#1
I have two remote sites, both with ADSL connections.

Each site hosts a domain controller for the domain.
SiteA has subnet 192.168.0.0/24
SiteB has subnet 192.168.1.0/24
Each network has a DSL router with the address 192.168.x.1
The IP address of the servers is 192.168.x.2

e.g.

SiteA Server
192.168.0.2
|
SiteA Router
192.168.0.1
|
Internet
|
SiteB Router
192.168.1.1
|
SiteB Server
192.168.1.2

Port forwarding is enabled on each router to allow PPTP, and VPN connections can be successfully established to either site.

What I'm trying to do is to enable seamless routing between the two networks for all clients, without having to purchase any more hardware.

I'd like to configure this using RRAS, but I'm not 100% sure how to do it. I've attempted to do this using a demand dial interface to form a VPN connection to the other site (and the same in the opposite direction), but having two VPN connections (one from SiteA to SiteB and another from SiteB to SiteA) doesn't seem right. Should I be doing this with a single VPN connection, that can be used in both directions? If so, how can I accomplish this?

For info, both servers are domain controllers for the same domain (SiteA is SBS2003, SiteB is Server 2003 Std), each server is placed in a separate site, and the DCs can replicate, but this isn't very reliable due to the link problems I'm seeing.

Kind regards,
Bryan

Bry
#2
This is theoretically possible, but I would not recommend it. Running a DC as a remote access server can cause all sorts of problems. You would be well advised to forget using the Windows servers as VPN routers and upgrade your ADSL routers to support VPN. The routing is simpler if the VPN router is also the default gateway for the local LAN. If you make the Windows servers the VPN routers you need extra routing on each LAN to get the private traffic for the "other" LAN to the VPN router.

You certainly do not have two connections for a site to site VPN. Here is how it works with RRAS routers. Each site has a static route to the "other" site linked to its demand-dial interface. These are stored in the registry until the demand-dial interface becomes active. When the connection is established it must bind to the demand-dial interface on the answering router. You do this by using the name of the demand-dial interface on the answering router as the username. When the connection is up and both dd interfaces bind to the VPN connection you have a route on each router to the "other" site through the VPN link. (Note that the two subnets will still not route if the VPN server is not the default gateway of the LAN).

"Bry" wrote in message:
> I have two remote sites, both with ADSL connections.
>
> Each site hosts a domain controller for the domain.
> SiteA has subnet 192.168.0.0/24
> SiteB has subnet 192.168.1.0/24
> Each network has a DSL router with the address 192.168.x.1
> The IP address of the servers is 192.168.x.2
>
> e.g.
>
> SiteA Server
> 192.168.0.2
> |
> SiteA Router
> 192.168.0.1
> |
> Internet
> |
> SiteB Router
> 192.168.1.1
> |
> SiteB Server
> 192.168.1.2
>
> Port forwarding is enabled on each router to allow PPTP, and VPN
> connections can be successfully established to either site.
>
> What I'm trying to do is to enable seamless routing between the two
> networks for all clients, without having to purchase any more
> hardware.
>
> I'd like to configure this using RRAS, but I'm not 100% sure how to do
> it. I've attempted to do this using a demand dial interface to form a
> VPN connection to the other site (and the same in the opposite
> direction), but having two VPN connections (one from SiteA to SiteB
> and another from SiteB to SiteA) doesn't seem right. Should I be doing
> this with a single VPN connection, that can be used in both
> directions? If so, how can I accomplish this?
>
> For info, both servers are domain controllers for the same domain
> (SiteA is SBS2003, SiteB is Server 2003 Std), each server is placed in
> a separate site, and the DCs can replicate, but this isn't very reliable
> due to the link problems I'm seeing.
>
> Kind regards,
> Bryan
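The routing caveat in the reply above (the subnets will not route to each other unless the VPN server is the default gateway or extra routes exist on each LAN), modelled as an added example that is not part of the original thread: a longest-prefix-match trace over constructed route tables. The node names (`A-client`, `A-router`, ...) and the choice to place the extra LAN route on the DSL router are assumptions for illustration.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (prefix, hop) pairs; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build_tables(lan_static_route):
    """Constructed route tables for the two sites described in the thread.

    lan_static_route=False: clients use the DSL router as default gateway and
    only the RRAS servers know the route to the other site.
    lan_static_route=True: each DSL router also has a static route sending the
    other site's subnet to the local RRAS server (assumed placement).
    """
    tables = {}
    for site, local, remote, peer in (("A", "192.168.0.0/24", "192.168.1.0/24", "B"),
                                      ("B", "192.168.1.0/24", "192.168.0.0/24", "A")):
        tables[f"{site}-client"] = [(local, "deliver"), ("0.0.0.0/0", f"{site}-router")]
        tables[f"{site}-router"] = [(local, "deliver"), ("0.0.0.0/0", "internet")]
        # RRAS server: static route to the other site via the demand-dial interface
        tables[f"{site}-server"] = [(local, "deliver"), (remote, f"{peer}-server"),
                                    ("0.0.0.0/0", f"{site}-router")]
        if lan_static_route:
            tables[f"{site}-router"].append((remote, f"{site}-server"))
    return tables

def trace(tables, src_node, dst, limit=8):
    """Follow next hops until on-link delivery, the Internet, or a dead end."""
    path, node = [src_node], src_node
    for _ in range(limit):
        hop = next_hop(tables[node], dst)
        path.append(hop)
        if hop in ("deliver", "internet", None):
            break
        node = hop
    return path

if __name__ == "__main__":
    # RFC 1918 destinations handed to "internet" are not routable and are lost.
    print(trace(build_tables(False), "A-client", "192.168.1.2"))
    print(trace(build_tables(True), "A-client", "192.168.1.2"))
```

The same trace from `B-client` toward 192.168.0.0/24 shows why the extra route is needed on both LANs: without it the reply traffic takes the DSL router's default route and never reaches the tunnel.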
#3
On 30 Apr, 01:02, "Bill Grant" <not.available@online> wrote:
> This is theoretically possible, but I would not recommend it. Running a
> DC as a remote access server can cause all sorts of problems. You would be
> well advised to forget using the Windows servers as VPN routers and
> upgrade your ADSL routers to support VPN. The routing is simpler if the
> VPN router is also the default gateway for the local LAN. If you make the
> Windows servers the VPN routers you need extra routing on each LAN to get
> the private traffic for the "other" LAN to the VPN router.
>
> You certainly do not have two connections for a site to site VPN. Here
> is how it works with RRAS routers. Each site has a static route to the
> "other" site linked to its demand-dial interface. These are stored in the
> registry until the demand-dial interface becomes active. When the connection
> is established it must bind to the demand-dial interface on the answering
> router. You do this by using the name of the demand-dial interface on the
> answering router as the username. When the connection is up and both dd
> interfaces bind to the VPN connection you have a route on each router to the
> "other" site through the VPN link. (Note that the two subnets will still not
> route if the VPN server is not the default gateway of the LAN).

Many thanks for the info. Could I ask what kind of problems might surface using a DC as a RRAS server?
#4
See KB292822. Basically the same sort of problem that you had with a multihomed DC in NT4 (i.e. two or more IP addresses associated with the server's NetBIOS name). With dynamic DNS you now can see a similar problem with DNS names.

"Bry" wrote in message:
> Many thanks for the info. Could I ask what kind of problems might
> surface using a DC as a RRAS server?
#5
On 30 Apr, 11:10, "Bill Grant" <not.available@online> wrote:
> See KB292822. Basically the same sort of problem that you had with a
> multihomed DC in NT4 (i.e. two or more IP addresses associated with the
> server's NetBIOS name). With dynamic DNS you now can see a similar problem
> with DNS names.

Ah yes, I did have that problem, but managed to resolve it.

I'm going to try and correct this in software first, but it's looking like a hardware purchase might be the best idea all round.

(Off topic for the group, but can anyone recommend a pair of DSL routers that can transparently route the networks together?)