3

I have a Windows Server 2008 that has a single network interface configured with a public IP address. My business partner has a private network. From my server, I need to access all the devices on his private network, and those devices must be able to access my server.

My business partner has a standard solution for these requirements. They will set up an IPSec + GRE tunnel to my server. They told me that I will need an additional public IP address for this to work. If it really is necessary, there is no problem, I can get an additional public IP address, although it will be assigned to the same physical network interface.

I assume that on my server I will have both public IP addresses and also the private IP address from the tunnel (the same that is visible for the devices inside the private network).

What alternatives do I have?

  1. Is it possible to configure this tunnel on my Windows Server 2008? Can it be done using only Windows tools, or do I need an additional free / commercial VPN software?
  2. If it cannot be done directly on Windows, can I set up an additional virtual machine running Linux that will handle the IPSec + GRE tasks? How to do it?
  3. If it cannot be done on a virtual Linux box, will I have to buy and set up a Cisco router to handle the IPSec + GRE tasks?

Thanks for your opinions. I'm watching this question to clarify any issues or questions.

qbeuek

4 Answers

2

You didn't specify what your partner's end of the tunnel is (unless I missed it). I spent a lot of time on a tunnel between Windows Server 2003 and a Cisco Router. It is supposed to be possible, but I failed in doing it, and am not the only one. You can read about it here and here.

So if they are using a Cisco router, I recommend you go out and buy one too to save yourself time and lots of aggravation. OpenVPN or Linux to Cisco might be an option? But I have used Cisco to Cisco IPSec tunnels with no interruption problems for years.

Here are Cisco docs on GRE/IPSec with NAT, but with the Cisco router you can avoid making the tunnel go through NAT.

Kyle Brandt
  • My partner told me that it's a Cisco Router on their end. If there are problems with configuring it on Windows Server, I'm still counting on the virtual linux box solution. – qbeuek Feb 04 '10 at 14:38
2

After weeks of problems unrelated to the tunnel itself, my admin configured the tunnel to end on a separate Linux box running Openswan. The decrypted and unpacked traffic is then routed to our Windows box and back.

There are no problems with compatibility with the Cisco router on the other end.

So we successfully went with option #2 without the need to buy a physical Cisco router.

qbeuek
1

Cisco's implementation of IPSec is not compatible with anything else than Cisco. I know IPSec is a standard but Cisco has a specific implementation that will keep you from connecting anything else than their equipment.

Is it possible to configure this tunnel on my Windows Server 2008? Can it be done using only Windows tools, or do I need an additional free / commercial VPN software?

Yes, you need the Cisco VPN Client. It is free for IPSec and works just fine. Just be careful, as it is made for desktop clients. It may have some annoying functionalities such as short timeouts.

If it cannot be done on a virtual linux box, will I have to buy and setup a Cisco router to handle the IPSec + GRE tasks?

You can always buy a Cisco box that does IPSec. Be careful: you may need specific licensing to do IPSec. This will be the most reliable and simple option by far. On the other hand, it's not a free solution. A small Cisco ASA 5505 will do the trick.

Also, you don't need to have an extra public IP address. Using the same IP you use for everything else will be fine.

Antoine Benkemoun
  • It's a shame there are no more answers. We will try to create the tunnel using a Linux virtual machine, and I will post my own answer as to how things went. I think both you and Kyle Brandt provided useful answers and I'm accepting your answer so that the bounty reputation won't be lost and you had lower rep than Kyle. – qbeuek Feb 13 '10 at 10:29
0

Openswan or Libreswan to Cisco works fine. I use it as a hub and spoke arrangement: the Cisco is the hub, the Linux and Digi routers are the spokes. I use GRE tunnels inside the IPsec, works great.

On the Cisco end, some tips: you do NOT need an ACL to define interesting traffic on the hub; you need a route map to stop the traffic in the tunnels from being NAT'd; pre-shared keys work fine; destinations are identified by the GRE tunnel routes.

Dave M
Jim Jones
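
The arrangement the last two answers describe (the tunnel ending on a Linux box running Openswan or Libreswan, with GRE carried inside IPsec), sketched as an added example that is not part of any answer in this thread. All addresses are constructed documentation values, `partner-gre` and `gre1` are hypothetical names, and `type=transport` plus the NETKEY/XFRM stack (needed for the iptables `policy` match) are assumptions that must match the actual deployment.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are constructed documentation
# values; "partner-gre" and "gre1" are hypothetical names.
LOCAL_PUB=198.51.100.10      # Linux box public IP (constructed)
PEER_PUB=203.0.113.20        # partner's Cisco router (constructed)
TUN_LOCAL=10.255.0.2         # GRE tunnel address, our side (constructed)
TUN_PEER=10.255.0.1          # GRE tunnel address, partner side (constructed)
PARTNER_NET=192.168.50.0/24  # partner's private network (constructed)

# Section for /etc/ipsec.conf: IPsec carries only IP protocol 47 (GRE) between
# the two public addresses. type=transport is an assumption; it must match the
# mode configured on the router. The PSK goes in /etc/ipsec.secrets as:
#   <local> <peer> : PSK "<placeholder>"
ipsec_conn() {  # $1 = local public IP, $2 = peer public IP
  cat <<EOF
conn partner-gre
    type=transport
    authby=secret
    left=$1
    right=$2
    leftprotoport=gre
    rightprotoport=gre
    auto=start
EOF
}

# iproute2 commands: GRE tunnel plus the route to the private network.
gre_commands() {  # $1 local, $2 peer, $3 tunnel local, $4 tunnel peer, $5 net
  cat <<EOF
ip tunnel add gre1 mode gre local $1 remote $2 ttl 255
ip addr add $3 peer $4 dev gre1
ip link set gre1 up
ip route add $5 dev gre1
EOF
}

# Fail closed: drop GRE to or from the peer that has no IPsec policy applied,
# so tunnel traffic never travels in cleartext while the SA is down.
guard_rules() {  # $1 = peer public IP
  cat <<EOF
iptables -A OUTPUT -p gre -d $1 -m policy --dir out --pol none -j DROP
iptables -A INPUT -p gre -s $1 -m policy --dir in --pol none -j DROP
EOF
}

# Print everything for review when run directly with the argument "show".
if [ "${1:-}" = "show" ]; then
  ipsec_conn "$LOCAL_PUB" "$PEER_PUB"
  gre_commands "$LOCAL_PUB" "$PEER_PUB" "$TUN_LOCAL" "$TUN_PEER" "$PARTNER_NET"
  guard_rules "$PEER_PUB"
fi
```

The script only prints the configuration and commands for review; nothing is applied to the system. Traffic for the Windows server is then routed through the Linux box, as in the accepted setup.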