Joining Networks over the Internet with a Gateway to Gateway VPN: ISA Server to Windows 2000 RRAS – Part 2


Joining Networks over the Internet with a Gateway to Gateway VPN:


ISA Server to Windows 2000 RRAS – Part 2


by Thomas W Shinder, M.D.


In the first part of this two part article on configure a gateway to gateway VPN configuration between an ISA Server and an Windows 2000 RRAS machine, we went over some basic VPN gateway concepts, configuration of the ISA Server and configuration of the Local VPN gateway machine. You learned that the Local VPN gateway (at the main office) is the gateway that initiates the call. The Remote gateway is the machine that receives the call.


In part 2 of this article, we’ll go over enabling and configuring the demand-dial interface at the remote office and then test the configuration.


Get the Book!


Enabling RRAS and configuring the Demand Dial interface on the Branch Office VPN Gateway


Now we need to configure the VPN gateway at the branch office. The primary difference between the VPN gateway at the Local site and the branch office (Remote site) is that the VPN gateway at the Remote site never initiates the connection for the demand-dial interface. As I’ve pointed out earlier, you must avoid both sides initiating the demand-dial interface at the same time. I figure most of the IT staff is going to be at the Local site, so its better to configure the Local VPN gateway to be the one to initiate the demand-dial interface connections.


The branch office demand-dial interface will have a static route to the Local (main office) network. This provides a route to the remote network in the same way that the static route we configured on the Local VPN gateway allowed connections to the Remote network. The main difference between the static route configurations at the Local and Remote offices is that the Remote site’s VPN gateway will not allow the static route to initiate a demand-dial connection.


Perform the following steps to configure the branch office VPN gateway:



  1. Open the Routing and Remote Access console from the Administrative Tools menu.

  2. In the Routing and Remote Access console, right click on the server name and click the Configure and Enable Routing and Remote Access command.

  3. Click Next on the Welcome to the Routing and Remote Access Server Setup Wizard page.

  4. On the Common Configuration page, select the Network Router option and click Next.

  5. On the Routed Protocols page, TCP/IP will be listed and the default option Yes, all of the available protocols are on this list is selected. Leave the default options as they are and click Next.

  6. Select Yes on the Demand-Dial Connections page. Note that the Wizard will not walk you through creating the demand-dial interface; it will just enable RRAS to support demand-dial routing, as seen in the figure below. Click Next.



  1. On the IP Address Assignment page, select the From a specified range of addresses option and click Next.

  2. Click the New button on the Address Range Assignment page. In the New Address Range dialog box, type in a Start IP address and an End IP address in the text boxes. Click OK. Note that these addresses can be assigned to the VPN gateway computer that is calling this machine, or to any VPN clients that might connect to this server. Click Next.

  3. Click Finish on the Completing the Routing and Remote Access Server Setup Wizard page.

Now that RRAS is enabled and configured, we can create the demand dial interface and the static route:



  1. Right click on the Routing Interfaces node in the left pane of the console and click the New Demand-dial Interface command.

  2. Click Next on the Welcome to the Demand Dial Interface Wizard page.

  3. On the Interface Name page, type in a name for the interface. I HIGHLY RECOMMEND that you use the same name for the interface as the name of the computer you’re connecting to. In this case, the Local VPN gateway is named LOCALVPN. So we’ll use that name in this example. Click Next.



  1. Accept the Automatic selection option on the VPN Type page and click Next.

  2. On the Destination Address page, type in the IP address or the FQDN for the other end of the gateway to gateway connection. In this case, the Local VPN gateway has the address 172.16.0.2, so we’ll enter that into this dialog box. Click Next.



  1. On the Protocols and Security page, select the Route IP packets on this interface and Add a user account so that a remote router can dial in option. The second option is particularly important, because this will allow you to add the user account the Local VPN gateway will use to authenticate against this VPN gateway server.

  2. The Dial In Credentials page allows you to enter the password for the account the Local VPN gateway at the central office will use to connect to this VPN gateway. Note that the user name is already entered and is based on the name you assigned to this interface (this is just one of the reasons why the name of the interfaces is so important). Enter the same password you entered when you configured the credentials on the Local VPN gateway over at the main office.



  1. You’ll put in bogus credentials on the Dial Out Credentials page. The reason is that the remote VPN gateway never initiates a call to the Local VPN gateway, it only receives calls. Put in the user name bogus in the user name text box, and type in any password you like, since this account does not exist on the Local VPN gateway machine is doesn’t matter.



  1. Click Finish on the Completing the demand dial interface wizard page.

Get the New Book!


The last step is to create the static route:



  1. In the Routing and Remote Access console, expand the IP Routing node and right click on the Static Routes node. Click on the New Static Route command.

  2. In the Static Route dialog box, select the demand-dial interface in the Interface drop down list box. Type in the destination network ID and subnet mask in the Destination and Network mask text boxes. Remove the checkmark from the Use this route to initiate demand-dial connections checkbox. You do not want this VPN gateway to initiate a call with the Local VPN gateway. Click OK.


Congratulations! You’ve configured the Remote VPN gateway. The local and remote VPN gateways are now configured and will work immediately.


Testing the Configuration


Its very easy to test the configuration. Just go to a computer on the main office network and ping a computer on the branch office network. Once the connections are established you’ll see information about them in the RRAS console. You can see the LOCALVPN interface at the Remote VPN gateway is enabled and has been assigned an IP address by the Local VPN gateway. The Remote VPN gateway has the IP address 10.0.0.104, which is one from the static address pool configured on the Local VPN gateway as the main office.



If we look at the RRAS console at the Local VPN gateway, we can see that it has been assigned an IP address by the Remote VPN gateway. The Local VPN gateway has the IP address 192.168.10.104, which is an IP address taken from the static address pool we configured on the Remote VPN gateway.



Notes on the Gateway to Gateway Configuration


As you’ve seen in parts one and two of this article, there are a lot of steps that go into creating the VPN gateway to gateway setup. Its easy to make a simple configuration error or click the incorrect option. If things aren’t working, review your configuration and make sure everything is set up correctly. If you’re not sure what you’re looking for, you can always disable the Routing and Remote Access Service on each machine and start over. You can run the VPN Server Wizard on the ISA Server machine as many times as you want, it won’t hurt anything.


Common configuration errors include:



  • Not creating a static address pool on each gateway. Without the address pool, the gateway won’t be able to assign an address to the gateway connecting to it

  • Not creating the static routing table entry or not using the demand-dial interface in the static routing table entry

  • The internal network clients must be able to route to the remote network through the internal interface of the ISA Server. All network routers must be aware of this route

  • Name resolution works the same as any other routed network. NetBIOS broadcasts won’t cross VPN routers

  • Both sides were configured to dial up. Make sure that only side is configured to dial up

  • All networks weren’t included in the LAT. Remember that all networks must be in the LAT, since the networks connected by the VPN gateways are internal networks

  • Get the Book!


    Summary


    In this two part article we went over the procedures required to create a gateway to gateway VPN connection to join networks over the Internet when one side has ISA Server installed on the gateway and the other side uses only the Windows 2000 Routing and Remote Access service. While this configuration requires some manual configuration, its relatively simple to carry out in just a few wizard and non-wizard driven steps.


    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001398 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

    Leave a Comment

    Your email address will not be published.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Scroll to Top