Router-to-Router VPN Connections

For router-to-router VPNs, the routing interface used to forward packets is a demand-dial interface configured as follows:

  • On the General tab, type the host name or IP address of the VPN server.

  • On the Security tab, select either Secure my password and data or Custom. If you select Custom, you must also select the appropriate encryption and authentication options.

  • On the Networking tab, select the appropriate server type and protocols to be routed. If you set the server type as Automatic, an L2TP over IPSec connection is attempted first, and then a PPTP connection.

  • Under Interface credentials, type the user name, password, and domain name used to verify the calling router.

The creation of demand-dial interfaces is automated with the Demand-Dial Interface Wizard.

The names of the demand-dial interfaces and the calling router credentials may need to be properly matched to ensure a router-to-router VPN connection. For more information, see "Demand-Dial Routing" in this book.

Temporary vs. Persistent Router-to-Router VPNs

Router-to-router VPN connections can be either temporary or persistent.

  • Temporary router-to-router VPN connections are made when there are packets to be routed across the VPN demand-dial interface and are terminated after a specified amount of idle time. Idle time is configured on both the VPN client (the calling router) and the VPN server (the called router). The default idle time for demand-dial interfaces on the VPN client is unlimited. The default idle time for VPN connections on the VPN server is 20 minutes. Both idle times are configurable. Use temporary router-to-router VPN connections for branch offices that use dial-up connections to their local ISPs.

  • Persistent router-to-router VPN connections are made when the router is started and remain connected regardless of the traffic being sent. If the VPN connection is terminated, it is automatically attempted again. Use persistent router-to-router VPN connections to connect offices that have permanent connections to the Internet.

To configure either a persistent or temporary connection

  1. In the Routing and Remote Access snap-in, select Routing Interfaces.

  2. Right-click the demand-dial interface object, and then select Properties.

  3. On the Options tab, under Connection Type, select either Demand dial or Persistent.

VPNs Using Dial-Up ISP Connections

When both the VPN server and the VPN client are directly connected to the Internet using a permanent WAN link such as T1 or Frame Relay, the VPN connection can be persistent and available 24 hours a day. However, when a permanent WAN link is not possible or practical, you can configure an on-demand router-to-router VPN connection using a dial-up ISP.

An on-demand router-to-router VPN connection using a dial-up ISP connection consists of two demand-dial interfaces:

  • A demand-dial interface to dial in to a local ISP.

  • A demand-dial interface for the router-to-router VPN connection.

An on-demand router-to-router VPN connection is automatically established when traffic to be forwarded across the VPN connection is received by the branch office router. For example, when receiving a packet to be routed to the corporate office, the branch office router first uses a dial-up link to connect to a local ISP. When the Internet connection is made, the branch office router, the VPN client, creates a router-to-router VPN connection with the corporate office router, the VPN server.

To configure an on-demand VPN connection at the branch office router

  1. Create a demand-dial interface for the Internet connection configured for the appropriate equipment (a modem or ISDN device), the phone number of the local ISP, and the user name and password used to gain Internet access.

  2. Create a demand-dial interface for the router-to-router VPN connection with the corporate office router configured for PPTP or L2TP, the IP address or host name of the corporate office VPN server's interface on the Internet, and a user name and password that can be verified by the VPN server. The user name must match the name of a demand-dial interface on the corporate office VPN server.

  3. Create a static host route for the IP address of the VPN server's Internet interface that uses the demand-dial interface used to dial the local ISP.

  4. Create a static route or routes for the IP network IDs of the corporate intranet that uses the VPN demand-dial interface.

To configure the corporate office router

  1. Create a demand-dial interface for the VPN connection with the branch office configured for a VPN device (a PPTP or L2TP port). The demand-dial interface must have the same name as the user name in the authentication credential that is used by the branch office router to create the VPN connection.

  2. Create a static route or routes for the IP network IDs of the branch office that uses the VPN demand-dial interface.

The router-to-router VPN connection is automatically initiated by the branch office router through the following process:

  1. Packets sent by a user in the branch office to a location on the corporate hub network are forwarded to the branch office router.

  2. The branch office router checks its routing table and finds a route to the corporate intranet network ID, which uses the VPN demand-dial interface.

  3. The branch office router checks the state of the VPN demand-dial interface and finds it is in a disconnected state.

  4. The branch office router retrieves the configuration of the VPN demand-dial interface.

  5. Based on the VPN demand-dial interface configuration, the branch office router attempts to initialize a router-to-router VPN connection at the IP address of the VPN server on the Internet.

  6. To establish a VPN, either a TCP connection (by using PPTP) or an IPSec negotiation must be established with the VPN server. The VPN establishment packet is created.

  7. To forward the VPN establishment packet to the corporate office router, the branch office router checks its routing table and finds the host route using the ISP demand-dial interface.

  8. The branch office router checks the state of the ISP demand-dial interface and finds it is in a disconnected state.

  9. The branch office router retrieves the configuration of the ISP demand-dial interface.

  10. Based on the ISP demand-dial interface configuration, the branch office router uses its modem or ISDN adapter to dial and establish a connection with its local ISP.

  11. When the ISP connection is made, the VPN establishment packet is sent by the branch office router to the corporate office router.

  12. A VPN is negotiated between the branch office router and the corporate office router. As part of the negotiation, the branch office router sends authentication credentials that are verified by the corporate office router.

  13. The corporate office router checks its demand-dial interfaces and finds one that matches the user name sent during authentication and changes the interface to a connected state.

  14. The branch office router forwards the packet across the VPN and the VPN server forwards the packet to the appropriate intranet location.
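The two configuration procedures above and the 14-step connection sequence can be traced with the following added Python model; it is an illustration written for this section, not Routing and Remote Access code, and the interface names, the ISP phone number, the addresses (documentation ranges) and the user name are all constructed. It shows the nested demand-dial behaviour (the VPN establishment packet itself triggering the ISP dial), the rule that the calling user name must equal a demand-dial interface name on the corporate office router, and why the route to the VPN server must not resolve to the VPN interface.

```python
import ipaddress

class DemandDialInterface:
    # Hypothetical model of an RRAS demand-dial interface (constructed for this example).
    # kind is "isp" (dial-up to the local ISP) or "vpn" (PPTP/L2TP to the VPN server).
    def __init__(self, name, kind, target, user=""):
        self.name, self.kind, self.target, self.user = name, kind, target, user
        self.connected = False            # every demand-dial interface starts disconnected

class BranchRouter:
    def __init__(self, interfaces, called_router_interfaces):
        self.interfaces = {i.name: i for i in interfaces}
        self.called = set(called_router_interfaces)   # interface names on the corporate router
        self.routes = []
    def add_route(self, prefix, iface_name):
        self.routes.append((ipaddress.ip_network(prefix), iface_name))
    def lookup(self, dst):
        # longest-prefix match over the static routes; None when nothing matches
        hits = [(n, i) for n, i in self.routes if ipaddress.ip_address(dst) in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None
    def forward(self, dst, steps=None):
        """Return the ordered actions taken to deliver a packet to dst (steps 2 to 14)."""
        steps = [] if steps is None else steps
        iface = self.interfaces[self.lookup(dst)]   # KeyError when no route exists
        if not iface.connected:
            if iface.kind == "isp":
                steps.append(f"dial {iface.target} via {iface.name}")
            else:
                # The VPN establishment packet is itself routed, so the VPN server's
                # address must resolve to the ISP link and never to this VPN interface.
                if self.lookup(iface.target) == iface.name:
                    raise ValueError("route to the VPN server must not use the VPN interface")
                self.forward(iface.target, steps)
                # Step 13: the called router accepts only a user name equal to one of its
                # own demand-dial interface names; anything else is not a routed connection.
                if iface.user not in self.called:
                    raise PermissionError(f"no interface named {iface.user!r} on called router")
                steps.append(f"VPN to {iface.target} via {iface.name} as {iface.user}")
            iface.connected = True
        steps.append(f"forward {dst} via {iface.name}")
        return steps

def build_example(default_via="ISP", host_route=True, called_iface="BranchVPN"):
    # Constructed topology on documentation address ranges; not a real deployment.
    isp = DemandDialInterface("ISP", "isp", "555-0100")
    vpn = DemandDialInterface("CorpVPN", "vpn", "203.0.113.10", user="BranchVPN")
    br = BranchRouter([isp, vpn], [called_iface])
    if host_route:
        br.add_route("203.0.113.10/32", "ISP")   # branch step 3: host route to the VPN server
    br.add_route("10.0.0.0/16", "CorpVPN")       # branch step 4: corporate intranet via the VPN
    br.add_route("0.0.0.0/0", default_via)       # the default route summarizes the Internet
    return br
```

Calling `build_example().forward("10.0.5.7")` on a fresh router yields the ISP dial, the hop to the VPN server, the VPN negotiation and finally the intranet forward; a second packet is forwarded directly because both interfaces are already connected.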

Static vs. Dynamic Routing

When the demand-dial interfaces are created and the choice has been made between temporary and persistent connections, you must choose one of the following methods for adding routing information to the routing table:

  1. For temporary connections, you can manually add the appropriate static routes to reach network IDs in the other offices. Manual configuration of static routes is appropriate for small implementations with a small number of routes.

  2. For temporary connections, you can use auto-static updates to periodically update the static routes that are available across the router-to-router VPN connection. Auto-static routes work well for larger implementations with a large amount of routing information. For more information about auto-static updates, see "Demand-Dial Routing" in this book.

  3. For persistent connections, run the appropriate routing protocols over the router-to-router VPN connection treating the VPN connection as a point-to-point link.

Note

Unlike demand-dial routing using direct physical connections, you cannot use a default IP route configured for the VPN demand-dial interface to summarize all the intranet routes available across the VPN. Because the router is connected to the Internet, you must use the default route to summarize all the routes of the Internet and configure it to use the Internet interface.