Introduction
A site-to-site VPN connection connects two or more networks using a VPN link over the Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP addresses at a remote site are routed through the ISA Server 2004 machine. The ISA Server 2004 firewall machine acts as a VPN gateway that joins two networks over the Internet.
Each site-to-site link can use one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec tunnel mode
PPTP is the Point-to-Point Tunneling Protocol. PPTP provides a good level of security, depending on the complexity of the password used to create the PPTP connection. You can enhance the level of security applied to a PPTP link by using EAP/TLS-based authentication methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec encryption protocol to secure the connection. You can use computer and user certificates to provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site L2TP/IPSec VPN connection.
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. You should only use IPSec tunnel mode when you need to create a site-to-site link with third-party VPN gateways. Third-party IPSec tunnel mode gateways do not support the high level of security provided by L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode site-to-site links are useful in branch office scenarios where the main office is still in the process of replacing its current VPN gateways with ISA Server 2004 firewall VPN gateways.
In this ISA Server 2004 Configuration Guide chapter, we will go through the procedures required to create a site-to-site link between two ISA Server 2004 firewall machines. The ISALOCAL machine will simulate the main office firewall, and the REMOTEISA will simulate the branch office firewall. We will use the L2TP/IPSec VPN protocol to create the site-to-site link, and a pre-shared key will be used to support the IPSec encryption protocol.
You will complete the following procedures to create the site-to-site VPN connection:
• Create the Remote Site at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Set the Shared Password in the RRAS Console at the Main Office
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Set the Shared Password in the RRAS Console at the Branch Office
• Activate the Site-to-Site Links