VPN Advice... do I need a purchased static IP address on the external interface?

I have done a lot of reading but think I am missing some fundamentals. If someone could set me straight on these points it would help me a lot...

Am I right in thinking that to use a VPN from a remote location to a server, that server must have been assigned a purchased static IP address on an external interface (by purchased I mean registered with whatever organisation: a class A, B, or C IP address)? To elaborate, if I was to try and use Windows 2000 SBS as the server for the VPN, then this server would need two physical network cards: one with the external IP address that the world can see (the purchased static IP) and an internal one that it routes to.

If I used a router instead then the router would have this purchased IP address?

Is it because you need a static IP on either a router or an external server interface that you could never VPN between two "home" machines that are assigned IP addresses from ADSL modems by their ISP? Or am I mistaken, and provided one of the machines had VPN server software and one had the client, they could establish a VPN?

After all that, it might be clearer if I indicate the specific job...

What I would like to do is VPN from 3 "home" ADSL connections to an office machine running SBS 2000. The business does have its own domain, so I think it has a "purchased" IP (but am curious if this is necessary?). Am I better off using the Windows VPN with Routing and Remote Access (in which case I need another network card?) or purchasing a VPN-capable router?

Matty

You can get away without a fixed address if you use a VPN router that supports dynamic DNS; then users connect to the dynamic DNS name, and should the IP address change, the router updates the dynamic DNS server of this fact. If you go down the Windows route you can use a single NIC in the server, keep it on the LAN and direct the inbound VPN connections to it using port mapping on the router. simon

Simon

Simon is correct. However, if your router does not do this you can still use a dynamic domain name by installing a DDNS client. Suggest that you have a look at the following:

Note: the last recommends software clients, and I agree. But I've been updating my multiple DynDNS domains with hardware for quite some time (BEFVP41s) and seldom have a problem. The disadvantage (for me) in using hardware clients is that I typically don't know that the DDNS has gone down or not been updated until I check the VPN links and find that they've been disconnected (like this morning :-). I would have noticed the problem immediately had I been running the software client instead. That said, I can probably count on 1 hand the times that the VPNs have disconnected due to failure of the router to update the DDNS over the past 12 months. I've tried both, and settled on hardware because: 1) I use an old computer with limited CPU & memory resources, and 2) I'm lazy... I tend to prefer set & forget unless it becomes an operational or security problem.

Added note: The only other problem that I've had using hardware is that sometimes the dynamic IP that one of the servers sits on doesn't change for 28 days or more, so I then have to go and force a lease update. However, DynDNS are kind enough to send me a 5-day notice alerting me of this each time that it happens.

glgxg

Cheers for that. One I put in recently was on cable, and around here that can give you a 6-month lease if you don't turn off the modem. simon

Simon

Let me give a generic answer. The ends of a VPN need to be able to find each other. One way to do this is to use static IPs; another is to use dynamic DNS. If you use dynamic DNS you need to (a) keep it updated and (b) have the client and/or server VPN software know how to use it.

If you control your firewall you can add some port knocking and improve your security. Note that these measures make it harder to connect from behind a firewall, such as a laptop being used on customer premises. I'll stop; this is really not directly related to VPN; it can be used to pre-validate any access.

Bill Davidsen
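A small monitoring check for the failure glgxg describes (the router quietly stops updating the DDNS record and the tunnel drops before anyone notices) and for Bill Davidsen's point that a dynamic DNS name has to be kept updated. This is an added example, not code from anyone in the thread; the hostnames, addresses, the 28-day threshold and the fake resolver are constructed stand-ins, and the resolver and WAN-address lookup are injected so it runs offline:

```python
from datetime import datetime, timedelta
import ipaddress
from typing import Callable
# WAN addresses that mean the router itself sits behind another NAT (RFC 1918 /
# CGNAT 100.64/10): inbound VPN via a DDNS name cannot reach it, however fresh the name.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
MAX_AGE = timedelta(days=28)  # force an update past this (assumed; thread cites ~28-day leases)

def behind_nat(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in NAT_RANGES)

def check_endpoint(hostname: str, wan_ip: str, last_update: datetime,
                   now: datetime, resolve: Callable[[str], str]) -> str:
    """Return one status word for a VPN endpoint's dynamic DNS name."""
    if behind_nat(wan_ip):
        return "wan-behind-nat"  # double NAT / CGNAT: no DDNS update can fix this
    try:
        resolved = resolve(hostname)
    except OSError:
        return "unresolvable"    # name deleted or mistyped on one side
    if resolved != wan_ip:
        return "stale"           # glgxg's failure: peers keep dialing the old IP
    if now - last_update > MAX_AGE:
        return "touch-needed"    # still correct, but old enough to be expired
    return "ok"

def report(endpoints, now, resolve) -> dict:
    """Map each (hostname, wan_ip, last_update) tuple to its status word."""
    return {h: check_endpoint(h, ip, upd, now, resolve) for h, ip, upd in endpoints}

# Constructed stand-ins for a real resolver (socket.gethostbyname) and the
# router's WAN address; hostnames and addresses are invented.
FAKE_DNS = {"office.example-ddns.net": "198.51.100.7",  # old address, never updated
            "branch.example-ddns.net": "203.0.113.22"}

def fake_resolve(name: str) -> str:
    if name not in FAKE_DNS:
        raise OSError(f"no such host: {name}")
    return FAKE_DNS[name]

NOW = datetime(2005, 3, 1)
SAMPLE = [("office.example-ddns.net", "198.51.100.9", NOW - timedelta(days=2)),
          ("branch.example-ddns.net", "203.0.113.22", NOW - timedelta(days=40)),
          ("home3.example-ddns.net", "100.70.1.2", NOW)]

if __name__ == "__main__":
    for name, status in report(SAMPLE, NOW, fake_resolve).items():
        print(f"{name}: {status}")
```

Run it from cron on the LAN side of the router with a real resolver and WAN lookup, and alert on anything other than "ok" instead of waiting for the tunnels to drop.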
