ISA Server 2004 Configuration Guide 239
Introduction
A site-to-site VPN connection connects two or more networks using a VPN link over the
Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for
IP addresses at a remote site are routed through the ISA Server 2004 machine. The ISA
Server 2004 firewall machine acts as a VPN gateway that joins two networks over the
Internet.
Each site-to-site link can use one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec tunnel mode
PPTP is the Point-to-Point Tunneling Protocol. PPTP provides a good level of security,
depending on the complexity of the password used to create the PPTP connection. You can
enhance the level of security applied to a PPTP link by using EAP/TLS-based authentication
methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec
encryption protocol to secure the connection. You can use computer and user certificates to
provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to
deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site
L2TP/IPSec VPN connection.
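Because the strength of a pre-shared-key L2TP/IPSec link rests entirely on the secret typed into both gateways, a practitioner will want to generate the key from a cryptographic random source and reject weak candidates before entering them. The following helper is an added example, not code from the ISA Server 2004 guide or from the product; the 128-bit minimum is an assumed local policy, and the character-pool entropy estimate is a conventional upper bound, not an ISA Server setting.

```python
"""Pre-shared key hygiene for an L2TP/IPSec site-to-site link (added example).

Generates a random key with the OS CSPRNG and scores a candidate key so that a
weak or patterned secret is rejected before it is entered on both VPN gateways.
"""
import math
import secrets
import string

# Character classes a key may draw from; used for both generation and scoring.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Minimum entropy we require. Assumed local policy, not an ISA Server value.
MIN_ENTROPY_BITS = 128


def generate_psk(length: int = 32) -> str:
    """Return a random key of `length` characters drawn from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_entropy_bits(key: str) -> float:
    """Upper-bound estimate: len(key) * log2(size of the character pool the key uses)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in key):
        pool += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in key):
        pool += len(string.ascii_uppercase)
    if any(c in string.digits for c in key):
        pool += len(string.digits)
    if any(c in string.punctuation for c in key):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(key) * math.log2(pool)


def psk_is_acceptable(key: str, min_bits: float = MIN_ENTROPY_BITS) -> bool:
    """True if the key meets the entropy policy and is not a repeated short pattern."""
    if estimate_entropy_bits(key) < min_bits:
        return False
    # The pool-size estimate overstates entropy for a repeated pattern such as
    # "Ab1!Ab1!...", so reject any key that is a shorter string repeated.
    for n in range(1, len(key) // 2 + 1):
        if len(key) % n == 0 and key[:n] * (len(key) // n) == key:
            return False
    return True


if __name__ == "__main__":
    candidate = generate_psk()
    print(candidate, round(estimate_entropy_bits(candidate), 1), psk_is_acceptable(candidate))
```

Run it once per link, paste the printed key into the RRAS console on both gateways, and keep the key out of the configuration guide or change tickets; rotating the key means repeating the entry on both sides.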
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. You should
only use IPSec tunnel mode when you need to create a site-to-site link with third-party VPN
gateways. Third-party IPSec tunnel mode gateways do not support the high level of security
provided by L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode
site-to-site links are useful in branch office scenarios where the main office is still in the
process of replacing its current VPN gateways with ISA Server 2004 firewall VPN gateways.
In this ISA Server 2004 Configuration Guide chapter, we will go through the procedures
required to create a site-to-site link between two ISA Server 2004 firewall machines. The
ISALOCAL machine will simulate the main office firewall, and the REMOTEISA will simulate
the branch office firewall. We will use the L2TP/IPSec VPN protocol to create the site-to-site
link, and a pre-shared key will be used to support the IPSec encryption protocol.
You will complete the following procedures to create the site-to-site VPN connection:
• Create the Remote Site at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Set the Shared Password in the RRAS Console at the Main Office
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office
• Create the VPN Gateway Dial-in Account at the Branch Office
• Set the Shared Password in the RRAS Console at the Branch Office
• Activate the Site-to-Site Links