Windows Server 2012 - Routing and VPN gateways

Page 1 / 3
  • Published on : 09 December 2016 at 13:20 UTC
  • By Lionel Eppe

When a company has offices in several countries, staff in one office often need access to data hosted at another. To do this, we will connect the two sites with VPN gateways (a site-to-site VPN).

In this tutorial we will take the example of a company based in Belgium (with an office in Brussels) that also has an office in France (in Paris).

Note : if you want to learn more about VPN technology, see our previous tutorial : Windows Server 2012 - Routing and VPN server

  1. Network configuration used
  2. Hardware firewalls configuration
  3. Install the VPN server and the router
  4. Configure the VPN server and the router
  5. Create and configure VPN gateways
    1. Create users
    2. Connect site 1 (Brussels) to site 2 (Paris)
    3. Connect site 2 (Paris) to site 1 (Brussels)
  6. Static routing for LAN computers
    1. Static routing in command line
    2. Static routing with group policies (GPO)
  7. Test VPN Gateways
  8. Configure VPN gateways to use L2TP/IKEv2
  9. Test VPN gateways (over L2TP/IKEv2)

1. Network configuration used

To implement this solution and best match the configuration of a real corporate network, here is the network configuration we used :

  • 1 Active Directory server in each network (the Active Directory role must already be configured on these servers)
  • 1 server in each network with DHCP (already installed), VPN and router (so, these servers have 2 network cards : 1 for the LAN network and the other connected to the Internet)

The VPN1 and VPN2 servers will act as VPN gateways, but also as routers for machines on our intranets (LANs).

Important : the two sites must use different (non-overlapping) IP subnets. Once the site-to-site VPN is up, the two LANs are routed as one network, so two hosts with the same address, or two sites sharing the same subnet, would be unreachable from the other side.
As you can see in the image below, each server has a unique LAN IP address. For example : 10.0.1.10 for the domain controller (Active Directory) of the 1st network and 10.0.2.10 for the domain controller of the remote network.

Here is the configuration of the two DHCP servers :

  • The DHCP server of the 1st network (VPN1 server in the image above) distributes IP addresses from 10.0.1.20 to 10.0.1.30 with a subnet mask of 255.255.255.0
  • The DHCP server of the 2nd network (VPN2 server in the image above) distributes IP addresses from 10.0.2.20 to 10.0.2.30 with a subnet mask of 255.255.255.0

For the scope options, we will use the following options / values.

For the DHCP server of the 1st network :

  • 003 Router : 10.0.1.11 (IP address of the VPN1 server)
  • 006 DNS Servers : 10.0.1.10 (IP address of the Active Directory server)
  • 015 DNS Domain Name : local domain name specified when creating your Active Directory.

For the DHCP server of the 2nd network :

  • 003 Router : 10.0.2.11 (IP address of the VPN2 server)
  • 006 DNS Servers : 10.0.2.10 (IP address of the Active Directory server)
  • 015 DNS Domain Name : local domain name specified when creating your Active Directory.
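The addressing plan above, as an added PowerShell example (it is not part of the original tutorial): it first checks that the two LAN subnets do not overlap, which is the condition the "Important" note above relies on, and then creates the DHCP scope and the 003/006/015 options for the local site with the DhcpServer module cmdlets that ship with the DHCP Server role on Windows Server 2012. The hostnames VPN1/VPN2, the site names and the domain name example.lan are assumptions; the DHCP role is assumed to be installed already, as in the tutorial.

```powershell
# Added example: run as Administrator on the server that holds the DHCP role
# for the site (VPN1 in Brussels, VPN2 in Paris). Requires the DhcpServer
# module installed with the DHCP Server role on Windows Server 2012.

# Addressing plan copied from section 1; site and host names are assumptions.
$Sites = @(
    @{ Name = 'Brussels'; Host = 'VPN1'; Network = '10.0.1.0'; Prefix = 24
       Router = '10.0.1.11'; Dns = '10.0.1.10'; Start = '10.0.1.20'; End = '10.0.1.30' },
    @{ Name = 'Paris';    Host = 'VPN2'; Network = '10.0.2.0'; Prefix = 24
       Router = '10.0.2.11'; Dns = '10.0.2.10'; Start = '10.0.2.20'; End = '10.0.2.30' }
)
$DnsDomain = 'example.lan'   # assumption: the AD domain name you chose (option 015)

function ConvertTo-IPv4Int64 ([string]$Ip) {
    # Dotted quad -> integer, so a mask can be applied with -band.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-SubnetOverlap ($A, $B) {
    # Two prefixes overlap exactly when their network numbers are equal
    # under the shorter of the two masks.
    $p    = [Math]::Min($A.Prefix, $B.Prefix)
    $all  = [int64][uint32]::MaxValue
    $mask = ($all -shl (32 - $p)) -band $all
    return (((ConvertTo-IPv4Int64 $A.Network) -band $mask) -eq
            ((ConvertTo-IPv4Int64 $B.Network) -band $mask))
}

function Set-SiteDhcp ($Site, [string]$Domain) {
    # Scope plus the three options listed in section 1:
    # 003 Router, 006 DNS Servers, 015 DNS Domain Name.
    $subnet = '255.255.255.0'
    if (-not (Get-DhcpServerv4Scope -ScopeId $Site.Network -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name $Site.Name -StartRange $Site.Start -EndRange $Site.End `
                              -SubnetMask $subnet -State Active
    }
    # -Force skips the reachability check on the DNS server address.
    Set-DhcpServerv4OptionValue -ScopeId $Site.Network -Router $Site.Router `
                                -DnsServer $Site.Dns -DnsDomain $Domain -Force
}

# 1. The site-to-site VPN routes between the LANs, so overlapping subnets are fatal.
if (Test-SubnetOverlap $Sites[0] $Sites[1]) {
    throw "The LAN subnets of $($Sites[0].Name) and $($Sites[1].Name) overlap; pick distinct ranges."
}

# 2. Configure only the site whose server we are running on (hostname match is an assumption).
$local = $Sites | Where-Object { $_.Host -eq $env:COMPUTERNAME }
if (-not $local) { throw "Hostname $env:COMPUTERNAME is not VPN1 or VPN2; edit `$Sites." }
Set-SiteDhcp -Site $local -Domain $DnsDomain
Get-DhcpServerv4OptionValue -ScopeId $local.Network | Format-Table OptionId, Name, Value
```

The overlap test is deliberately done on the prefixes rather than on the DHCP ranges: two sites could hand out disjoint DHCP pools and still collide on statically addressed servers, which is exactly the case the tutorial's domain controllers (10.0.1.10 and 10.0.2.10) avoid.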

2. Hardware firewalls configuration

Since the VPN gateway system joins several remote networks into one routed network, you may need to configure the hardware firewalls that sit between each network and the Internet. This is particularly the case in large companies.

Warning : this concerns the perimeter (hardware) firewalls, not the Windows Firewall on the VPN servers, for which the Routing and Remote Access role manages its own inbound rules for the PPTP and L2TP connections used in this tutorial. Note also that PPTP, with its MS-CHAPv2 authentication, is considered broken and is only used here for the initial setup : section 8 switches the gateways to L2TP/IKEv2, and a production gateway should not be left on PPTP.

To know which ports to unblock (depending on your configuration), see the "Which ports to unblock for VPN traffic to pass-through ?" page created by Samir Jain on Microsoft TechNet. In short : PPTP needs TCP 1723 and GRE (IP protocol 47); L2TP/IPsec needs UDP 500 and UDP 4500 (IKE and NAT traversal), ESP (IP protocol 50) and UDP 1701; IKEv2 needs UDP 500 and UDP 4500.

3. Install the VPN server and the router

To install the VPN server and the router, launch the Add Roles and Features Wizard and select "Role-based or feature-based installation".

Important : this must be done on your 2 servers (VPN1 and VPN2).

Select your server and click "Next".

Select "Remote Access" and click Next.

Select "DirectAccess and VPN (RAS)" for the installation of the VPN gateway and "Routing" for the router.

Click Install.

The installation begins.

At the end of the installation, click on the "Open the Getting Started Wizard" link.
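The same role installation, as an added PowerShell example (not from the original tutorial), to be run on both VPN1 and VPN2: it renames the two adapters LAN and WAN first (the note in section 4 assumes this has already been done), installs the Remote Access role with the two role services the wizard selects, and then lists the inbound Windows Firewall rules that the role relies on, which is what the warning in section 2 refers to. The original adapter names 'Ethernet' and 'Ethernet 2' are assumptions; check Get-NetAdapter before running it.

```powershell
# Added example: run in an elevated PowerShell on VPN1 and on VPN2.
# The cmdlets used are standard on Windows Server 2012 (ServerManager,
# NetAdapter and NetSecurity modules).

# 1. Name the adapters so the "Internet-facing interface" choice in the RRAS wizard is unambiguous.
#    'Ethernet' / 'Ethernet 2' are assumed defaults; adjust after checking Get-NetAdapter.
$adapterMap = @{ 'Ethernet' = 'LAN'; 'Ethernet 2' = 'WAN' }
foreach ($old in $adapterMap.Keys) {
    if (Get-NetAdapter -Name $old -ErrorAction SilentlyContinue) {
        Rename-NetAdapter -Name $old -NewName $adapterMap[$old]
    }
}
Get-NetAdapter | Format-Table Name, Status, MacAddress, LinkSpeed

# 2. Remote Access role with "DirectAccess and VPN (RAS)" and "Routing",
#    plus the management console the wizard is launched from.
$result = Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
if (-not $result.Success) { throw "Role installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before configuring RRAS.' }
Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing | Format-Table Name, InstallState

# 3. The inbound Windows Firewall rules RRAS depends on. They are enabled when RRAS is
#    configured (section 4); if one stays disabled, Enable-NetFirewallRule fixes it.
#    The perimeter firewall (section 2) must pass the same traffic: TCP 1723 and GRE
#    (IP protocol 47) for PPTP; UDP 500, UDP 4500, ESP (IP protocol 50) and UDP 1701
#    for L2TP/IPsec.
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -Direction Inbound | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
    }
} | Format-Table -AutoSize
```

Installing from the console this way, rather than through the wizard, makes it easy to keep the two gateways identical; the "Configure and Enable Routing and Remote Access" step in section 4 still has to be run on each server afterwards.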

4. Configure the VPN server and the router

Click "Deploy VPN only".

Important : this must be done on your 2 servers (VPN1 and VPN2).

Right-click the name of your server and click "Configure and Enable Routing and Remote Access".

The Routing and Remote Access Setup Wizard opens.

Select "Virtual Private Network (VPN) access and NAT" and click "Next".

Select the network interface (network adapter) of your server connected to the Internet.

Note : as you can see, we had already renamed our network cards LAN and WAN, so that it is obvious which card is connected to the Internet and which one is connected to the internal network.

Select "Automatically" so that your DHCP server distributes the IP addresses to the VPN server clients.

Choose "No, use Routing and Remote Access to authenticate connection requests". With this option, the server authenticates connection requests itself against the Windows accounts of your Active Directory domain instead of forwarding them to a RADIUS server.

The wizard displays a summary of the configuration.

Windows will display a message about the configuration of the DHCP Relay Agent. Click OK.

The server initializes the Routing and Remote Access server, and then starts the necessary services.

To complete the configuration, expand IPv4, right-click "DHCP Relay Agent" and click "Properties".

Specify the address of your DHCP server, click Add, and then click OK.
In our case, for our VPN1 server, this is the IP address 10.0.1.11 : the LAN address of VPN1 itself, since the DHCP role runs on the same server.

For our VPN2 server, this is the IP address 10.0.2.11, for the same reason.