Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

STEP 3: Configure routing and forwarding between EDGE-1 and 3-EDGE1 using pre-shared key authentication

Published: August 10, 2012

Updated: August 10, 2012

Applies To: Windows Server 2012, Windows Server 2012 R2



To create an IKE-V2-based site-to-site connection, perform the following tasks:

  1. Configure site-to-site on the fabrikam (hoster) RRAS Server, 3-EDGE1.

  2. Configure the demand-dial interface on 3-EDGE1.

  3. Configure site-to-site on the contoso (corporate) RRAS Server, EDGE1.

  4. Configure the demand-dial interface on EDGE1.

  5. Confirm remote access policy configuration on EDGE1 and 3-EDGE1.

  6. Initiate the site-to-site connection.

  7. Test the site-to-site connection.

  1. On 3-EDGE1, click Start, and then click Routing and Remote Access.

  2. In Routing and Remote Access, right-click 3-EDGE1 (local) in the console tree, and then click Configure and Enable Routing and Remote Access.

  3. The Routing and Remote Access Server Setup Wizard appears. Click Next.

  4. On the Configuration page, select Secure connection between two private networks. Connect this network to a remote network such as a branch office., and then click Next.

  5. On the Demand-Dial Connections page, verify that Yes is checked and then click Next.

  6. Click Next. On the IP Address Assignment page, select Automatically.

  7. Click Finish

PowerShell Logo Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

ipmo remoteaccess
install-remoteaccess -vpntype vpns2s

  1. The Demand-Dial Interface Wizard will start. To complete the Demand-Dial Interface Wizard, click Next.

  2. On the Interface Name page, type 3-EDGE1. The interface name must match the user account name of the calling router.

  3. Click Next. On the Connection Type page, select Connect using virtual private networking (VPN).

  4. Click Next. On the VPN Type page, select IKEv2.

  5. Click Next. On the Destination Address page, type 131.107.0.2 in the Host name or IP address box.

  6. Click Next. On the Protocols and Security page, do the following:

    1. Select Route IP packets on this interface.

    2. Select Add a user account so a remote router can dial in.

  7. Click Next. On the Static Routes for Remote Networks page, click Add.

  8. In the Static Route dialog box, do the following:

    1. In the Destination box, type 10.0.0.0.

    2. In the Network Mask box, type 255.255.255.0.

    3. In the Metric box type 1.

  9. Click OK. On the Static Routes for Remote Networks page, click Next.

  10. Click Next. On the Dial In Credentials page, type Pass@word1 for the EDGE1 user account, and then retype Pass@word1 in the Confirm password box. The User name box is pre-populated with the value 3-EDGE1.

    noteNote
    The username for dial-In credentials should be the same as the name of the site to site interface if the peer is Windows server site-to-site VPN.

  11. Click Next. On the Dial Out Credentials page, do the following:

    1. In the User name box, type 3-EDGE1.

    2. In the Domain box, type corp.contoso.com.

    3. In the Password box, type Pass@word1 for the fabrikam user account that will be created on 3-EDGE1.

    4. In the Confirm password box, retype the password for the fabrikam user account.

      noteNote
      The username for dial-out credentials should be the same as the name of the site to site interface if the peer is Windows server site-to-site VPN.

  12. Click Next. On the last Demand-Dial Interface Wizard page, click Finish.

PowerShell Logo Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Add-VpnS2SInterface  EDGE1  131.107.0.2 -Protocol IKEv2 -AuthenticationMethod EAP -UserName Contoso\3-EDGE1 -password Pass@word1 -IPv4Subnet 10.0.0.0/24:1


Optionally you can change the authentication method to preshared key. However, if you change the authentication method on 3-EDGE1, you will also have to change it correspondingly on EDGE1.

  1. In the Routing and Remote Access snap-in, expand 3-EDGE1, and then click Network Interfaces.

  2. Right-click Remote Router and then click Properties.

  3. Click the Security tab and then select Use preshared key for authentication.

  4. Type abc in Key:, and then click OK.

PowerShell Logo Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Add-VpnS2SInterface 3-EDGE1  -Protocol IKEv2 –AuthenticationMethod –SharedSecret “abc”

  1. On EDGE1, click Start, and then click Routing and Remote Access.

  2. In Routing and Remote Access, right-click EDGE1 (local) in the console tree, and then click Configure and Enable Routing and Remote Access.

  3. The Routing and Remote Access Server Setup Wizard appears. Click Next.

  4. On the Configuration page, select Secure connection between two private networks. Connect this network to a remote network such as a branch office., and then click Next.

  5. On the Demand-Dial Connections page, verify that Yes is checked and then click Next.

  6. Click Next. On the IP Address Assignment page, select Automatically.

  7. Click Finish

PowerShell Logo Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

ipmo servermanager
add-windowsFeature -name  routing -IncludeManagementTools
ipmo remoteaccess
install-remoteaccess -vpntype vpns2s –IPv6Prefix 2001:db8:1:200::/64 - 

  1. The Demand-Dial Interface Wizard will start. To complete the Demand-Dial Interface Wizard, click Next.

  2. On the Interface Name page, type EDGE1. The interface name must match the user account name of the calling router.

  3. Click Next. On the Connection Type page, select Connect using virtual private networking (VPN).

  4. Click Next. On the VPN Type page, select IKEv2.

  5. Click Next. On the Destination Address page, type 131.107.0.4 in the Host name or IP address box.

  6. Click Next. On the Protocols and Security page, do the following:

    1. Select Route IP packets on this interface.

    2. Select Add a user account so a remote router can dial in.

  7. Click Next. On the Static Routes for Remote Networks page, click Add.

  8. In the Static Route dialog box, do the following:

    1. In the Destination box, type 192.168.1.0.

    2. In the Network Mask box, type 255.255.255.0.

    3. In the Metric box type 1.

  9. Click OK. On the Static Routes for Remote Networks page, click Next.

  10. Click Next. On the Dial In Credentials page, type Pass@word1 for the EDGE1 user account, and then retype Pass@word1 in the Confirm password box. The User name box is pre-populated with the value EDGE1.

  11. Click Next. On the Dial Out Credentials page, do the following:

    1. In the User name box, type 3-EDGE1.

    2. In the Domain box, type corp.fabrikam.com.

    3. In the Password box, type Pass@word1 for the VPN_Corpnet user account that will be created on 3-EDGE1.

    4. In the Confirm password box, retype the password for the VPN_Corpnet user account.

  12. Click Next. On the last Demand-Dial Interface Wizard page, click Finish.

PowerShell Logo Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Add-VpnS2SInterface  3-EDGE1 131.107.0.4 -Protocol IKEv2 -AuthenticationMethod EAP -UsecName Fabrikam\EDGE1 -password Pass@word1 -IPv4Subnet 192.168.1.0 /24:1

Optionally you can change the authentication method to preshared key. However, if you change the authentication method on EDGE1, you should have also changed it correspondingly on 3-EDGE1.

  1. In the Routing and Remote Access snap-in, expand 3-EDGE1, and then click Network Interfaces.

  2. Right-click Remote Router and then click Properties.

  3. Click the Security tab and then select Use preshared key for authentication.

  4. Type abc in Key:, and then click OK.

PowerShell Logo Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Add-VpnS2SInterface  EDGE1  -Protocol IKEv2 –AuthenticationMethod –SharedSecret “abc”

Initiate the VPN connection by performing the following steps on 3-EDGE1.

  1. On 3-EDGE1, in the console tree of the Routing and Remote Access snap-in, click Network Interfaces.

  2. In the details pane, right-click contoso, and then click Connect.

  3. Confirm that the connection state of VPN_Corpnet is connected.

  1. On DC1 at the Start menu, type cmd and then hit Enter. At the command prompt, type ping 10.6.0.2. Verify that there are four replies from 10.6.0.2

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.