Configuring Routing on a VPN Server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To enable a VPN server to correctly forward traffic to locations on your intranet, perform one of two routing configurations:

  • Configure the server with static routes that summarize all possible IP addresses on the intranet.

  • Configure the server with routing protocols that enable it to act as a dynamic router, automatically adding routes for intranet subnets to its routing table.

In a small, stable networking environment, static routing might be an appropriate choice for a VPN solution. However, in most corporate networking environments, the increased administrative overhead required to maintain static routes is prohibitive. The preferred method for a VPN solution is to configure the VPN server as a dynamic router.

Configuring Static Routes on the Server

If you manually configure IP address ranges for a static address pool on any of your VPN servers, and if any of the ranges is an off-subnet range, your intranet routing infrastructure must include routes representing the off-subnet address ranges. To provide the best summarization of address ranges for routes, choose your address ranges so that they can be expressed using a single prefix and subnet mask.

To ensure this, add static routes representing the off-subnet address ranges to the routers neighboring the VPN servers, and then use the routing protocol of your intranet to propagate the off-subnet routes to other routers. When you add the static routes to the neighboring routers, specify that the gateway or the next hop address is the intranet interface of the VPN server.

For information about adding static routes, see "Configuring the branch office network" in Help and Support Center for Windows Server 2003.
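The following added example (not part of the original documentation) checks whether a static address pool is off-subnet and whether it can be expressed as a single prefix and subnet mask, then builds the static routes for a neighboring router with the VPN server's intranet interface as the gateway. The function name, all addresses, and the use of Windows `route` syntax on the neighboring router are assumptions made for illustration.

```python
import ipaddress


def plan_pool_routes(pool_start, pool_end, vpn_intranet_if, intranet_prefix_len):
    """Classify a static address pool and build routes for a neighboring router.

    vpn_intranet_if is the IP address of the VPN server's intranet interface;
    it is used both to decide whether the pool is on-subnet and as the gateway
    (next hop) of every generated route.
    """
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")

    # Subnet to which the VPN server's intranet interface is attached.
    local = ipaddress.IPv4Interface(
        f"{vpn_intranet_if}/{intranet_prefix_len}").network
    # A pool that is only partly inside the local subnet is treated as off-subnet.
    on_subnet = start in local and end in local

    # Smallest set of prefixes that covers the range exactly. A well-chosen
    # range yields exactly one prefix, and therefore one route.
    prefixes = list(ipaddress.summarize_address_range(start, end))

    routes = []
    if not on_subnet:
        for net in prefixes:
            # Assumed Windows "route" syntax; -p makes the route persistent.
            routes.append(
                f"route -p add {net.network_address} mask {net.netmask} "
                f"{vpn_intranet_if}")
    return {
        "on_subnet": on_subnet,
        "single_prefix": len(prefixes) == 1,
        "prefixes": [str(n) for n in prefixes],
        "routes": routes,
    }


if __name__ == "__main__":
    # Constructed sample pools; the VPN server's intranet interface is 10.0.0.5/24.
    for lo, hi in [("10.0.1.0", "10.0.1.255"),    # off-subnet, one prefix
                   ("10.0.1.1", "10.0.1.254"),    # off-subnet, many prefixes
                   ("10.0.0.200", "10.0.0.220")]:  # on-subnet, no route needed
        plan = plan_pool_routes(lo, hi, "10.0.0.5", 24)
        print(lo, hi, plan["on_subnet"], len(plan["prefixes"]), plan["routes"][:1])
```

Trimming the first and last address from the second pool turns one route into fourteen, which is why the range boundaries should fall on a prefix boundary.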

Configuring the Server as a Dynamic Router

If you are using RIP or OSPF, you can configure any VPN server that is using off-subnet address ranges as a RIP or OSPF router.

For OSPF, you must also configure the VPN server as an autonomous system boundary router (ASBR). For more information, see "OSPF design considerations" in Help and Support Center for Windows Server 2003.

If you use a routing protocol other than RIP or OSPF, such as Interior Gateway Routing Protocol (IGRP), on the VPN server’s neighboring intranet router, configure the interface connected to the subnet to which the VPN server is assigned for RIP or OSPF, and configure all other interfaces for IGRP.

To configure the VPN server with an on-subnet address range, configure the VPN server to obtain IP addresses through DHCP or manually configure on-subnet address ranges.

For information about: