SonicWall VPN into DMZ - Public IPs?

Is it possible to create a VPN tunnel into a public IP address space?

A client of ours gave us 3 IP addresses: 1 public concentrator IP and 2 public IP addresses to their servers. The servers are running in our client's DMZ.

Is it possible to set up a VPN in this scenario? I had always thought VPN required a private IP endpoint?

Any help or clarification would be appreciated!

Thanks!

Spam Catcher

The VPN will be from two public IPs to each other, to start the communications, then, depending on the setup, you may have subnet 1 on your end and subnet 2 on their end - you only want to set the rules to allow the exact IP/ports that you need exposed on both ends - don't set up a VPN where you expose subnet 1/24 to subnet 2/24.

So, the two VPNs have to start with public IPs in order to reach each other, then the second part is the internal range they can access, then the last is what ports/IPs inside each range.

Leythos

Spam Catcher wrote in news:Xns972BB1C7D339Cusenethoneypotrogers@127.0.0.1:

Just answering my own question... yes it works. Got it to work with a SonicWall 3060 thanks to SonicWall Tech Doc.

Spam Catcher

Should work on almost any set of boxes; the fact that the IPs on either end are public or private really does not matter. However, there is one wrinkle in using publics for the VPN cloud addresses: the box must understand to route packets bound for those IPs into the tunnel rather than out the default gateway to the internet. Most decent boxes are fine with this type of configuration. Then of course there is the slightly separate issue of mapping the public IP back to a private locally to talk to the actual box in question, if you aren't literally assigning the public IP to it, which most people don't.

Many places have gone to this method for all VPNs, since they were forever having problems with overlapping private IPs amongst connecting parties. They will only offer, and connect to, public IPs inside their tunnels. Some places have taken to buying blocks of public IPs strictly for this purpose (inclusion inside VPNs) that will never be publicly routed on the Internet. Others just "borrow" them from real internet parties in faraway places that they never expect to need to reach, which works as long as both parties agree (i.e. put them in the tunnel only).

-Russ.

Somebody.
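
The two checks raised in the replies above (public destinations must be routed into the tunnel rather than out the default gateway, and tunnel rules should name exact hosts and ports instead of whole subnets), as an added example that is not part of the original thread. The route and rule lists, the interface names and the RFC 5737 documentation addresses are constructed for illustration and are not SonicWall's configuration format.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses), not from the thread.
ROUTES = [  # (destination prefix, egress interface) - hypothetical model
    ("0.0.0.0/0", "wan"),
    ("198.51.100.10/32", "vpn-tunnel"),  # remote DMZ server 1
]
RULES = [  # (source, destination, destination port) allowed across the tunnel
    ("10.1.1.25/32", "198.51.100.10/32", 443),
    ("10.1.1.0/24", "198.51.100.0/24", "any"),  # subnet-to-subnet, too broad
]
REMOTE_SERVERS = ["198.51.100.10", "198.51.100.11"]


def egress_for(dest, routes):
    """Longest-prefix match: return the interface a packet to dest leaves by."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def leaking_servers(servers, routes, tunnel="vpn-tunnel"):
    """Remote public IPs that would follow the default route, not the tunnel."""
    return [s for s in servers if egress_for(s, routes) != tunnel]


def broad_rules(rules):
    """Rules that expose more than a single host on a single port."""
    flagged = []
    for src, dst, port in rules:
        wide = [n for n in (src, dst)
                if ipaddress.ip_network(n).num_addresses > 1]
        if wide or port == "any":
            flagged.append((src, dst, port))
    return flagged


if __name__ == "__main__":
    for s in REMOTE_SERVERS:
        print(f"{s} -> {egress_for(s, ROUTES)}")
    print("not routed into tunnel:", leaking_servers(REMOTE_SERVERS, ROUTES))
    print("over-broad rules:", broad_rules(RULES))
```
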
