L2TP-based Remote Site Connection
Applies To: Windows Server 2008, Windows Server 2008 R2
The Phoenix branch office is an L2TP/IPsec branch office that uses a router running Windows Server 2008 R2 to create a persistent, router-to-router VPN connection with the corporate office router in New York. The connection is never terminated even when idle.
To deploy an L2TP, two-way initiated, persistent, router-to-router VPN connection to the corporate office based on the settings configured in Common Configuration for the VPN Server and Remote Site Connection and Static Routed IP Network Example, the following settings are configured on the VPN server and Phoenix router.
VPN server configuration
The VPN server is configured with a demand-dial interface and a static route.
Demand-dial interface for router-to-router VPN connection
To connect the corporate office VPN router to the Phoenix router by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface Wizard with the following settings:
Interface name: VPN_Phoenix
Connection type: Connect using virtual private networking (VPN)
VPN type: Layer-2 Tunneling Protocol (L2TP)
Destination address: 131.107.128.1
Protocols and security: Route IP packets on this interface
Static routes for remote networks (for all locations on the Phoenix network):
Interface: VPN_Phoenix
Destination: 192.168.14.0
Network mask: 255.255.255.0
Metric: 1
Dial-out credentials:
User name: VPN_CorpHQ
Domain: fabrikam.com
Password: o3\Dn6@`-J4
Confirm password: o3\Dn6@`-J4
After the demand-dial interface is created, on the Options tab, under Connection type, the Persistent connection option is selected.
Phoenix router configuration
The Phoenix router was configured by the Fabrikam, Inc. network administrator while connected to the Fabrikam, Inc. intranet and then shipped to the Phoenix site. While the Phoenix router was connected to the Fabrikam, Inc. intranet, a computer certificate was installed through auto-enrollment. Additionally, the Phoenix router computer was configured with a demand-dial interface and a static route.
Demand-dial interface for router-to-router VPN connection
To connect the Phoenix office router to the corporate office router by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface Wizard with the following settings:
Interface name: VPN_CorpHQ
Connection type: Connect using virtual private networking (VPN)
VPN type: Layer-2 Tunneling Protocol (L2TP)
Destination address: 207.209.68.1
Protocols and security: Route IP packets on this interface
Static routes for remote networks (VPN server only):
Interface: The WAN adapter attached to the Internet
Destination: 207.209.68.1
Network mask: 255.255.255.255
Gateway: 0.0.0.0
Metric: 1
Note
Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example.
Static route for corporate intranet and branch offices (all locations on the corporate intranet):
Interface: VPN_CorpHQ
Destination: 172.16.0.0
Network mask: 255.240.0.0
Metric: 1
Static routes for remote networks (all branch office locations):
Interface: VPN_CorpHQ
Destination: 192.168.0.0
Network mask: 255.255.0.0
Metric: 1
Dial-out credentials:
User name: VPN_Phoenix
Domain: fabrikam.com
Password: z2F%s)bW$4f
Confirm password: z2F%s)bW$4f
After the demand-dial interface is created, on the Options tab, under Connection type, the Persistent connection option is selected.