How to Set Up Site-to-Site VPN with RRAS on Windows Server 2012 R2

A site-to-site VPN connects two geographically separate networks over the internet as if they were directly connected. Windows Server 2012 R2 RRAS (Routing and Remote Access Service) can act as a VPN gateway for site-to-site connections, establishing persistent encrypted tunnels between a central office and branch offices, or between an on-premises network and an Azure Virtual Network. Site-to-site VPNs in RRAS use demand-dial interfaces — virtual interfaces that bring the VPN tunnel up when traffic needs to flow, and optionally keep it up persistently. RRAS supports IKEv2, L2TP/IPsec, and SSTP for site-to-site tunnels. IKEv2 is the recommended protocol for modern deployments due to its certificate-based authentication, NAT traversal, and mobility support.

Prerequisites

Two Windows Server 2012 R2 servers — one at each site — or one RRAS server connecting to a compatible third-party VPN gateway. Both servers must have public IP addresses accessible to each other, or use NAT traversal (IKEv2 supports NAT-T). Computer certificates are required for IKEv2 site-to-site VPN — both servers need machine certificates from a trusted CA. For L2TP/IPsec, a pre-shared key can be used as an alternative to certificates. Static public IP addresses on both ends simplify configuration. RRAS must be installed on both servers. The internal network ranges on both sides must not overlap. Document the IP address ranges at both sites before starting.

Network Topology Reference

For this guide, assume the following topology:

Site A (HQ):
  Public IP: 203.0.113.10
  Internal Network: 192.168.1.0/24
  RRAS Server: HQ-VPN01

Site B (Branch):
  Public IP: 203.0.113.20
  Internal Network: 10.10.0.0/24
  RRAS Server: BRANCH-VPN01

Step 1: Install RRAS on Both Servers

Install the RRAS role on both the HQ and Branch servers:

Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools

Install-RemoteAccess -VpnType VpnS2S

Step 2: Configure Machine Certificates for IKEv2

Both RRAS servers require computer certificates for IKEv2 authentication. Request certificates from your enterprise CA:

# On both servers - request a machine certificate from Active Directory CA
$certTemplate = "Machine"  # Use the appropriate template name
$dn = "CN=$env:COMPUTERNAME"

$cert = Get-Certificate -Template $certTemplate `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -SubjectName $dn

Write-Host "Certificate thumbprint: $($cert.Certificate.Thumbprint)"
Write-Host "Subject: $($cert.Certificate.Subject)"

Verify the certificate is in the local machine store:

Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*$env:COMPUTERNAME*"} | Select-Object Subject, Thumbprint, NotAfter
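A certificate being present is not the same as it being usable for IKEv2. The following pre-flight check is an added example, not part of the original guide: it assumes the issuing CA is trusted in Cert:\LocalMachine\Root and that the certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1) or the IPsec IKE Intermediate EKU (1.3.6.1.5.5.8.2.2), and it reports why a candidate would be rejected rather than just listing it.

```powershell
# Added example (not from the original guide): pre-flight check that a machine
# certificate usable for IKEv2 site-to-site authentication exists on this server.
# Assumptions: the enterprise CA chain is trusted in Cert:\LocalMachine\Root and
# the certificate has the Server Authentication (1.3.6.1.5.5.7.3.1) or
# IPsec IKE Intermediate (1.3.6.1.5.5.8.2.2) EKU.
function Test-IkeV2MachineCertificate {
    param(
        [string]$SubjectMatch = $env:COMPUTERNAME,
        [int]$MinDaysRemaining = 30
    )
    $requiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2')
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" }

    foreach ($cert in $candidates) {
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if (-not ($ekus | Where-Object { $requiredEku -contains $_ })) {
            $problems += "no IKEv2-capable EKU (found: $($ekus -join ', '))"
        }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $MinDaysRemaining) { $problems += "expires in $daysLeft days" }

        # Test-Certificate builds and validates the chain against the local trust store.
        if (-not (Test-Certificate -Cert $cert -ErrorAction SilentlyContinue)) {
            $problems += 'chain does not validate (is the issuing CA trusted here?)'
        }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Run on both HQ-VPN01 and BRANCH-VPN01 before creating the S2S interfaces.
Test-IkeV2MachineCertificate | Format-Table -AutoSize
```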

Step 3: Create the Demand-Dial VPN Interface on HQ Server

Create a demand-dial interface on HQ-VPN01 that points to the branch site:

# On HQ-VPN01
# MachineCertificates: both peers authenticate with the computer certificates from Step 2.
# -Persistent keeps the tunnel up instead of waiting for a trigger packet.
Add-VpnS2SInterface -Name "Branch-Site" `
    -Destination "203.0.113.20" `
    -Protocol IKEv2 `
    -AuthenticationMethod MachineCertificates `
    -IPv4TriggerFilter "10.10.0.0/24" `
    -IPv4Subnet @("10.10.0.0/24:100") `
    -EncryptionType RequireEncryption `
    -SADataSizeForRenegotiationKilobytes 33553408 `
    -SALifeTimeSeconds 28800 `
    -MMSALifeTimeSeconds 86400 `
    -Persistent

Verify the interface was created:

Get-VpnS2SInterface | Select-Object Name, Destination, Protocol, ConnectionState, IsEnabled

Step 4: Create the Demand-Dial VPN Interface on Branch Server

Create the reciprocal interface on BRANCH-VPN01:

# On BRANCH-VPN01
# Mirror image of the HQ interface: destination, trigger filter and subnet point at HQ.
Add-VpnS2SInterface -Name "HQ-Site" `
    -Destination "203.0.113.10" `
    -Protocol IKEv2 `
    -AuthenticationMethod MachineCertificates `
    -IPv4TriggerFilter "192.168.1.0/24" `
    -IPv4Subnet @("192.168.1.0/24:100") `
    -EncryptionType RequireEncryption `
    -SADataSizeForRenegotiationKilobytes 33553408 `
    -SALifeTimeSeconds 28800 `
    -MMSALifeTimeSeconds 86400 `
    -Persistent
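RequireEncryption only demands that the tunnel be encrypted; the algorithms are still whatever the two ends negotiate from their defaults. The block below is an added example that goes beyond the guide's own settings: it pins an explicit IKE and ESP proposal on the demand-dial interface with the cmdlet's custom-policy parameters. It assumes the interface names from Steps 3 and 4 and a peer that accepts AES-256, SHA-256 and DH group 14; the same policy has to be applied on both servers or negotiation fails.

```powershell
# Added example (not part of the original guide): replace the negotiated defaults on a
# demand-dial interface with an explicit IKEv2/IPsec proposal. Apply on BOTH ends.
# Assumptions: interface names "Branch-Site" (HQ-VPN01) and "HQ-Site" (BRANCH-VPN01)
# from Steps 3 and 4, and a peer that supports these algorithms.
function Set-S2SHardenedIpsecPolicy {
    param([Parameter(Mandatory)][string]$InterfaceName)

    # Splatting keeps the per-parameter comments readable (comments cannot follow
    # a backtick line continuation in PowerShell).
    $policy = @{
        Name                             = $InterfaceName
        CustomPolicy                     = $true
        EncryptionMethod                 = 'AES256'     # IKE (phase 1) cipher
        IntegrityCheckMethod             = 'SHA256'     # IKE (phase 1) integrity
        DHGroup                          = 'Group14'    # 2048-bit MODP for phase 1
        CipherTransformConstants         = 'GCMAES256'  # ESP (phase 2) AEAD cipher
        AuthenticationTransformConstants = 'GCMAES256'  # ESP (phase 2) integrity
        PfsGroup                         = 'PFS2048'    # forward secrecy on rekey
    }

    # Apply with the tunnel down (Disconnect-VpnS2SInterface) so the next connect
    # negotiates the new proposal rather than keeping the old SAs.
    Set-VpnS2SInterface @policy

    # Wildcard property names show whatever policy fields the cmdlet exposes
    # without depending on exact property names.
    Get-VpnS2SInterface -Name $InterfaceName |
        Format-List Name, EncryptionType, *Method*, *Group*, *Constants*
}

# On HQ-VPN01:
Set-S2SHardenedIpsecPolicy -InterfaceName "Branch-Site"
# On BRANCH-VPN01:
# Set-S2SHardenedIpsecPolicy -InterfaceName "HQ-Site"
```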

Step 5: Add Static Routes for Site-to-Site Traffic

Configure static routes on each RRAS server so that traffic destined for the remote site is directed through the VPN tunnel interface:

# On HQ-VPN01 - the IPv4Subnet setting from Step 3 is what RRAS uses to route the
# branch subnet (10.10.0.0/24, metric 100) into the tunnel. To change it on the
# existing interface use Set-VpnS2SInterface; Add-VpnS2SInterface fails on a
# duplicate interface name.
Set-VpnS2SInterface -Name "Branch-Site" `
    -IPv4Subnet @("10.10.0.0/24:100")

# Optional: also pin an explicit static route in the Windows routing table.
# The interface alias must be visible to the IP stack (check Get-NetIPInterface first).
New-NetRoute -DestinationPrefix "10.10.0.0/24" `
    -InterfaceAlias "Branch-Site" `
    -RouteMetric 100

Repeat on BRANCH-VPN01 for the HQ subnet.

Step 6: Configure Firewall Rules for IKEv2

Allow IKEv2 traffic (UDP 500 and 4500) and ESP protocol through the Windows Firewall on both servers:

New-NetFirewallRule -DisplayName "IKEv2 VPN In" `
    -Direction Inbound `
    -Protocol UDP `
    -LocalPort 500, 4500 `
    -Action Allow

New-NetFirewallRule -DisplayName "IKEv2 VPN Out" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 500, 4500 `
    -Action Allow

# Allow ESP (IP Protocol 50) for IPsec encrypted traffic
New-NetFirewallRule -DisplayName "IPsec ESP In" `
    -Direction Inbound `
    -Protocol 50 `
    -Action Allow

New-NetFirewallRule -DisplayName "IPsec ESP Out" `
    -Direction Outbound `
    -Protocol 50 `
    -Action Allow

Step 7: Connect the VPN Tunnel

Initiate the VPN connection from either server:

# On HQ-VPN01 - connect to branch
Connect-VpnS2SInterface -Name "Branch-Site"

# Monitor connection state
Get-VpnS2SInterface -Name "Branch-Site" | Select-Object Name, ConnectionState, LastError, LastDisconnectReason

A successful connection shows ConnectionState: Connected.

Step 8: Verify End-to-End Connectivity

Test connectivity across the VPN tunnel from each site to the other:

# From HQ server - ping branch internal hosts
Test-NetConnection -ComputerName "10.10.0.1" -TraceRoute

# Verify routing table shows the remote subnet via the tunnel
Get-NetRoute | Where-Object {$_.DestinationPrefix -like "10.10.*"} | Select-Object DestinationPrefix, NextHop, InterfaceAlias
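Steps 7 and 8 are usually repeated until the tunnel settles, so it helps to have them in one check that waits with a timeout, surfaces the interface's last error on failure, and confirms the remote subnet is actually routed through the tunnel rather than the default gateway. This is an added example, not from the original guide; it assumes it runs on HQ-VPN01 with the topology above and that 10.10.0.1 is a constructed branch host listening on TCP 3389.

```powershell
# Added example (not from the original guide): bring the tunnel up, wait for it with a
# timeout, and confirm the remote subnet is routed via the demand-dial interface.
# Assumptions: run on HQ-VPN01 with the names/addresses from the topology section;
# 10.10.0.1 / TCP 3389 is a constructed branch host used as a reachability probe.
function Test-S2STunnel {
    param(
        [string]$InterfaceName = 'Branch-Site',
        [string]$RemotePrefix  = '10.10.0.0/24',
        [string]$RemoteHost    = '10.10.0.1',
        [int]$RemotePort       = 3389,
        [int]$TimeoutSeconds   = 60
    )
    $iface = Get-VpnS2SInterface -Name $InterfaceName
    if ($iface.ConnectionState -ne 'Connected') {
        Connect-VpnS2SInterface -Name $InterfaceName
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 5
            $iface = Get-VpnS2SInterface -Name $InterfaceName
        } until ($iface.ConnectionState -eq 'Connected' -or (Get-Date) -gt $deadline)
    }

    $result = [ordered]@{
        Interface       = $InterfaceName
        ConnectionState = $iface.ConnectionState
        LastError       = $iface.LastError
        RouteViaTunnel  = $false
        RemoteReachable = $false
    }
    if ($iface.ConnectionState -eq 'Connected') {
        # The route for the remote prefix must point at the demand-dial interface;
        # if it is missing, branch-bound traffic leaves via the default gateway instead.
        $route = Get-NetRoute -DestinationPrefix $RemotePrefix -ErrorAction SilentlyContinue |
            Where-Object { $_.InterfaceAlias -eq $InterfaceName }
        $result.RouteViaTunnel = [bool]$route

        $probe = Test-NetConnection -ComputerName $RemoteHost -Port $RemotePort `
            -WarningAction SilentlyContinue
        $result.RemoteReachable = $probe.TcpTestSucceeded
    }
    [pscustomobject]$result
}

Test-S2STunnel
```

A result with ConnectionState Connected but RouteViaTunnel False means the tunnel is up yet the IPv4Subnet or static route from Step 5 is not in effect.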

Summary

Site-to-site VPN with RRAS on Windows Server 2012 R2 provides a cost-effective, software-based VPN gateway that can connect branch offices or establish hybrid connectivity to cloud environments. IKEv2 with certificate authentication is the most secure and resilient option. For Azure connectivity, configure the RRAS server to connect to an Azure VPN Gateway using IKEv2 with a pre-shared key or certificates — RRAS is specifically supported by Azure as an on-premises VPN device. Persistent tunnels ensure the connection remains up continuously without waiting for demand-dial triggers.