Implementing an isolated guest WLAN via IPSec VPN on Windows

Posted by sysadmin1138 on Server Fault See other posts from Server Fault or by sysadmin1138
Published on 2012-06-19T15:10:23Z Indexed on 2012/06/19 15:18 UTC
Read the original article Hit count: 269

Filed under:
|
|

We are attempting to set up a guest WLAN network that is isolated from the rest of our network. This is proving difficult due to a couple of technical reasons. My first choice was to use a separate VLAN, on which our Firewall's handy WLAN port would handle DHCP, DNS and the network isolation we need. Unfortunately, due to the fact that our main office and our Internet connection itself are in different locations connected by way of a Metro Ethernet connection, I'm at the mercy of our ISP for VLAN transit.

They won't pass a second VLAN between our two sites. And my hardware doesn't support 802.1ad "Q-in-Q", which would also solve this problem. So I can't use the VLAN method for isolation. At least not without spending money.

As our Firewall can handle IPSec site-to-site VPN connections, I hope it is possible to connect a Server 2008R2 (standard) server I have in the office location to the WLAN and provide gateway services to the firewall. Thusly:

Network diagram

Unfortunately, I don't know if it is possible to connect the two this way. The firewall has a pretty flexible IPSec/L2TP implementation (I've used it to connect iPads in the wild), but is neither Kerberized or supports NTLM. The Connection Security Rules view on the Windows server seems to get close to what I think needs to be done, but I'm failing on figuring out how to get it to do what I need it to do.

Is this even possible, or do I need to pursue alternate solution?

© Server Fault or respective owner

Related posts about windows-server-2008

Related posts about ipsec