End point VPN routers on geographically separate Win2K3 DC controlled networks

 
 
ch

 
      04-23-2004, 07:06 PM
I've asked this a few times but have not gotten an answer
that addresses my question. So I will try to be as
detailed with my question as possible.

2 offices, geographically separate, each has its own
Win2K3 Standard Edition network.
One office has cable modem - the other ADSL. Their
respective routers are currently the DG default gateways
for each respective network. This is how each office
currently connects to the internet.
Both offices have static IP.
ADSL office has Exchange Server 2003.
Cable office gets email from ADSL office via OWA (but
wants to use desktop Outlook).
Each office has file server that the other wishes to
access.
I wish to connect the 2 offices via VPN which I think will
resolve both issues.

I figured I'd use the steps at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag00/html/VPN.asp

I've read much of the documentation for each router and
cannot figure out how to get the routers to point traffic
to the Win2K3 VPN router (if and only if that traffic is
destined for the other office). So I thought that it must
be handled by the DC server (which includes the DNS & DHCP
servers). The above article speaks about configuring the
workstations to point to the VPN server as their default
gateway - but I do NOT
want one office to traverse the wire to use the other
office's DG for internet access. That would make things
prohibitively slow. Since I use a DC that includes a DHCP
server, I wonder why I would configure each workstation.
That led me to assume that the suggestions laid out in
that article were based upon a peer to peer network, vice
a DC controlled network. We are using 2 DC controlled
networks. I had hoped to attach each VPN server to their
respective network with a static route to the other static
IP address. I guess each VPN server would be in the DMZ
for each router (current DG) for each office.

As you can see I am thoroughly confused. I assume that I'd
have some sort of icon on the workstations that allows the
users to access the VPN connection at will (but it would
always be open - I'd create a ping daemon to keep the
connection alive), but I'd hope to not have to create
these connections manually, instead allow any new
workstation that connects to the network to automatically
have access to the VPN.

Does anyone have any specific suggestions to handle this?

 
 
 
 
 
Phillip Windell

 
      04-23-2004, 08:25 PM
I replied to this in the other thread you asked it. I have repeated it
below.

"ch" <(E-Mail Removed)> wrote in message
news:2f2401c428ad$01504eb0$(E-Mail Removed)...
> You wrote:
> "whatever is their default gateway must have the routing
> setup on it so that it knows to send anything for the
> remote network to the VPN box"
>
> Right now the default gateways are the routers (connected
> to the cable modem / ADSL modem) for each respective
> office. This is how each office currently connects to the
> internet.


That is normal.

> I've read much of the documentation for each router and
> cannot figure out how to get the routers to point traffic
> to the Win2K3 VPN router (if and only if that traffic is
> destined for the other office). So I thought that it must
> be handled by the DC server (which houses the DNS & DHCP
> servers).


No, DCs, DNS, and DHCP live in a totally different realm and have
no relationship to Layer3 Routing. Routing is,...well..Layer3, while all
that other stuff is well up and beyond Layer7.

> The article I am building my end-point routers
> by speaks about configuring the workstations to point to
> the VPN server as their default gateway - but I do NOT
> want one office to traverse the wire to use the other
> office's DG for internet access. That would make things
> prohibitively slow.


I think you understand the problem exactly. You either have to get those
routers set up to send the proper traffic to the VPN device or the VPN device
must become the Clients' Default Gateway. But pointing the clients to the
VPN Device doesn't mean that all the traffic would go over the VPN. The VPN
Device would have *its* Default Gateway set to the ADSL Router and would
then forward all "unspecified routes" (the Internet) to the ADSL Router and
send the "specified routes" (VPN traffic) to the remote VPN network based on
the destination address. Remember that the VPN Device knows about the
networks on both sides of it and therefore knows what to do with those
destinations. In the worst case, you might have to add static routes to the
VPN Device's routing table, but I think they would already be there since
those represent "Directly Connected Networks" from the VPN Device's
perspective.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
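
The two options in the reply above, modelled as an added example that is not part of the original posts: a longest-prefix-match lookup over the ADSL office's routing tables, showing that in either design only traffic for the remote LAN enters the tunnel. The subnets, node names and design labels are constructed for illustration; the thread gives no addressing.

```python
import ipaddress

# Constructed addressing for illustration; the thread gives no subnets.
LAN_A = ipaddress.ip_network("192.168.1.0/24")   # ADSL office
LAN_B = ipaddress.ip_network("192.168.2.0/24")   # cable office
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def tables(design):
    """Routing tables in the ADSL office for the two options in the reply."""
    vpn_box = {LAN_A: "on-link", LAN_B: "vpn-tunnel", DEFAULT: "adsl-router"}
    if design == "vpn-box-is-gateway":        # clients' default gateway is the VPN box
        client = {LAN_A: "on-link", DEFAULT: "vpn-box"}
        router = {LAN_A: "on-link", DEFAULT: "internet"}
    elif design == "static-route-on-router":  # clients keep the router as gateway
        client = {LAN_A: "on-link", DEFAULT: "adsl-router"}
        router = {LAN_A: "on-link", LAN_B: "vpn-box", DEFAULT: "internet"}
    else:
        raise ValueError(design)
    return {"client": client, "vpn-box": vpn_box, "adsl-router": router}

def next_hop(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in table if addr in net), key=lambda n: n.prefixlen)
    return table[best]

def path(design, dst):
    """Hops taken from a workstation in the ADSL office towards dst."""
    nodes = tables(design)
    hops = ["client"]
    while hops[-1] in nodes:
        if len(hops) > 8:
            raise RuntimeError("routing loop")
        hops.append(next_hop(nodes[hops[-1]], dst))
    return hops

def internet_stays_local(design, probe="203.0.113.5"):
    """True when Internet-bound traffic never enters the site-to-site tunnel."""
    return "vpn-tunnel" not in path(design, probe)

if __name__ == "__main__":
    for design in ("vpn-box-is-gateway", "static-route-on-router"):
        for dst in ("192.168.2.10", "203.0.113.5", "192.168.1.20"):
            print(design, dst, " -> ".join(path(design, dst)))
```
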



 
 
ch

 
      04-23-2004, 09:40 PM
Dude, you are the man! I'd asked someone if that set up
(VPN as DG and its DG = router) would work and was told
no - so I keep posting until I can get a methodology that
would work - been spinning my wheels for nothing. Yes -
I'd planned to go static route - as there are only two
IPs in the mix (each office's public IP).

THANK YOU - (now I can sleep - this has to be implemented
by Tuesday)

ch



 