Routing and VPN gateways on Windows Server 2012

  • Windows Server
  • VPN, Routage
  • 2/3

5. Create and configure VPN gateways

At the moment, our VPN1 and VPN2 servers act as VPN servers and as routers.
However, for now, no one has the right to log in because the NPS server blocks all VPN accesses by default.

For more information, see : Allow VPN connection for a user

5.1. Create users

In order for our two VPN servers to be connected to each other, we will first have to create new users.

On the DC1 server (located in Brussels), we will create a new user named : paris

Next, go to the properties of this user, then in the "Dial-in" tab.
In this tab, select "Allow access" in the "Remote Access Permission (Dial-in or VPN)" section.

This will allow this user to connect through the VPN server.

Note : if you want to use policies to allow this user in some cases, then use NPS as described in "7. NPS (Network Policy Server)" section of our previous tutorial.

On the DC2 server (located in Paris), we will create a user "bruxelles".

And allow it to connect to a VPN server.

5.2. Connect site 1 (Brussels) to site 2 (Paris)

On the VPN server of the 1st network (located in Brussels), go to the "Routing and Remote Access" console and right click "New Demand-dial Interface" on "Network Interfaces".

The "Demand-Dial Interface wizard" opens.
As you will understand, it will be a connection on demand. This means that the connection will be established between the two sites (Brussels and Paris in our case), only when a user on the network tries to connect to the remote network. The rest of the time, this connection will be disconnected. This will save bandwidth.

Since we are on the Brussels server, this on-demand connection will allow us to connect to Paris.
So, write "paris" for the name of this new interface.

Select "Connect using a virtual private networking (VPN)".

Choose "PPTP" for now (because this protocol is easier to use to start).

Specify the external IP address of your VPN server.
Typically, this will be the public IP address of the remote server provided by your Internet Service Provider (ISP).

Note : on the image below, you will notice that this is a private IP address because we tested this VPN solution in our local network. But the principle is the same.

Select "Route IP packets on this interface".

For static routes, this will allow your server to know which private IP addresses are part of the remote network.
In other words, when your server attempts to access the LAN IP address of a server present on the remote network, it will know that it will have to go through that on-demand connection to access it.

Click Add.

As we are on our VPN1 server, this on-demand connection will allow us to access machines of our 2nd network (Paris).
IP addresses of this 2nd network start, in our case, with : 10.0.2
So, the network ID will be 10.0.2.0 and the subnet mask that we will use will be : 255.255.255.0

As indicated on the "Create a Static Route" page of the Microsoft Technet, the metric correspond theoretically (because it isn't required) to the number of routers between the server and the destination network.
If Windows find multiple static routes for the same destination network, Windows will use the one with the lowest metric, because this is the path that should be the fastest.
In our case, there will be only one, so we will indicate : 1

Click "Next".

To allow the Brussels VPN server to connect to the Paris VPN server, it must have the credentials of an account of the Paris server.
Since the Paris VPN server is linked to the Active Directory of Paris, we can connect with the user "bruxelles" that we had created there.

Note : if your VPN server is not a member of a domain, you will need to create a local user on this remote server and use its credentials here. For domain, leave the box empty.

The on-demand connection is configured.

Now, our VPN1 server (located in Brussels) has a network interface that will enable it to connect to the local network of Paris.

5.3. Connect site 2 (Paris) to site 1 (Brussels)

Now, we also have to configure the Paris VPN server to allow it to connect to the Brussels VPN server.
Since the principle is the same, we will not explain in detail this 2nd configuration.

On the 2nd server, create a new on-demand connection interface.

The wizard appears.

Paris will connect to Brussels.

It will also be a VPN connection.

Select "PPTP" as earlier.

Specify the external IP address of the remote VPN server (that of Brussels, in our case).

Check the box "Route IP packets on this interface".

Click Add.

The remote network (Brussels) uses private IP addresses starting with : 10.0.1

Click Next.

Paris will connect to Brussels with the account "paris" created on the Active Directory server of Brussels.

The on-demand connection is configured.

Now, the VPN server of Paris will be able to connect to the Brussels local network by using this on-demand connection.

To see also

Comments

No comment

Share your opinion

Pinned content

Contact

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.

Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.