet.microsoft.com/en-us/n.../bb545442.aspx
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Is it possible to create SITE-To-SITE VPN using Windows Server 2003
> >>> Standard
> >>> Edition without the use of ISA or any other firewall.?
> >>> Is there any article to create such VPN on technet.
>
>
>

Both sites must be using private IP addresses or the site to site won't
work. What the link does in tunnel the private IP addresses through the
public connection between the sites.

The setup documents usually assume that the RRAS routers are connected to
the Internet and are the default geteway routers for the site. Other configs
are possible but you then have to sort out the routing for yourself. If the
RRAS servers are the default gateway routers for the site, routing between
sites is automatic. RRAS looks after the site to site routing an the traffic
which needs to go through the tunnel gets to the VPN router by default.

Without a domain the routing will work but name resolution and file
sharing are a headache.


"S H A R I Q U E" <SHARIQUE@discussions.microsoft.com> wrote in message
news:BC8DF69C-F41E-4458-A7C3-2344BF003B0C@microsoft.com...
> ok....i have read the document...but issue is that Both SITES are using
> Private IP addresses or they are behind ISP Firewall ...in this scenarion
> is
> it possible to create SITE-To-SITE or RemoteAccess VPN using private ip
> addresses...
>
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello S H A R I Q U E,
>>
>> Should work, but without a domain you have centralized authentication
>> options.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>
>> > Well....Great...last thing i wana know that IS IT POSSIBLE THAT BOTH
>> > SERVERS BE IN WORKGROUP MODEL TO CONFIGURE SITE-TO-SITE VPN?
>> >
>> > "Meinolf Weber [MVP-DS]" wrote:
>> >
>> >> Hello S H A R I Q U E,
>> >>
>> >> See here for starting:
>> >> http://technet.microsoft.com/en-us/l.../cc758232.aspx
>> >> http://technet.microsoft.com/en-us/n.../bb545442.aspx
>> >>
>> >> Best regards
>> >>
>> >> Meinolf Weber
>> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> >> confers
>> >> no rights.
>> >> ** Please do NOT email, only reply to Newsgroups
>> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> >>> Is it possible to create SITE-To-SITE VPN using Windows Server 2003
>> >>> Standard
>> >>> Edition without the use of ISA or any other firewall.?
>> >>> Is there any article to create such VPN on technet.
>>
>>
>>

Its quite surprising to read that SITE-To-SITE VPN will work only when both
SITES are using RFC1918 addresses, that is, private ip addresses.
During VPN configuration wizard, it ask which interface is associated with
PUBLIC ADDRESS, we select that and leave private interface intact. In this
case, how can a calling router detect answering when both are using PRIVATE
IP ADDRESSES, since both are behind ISP firewall. Do i need to involve ISP to
allow me define static route across public ip address to private ip address.
BOth Servers are default gateway in my scenario.First one is member
server(calling router) and second one(answering router) is in workgroup.

regards


"Bill Grant" wrote:

> Both sites must be using private IP addresses or the site to site won't
> work. What the link does in tunnel the private IP addresses through the
> public connection between the sites.
>
> The setup documents usually assume that the RRAS routers are connected to
> the Internet and are the default geteway routers for the site. Other configs
> are possible but you then have to sort out the routing for yourself. If the
> RRAS servers are the default gateway routers for the site, routing between
> sites is automatic. RRAS looks after the site to site routing an the traffic
> which needs to go through the tunnel gets to the VPN router by default.
>
> Without a domain the routing will work but name resolution and file
> sharing are a headache.
>
>
> "S H A R I Q U E" <SHARIQUE@discussions.microsoft.com> wrote in message
> news:BC8DF69C-F41E-4458-A7C3-2344BF003B0C@microsoft.com...
> > ok....i have read the document...but issue is that Both SITES are using
> > Private IP addresses or they are behind ISP Firewall ...in this scenarion
> > is
> > it possible to create SITE-To-SITE or RemoteAccess VPN using private ip
> > addresses...
> >
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello S H A R I Q U E,
> >>
> >> Should work, but without a domain you have centralized authentication
> >> options.
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>
> >>
> >> > Well....Great...last thing i wana know that IS IT POSSIBLE THAT BOTH
> >> > SERVERS BE IN WORKGROUP MODEL TO CONFIGURE SITE-TO-SITE VPN?
> >> >
> >> > "Meinolf Weber [MVP-DS]" wrote:
> >> >
> >> >> Hello S H A R I Q U E,
> >> >>
> >> >> See here for starting:
> >> >> http://technet.microsoft.com/en-us/l.../cc758232.aspx
> >> >> http://technet.microsoft.com/en-us/n.../bb545442.aspx
> >> >>
> >> >> Best regards
> >> >>
> >> >> Meinolf Weber
> >> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> >> confers
> >> >> no rights.
> >> >> ** Please do NOT email, only reply to Newsgroups
> >> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >> >>> Is it possible to create SITE-To-SITE VPN using Windows Server 2003
> >> >>> Standard
> >> >>> Edition without the use of ISA or any other firewall.?
> >> >>> Is there any article to create such VPN on technet.
> >>
> >>
> >>
>

Why are you surprised that VPN expects that you use private IPs? That is
the whole point of VPN. As its name suggests, VPN is Virtual Private
Networking. The client appears to be on your private LAN when in fact it is
connecting through the Internet. VPN creates a private address tunnel
through the public network. It does this by encrypting the privately
addressed packets and encapsulating these within a publicly addressed
wrapper.

For site to site VPN to work there must be a connection between the two
sites to carry the encrypted and encapsulated data. If both sites have an
Internet connection, that will do the trick. Whether they are behind an ISP
firewall or not should not affect your connection unless the firewall blocks
a port of protocol which VPN needs. {One such is that you cannot use PPTP if
your ISP blocks GRE (IP protocol 47)}. The firewall does not affect normal
file sharing because the packets are encrypted and encapsulated when they
pass through the firewall.

Site to site VPN is designed to allow two privately addressed sites to
route through a VPN connection across another network (such as the
Internet). Only the routers have public IP addresses. Both LANs use private
IP addresses and they must be in different IP subnets. When you configure
the routers you assign static routes for the private LANs to the demand-dial
interfaces used in the connection. When the connection is made, these routes
are added to the routing table. Each router now has a static route to the
"other" site through the VPN link.

When the link is up it behaves like a (slow) IP router. All traffic
addressed to the other IP subnet is sent through the tunnel to the other
site. It is then delivered on the LAN at the second site.

If you want to securely connect machines which have public IPs you
would normally use IPSec tunnels, not VPN.

"S H A R I Q U E" <SHARIQUE@discussions.microsoft.com> wrote in message
news:1B57AF30-8BEF-4296-9285-BB4DE9DA3F99@microsoft.com...
> Its quite surprising to read that SITE-To-SITE VPN will work only when
> both
> SITES are using RFC1918 addresses, that is, private ip addresses.
> During VPN configuration wizard, it ask which interface is associated with
> PUBLIC ADDRESS, we select that and leave private interface intact. In this
> case, how can a calling router detect answering when both are using
> PRIVATE
> IP ADDRESSES, since both are behind ISP firewall. Do i need to involve ISP
> to
> allow me define static route across public ip address to private ip
> address.
> BOth Servers are default gateway in my scenario.First one is member
> server(calling router) and second one(answering router) is in workgroup.
>
> regards
>
>
> "Bill Grant" wrote:
>
>> Both sites must be using private IP addresses or the site to site won't
>> work. What the link does in tunnel the private IP addresses through the
>> public connection between the sites.
>>
>> The setup documents usually assume that the RRAS routers are connected
>> to
>> the Internet and are the default geteway routers for the site. Other
>> configs
>> are possible but you then have to sort out the routing for yourself. If
>> the
>> RRAS servers are the default gateway routers for the site, routing
>> between
>> sites is automatic. RRAS looks after the site to site routing an the
>> traffic
>> which needs to go through the tunnel gets to the VPN router by default.
>>
>> Without a domain the routing will work but name resolution and file
>> sharing are a headache.
>>
>>
>> "S H A R I Q U E" <SHARIQUE@discussions.microsoft.com> wrote in message
>> news:BC8DF69C-F41E-4458-A7C3-2344BF003B0C@microsoft.com...
>> > ok....i have read the document...but issue is that Both SITES are using
>> > Private IP addresses or they are behind ISP Firewall ...in this
>> > scenarion
>> > is
>> > it possible to create SITE-To-SITE or RemoteAccess VPN using private ip
>> > addresses...
>> >
>> >
>> > "Meinolf Weber [MVP-DS]" wrote:
>> >
>> >> Hello S H A R I Q U E,
>> >>
>> >> Should work, but without a domain you have centralized authentication
>> >> options.
>> >>
>> >> Best regards
>> >>
>> >> Meinolf Weber
>> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> >> confers
>> >> no rights.
>> >> ** Please do NOT email, only reply to Newsgroups
>> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> >>
>> >>
>> >> > Well....Great...last thing i wana know that IS IT POSSIBLE THAT BOTH
>> >> > SERVERS BE IN WORKGROUP MODEL TO CONFIGURE SITE-TO-SITE VPN?
>> >> >
>> >> > "Meinolf Weber [MVP-DS]" wrote:
>> >> >
>> >> >> Hello S H A R I Q U E,
>> >> >>
>> >> >> See here for starting:
>> >> >> http://technet.microsoft.com/en-us/l.../cc758232.aspx
>> >> >> http://technet.microsoft.com/en-us/n.../bb545442.aspx
>> >> >>
>> >> >> Best regards
>> >> >>
>> >> >> Meinolf Weber
>> >> >> Disclaimer: This posting is provided "AS IS" with no warranties,
>> >> >> and
>> >> >> confers
>> >> >> no rights.
>> >> >> ** Please do NOT email, only reply to Newsgroups
>> >> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> >> >>> Is it possible to create SITE-To-SITE VPN using Windows Server
>> >> >>> 2003
>> >> >>> Standard
>> >> >>> Edition without the use of ISA or any other firewall.?
>> >> >>> Is there any article to create such VPN on technet.
>> >>
>> >>
>> >>
>>

> Its quite surprising to read that SITE-To-SITE VPN will work only when
> both
> SITES are using RFC1918 addresses, that is, private ip addresses.

It's not surprising at all. If you used public addresses you'd raise the
risk of incorrect routing. There'd be the chance that hosts on one side of
the link would start using the link as a transport for ALL traffic instead
of using the local internet uplink.

"Bill Kearney" <wkearney99@hotmail.com> wrote in message
news:Pb2dnUf-9JzAGcLUnZ2dnUVZ_t7inZ2d@speakeasy.net...
>> Its quite surprising to read that SITE-To-SITE VPN will work only when
>> both
>> SITES are using RFC1918 addresses, that is, private ip addresses.
>
> It's not surprising at all. If you used public addresses you'd raise the
> risk of incorrect routing. There'd be the chance that hosts on one side
> of the link would start using the link as a transport for ALL traffic
> instead of using the local internet uplink.

Adding to that,...the public IP#s on the LAN (assuming on both LANs) would
make the VPN pointless since everything could be directly routed without the
VPN as long as the Firewall's ACLs would allow it. In such situations with
Publically addressed LANs firewalls typically do not use NAT, and just run
ACLs.

If it was one Public LAN and one Private LAN,..I'm not sure,...might be
screwed there. Might need a different VPN solution what wasn't limited to
Private addresses like that.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------