The previous example deployed a remote access VPN; the following example deploys a site-to-site VPN:
A site-to-site VPN connects two networks so that computers on either network can communicate with computers on the other. By default, a site-to-site VPN connection is a demand-dial connection: it is established only when there is traffic that must be forwarded over the interface (that is, IP packets destined for the remote network). The calling router (the VPN client) initiates the connection; the answering router (the VPN server) listens for connection requests, accepts the request from the calling router, establishes the connection, and disconnects it after a period of inactivity (5 minutes by default). You can instead configure the connection as a persistent connection, in which case the VPN server keeps the connection up and re-establishes it immediately if it is interrupted.
To prevent the calling router from creating unwanted connections, you can restrict the site-to-site VPN connections that the calling router may request in the following two ways:
IP demand-dial filters. Demand-dial filtering lets you specify which kinds of IP traffic do not cause a demand-dial connection to be established or, alternatively, which kinds of IP traffic may cause it to be established. To configure demand-dial filtering, right-click the demand-dial interface under the Network Interfaces node of the Routing and Remote Access snap-in and click Set IP Demand-dial Filters.
Dial-out hours. Dial-out hours let you configure the periods during which the calling router is allowed, or not allowed, to establish the site-to-site VPN connection. To configure dial-out hours, right-click the demand-dial interface under the Network Interfaces node of the Routing and Remote Access snap-in and click Dial-out Hours. You can also use remote access policies to restrict the times at which incoming demand-dial routing connections are accepted.
Site-to-site VPN connections can be divided into two types. The first is a one-way initiated connection: one VPN router always acts as the calling router (the VPN client) and the other always acts as the answering router (the VPN server). When a one-way initiated site-to-site connection is established, the calling router adds a route to the private network behind the answering router, but the answering router does not add a route to the private network behind the calling router; the answering router therefore cannot reach the calling router's private network. For this reason, one-way initiated connections are less commonly used. A one-way initiated connection requires the following:
The answering router is configured as a LAN and demand-dial router. A user account is created on the answering router holding the authentication credentials of the calling router, and a demand-dial interface with the same name as that user account is configured on the answering router. Because this demand-dial interface is never used to dial out, it is not configured with the host name or IP address of the calling router, nor with valid dial-out credentials.
If the site-to-site VPN connection uses L2TP/IPsec, you must also install a client authentication certificate on the calling router and a server authentication certificate on the answering router or, if you do not use certificates, configure an IPsec preshared key.
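As an added example that is not part of the original article (whose procedure uses the Routing and Remote Access snap-in), the following script configures the calling-router side of the one-way initiated L2TP/IPsec connection described above with the RemoteAccess PowerShell module available on Windows Server 2012 and later: demand-dial with the 5-minute idle disconnect, a route to the remote network, the user account name shared with the answering router's demand-dial interface, and a preshared key instead of certificates. The interface name, destination host and subnet are constructed placeholders.

```powershell
# Added example (not from the original article): calling-router side of a one-way initiated
# site-to-site L2TP/IPsec connection using the RemoteAccess module (Windows Server 2012+).
# Interface name, destination and subnet are constructed placeholders.
# Run in an elevated PowerShell session on a server with the Routing role installed.

Import-Module RemoteAccess

# The interface name doubles as the dial-out account name, which must match the user account
# and the demand-dial interface configured on the answering router.
$interfaceName   = 'ToHeadOffice'
$answeringRouter = 'vpn.example.test'     # public name or IP address of the answering router
$remoteSubnet    = '10.20.0.0/16:100'     # remote private network and route metric, added when the link is up

# Secrets are prompted for rather than stored in the script: the account password presented
# to the answering router and the IPsec preshared key used in place of certificates.
$password     = Read-Host -Prompt 'Dial-out account password'
$preSharedKey = Read-Host -Prompt 'IPsec preshared key'

# Demand-dial is the default; add -Persistent to keep the tunnel up and reconnect immediately if it drops.
Add-VpnS2SInterface -Name $interfaceName `
    -Destination $answeringRouter `
    -Protocol L2TP `
    -AuthenticationMethod MSChapv2 `
    -UserName $interfaceName `
    -Password $password `
    -SharedSecret $preSharedKey `
    -IPv4Subnet $remoteSubnet `
    -IdleDisconnectSeconds 300            # the article's default: hang up after 5 idle minutes

# Verify the result; ConnectionState shows whether the interface is currently dialled.
Get-VpnS2SInterface -Name $interfaceName |
    Format-List Name, Destination, Protocol, IPv4Subnet, IdleDisconnectSeconds, ConnectionState
```

Demand-dial filters and dial-out hours are not set here; the article configures them from the snap-in as described above.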