L2TP-based Remote Site Connection

Applies To: Windows Server 2008, Windows Server 2008 R2

The Phoenix branch office is an L2TP/IPsec branch office that uses a router running Windows Server 2008 R2 to create a persistent, router-to-router VPN connection with the corporate office router in New York. The connection is never terminated even when idle.

To deploy a two-way initiated, persistent, L2TP router-to-router VPN connection to the corporate office, based on the settings configured in Common Configuration for the VPN Server and Remote Site Connection and in Static Routed IP Network Example, the following settings are configured on the VPN server and on the Phoenix router.

VPN server configuration

The VPN server is configured with a demand-dial interface and a static route.

Demand-dial interface for router-to-router VPN connection

To connect the corporate office VPN router to the Phoenix router by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface Wizard with the following settings:

  • Interface name: VPN_Phoenix

  • Connection type: Connect using virtual private networking (VPN)

  • VPN type: Layer-2 Tunneling Protocol (L2TP)

  • Destination address: 131.107.128.1

  • Protocols and security: Route IP packets on this interface

  • Static routes for remote networks (for all locations on the Phoenix network):

    • Interface: VPN_Phoenix

    • Destination: 192.168.14.0

    • Network mask: 255.255.255.0

    • Metric: 1

  • Dial-out credentials:

    • User name: VPN_CorpHQ

    • Domain: fabrikam.com

    • Password: o3\Dn6@`-J4

    • Confirm password: o3\Dn6@`-J4

After the demand-dial interface is created, on the Options tab, under Connection type, the Persistent connection option is selected.

Phoenix router configuration

The Phoenix router was configured by the Fabrikam, Inc. network administrator while connected to the Fabrikam, Inc. intranet and then shipped to the Phoenix site. While the Phoenix router was connected to the Fabrikam, Inc. intranet, a computer certificate was installed through auto-enrollment. Additionally, the Phoenix router computer was configured with a demand-dial interface and static routes.

Demand-dial interface for router-to-router VPN connection

To connect the Phoenix office router to the corporate office router by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface Wizard with the following settings:

  • Interface name: VPN_CorpHQ

  • Connection type: Connect using virtual private networking (VPN)

  • VPN type: Layer-2 Tunneling Protocol (L2TP)

  • Destination address: 207.209.68.1

  • Protocols and security: Route IP packets on this interface

  • Static routes for remote networks (VPN server only; a host route so that traffic to the corporate VPN server's public address leaves through the WAN adapter rather than through the tunnel built on top of it):

    • Interface: The WAN adapter attached to the Internet

    • Destination: 207.209.68.1

    • Network mask: 255.255.255.255

    • Gateway: 0.0.0.0

    • Metric: 1

Note

Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example.

  • Static route for corporate intranet and branch offices (all locations on the corporate intranet):

    • Interface: VPN_CorpHQ

    • Destination: 172.16.0.0

    • Network mask: 255.240.0.0

    • Metric: 1

  • Static routes for remote networks (all branch office locations):

    • Interface: VPN_CorpHQ

    • Destination: 192.168.0.0

    • Network mask: 255.255.0.0

    • Metric: 1

  • Dial-out credentials:

    • User name: VPN_Phoenix

    • Domain: fabrikam.com

    • Password: z2F%s)bW$4f

    • Confirm password: z2F%s)bW$4f

After the demand-dial interface is created, on the Options tab, under Connection type, the Persistent connection option is selected.
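As an added illustration (not part of the original article or of Windows Server itself), the following Python model replays the Phoenix router's static routes from this page through a longest-prefix-match lookup and checks the one property the host route exists for: the corporate VPN server's public address must resolve to the WAN adapter, never to the VPN_CorpHQ interface. The directly connected LAN route and the default route are assumptions, and the interface names LAN and WAN are placeholders for the real adapters.

```python
import ipaddress

# Phoenix router forwarding table, modelled from the static routes on this page.
# Each entry: (destination prefix, outgoing interface, metric).
# Two entries are assumptions not listed on the page: the directly connected
# route for the Phoenix LAN and a default route out of the WAN adapter.
PHOENIX_ROUTES = [
    ("192.168.14.0/24", "LAN", 0),         # assumed: Phoenix LAN, directly connected
    ("207.209.68.1/32", "WAN", 1),         # page: host route to the corporate VPN server
    ("172.16.0.0/12",   "VPN_CorpHQ", 1),  # page: 172.16.0.0 mask 255.240.0.0
    ("192.168.0.0/16",  "VPN_CorpHQ", 1),  # page: 192.168.0.0 mask 255.255.0.0
    ("0.0.0.0/0",       "WAN", 10),        # assumed: default route to the ISP
]


def lookup(routes, dst):
    """Return the interface chosen for dst by longest-prefix match,
    breaking ties on the lowest metric. Returns None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)   # longer prefix wins, then lower metric
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def tunnel_route_is_sane(routes, vpn_server, tunnel_iface):
    """The route to the VPN server's public address must not point into the
    tunnel that is built on top of it: with a recursive route the tunnel can
    never come up, and every network behind it becomes unreachable."""
    return lookup(routes, vpn_server) not in (None, tunnel_iface)


if __name__ == "__main__":
    for dst in ("192.168.14.5", "192.168.20.9", "172.31.1.1", "207.209.68.1", "131.107.128.1"):
        print(f"{dst:>15} -> {lookup(PHOENIX_ROUTES, dst)}")
    print("host route sane:", tunnel_route_is_sane(PHOENIX_ROUTES, "207.209.68.1", "VPN_CorpHQ"))
```

Note that the Phoenix router's own subnet (192.168.14.0/24) sits inside the 192.168.0.0/16 branch-office route, so the directly connected /24 must win by prefix length for local traffic to stay off the tunnel.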