In these two articles i will show you two examples, how to connect two computers like two DB servers for example, securely through the internet, with the use of the VPN tunel technology.
I will use two Windows 2008 R2 Servers with a Microsoft SQL Server 2005 installed on each of them. The Servers are installed with a dedicated NIC for this task. I will concentrate on configuring the VPN Tunnel, and only mention some general info about routing, firewall, or DB link configurations needed.
Let’s say you want to create a direct db link connection between two MS SQL DB Servers. Let’s say the two DB Servers are in two different locations, like different cities or even different countries. In this case you will have to build up the connection through the internet. Of course you will have to secure that connection so, that no unauthorised persons can steal your data, traveling through the world. The most common and easiest way is to create a VPN tunnel between the Servers. There are several ways to do that, but the basics are always the same. Basically there are three types of implementations, we can talk about:
- Client to Gateway connection
Creating a VPN server on one of the two servers, and connect to it as a client from the other one. You can do that even with the built-in VPN solution of Microsoft, but i would not really recommend it, because of its security, reliability, and management weaknesses. (It’s just not designed for this purpose). So i wont talk about this option.
- Gateway to gateway VPN tunnel implemented with a VPN software like “TheGreenBow”
It’s not free, but it is reliable, secure, relatively inexpensive, and easy to use. Besides it gives you a 30 day trial period with full functionality, so that you can try and test it, before you make the decision, spending your laboriously earned coins on something that may not even suited for the job.
- A gateway to gateway VPN tunnel implemented with a dedicated hardware, like a VPN Router
This is the most reliable and the most convenient way to do the job, but of course also the most expensive one. In our case i will show you a basic GW to GW config on the most basic VPN Router of the Cisco family, the Cisco RV042. This is a small business VPN Router that originally was created under the brand of Linksys, and delivers us all the functionality needed for the job in a small business environment, and all that on a relatively consolidated price of roughly 160 €.
These HW and SW solutions are of course not the only ones, suitable for the job, but these are the ones, i have got the most experience with, and the basic configuration should not really differ by any other vendor. So, let’s cut in the case…
Before we can see the exact configurations of the two different tools, we have to make clear, that the job is to build up a vpn tunnel between the two DB servers, only to be able to create a db link connection between them. That means, of course, that each of the two db Servers are connected to a Local Network, which should be hidden, and unreachable for the foreign Server, and the network components of the foreign LAN. So the tunnel should be created between the exact two servers, and not between the two LANs, that is an important section at the configuration.
Gateway to gateway VPN tunnel implemented with the VPN software “TheGreenBow”
The example configuration is as shown below:
- lan ip: 192.168.1.1
- wan ip: 188.8.131.52
- wan host name: server.one.com
- lan ip: 192.168.2.1
- wan ip: 184.108.40.206
- wan host name: server.two.com
Authentication (IPSec with IKE and Preshared key):
- preshared key: “i_am_the_preshared_key”
- encryption: DES
- authentication: MD5
- Key Group: DH1 768 bit
That is all what’s needed.
1. Now download, and install the trial software on both Servers. http://www.thegreenbow.com/
2. Configure the VPN gateway on server 1.:
- You start te wizard, in the configuration menu
- There you can choose either to build up a vpn tunnel to another computer, or to a router or a gateway. Choose the second one!
- In the “external IP, or DNS” field you write: “server.two.com”
- In the “internal IP” field you write: 192.168.1.1
- Than you click “finish” and see what you have done. Now you should have got a purely configured Gateway (named “Gateway”) and a Tunnel for that Gateway (named “tunnel” what a surprise). Now we need to do some more configuration.
3. The configuration of the gateway:
- On the “Authentication” tab of the gateway, you can choose the NIC you want to use on “Server one” for the tunnel. The available NICs IPs will be shown in a drop down list.
- Now you just have to select the used IKE methods for encryption, authentication and key group, as defined in the “example configuration” section above.
- At the “Advanced” tab you have to adjust the “Local ID”: 192.168.1.1 and the “Remote ID”: 192.168.2.1 of the tunnel. You can set the ID on various other ways too, like DNS, or e-mail.
- There are two more configuration possibilities to mention at this section:
1. “Aggressive Mode”: it squeezes the IKE SA negotiation into three packets, and so the negotiation is quicker. Always choose this option, if you want to connect to a cisco device!
2. “NAT-T”: means NAT Traversal. We all know what NAT is used for, but unfortunately manipulating the packet’s original IP header, is impacting the IPSec functionality in a bad way. NAT-T was created to solve that problem, and is now widely used in routers and vpn applications. In our case we won’t need it, so we can choose “disabled”.
- We also have got the possibility to use certificate instead of pre-shared key. This can be configured at the certificate tab, but we won’t use it in this tutorial either.
4. The configuration of the tunnel:
- VPN client address: here we have to set the virtual ip address of the VPN Client, like 192.168.2.2 for example.
- Address type: here you can choose between “single address”, “ip range” and “subnet” now we need “single address” set to 192.168.2.1 This is actually the other end of the vpn tunnel. In our case this is the same node as the gateway itself, because the secure gateway application is running on the DB server itself (this is not likely to happen in a productive environment) If there it exists a standalone GW, and a DB server behind of it, and the tunnel needs to reach the DB server, then here you should type the local ip address of the DB server. I will describe this situation in the second part of this article.
- Encryption, authentication and key group we need to set the same, as we did by the gateway, written above.
- PFS: means Perfect Forward Secrecy. IPSec uses PFS, to prevent the possibility of a third party discovering a key value. Select it!
- We can choose two modes, like tunnel and transport.
- Tunnel means a connection between two gateways acting like a gateway or like a proxy for the hosts behind. In this case both payload and the whole header will be encrypted (UDP/TCP and IP).
- Transport on the other side means a connection between two gateways, where one of the gateways is acting like a host. In that case, only the data will be encrypted and the IP header will be leaved untouched. Now we need Tunnel mode.
- At the other tree tabs you can adjust a lot of useful, but not necessarily needed functions, like starting the tunnel after, or even before the windows logon, or running scripts at the opening of the tunnel. Now we won’t need them.
- By the tunnel configuration we only need to set the “IPSec” tab:
5. At this point we are done with the configuration of the first Gateway.
6. Now we have to configure the second gateway identically.
7. After both the gateways are set, we just have to open the tunnel on both gateways
- Right click on the tunnel, and click “open tunnel”. If we have done everything right, the tunnel should be opened.
At that point, the two Servers not necessarily see each other, if the firewalls, and the routing is not set properly. Some thoughts to that topic:
- IPSec vpn uses UDP protocol on the ports 500, 4500, 1723. These ports should be opened on the firewalls, and if needed, the communication through these ports should be forwarded to the VPN gateways.
- Depending on our network layout, there could be a need to create some static routing rules on the Servers. For that you can use the “route” command of windows, like:
- route print – prints the actual routing table
- route -f – flushes the actual routing table
- route add -p 192.168.2.1 mask 255.255.255.255 gateway 192.168.1.1 metric 10 if 2 – permanently adds the routing rule to the table
- route delete 192.168.2.1 mask 255.255.255.255 gateway 192.168.1.1 metric 10 if 2 – removes the rule from the routing table.
If we want to build up the SQL link, we need to open the port 1433 TCP on the firewalls, because this is the default port for creating linked DB in MS SQL. After we can reach each other DB server with telnet through the 1433 port there should be no problem to create the DB link in MS SQL.
The Green Bow is a widely compatible software tool, so you can build up “gateway to gateway” or “client to gateway” VPN Tunnels with it, with the tools and devices of many foreign vendors, like cisco for example. These Configurations does sometimes has there specialities, but there ar many documentation to find all ower the internet, for exact configurations. So if it’s not working for the first try, don’t panic, there is always a solution.
In the next part i will show you an example, how to create an IPSec VPN tunnel between these two DB servers, through two Cisco RV042 Gateways.
Goodbye until then!