Components of a router-to-router VPN connection

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A router-to-router VPN connection includes the following components:

  • Virtual private network (VPN) clients

    The VPN client is the router that initiates the VPN connection, also known as the calling router. For router-to-router VPN connections, you can configure servers running Routing and Remote Access (available in both Windows 2000 and the Windows Server 2003 family) and computers running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS) as VPN clients.

  • VPN servers

    The VPN server is the router that accepts the connection from the calling router, also known as the answering router. For router-to-router VPN connections, you can configure both servers running Routing and Remote Access and computers running Windows NT Server 4.0 and RRAS as VPN servers. On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.

  • LAN and remote access protocols

    LAN protocols are used to transport information. Remote access protocols are used to negotiate connections and provide framing for LAN protocol data. Routing and Remote Access supports the routing of TCP/IP LAN protocol packets by using the PPP remote access protocol across a router-to-router VPN connection.

  • Tunneling protocols

    Tunneling protocols are used by VPN clients and VPN servers to manage tunnels and send tunneled data. Routing and Remote Access includes support for the Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) tunneling protocols. Windows NT Server 4.0 with RRAS only includes the PPTP tunneling protocol.

  • WAN options

    VPN servers are typically connected to the Internet by using permanent WAN connections such as T1 or Frame Relay. VPN clients are connected to the Internet by using permanent WAN connections or by dialing in to a local Internet service provider (ISP) that uses standard telephone lines or ISDN. Once connected to the Internet, the VPN client can connect to the VPN server.

  • Demand-dial interfaces

    The VPN client (the calling router) must have a demand-dial interface configured for:

    • The host name or IP address of the interface of the VPN server on the Internet.

    • A PPTP port (for a PPTP-based VPN connection) or an L2TP port (for an L2TP-based connection).

    • The user account credentials (user name, domain, password) for a user account that can be validated by the VPN server.

    • For an L2TP/IPSec-based connection, a valid certificate that can be validated by the VPN server.

    The VPN server (the answering router) must have a demand-dial interface with the same name as the user account that is used by the VPN client (the calling router) in order for the incoming connection to be recognized and accepted as a demand-dial connection.

  • User accounts

    A user account must be created for the calling router. This account can be created automatically when you run the Routing and Remote Access Server Setup Wizard. This account must have dial-in permissions, either through the dial-in properties of the user account or through remote access policies. For more information, see Introduction to remote access policies.

  • Static routes or routing protocols

    In order for each router to forward packets across the router-to-router VPN connection, each router must contain the appropriate routes in the routing tables. Routes are added to the routing tables of both routers either as static routes or by enabling a routing protocol to operate across a persistent router-to-router VPN connection.
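    As an added illustration (not code from this page, from Routing and Remote Access, or from any Microsoft API), the following Python models the pairing rules given above for the demand-dial interfaces, user accounts and routes as a single consistency check, and runs it against a constructed branch-to-head-office configuration. Every class, field name, host name, account name and network here is an assumption made for the example.

```python
"""Configuration consistency check for a router-to-router VPN pairing.

Added example, not Routing and Remote Access code: a plain-Python model of
the rules stated on this page. All classes, fields and sample values are
assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_network

TUNNELS = {"PPTP", "L2TP"}


@dataclass
class DemandDialInterface:
    name: str
    tunnel: str                     # "PPTP" or "L2TP"
    remote_host: str | None = None  # calling side only: VPN server host name or IP address
    user: str | None = None         # calling side only: user name presented to the VPN server
    domain: str | None = None
    has_certificate: bool = False   # required for an L2TP/IPSec connection


@dataclass
class UserAccount:
    name: str
    dial_in_allowed: bool           # via dial-in properties or a remote access policy


@dataclass
class Router:
    interfaces: dict[str, DemandDialInterface] = field(default_factory=dict)
    accounts: dict[str, UserAccount] = field(default_factory=dict)
    routes: list[tuple[str, str]] = field(default_factory=list)  # (destination, interface name)
    max_connections: int = 1000     # Standard Edition limit quoted on this page
    active_connections: int = 0


def has_route(router: Router, destination: str, iface: str) -> bool:
    """True if the router has a route to `destination` that leaves via `iface`."""
    want = ip_network(destination)
    return any(ip_network(dest) == want and via == iface for dest, via in router.routes)


def check_pairing(calling: Router, answering: Router, calling_iface: str,
                  calling_network: str, remote_network: str) -> list[str]:
    """Return the rule violations found; an empty list means the pairing is consistent."""
    problems: list[str] = []
    ci = calling.interfaces.get(calling_iface)
    if ci is None:
        return [f"calling router has no demand-dial interface {calling_iface!r}"]

    # Calling router (VPN client) requirements
    if ci.tunnel not in TUNNELS:
        problems.append(f"unsupported tunnel type {ci.tunnel!r} on {ci.name!r}")
    if not ci.remote_host:
        problems.append(f"{ci.name!r} lacks the VPN server's host name or IP address")
    if not ci.user:
        problems.append(f"{ci.name!r} lacks user account credentials")
    if ci.tunnel == "L2TP" and not ci.has_certificate:
        problems.append(f"{ci.name!r} is L2TP/IPSec but has no certificate")
    if not has_route(calling, remote_network, ci.name):
        problems.append(f"calling router has no route to {remote_network} via {ci.name!r}")

    # Answering router (VPN server) requirements, keyed on the presented user name
    if ci.user:
        acct = answering.accounts.get(ci.user)
        if acct is None:
            problems.append(f"answering router has no user account {ci.user!r}")
        elif not acct.dial_in_allowed:
            problems.append(f"user account {ci.user!r} has no dial-in permission")
        ai = answering.interfaces.get(ci.user)
        if ai is None:
            problems.append(f"answering router has no demand-dial interface named {ci.user!r}, "
                            "so the incoming call would not be recognized as a demand-dial connection")
        else:
            if ai.tunnel != ci.tunnel:
                problems.append(f"tunnel mismatch: {ci.name!r} uses {ci.tunnel}, {ai.name!r} uses {ai.tunnel}")
            if not has_route(answering, calling_network, ai.name):
                problems.append(f"answering router has no route to {calling_network} via {ai.name!r}")
    if answering.active_connections >= answering.max_connections:
        problems.append("answering router is at its concurrent VPN connection limit")
    return problems


def example_pair(answering_iface_name: str = "VPN_Branch"):
    """Constructed sample: a branch router (calling) dialing a head-office router (answering)."""
    calling = Router(
        interfaces={"VPN_to_HQ": DemandDialInterface(
            "VPN_to_HQ", "L2TP", remote_host="vpn.example.com",
            user="VPN_Branch", domain="EXAMPLE", has_certificate=True)},
        routes=[("10.1.0.0/16", "VPN_to_HQ")],
    )
    answering = Router(
        interfaces={answering_iface_name: DemandDialInterface(
            answering_iface_name, "L2TP", has_certificate=True)},
        accounts={"VPN_Branch": UserAccount("VPN_Branch", dial_in_allowed=True)},
        routes=[("10.2.0.0/16", answering_iface_name)],
    )
    return calling, answering, "VPN_to_HQ", "10.2.0.0/16", "10.1.0.0/16"


if __name__ == "__main__":
    print("consistent:", check_pairing(*example_pair()))          # []
    print("misnamed:  ", check_pairing(*example_pair("VPN_HQ")))  # one problem: interface name
```

    The second run renames only the answering router's demand-dial interface, which is enough to turn the call from a demand-dial connection into an unrecognized one, matching the naming rule above; the check reports it without touching the otherwise valid account, certificate and route settings.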

  • Security options

    Because the router-to-router VPN connection is validated by the server running Routing and Remote Access, you can utilize all of the security features of the Windows Server 2003 family, including domain security, data encryption, Remote Authentication Dial-In User Service (RADIUS), smart cards, and callback. For more information, see Remote Access Security.

The following illustration shows the components of a router-to-router VPN connection.

[Illustration: Components of a router-to-router VPN connection]