23 Feb 09

Site to Site PPTP VPN Tunnel

Hereby I will demonstrate the simplest PPTP site-to-site VPN tunnel built on Windows 2003, for which none of the following are required:

  • RADIUS server
  • IAS server
  • Active Directory
  • Internal DNS server
  • Internal DHCP server

In short, it is simply two Windows 2003 VPN endpoints. The VPN tunnel has to be initiated by one VPN endpoint (the so-called "Calling Server") towards the other VPN endpoint (the so-called "Answering Server").

This manual is based on a fresh Windows 2003 installation on which the Routing and Remote Access service is started.

One caveat before starting: PPTP authenticates with MS-CHAPv2 and derives its MPPE encryption keys from that exchange, and MS-CHAPv2 can be broken offline by brute-forcing a single 56-bit DES key from a captured handshake. Treat this tunnel as a routing convenience between two sites, not as strong confidentiality; where both ends support it, L2TP/IPsec (also offered by the same RRAS wizard) is the better choice.

Configuring Answering Server:
Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access:
Right click on the server (e.g. 'win12' in the left panel) -> click Configure and Enable Routing and Remote Access
Welcome to the Routing and Remote Access Server Setup Wizard: Click Next
Select Secure connection between two private networks -> click Next

Do you want to use demand-dial connections to access remote networks? Select Yes -> click Next

How do you want IP addresses to be assigned to remote clients? Select From a specified range of addresses -> click Next

Enter the range of private IP addresses to be assigned to the Calling Server when it dials in (e.g. 192.168.200.0 – 192.168.200.255) -> click OK

Completing the Routing and Remote Access Server Setup Wizard:  Click Finish.

Welcome to the Demand Dial Interface Wizard: Click Next.

Create the Interface Name (e.g. HK_VPNEndpoint; preferably one word). The Calling Server must later use exactly this name as its Dial Out username: RRAS recognizes an incoming call as a router-to-router connection only when the caller's username matches the name of a demand-dial interface on the answering side; any other username is treated as an ordinary remote-access client and the static routes below are never used. -> click Next

Connection Type: Select Connect using virtual private networking (VPN) -> click Next

VPN type: Select Point to Point Tunneling Protocol (PPTP) -> click Next

Destination Address: Enter Calling Server’s IP address -> click Next

Protocols and Security: Select both Route IP packets on this interface and Add a user account so a remote router can dial in -> click Next

Static Routes for Remote Networks: Click Add -> enter the Calling Server's private IP range
e.g.    Destination:     192.168.0.0
        Network Mask:    255.255.255.0
        Metric:          1
Click OK -> click Next

Dial In Credentials:
The username is greyed out (it is the same as the Interface Name) -> Create Password -> Confirm Password -> click Next
(This username and password are what the Calling Server must present when it dials in.)

Dial Out Credentials:
Create the Username, Domain (optional; leave it blank in a non-Active Directory environment) and Password.
(These credentials are used only when this server dials out, i.e. for a 2-way initiated connection; for a 1-way initiated connection just enter the username.)

Completing the Demand-Dial Interface Wizard -> Click Finish

Configuring Calling Server:
Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access:
Right click on the server -> click Configure and Enable Routing and Remote Access
Welcome to the Routing and Remote Access Server Setup Wizard: Click Next
Select Secure connection between two private networks -> click Next

Do you want to use demand-dial connections to access remote networks? Select Yes -> click Next

How do you want IP addresses to be assigned to remote clients? Select From a specified range of addresses -> click Next

Enter the range of private IP addresses to be assigned to the remote endpoint if it dials in (e.g. 10.0.2.0 – 10.0.2.255) -> click OK

Completing the Routing and Remote Access Server Setup Wizard -> Click Finish.

Welcome to the Demand Dial Interface Wizard: Click Next.

Create the Interface Name (e.g. MY_VPNEndpoint; preferably one word and the same as the Dial Out username the Answering Server would use to connect to this server in a 2-way setup) -> click Next

Connection Type: Select Connect using virtual private networking (VPN) -> click Next

VPN type: Select Point to Point Tunneling Protocol (PPTP) -> click Next

Destination Address: Enter the Answering Server's IP address -> click Next

Protocols and Security: Select both Route IP packets on this interface and Add a user account so a remote router can dial in -> click Next

Static Routes for Remote Networks: Click Add -> enter the Answering Server's private IP range
e.g.    Destination:     192.168.200.0
        Network Mask:    255.255.255.0
        Metric:          1
Click OK -> click Next

Dial In Credentials:
The username is greyed out (it is the same as the Interface Name) -> Create Password -> Confirm Password -> click Next
(This username and password would be used when the Answering Server dials in, i.e. only for a 2-way initiated connection.)

Dial Out Credentials:
Enter the Username and Password that were created under Dial In Credentials on the Answering Server (so the username is the Answering Server's interface name, e.g. HK_VPNEndpoint); leave Domain blank in a non-Active Directory environment.
(These credentials are what this server presents when it dials out to the Answering Server.)

Completing the Demand-Dial Interface Wizard: Click Finish

Establishing the connection

On the Calling Server: Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access -> Server -> Network Interfaces (left panel): in the right panel, right click the demand-dial interface (e.g. MY_VPNEndpoint) -> click Connect. The interface's connection state should change to Connected; route print on either endpoint should then list the remote private network reachable via the demand-dial interface.

Static route setting on the other servers (hosts in both sides' private networks)
No Active Directory means no automatic deployment, so each host needs a route for the remote private network pointing at its local VPN server (-p makes the route persistent across reboots):
route -p add [remote private network] mask [remote network mask] [local VPN server private IP address]
e.g. route -p add 192.168.0.0 mask 255.255.255.0 192.168.200.250 (on a host in the Answering Server's network, where 192.168.200.250 is the Answering Server's LAN address)
and, mirrored, route -p add 192.168.200.0 mask 255.255.255.0 [Calling Server private IP address] on hosts in the Calling Server's network.
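The two wizards above only work together if a few values line up, and nothing in the GUI checks them for you. The following Python script is an added example, not code from the original post: it models both endpoints with the addresses used in this walkthrough, checks the pairing rules (the Calling Server's dial-out username equals the Answering Server's interface name, the dial-out password equals the peer's dial-in password, each Destination Address points at the peer, each side carries a static route covering the peer's LAN, and the address pool does not collide with the peer's LAN), and generates the route add commands for LAN hosts. The public addresses, the Calling Server's LAN address (192.168.0.250) and the passwords are assumed placeholders; 192.168.200.250 is taken from the route add example above.

```python
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class Endpoint:
    name: str                        # label only
    interface: str                   # demand-dial interface name; also the dial-in user name
    dial_in_password: str            # set under "Dial In Credentials"
    dial_out_user: str               # "Dial Out Credentials" presented to the peer
    dial_out_password: str
    public_ip: IPv4Address           # what the peer enters as "Destination Address"
    lan: IPv4Network                 # private network behind this endpoint
    lan_ip: IPv4Address              # this server's LAN address (next hop for its hosts)
    pool: IPv4Network                # "From a specified range of addresses"
    static_routes: List[IPv4Network] = field(default_factory=list)  # "Static Routes for Remote Networks"
    destination: Optional[IPv4Address] = None  # peer address typed into the demand-dial wizard


def check_pair(caller: Endpoint, answerer: Endpoint) -> List[str]:
    """Return the misconfigurations found; an empty list means the pair is consistent.

    RRAS treats an incoming call as router-to-router only when the caller's
    user name equals the name of a demand-dial interface on the answering
    server; any other user name is logged on as a plain remote-access client
    and the static routes are never used.
    """
    problems = []
    if caller.dial_out_user != answerer.interface:
        problems.append(f"{caller.name}: dial-out user '{caller.dial_out_user}' must equal "
                        f"{answerer.name}'s interface name '{answerer.interface}'")
    if caller.dial_out_password != answerer.dial_in_password:
        problems.append(f"{caller.name}: dial-out password differs from "
                        f"{answerer.name}'s dial-in password")
    for side, peer in ((caller, answerer), (answerer, caller)):
        if side.destination != peer.public_ip:
            problems.append(f"{side.name}: Destination Address {side.destination} "
                            f"is not {peer.name}'s address {peer.public_ip}")
        if not any(peer.lan.subnet_of(r) for r in side.static_routes):
            problems.append(f"{side.name}: no static route covers {peer.name}'s LAN {peer.lan}")
        if side.pool.overlaps(peer.lan):
            problems.append(f"{side.name}: address pool {side.pool} overlaps {peer.name}'s LAN {peer.lan}")
    return problems


def host_routes(local: Endpoint) -> List[str]:
    """route add lines for hosts on local's LAN (no AD, so nothing pushes them).

    -p makes the route persistent across reboots; the next hop is the local
    VPN server, which forwards into the tunnel.
    """
    return [f"route -p add {r.network_address} mask {r.netmask} {local.lan_ip}"
            for r in local.static_routes]


# Constructed sample matching the walkthrough. Public addresses and the Calling
# Server's LAN address are assumed (documentation ranges); passwords are placeholders.
ANSWERING = Endpoint(
    name="Answering Server",
    interface="HK_VPNEndpoint",
    dial_in_password="answer-secret",
    dial_out_user="MY_VPNEndpoint",          # only used if this side ever dials out (2-way)
    dial_out_password="call-secret",
    public_ip=IPv4Address("203.0.113.10"),   # assumed
    lan=IPv4Network("192.168.200.0/24"),
    lan_ip=IPv4Address("192.168.200.250"),   # from the route add example in the post
    pool=IPv4Network("192.168.200.0/24"),
    static_routes=[IPv4Network("192.168.0.0/24")],
    destination=IPv4Address("198.51.100.20"),
)
CALLING = Endpoint(
    name="Calling Server",
    interface="MY_VPNEndpoint",
    dial_in_password="call-secret",
    dial_out_user="HK_VPNEndpoint",          # must equal ANSWERING.interface
    dial_out_password="answer-secret",       # must equal ANSWERING.dial_in_password
    public_ip=IPv4Address("198.51.100.20"),  # assumed
    lan=IPv4Network("192.168.0.0/24"),
    lan_ip=IPv4Address("192.168.0.250"),     # assumed; not given in the post
    pool=IPv4Network("10.0.2.0/24"),
    static_routes=[IPv4Network("192.168.200.0/24")],
    destination=IPv4Address("203.0.113.10"),
)
# A common slip: dialing out with this server's own interface name instead of the peer's.
MISTAKEN_CALLING = replace(CALLING, dial_out_user="MY_VPNEndpoint")

if __name__ == "__main__":
    for line in check_pair(CALLING, ANSWERING) or ["pair is consistent"]:
        print(line)
    for line in check_pair(MISTAKEN_CALLING, ANSWERING):
        print("mistaken:", line)
    for side in (ANSWERING, CALLING):
        for cmd in host_routes(side):
            print(f"{side.name} LAN hosts: {cmd}")
```

Run it once with the real values filled in before clicking Connect; a non-empty list from check_pair is exactly the kind of mismatch that makes the demand-dial interface sit in a "Connecting" loop or drop the caller as an ordinary remote-access user.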


5 Responses to “Site to Site PPTP VPN Tunnel”


  1. konrad
    May 12, 2010 at 7:06 am

    hey, can you give some tip on what the addressing is on those 2 LANs? Which LAN is 10.0.2.0 and which is 192.168.200.0 (on the calling or answering router site)? cheers

  2. albertsiow
    May 14, 2010 at 2:36 am

    192.168.0.0(Calling machine) :======

    [tunnel] (10.0.2.0, dedicated segment for tunnel, /30 subnet is ok too!) [tunnel]

    ======: 192.168.200.0 (answering machine)

    Hope this helps!

  3. Maurycy
    September 12, 2011 at 2:51 pm

    So the answering server doesn’t need to know about 10.0.2.0?

    • albertsiow
      September 12, 2011 at 5:40 pm

      Yes, the hosts in the networks at the two ends (not the VPN endpoints) don't need to know 10.0.2.0. It should be 10.0.2.0/30, for the 2 VPN endpoints to connect to each other (point to point link).

  4. (anonymous)
    April 16, 2013 at 5:20 am

    I'm really enjoying the design and layout of your site. It's very easy on the eyes, which makes it much more enjoyable for me to come here and visit more
    often. Did you hire out a designer to create your theme?
    Exceptional work!

