Deploying VPN Site-to-Site Access

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

To deploy a site-to-site connection between two or more servers running Windows Server® 2008 R2 or Windows Server 2008, complete each of the tasks in Checklist: Implementing a Site-to-Site Connection Design.

About site-to-site connections

Conventional routing occurs between routers over either LAN-based technologies, such as Ethernet, or WAN-based point-to-point technologies, such as T1 or Frame Relay. With conventional WAN technologies, IP packets are forwarded between two routers over a physical or logical point-to-point connection. This connection is dedicated to the customer across a private data network that is provided by the WAN service provider.

Packets can be routed between routers that are connected to the Internet across a virtual connection that emulates the properties of a dedicated, private, point-to-point connection. This type of connection is known as a router-to-router virtual private network (VPN) connection or a site-to-site connection. With site-to-site VPN connections, you can replace expensive long-distance WAN links with short-distance WAN links to your local Internet service provider (ISP).

To emulate a private, point-to-point connection, a packet that is forwarded between routers is encapsulated, or wrapped, with an additional header that provides routing information that is needed to reach the endpoint. The endpoints of the connection are the routers. The portion of the virtual private networking connection in which your data is encapsulated is called the tunnel.

For secure VPN connections, the data portion of your packets is encrypted. Intercepted packets are undecipherable without the encryption keys. In site-to-site VPN connections, the tunnel and the VPN connection are the same.