Introduction to VPN Site-to-Site with Windows RRAS on Windows Server 2019

A site-to-site VPN creates a permanent encrypted tunnel between two networks over the internet, allowing devices at both sites to communicate as if they were on the same LAN. Windows Server 2019 RRAS (Routing and Remote Access Service) can establish site-to-site VPN connections using IKEv2, L2TP/IPsec, PPTP, or SSTP. For modern deployments, IKEv2 is recommended for its robustness, support for MOBIKE (network path changes), and strong security using AES-256 and SHA-256.

In a typical deployment, Site A (head office) and Site B (branch office) each have a Windows Server 2019 RRAS gateway. The RRAS servers have public IP addresses (or are behind NAT with UDP 500/4500 forwarded) and are configured with matching pre-shared keys or certificates. Once the tunnel is established, static routes or BGP advertise each site’s internal subnets across the tunnel.

Installing RRAS on Both Sites

Install RRAS on the gateway server at Site A and repeat at Site B:

Install-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN -IncludeManagementTools

Enable IP routing (required for routing traffic between subnets through the VPN tunnel):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "IPEnableRouter" -Value 1

Configure RRAS for VPN and routing:

Install-RemoteAccess -VpnType VpnS2S

Start the RRAS service and set it to automatic:

Start-Service -Name RemoteAccess
Set-Service -Name RemoteAccess -StartupType Automatic

Configuring the Site-to-Site VPN on Site A (IKEv2 with Pre-Shared Key)

On Site A (RRAS gateway at 203.0.113.10), create the VPN interface pointing to Site B’s gateway (198.51.100.20):

Add-VpnS2SInterface -Name "SiteB" -Destination "198.51.100.20" -Protocol IKEv2 -AuthenticationMethod PSKOnly -SharedSecret "MyStr0ngPSK!xyz2024" -IPv4Subnet @("10.20.0.0/24:100") -Persistent:$true -PassThru

The -IPv4Subnet parameter specifies the remote site subnet and metric. 10.20.0.0/24 is Site B’s internal network. The metric (100) determines routing priority.

Verify the VPN interface was created:

Get-VpnS2SInterface

Configuring the Site-to-Site VPN on Site B

On Site B (RRAS gateway at 198.51.100.20), create the complementary VPN interface pointing to Site A:

Add-VpnS2SInterface -Name "SiteA" -Destination "203.0.113.10" -Protocol IKEv2 -AuthenticationMethod PSKOnly -SharedSecret "MyStr0ngPSK!xyz2024" -IPv4Subnet @("10.10.0.0/24:100") -Persistent:$true -PassThru

The shared secret must be identical on both ends. 10.10.0.0/24 is Site A’s internal network. Verify the interface on Site B:

Get-VpnS2SInterface
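The Site A and Site B steps above are the same procedure with the local and remote values swapped. The function below is an added example (not code from the original article) that wraps them so one script serves both gateways: it installs only the missing roles, enables IP forwarding, configures RRAS for site-to-site once, and creates the demand-dial interface only if it does not already exist. The PSK is taken from a PSCredential prompt rather than a literal in the script, so it does not end up in the script file or the PowerShell history. The function name, its parameter names, and the `VpnS2SStatus` property used to detect an existing RRAS configuration are assumptions; the IP addresses and subnets are the article's.

```powershell
# Added example: configure one RRAS gateway for the site-to-site tunnel.
# Run once on each gateway with that site's own values. Hypothetical wrapper.
function Install-S2SGateway {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InterfaceName,   # e.g. "SiteB" on the Site A gateway
        [Parameter(Mandatory)] [string] $RemoteGateway,   # remote gateway public IP
        [Parameter(Mandatory)] [string] $RemoteSubnet,    # e.g. "10.20.0.0/24"
        [int] $Metric = 100,
        [Parameter(Mandatory)] [pscredential] $Psk        # password field carries the PSK
    )

    # Roles: install only what is missing so re-runs stay quiet.
    $features = 'RemoteAccess', 'Routing', 'DirectAccess-VPN'
    $missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
    if ($missing) {
        Install-WindowsFeature -Name $missing.Name -IncludeManagementTools | Out-Null
    }

    # Kernel IP forwarding between the LAN adapter and the demand-dial interface.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $current = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
    if ($current -ne 1) {
        Set-ItemProperty -Path $tcpip -Name IPEnableRouter -Value 1
    }

    # Configure RRAS for site-to-site only if not already done
    # (assumption: Get-RemoteAccess reports VpnS2SStatus as 'Installed' once configured).
    if ((Get-RemoteAccess).VpnS2SStatus -ne 'Installed') {
        Install-RemoteAccess -VpnType VpnS2S | Out-Null
    }

    Set-Service -Name RemoteAccess -StartupType Automatic
    if ((Get-Service -Name RemoteAccess).Status -ne 'Running') {
        Start-Service -Name RemoteAccess
    }

    # Demand-dial interface: create once; never duplicate on re-run.
    $existing = Get-VpnS2SInterface -Name $InterfaceName -ErrorAction SilentlyContinue
    if (-not $existing) {
        $subnetWithMetric = '{0}:{1}' -f $RemoteSubnet, $Metric
        Add-VpnS2SInterface -Name $InterfaceName -Destination $RemoteGateway -Protocol IKEv2 `
            -AuthenticationMethod PSKOnly `
            -SharedSecret $Psk.GetNetworkCredential().Password `
            -IPv4Subnet @($subnetWithMetric) -Persistent:$true | Out-Null
    }
    Get-VpnS2SInterface -Name $InterfaceName
}

# Usage on the Site A gateway (PSK prompted, not stored):
# $psk = Get-Credential -UserName 'ikev2-psk' -Message 'Enter the site-to-site pre-shared key'
# Install-S2SGateway -InterfaceName 'SiteB' -RemoteGateway '198.51.100.20' -RemoteSubnet '10.20.0.0/24' -Psk $psk
# On the Site B gateway, swap the values:
# Install-S2SGateway -InterfaceName 'SiteA' -RemoteGateway '203.0.113.10' -RemoteSubnet '10.10.0.0/24' -Psk $psk
```

The same credential object must be entered identically on both gateways; a mismatch shows up later as a tunnel that never leaves the Disconnected state rather than as an error from Add-VpnS2SInterface.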

Establishing and Testing the Tunnel

Connect the site-to-site VPN from Site A (Site A initiates by default; when Persistent is true, it connects automatically):

Connect-VpnS2SInterface -Name "SiteB"

Check the connection state:

Get-VpnS2SInterface -Name "SiteB" | Select Name, Destination, ConnectionState, IPv4Subnet

The ConnectionState should show “Connected”. If it shows “Disconnected”, check the RRAS event log for errors.

Test connectivity from a workstation on Site A’s network to a server on Site B’s network:

ping 10.20.0.10 -S 10.10.0.50
Test-NetConnection -ComputerName 10.20.0.10 -Port 445
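Connect-VpnS2SInterface returns before IKEv2 negotiation has finished, so checking ConnectionState immediately afterwards can report Disconnected for a tunnel that is still coming up. The function below is an added example (not from the original article) that connects the interface, polls its state until it is Connected or a timeout expires, and then runs the TCP reachability test through the tunnel. The function name and parameters are assumptions; the addresses are the article's.

```powershell
# Added example: bring the tunnel up, wait for it, then test a remote host through it.
# Hypothetical helper; run on the initiating gateway (Site A in the article).
function Test-S2STunnel {
    param(
        [Parameter(Mandatory)] [string] $InterfaceName,   # e.g. "SiteB"
        [Parameter(Mandatory)] [string] $RemoteHost,      # host on the remote subnet
        [int] $Port = 445,
        [int] $TimeoutSeconds = 60
    )

    $iface = Get-VpnS2SInterface -Name $InterfaceName -ErrorAction Stop
    if ($iface.ConnectionState -ne 'Connected') {
        Connect-VpnS2SInterface -Name $InterfaceName
    }

    # IKEv2 negotiation is asynchronous from the cmdlet's point of view: poll, don't assume.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 2
        $state = (Get-VpnS2SInterface -Name $InterfaceName).ConnectionState
    } while ($state -ne 'Connected' -and (Get-Date) -lt $deadline)

    if ($state -ne 'Connected') {
        # Typical causes: PSK mismatch, UDP 500/4500 blocked, NAT without 4500 forwarded.
        throw "Tunnel '$InterfaceName' is '$state' after $TimeoutSeconds s; check the RemoteAccess event log"
    }

    # TCP test rather than ICMP only: ping is often filtered on the remote host.
    $tnc = Test-NetConnection -ComputerName $RemoteHost -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Interface  = $InterfaceName
        State      = $state
        RemoteHost = $RemoteHost
        Port       = $Port
        TcpOpen    = $tnc.TcpTestSucceeded
        SourceAddr = $tnc.SourceAddress.IPAddress   # should be a Site A address, not the public IP
    }
}

# Test-S2STunnel -InterfaceName 'SiteB' -RemoteHost '10.20.0.10' -Port 445
```

A Connected state with TcpOpen false usually means the tunnel is fine but routing is incomplete on one side (see the static routes section) or the remote host's own firewall blocks the port.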

Configuring Static Routes for Site-to-Site VPN

In addition to the -IPv4Subnet parameter on the VPN interface, add static routes on both RRAS servers so the OS routing table knows to send traffic for remote subnets over the VPN tunnel.

On Site A’s RRAS server, add a route for Site B’s subnet:

route -p add 10.20.0.0 mask 255.255.255.0 0.0.0.0 if <InterfaceIndex>

Find the interface index to substitute for <InterfaceIndex>:

Get-NetIPInterface -AddressFamily IPv4 | Where-Object {$_.InterfaceAlias -eq "SiteB"} | Select InterfaceIndex

Or add via PowerShell:

$vpnIf = Get-NetIPInterface -InterfaceAlias "SiteB" -AddressFamily IPv4   # IPv4 only, so InterfaceIndex is a single value
New-NetRoute -InterfaceIndex $vpnIf.InterfaceIndex -DestinationPrefix "10.20.0.0/24" -NextHop "0.0.0.0" -RouteMetric 10

On Site B, add the corresponding route for Site A’s subnet through the SiteA VPN interface.
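Both gateways need the mirror-image route, and New-NetRoute fails if the route already exists. The helper below is an added example (not from the original article) that adds the route for a remote prefix through the named demand-dial interface, restricting Get-NetIPInterface to IPv4 so the index is a single value and skipping the add when the route is already present. The function name is an assumption; the prefixes and interface names are the article's.

```powershell
# Added example: idempotently add the static route for a remote site subnet
# through the demand-dial interface. Hypothetical helper; works on either gateway.
function Add-S2SRoute {
    param(
        [Parameter(Mandatory)] [string] $InterfaceName,   # demand-dial interface, e.g. "SiteB"
        [Parameter(Mandatory)] [string] $RemotePrefix,    # e.g. "10.20.0.0/24"
        [int] $Metric = 10
    )

    # Get-NetIPInterface returns one object per address family; restrict to IPv4 so that
    # .InterfaceIndex is a scalar and not an array. Fails if the interface does not exist.
    $ipIf = Get-NetIPInterface -InterfaceAlias $InterfaceName -AddressFamily IPv4 -ErrorAction Stop

    $existing = Get-NetRoute -DestinationPrefix $RemotePrefix -InterfaceIndex $ipIf.InterfaceIndex `
        -ErrorAction SilentlyContinue
    if ($existing) {
        return $existing   # already routed over this interface; nothing to do
    }

    # 0.0.0.0 as next hop: the demand-dial link is point-to-point, so the interface is the gateway.
    New-NetRoute -InterfaceIndex $ipIf.InterfaceIndex -DestinationPrefix $RemotePrefix `
        -NextHop '0.0.0.0' -RouteMetric $Metric
}

# Site A gateway:  Add-S2SRoute -InterfaceName 'SiteB' -RemotePrefix '10.20.0.0/24'
# Site B gateway:  Add-S2SRoute -InterfaceName 'SiteA' -RemotePrefix '10.10.0.0/24'
```

After adding the routes, `Get-NetRoute -DestinationPrefix 10.20.0.0/24` on Site A (and the Site A prefix on Site B) should list exactly one entry bound to the demand-dial interface; a second entry on the LAN adapter with a lower metric would silently win and keep traffic off the tunnel.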

Configuring IKEv2 Cryptographic Settings

For maximum security, configure the IKEv2 cipher suite to use AES-256 and SHA-384:

Set-VpnServerConfiguration -TunnelType IKEv2 -EncryptionType MaximumEncryption -PassThru

Alternatively, require IPsec between the two gateway endpoints with a Windows Firewall connection security rule, authenticated with computer certificates issued by the named CA (this is a firewall policy, not an RRAS registry setting):

netsh advfirewall consec add rule name="SiteB-IKEv2" endpoint1=203.0.113.10 endpoint2=198.51.100.20 action=requireinrequireout auth1=computercert auth1ca="CN=Root CA" profile=any
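MaximumEncryption selects the strongest built-in proposal but does not let you name the algorithms. The block below is an added example (not from the original article) of pinning the IKEv2 proposal explicitly with the custom-policy parameters of the RemoteAccess module's Set-VpnServerConfiguration cmdlet: AES-256 and SHA-384 for the IKE exchange, 2048-bit Diffie-Hellman, AES-GCM-256 for ESP, and PFS on rekey. The parameter names and enum values are those of Set-VpnServerConfiguration as documented; the lifetimes are constructed sample values.

```powershell
# Added example: explicit IKEv2 proposal via Set-VpnServerConfiguration -CustomPolicy.
# Apply the identical policy on BOTH gateways; a proposal mismatch is reported as a
# tunnel that stays Disconnected (no matching proposal), not as a cmdlet error.
$policy = @{
    TunnelType                          = 'IKEv2'
    CustomPolicy                        = $true
    EncryptionMethod                    = 'AES256'     # IKE SA (Phase 1) cipher
    IntegrityCheckMethod                = 'SHA384'     # IKE SA (Phase 1) integrity / PRF
    DHGroup                             = 'Group14'    # 2048-bit MODP for the IKE key exchange
    CipherTransformConstants            = 'GCMAES256'  # ESP (Phase 2) AEAD cipher
    AuthenticationTransformConstants    = 'GCMAES256'  # ESP integrity provided by AES-GCM
    PfsGroup                            = 'PFS2048'    # fresh DH on every child SA rekey
    SALifeTimeSeconds                   = 28800        # constructed sample lifetime
    SADataSizeForRenegotiationKilobytes = 102400       # constructed sample rekey volume
}
Set-VpnServerConfiguration @policy -PassThru

# Read the effective server configuration back to confirm the custom policy took effect.
Get-VpnServerConfiguration | Format-List
```

Set the same policy on the responder before reconnecting the initiator: with PSK authentication the responder only sees an IKE_SA_INIT with no acceptable proposal and drops it, so the initiator's LastDisconnectReason is the only place the mismatch is visible.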

Monitoring and Troubleshooting Site-to-Site VPN

View all site-to-site VPN interfaces and their state:

Get-VpnS2SInterface | Select Name, Destination, Protocol, ConnectionState, LastDisconnectReason

View RRAS connection statistics:

Get-RemoteAccessConnectionStatistics

Enable RRAS tracing for IKEv2 debugging:

netsh ras set tracing iashlpr enabled
netsh ras set tracing rasman enabled
# Traces are written to C:\Windows\Tracing

Check Windows Firewall is allowing IKEv2 traffic (UDP 500 and 4500 for NAT traversal):

Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*IKE*" -or $_.DisplayName -like "*IPsec*"} | Select DisplayName, Enabled, Direction, Action
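Matching rule display names on "IKE" or "IPsec" tells you a rule exists, not that it is enabled, inbound, and actually covers the ports. The helper below is an added example (not from the original article) that resolves every enabled inbound allow rule to its port filter and reports whether UDP 500 and UDP 4500 are permitted, which is the check that matters when a tunnel stays Disconnected. The function name is an assumption; it only matches exact port values or "Any", not port ranges.

```powershell
# Added example: confirm the host firewall actually permits inbound IKE (UDP 500)
# and NAT-T (UDP 4500). Hypothetical helper; run on each gateway.
function Test-IkeFirewallRules {
    # Only rules that can currently admit traffic count.
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue

    # Flatten each rule into (rule, port) pairs for its UDP local ports.
    $udpPorts = foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'UDP') {
            foreach ($port in @($filter.LocalPort)) {
                [pscustomobject]@{ Rule = $rule.DisplayName; Profile = $rule.Profile; LocalPort = "$port" }
            }
        }
    }

    # Report per required port; "Any" covers all ports, ranges are not parsed here.
    foreach ($required in 500, 4500) {
        $hits = $udpPorts | Where-Object { $_.LocalPort -eq "$required" -or $_.LocalPort -eq 'Any' }
        [pscustomobject]@{
            Port    = $required
            Allowed = [bool]$hits
            Rules   = (($hits | ForEach-Object Rule | Sort-Object -Unique) -join ', ')
        }
    }
}

# Test-IkeFirewallRules | Format-Table -AutoSize
```

If a port shows Allowed false, the tunnel can still work when the gateway sits behind a perimeter device that terminates nothing and only forwards, but any host-level drop of UDP 500 or 4500 on the responder prevents IKEv2 from ever reaching RRAS, which is why this check belongs before event-log tracing.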

Windows Server 2019 RRAS site-to-site VPN provides a cost-free, software-based solution for securely connecting branch offices to headquarters or cloud environments, with support for modern IKEv2 encryption and BGP dynamic routing for scalable multi-site deployments.