Re: VPN Advice...do I need a purchased static ip address on the external interface?



Simon wrote:

> Matty wrote:
>> I have done a lot of reading but think I am missing some fundamentals.
>> If someone could set me straight on these points it would help me a
>> lot....
>>
>> Am I right in thinking that to use a VPN from a remote location to a
>> Server then that server must have been assigned a purchased static IP
>> address to an external interface (by purchased I mean registered with
>> whatever organisation, a class A,B, or C ip address?). To elaborate,
>> if I was to try and use Windows 2000 SBS as the server for the VPN,
>> then this server would need two physical network cards - one with
>> the external ip address that the world can see (the purchased static
>> ip) and an internal one that it routes to.
>>
>> If I used a router instead then the router would have this purchased IP
>> address?
>>
>> Is it because you need a static IP on either a router/external server
>> interface that you could never VPN between two "home" machines that are
>> assigned IP addresses from ADSL modems by their ISP? Or am I mistaken
>> and provided one of the machines had VPN server software and one had
>> client then they could establish a VPN?
>>
>> After all that, it might be clearer if I indicate the specific job...
>>
>> What I would like to do is VPN from 3 "home" ADSL connections to an
>> office machine running SBS 2000. The business does have its own domain
>> so I think it has a "purchased" IP (but am curious if this is
>> necessary?) Am I better off using the Windows VPN with routing and
>> remote access (In which case I need another network card?) or purchasing
>> a VPN capable router?
>>
> You can get away without a fixed address if you use a vpn router that
> supports dynamic dns, then users connect to the dynamic dns name and
> should the IP address change the router updates the dynamic dns server
> of this fact.
> If you go down the windows route you can use a single nic in the server,
> keep it on the lan and direct the inbound vpn connections to it using
> port mapping on the router.
> simon

Simon is correct. However, if your router does not do this you can still
use a dynamic domain name by installing a DDNS client. Suggest that you
have a look at the following:

http://www.dyndns.com/
http://www.dyndns.com/services/
http://www.dyndns.com/services/dns/dyndns/
http://www.dyndns.com/support/clients/
http://www.dyndns.com/support/clients/hardware/
http://www.dyndns.com/support/kb/archives/why_we_recommend_software_clients.html

Note: the last recommends software clients, and I agree. But I've been
updating my multiple DynDNS domains with hardware for quite some time
(BEFVP41's) and seldom have a problem. The disadvantage (for me) in
using hardware clients is that I typically don't know that the DDNS has
gone down or not been updated until I check the VPN links and find that
they've been disconnected (like this morning :-). I would have noticed
the problem immediately had I been running the software client instead.
That said, I can probably count on 1 hand the times that the VPNs have
disconnected due to failure of the router to update the DDNS over the
past 12 months. I've tried both, and settled on hardware because: 1) I
use an old computer with limited CPU & memory resources, and 2) I'm
lazy... I tend to prefer the set & forget unless it becomes an
operational or security problem.

Added note: The only other problem that I've had using hardware is that
sometimes the dynamic IP that one of the servers sits on doesn't change
for 28 days or more, so I then have to go and force a lease update.
However, DynDNS are kind enough to send me a 5 day notice alerting me of
this each time that it happens.
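
The post above describes finding out that a DDNS record was stale only when the VPN links had already dropped. The following is an added example, not part of the original post or of any DynDNS client: a small check that compares the published record with the current WAN address and flags a record that has gone a long time without an update. The hostname, the sample addresses and the way `wan_ip` and `last_update` are obtained are assumptions; the 28-day and 5-day figures are the ones quoted in the post.

```python
import ipaddress
import socket
from datetime import datetime, timedelta

# Figures taken from the post; treat them as assumptions about your provider.
IDLE_LIMIT = timedelta(days=28)
WARN_WINDOW = timedelta(days=5)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_a(hostname):
    """Return the set of IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def check_ddns(hostname, wan_ip, last_update, now, resolver=resolve_a):
    """Classify the DDNS record as OK, STALE, EXPIRING, UNRESOLVED or PRIVATE_WAN."""
    wan = ipaddress.ip_address(wan_ip)
    if any(wan in net for net in RFC1918):
        # Address read from a LAN interface behind NAT; remote peers cannot reach it.
        return "PRIVATE_WAN"
    try:
        records = resolver(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return "UNRESOLVED"
    if wan_ip not in records:
        # VPN peers resolving the name would dial the old address.
        return "STALE"
    if now - last_update >= IDLE_LIMIT - WARN_WINDOW:
        # Address unchanged for a long time: force an update before the limit.
        return "EXPIRING"
    return "OK"


if __name__ == "__main__":
    # Constructed sample data: hypothetical hostname, documentation addresses.
    now = datetime(2024, 3, 30)
    fake_dns = lambda name: {"203.0.113.10"}
    for wan, updated in [("203.0.113.10", datetime(2024, 3, 25)),
                         ("203.0.113.77", datetime(2024, 3, 25)),
                         ("203.0.113.10", datetime(2024, 3, 1)),
                         ("192.168.1.2", datetime(2024, 3, 25))]:
        print(wan, updated.date(),
              check_ddns("office.example.net", wan, updated, now, fake_dns))
```

Run on a schedule from a machine at the server site, any result other than `OK` is the cue to trigger an update or raise an alert before remote users notice the tunnel is down.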
