Site to Site VPN w/DHCP

Friends, I have an interesting task assigned to me that I don't think is possible, but I figured I'd throw it out there at least.

Two sites, one site in USA one in China. USA site has a static address, China site will have a DHCP from the provider. China office needs to telnet to USA server to do whatever they do. I need a site to site VPN from one site to the other so this is all secured as best as possible. Obviously if the provider in China assigns a fresh DHCP address, the VPN tunnel will be broken. Is there a way to make this work? Static to DHCP site to site VPN using Cisco PIX equipment. I don't think there is a way but if there is let me know. Cisco seems to say only static addresses.

"The public IP addresses are specified in the IPsec peers configuration, and require that the public addresses of the VPN routers to be static addresses."

Thanks, Adam

Reply to
amattina

Hello Adam,

I do this regularly with Dynamic DNS (dyndns.com, among others; Google on "Dynamic DNS"). I setup a DDNS client (dyndns.com has one for free, but I like DirectUpdate, 'cause it's more flexible) at the other end on a computer that's on all the time; it reports the current IP address regularly, and whenever it changes, to the DDNS provider. So, you end up with a domain name like ChinaOffice.dyndns.com (but I make 'em more cryptic, to keep my strategy private to my client). Now, you use ChinaOffice.dyndns.com as the "other end" address, instead of an IP. When their IP changes, dyndns.com gets notified within seconds. I virtually never can't make a connection.

Secondary hint: If you have lots of these (as I do), then go to [link] and download "Servers Alive." Up to ten sites can be monitored for free, and you pay for a license above that. Now I've got an orange ball in my system tray that turns to a red "Stop sign" when one or more are inaccessible. When I know a site remains inaccessible for more than about ten minutes, I know I've got some admin chores to attend to with folks at that site.

--Carol Anne

Reply to
Carol Anne
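The two behaviours Carol Anne describes (a DDNS client that re-announces the remote site's address on a fixed heartbeat and immediately whenever it changes, and a monitor that only raises an alarm once a site has been unreachable for about ten minutes) are small enough to model in a few dozen lines. The following is an added example written for this thread, not code from any poster, from dyndns.com, DirectUpdate or Servers Alive; the hostname, addresses and timeline are constructed, and the clock and the publish callback are injected so the logic runs offline instead of touching a real DDNS provider or a real PIX.

```python
"""Model of the DDNS-update and outage-alert rules from the thread.

Added example, not from the original post. Everything below is
constructed: the DDNS hostname, the RFC 5737 test addresses and the
timeline of lease changes. The publish callback and the clock are
injected so nothing here talks to the network.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DdnsUpdater:
    """Remote-site DDNS client: announce on heartbeat AND on every change."""
    hostname: str                          # constructed DDNS name
    heartbeat_s: float                     # re-announce even if unchanged
    publish: Callable[[str, str], None]    # (hostname, ip) -> send update
    last_ip: Optional[str] = None
    last_sent_at: Optional[float] = None

    def observe(self, current_ip: str, now: float) -> bool:
        """Return True if an update was published for this observation."""
        changed = current_ip != self.last_ip
        due = (self.last_sent_at is None
               or now - self.last_sent_at >= self.heartbeat_s)
        if changed or due:
            self.publish(self.hostname, current_ip)
            self.last_ip = current_ip
            self.last_sent_at = now
            return True
        return False


@dataclass
class PeerMonitor:
    """Static-site watcher: alert once the peer is down past a grace period."""
    grace_s: float
    down_since: Optional[float] = None
    alerted: bool = False

    def observe(self, reachable: bool, now: float) -> Optional[str]:
        """Return an alert message, a recovery message, or None."""
        if reachable:
            msg = "recovered" if self.alerted else None
            self.down_since = None
            self.alerted = False
            return msg
        if self.down_since is None:
            self.down_since = now
        outage = now - self.down_since
        if not self.alerted and outage >= self.grace_s:
            self.alerted = True
            return f"peer unreachable for {int(outage)}s; needs attention"
        return None


def simulate() -> Dict[str, List[Tuple]]:
    """Run a constructed timeline through both components and return what they did."""
    updates: List[Tuple[float, str, str]] = []
    alerts: List[Tuple[float, str]] = []
    updater = DdnsUpdater(
        hostname="chinaoffice-x7q2.dyndns.example",   # constructed, deliberately cryptic
        heartbeat_s=600,
        publish=lambda host, ip: updates.append((host, ip)),
    )
    monitor = PeerMonitor(grace_s=600)                 # the "about ten minutes" rule

    # Constructed timeline: (seconds, IP seen by the remote site, reachable from the US side)
    timeline = [
        (0,    "203.0.113.10", True),    # first announcement
        (300,  "203.0.113.10", True),    # unchanged, heartbeat not yet due
        (600,  "203.0.113.10", True),    # heartbeat due
        (900,  "203.0.113.77", False),   # provider issued a new lease; tunnel drops
        (1200, "203.0.113.77", False),   # still down, inside the grace period
        (1500, "203.0.113.77", False),   # grace period exceeded -> alert
        (1800, "203.0.113.77", True),    # tunnel back up on the new address
    ]
    for t, ip, up in timeline:
        if updater.observe(ip, t):
            updates[-1] = (t,) + updates[-1]
        msg = monitor.observe(up, t)
        if msg:
            alerts.append((t, msg))
    return {"updates": updates, "alerts": alerts}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The change-triggered update at t=900 is what keeps the DNS name current within seconds, while the heartbeat covers the case where an update was lost; the monitor deliberately stays quiet during the short gap so a routine lease renewal does not page anyone.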

Carol, thanks for the tip. I have found through some other avenues a way to do this natively with some PIXs: [link]

I am working on this now. ServersAlive isn't that bad. I run Nagios though, which crushes the functionality of SA... but still a good thought!

SSH: I already suggested this; they want to have the machines on a Windows domain so we can do corporate antivirus and easy management. I'm working on getting the VPN going but just having one problem. Here is a little cross-thread/cross-group action for ya if someone wants to take a quick peek: [link]

Thanks, Adam

Reply to
amattina

That makes no sense.

You plan on using telnet to reach a machine of some sort which runs a telnet daemon to listen for such connections. Any such machine capable of running a telnet daemon is equally capable of running a ssh daemon.

As for the client end of things, that's even easier. Every Unix worth its electrons ships with ssh, even stock MacOS X. Several choices for Windows as well; I suggest PuTTY.

Ssh literally is telnet with a built-in VPN. It can tunnel more than the keyboard/telnet session, but not as easily as a full VPN.

Reply to
David Kelly

Hi,

SSH? IPSec? This is CHINA, not the USA; they are filtering and blocking most traffic at the government level, which uses TCP/GRE (IPSec, Windows VPN).

You need to use some VPN like SSL based (OpenVPN) or ViPNet based (ViPNet vpn).

Try one of them:

ViPNet: [link]

OpenVPN: [link] (free, but it will require many reconnections)

Reply to
Norvik
