How to Cheat at Configuring ISA Server 2004

Site-to-site VPNs allow you to connect entire networks to one another. This can lead to significant cost savings for organizations that are using dedicated frame relay links to connect branch offices to the main office, or branch offices to one another. The ISA firewall supports site-to-site VPN networking using the following VPN protocols:
PPTP (Point-to-Point Tunneling Protocol)
L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
IPSec Tunnel Mode
The most secure VPN protocol for site-to-site VPNs is L2TP/IPSec, which allows you to require both machine and user authentication. The second most secure protocol for site-to-site VPNs is a matter of debate. If you have two ISA firewalls, or are connecting an ISA firewall to a Windows RRAS machine, then I recommend that you use PPTP and route certificate authentication. IPSec tunnel mode should only be used when you need to connect to downlevel VPN gateways. The major problem with IPSec tunnel mode is that most downlevel VPN gateway vendors require you to use a pre-shared key instead of certificate authentication, and there are a number of exploits that can take advantage of this situation.
Creating a site-to-site VPN can be a complex process because of the number of steps involved. However, once you understand the steps and why they're performed, you'll find that setting up a site-to-site VPN is a lot easier than you think. In this section we'll begin by creating a site-to-site VPN using the PPTP VPN protocol. After we establish...