AlexS
Posts: 155
Joined: 4.Feb.2002
Status: offline
Hi Tom,
first of all: thank you very much; your articles and this discussion helped me throw away my false impression that the answering side authenticates against the calling side. This false impression came into my mind a long time ago, when Windows was NT4, the latest SP was 3, and I was busy VPNing interstate offices. Microsoft said in their RRAS whitepaper that routers authenticate against each other; I thought they did it simultaneously, but now I realise that was a mistake. When one side "dials", it authenticates against the second one, and that's all: both interfaces are connected. And vice versa: if the second side initiates the connection, it authenticates against the first one, again making both interfaces connected.
OK, thanks again.
But let's go back to your scenario, part 2. When creating DoD interface on the REMOTEVPN server, you are saying:
>>I HIGHLY RECOMMEND that you use the same name for the interface as the name of the computer you're connecting to. In this case, the Local VPN gateway is named LOCALVPN. So we'll use that name in this example.
That's not true.
In reality, you should name it with the _username_ (not the computer name) used in the credentials for the REMOTEVPN interface on the LOCALVPN server! Remember, I asked you "what makes the LOCALVPN interface change its state to Connected"? This is the black magic of W2K RRAS: it connects the "answering" interface if its name is the same as the credentials sent by the calling side.
Your example worked because the usernames and computer names were the same!
Let me repeat that process step-by-step, to avoid misunderstanding:
1. The calling router on the LOCALVPN server initiates the connection and sends credentials to the REMOTEVPN server as follows: username: LOCALVPN; domain: REMOTEVPN domain or machine name; password: the password of that LOCALVPN user.
2. The answering RRAS on the REMOTEVPN server authenticates the user and searches the interface list. If it finds that an interface name (LOCALVPN) is equal to the user name (received in the credentials), it understands that this is a DoD connection and connects the corresponding interface, LOCALVPN. This is the black magic of RRAS.
3. If the user name in the credentials does not correspond to any interface name, then RRAS considers the connection a normal RAS connection and does nothing to the local interfaces.
Well, I hope I explained it clearly...
_____________________________________
Now let's go back to "my" scenario. I am going to show you how to adapt your scenario (part 2) to it. Here you go:
Step 1: go to the REMOTEVPN server console, open RRAS and delete the static route to the localvpn network.
Step 2: delete the LOCALVPN interface as well.
Step 3: start Computer Management, go to the user list, and open the properties for the LOCALVPN user. Go to the Dial-in tab, check the "Apply Static Routes" option and press the Static Routes button. Add the static route you deleted in step 1.
That's it. No changes are necessary on the LOCALVPN server; all these steps should be done on the REMOTEVPN server only.
After that, your VPN will work the same as before. But things seem more logical: for example, there is no useless "Connect" interface menu that should not be touched on the REMOTEVPN. And no strange bogus users - they are eliminated in my scenario!
I hope you'll find it interesting.
Alex
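The name-matching rule Alex describes (the answering RRAS connects a demand-dial interface only when its name equals the calling router's authenticated user name, otherwise the caller is a plain RAS client) is easy to get wrong silently, and so is his alternative of putting the routes on the user's Dial-in tab. The script below is an added audit example, not code from the thread or from Microsoft; it assumes a current RRAS host (Windows Server 2016 or later with the RemoteAccess module, PowerShell 5.1 for Get-LocalUser, and optionally the ActiveDirectory module) rather than the Windows 2000 box discussed above, and that dial-in static routes are stored in the AD attribute msRADIUSFramedRoute.

```powershell
# Added example (not from the original thread): audit an RRAS server for the
# demand-dial name-matching behaviour described above.
# Assumptions: Windows Server 2016+ with the RemoteAccess module (Get-VpnS2SInterface),
# PowerShell 5.1 (Get-LocalUser), optional ActiveDirectory module. Run elevated on the RRAS host.

Import-Module RemoteAccess -ErrorAction Stop
$haveAD = [bool](Get-Module -ListAvailable ActiveDirectory)

# 1. Demand-dial (site-to-site) interface names. These are what the answering side
#    compares against the user name presented by the calling router.
$interfaces = Get-VpnS2SInterface | Select-Object -ExpandProperty Name
Write-Host "Demand-dial interfaces on this server:" -ForegroundColor Cyan
$interfaces | ForEach-Object { Write-Host "  $_" }

# 2. For every interface, check that an account with exactly that name exists.
#    Without it, a router authenticating under any other name is treated as an
#    ordinary RAS client and the interface never changes to 'Connected'.
foreach ($name in $interfaces) {
    $local = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    $ad    = $null
    if ($haveAD) {
        $ad = Get-ADUser -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    }
    if ($local -or $ad) {
        Write-Host "OK   interface '$name' has a matching account (demand-dial match)" -ForegroundColor Green
    } else {
        Write-Warning "interface '$name' has NO matching account; a caller with another user name becomes a plain RAS client"
    }
}

# 3. The alternative from the post: no interface at all, routes attached to the user
#    (Dial-in tab, "Apply Static Routes"). In AD these live in msRADIUSFramedRoute,
#    one string per route. List them so the two mechanisms can be compared side by side.
if ($haveAD) {
    Get-ADUser -Filter 'msRADIUSFramedRoute -like "*"' -Properties msRADIUSFramedRoute |
        ForEach-Object {
            $user = $_
            foreach ($route in $user.msRADIUSFramedRoute) {
                $note = if ($interfaces -contains $user.SamAccountName) { "(also has a same-named interface)" } else { "" }
                Write-Host ("route {0,-32} installed when '{1}' dials in {2}" -f $route, $user.SamAccountName, $note)
            }
        }
} else {
    Write-Host "ActiveDirectory module not available; skipping per-user static route listing."
}
```

A warning from step 2 is the symptom Alex asks about ("what makes the LOCALVPN interface change its state to Connected?"): the interface exists but nothing will ever match it. An account that shows up in both step 2 and step 3 is carrying routes twice, once on the interface and once on the user, which is exactly the duplication his three-step change removes.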