Site to Site VPN with Windows Server 2003

Dear All,



I am freshman to VPN and just to make sure I understand that correctly I
would like to ask as follows:



If I create a site to site VPN connection with Windows Server 2003 Routing
and Remote Access Service then I go through the "Add dial on demand network
interface" wizard. It asks me for the public IP address of the remote router
and the user name it will pass when connecting. Then I can create a static
route and enter the network address and subnet mask of the remote network.
After that the wizard has created a static route assigned to the VPN
interface. It creates an entry under IP-Routing > General and last but not
least an entry under network interfaces with type "dial on demand".



What I do not understand is if the remote router initiates the connections
how does the RRAS service know that this incoming connection corresponds to
the VPN connection I created as mentioned above. For example the route to
the remote network has to be assigned to it. Or is it necessary that for a
bidirectional connection two VPN connections have to be established, one for
each direction? Wouldn't that be very inefficient?



--

Kind regards,

Dominik

You will create the demand-dial on the remote sites as the same procedure you mentioned here. Then you will have the Answering and Calling Routers.

Site to Site VPN To setup a Site-to-Site VPN Connection , you may need to configure two windows ... For the consultants, check the site to site vpn.doc for the details. ...
www.chicagotech.net/site%20to%20site%20vpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Dominik Rappaport" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
Dear All,



I am freshman to VPN and just to make sure I understand that correctly I
would like to ask as follows:



If I create a site to site VPN connection with Windows Server 2003 Routing
and Remote Access Service then I go through the "Add dial on demand network
interface" wizard. It asks me for the public IP address of the remote router
and the user name it will pass when connecting. Then I can create a static
route and enter the network address and subnet mask of the remote network.
After that the wizard has created a static route assigned to the VPN
interface. It creates an entry under IP-Routing > General and last but not
least an entry under network interfaces with type "dial on demand".



What I do not understand is if the remote router initiates the connections
how does the RRAS service know that this incoming connection corresponds to
the VPN connection I created as mentioned above. For example the route to
the remote network has to be assigned to it. Or is it necessary that for a
bidirectional connection two VPN connections have to be established, one for
each direction? Wouldn't that be very inefficient?



--

Kind regards,

Dominik

Thank's a lot! To name the user equal to the dial on demand interface was what I didn't know!
Kind regards,
Dominik

"Robert L [MS-MVP]" <(E-Mail Removed)> schrieb im Newsbeitrag news:(E-Mail Removed)...
You will create the demand-dial on the remote sites as the same procedure you mentioned here. Then you will have the Answering and Calling Routers.

Site to Site VPN To setup a Site-to-Site VPN Connection , you may need to configure two windows ... For the consultants, check the site to site vpn.doc for the details. ...
www.chicagotech.net/site%20to%20site%20vpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Dominik Rappaport" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
Dear All,



I am freshman to VPN and just to make sure I understand that correctly I
would like to ask as follows:



If I create a site to site VPN connection with Windows Server 2003 Routing
and Remote Access Service then I go through the "Add dial on demand network
interface" wizard. It asks me for the public IP address of the remote router
and the user name it will pass when connecting. Then I can create a static
route and enter the network address and subnet mask of the remote network.
After that the wizard has created a static route assigned to the VPN
interface. It creates an entry under IP-Routing > General and last but not
least an entry under network interfaces with type "dial on demand".



What I do not understand is if the remote router initiates the connections
how does the RRAS service know that this incoming connection corresponds to
the VPN connection I created as mentioned above. For example the route to
the remote network has to be assigned to it. Or is it necessary that for a
bidirectional connection two VPN connections have to be established, one for
each direction? Wouldn't that be very inefficient?



--

Kind regards,

Dominik

Yes, that is the key to it. The RRAS server identifies the incoming call
by its username. If the username matches one of its demand-dial interface
names, it connects to that interface and the routes linked to that interface
are activated. You then have a routed connection between the sites.

If the username does not match the name of any demand-dial interface,
the connection is made to the default "internal" interface. In this case it
only sets up a host route back to the calling machine. (That means is sets
up a normal client-server connection, not a router to router connection).
Only the calling machine can use the link, not the workstations on its
subnet.

Dominik Rappaport wrote:
> Thank's a lot! To name the user equal to the dial on demand interface
> was what I didn't know!
> Kind regards,
> Dominik
>
> "Robert L [MS-MVP]" <(E-Mail Removed)> schrieb im Newsbeitrag
> news:(E-Mail Removed)...
> You will create the demand-dial on the remote sites as the same
> procedure you mentioned here. Then you will have the Answering and
> Calling Routers.
>
> Site to Site VPN To setup a Site-to-Site VPN Connection , you may
> need to configure two windows ... For the consultants, check the site
> to site vpn.doc for the details. ...
> www.chicagotech.net/site%20to%20site%20vpn.htm
>
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
> "Dominik Rappaport" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> Dear All,
>
>
>
> I am freshman to VPN and just to make sure I understand that
> correctly I
> would like to ask as follows:
>
>
>
> If I create a site to site VPN connection with Windows Server
> 2003 Routing
> and Remote Access Service then I go through the "Add dial on
> demand network
> interface" wizard. It asks me for the public IP address of the
> remote router
> and the user name it will pass when connecting. Then I can create
> a static
> route and enter the network address and subnet mask of the remote
> network.
> After that the wizard has created a static route assigned to the
> VPN
> interface. It creates an entry under IP-Routing > General and
> last but not
> least an entry under network interfaces with type "dial on
> demand".
>
>
>
> What I do not understand is if the remote router initiates the
> connections
> how does the RRAS service know that this incoming connection
> corresponds to
> the VPN connection I created as mentioned above. For example the
> route to
> the remote network has to be assigned to it. Or is it necessary
> that for a
> bidirectional connection two VPN connections have to be
> established, one for
> each direction? Wouldn't that be very inefficient?
>
>
>
> --
>
> Kind regards,
>
> Dominik

Bill,

thank you for that I forgot to mention.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Bill Grant" <not.available@online> wrote in message news:(E-Mail Removed)...
Yes, that is the key to it. The RRAS server identifies the incoming call
by its username. If the username matches one of its demand-dial interface
names, it connects to that interface and the routes linked to that interface
are activated. You then have a routed connection between the sites.

If the username does not match the name of any demand-dial interface,
the connection is made to the default "internal" interface. In this case it
only sets up a host route back to the calling machine. (That means is sets
up a normal client-server connection, not a router to router connection).
Only the calling machine can use the link, not the workstations on its
subnet.

Dominik Rappaport wrote:
> Thank's a lot! To name the user equal to the dial on demand interface
> was what I didn't know!
> Kind regards,
> Dominik
>
> "Robert L [MS-MVP]" <(E-Mail Removed)> schrieb im Newsbeitrag
> news:(E-Mail Removed)...
> You will create the demand-dial on the remote sites as the same
> procedure you mentioned here. Then you will have the Answering and
> Calling Routers.
>
> Site to Site VPN To setup a Site-to-Site VPN Connection , you may
> need to configure two windows ... For the consultants, check the site
> to site vpn.doc for the details. ...
> www.chicagotech.net/site%20to%20site%20vpn.htm
>
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
> "Dominik Rappaport" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> Dear All,
>
>
>
> I am freshman to VPN and just to make sure I understand that
> correctly I
> would like to ask as follows:
>
>
>
> If I create a site to site VPN connection with Windows Server
> 2003 Routing
> and Remote Access Service then I go through the "Add dial on
> demand network
> interface" wizard. It asks me for the public IP address of the
> remote router
> and the user name it will pass when connecting. Then I can create
> a static
> route and enter the network address and subnet mask of the remote
> network.
> After that the wizard has created a static route assigned to the
> VPN
> interface. It creates an entry under IP-Routing > General and
> last but not
> least an entry under network interfaces with type "dial on
> demand".
>
>
>
> What I do not understand is if the remote router initiates the
> connections
> how does the RRAS service know that this incoming connection
> corresponds to
> the VPN connection I created as mentioned above. For example the
> route to
> the remote network has to be assigned to it. Or is it necessary
> that for a
> bidirectional connection two VPN connections have to be
> established, one for
> each direction? Wouldn't that be very inefficient?
>
>
>
> --
>
> Kind regards,
>
> Dominik