orther

Dynamic IP Address and VPN

I have a bank of static Public IP Addresses here in the US.  Our office in Singapore has a Linksys router they use to access the Internet.  Singapore office uses a Dynamic IP Address provided by their ISP.  It was my understanding that I cannot create a secure, stable VPN solution, without a Static address at both ends of the network.  I do understand that Dynamic DNS is a possible solution.  I conveyed this information to my boss as the manager of IT.

Here is my problem.  A colleague has suggested to my boss that we can use PPTP to assign one of our extra Public IP addresses to the Singapore office.  It is his contention that we will have no problem creating this secure, stable VPN.

As you can imagine, my credibility was somewhat diminished.

Not really sure what my question is.  I think I am more looking for some insight from the community.

Thanks
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
intreeg

Here is my overall suggestion:
Either in both or in one of the locations replace the current router with a Linux box. Configure the Linux box to use iptables, ddclient, and freeswan. Configure freeswan to connect to the other router and establish the VPN connection. Configure the remote router to accept the VPN connection from the Linux router.

Here are the tools you can use to set up this solution (these are suggestions and may be replaced with other software of your choice):
Linux: SuSE 9.1 -> 2.6 Kernel
Iptables: installed with SuSE
IPSec Tools: installed with SuSE
ddclient 3.6.3: downloaded at http://www.dyndns.org/services/dyndns/clients.html
     You will need to create your account on dyndns.org as well
freeswan (or openswan or strongswan --- freeswan comes packaged with SuSE)
     Freeswan Docs -> http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/intro.html#intro
     !make sure to read the section about VPN and firewalls! Basically you need UDP 500 open in your iptables.



Jon,

> Here is my problem.  A colleague has suggested to my boss that we can use PPTP to assign one of our extra Public IP addresses to the Singapore office.  It is his contention that we will have no problem creating this secure, stable VPN.

From his post it sounds as if his colleague is suggesting they can establish a PPTP session to assign a public IP address to the Singapore office and then create a VPN... however... if you initiate a PPTP session from the Singapore office you already have a VPN and what's the purpose in assigning the public IP address?  I agree you could "route" the traffic to the Singapore network via a public IP address through the PPTP connection but you aren't going to "assign" the IP address to the WAN connection of the Singapore office....  the traffic going to that public IP address would still route through your firewall in the US to the dynamic IP address of the Singapore office... so what's the point in routing the public IP address?

another problem with having the Singapore office initiate the connection is you would have to allow PPTP connections to be initiated from virtually anywhere since it could be coming from a different IP address each time... (with dynamic DNS this would not be needed since you could limit connections to those coming from the FQDN)....  also... you wouldn't be able to initiate the connection from the US office...

bottom line is the ideal solution would be a dynamic DNS setup that would allow initiation of the VPN from the US office or the Singapore office... it would also allow limitations of connections to the FQDN of the Singapore office preventing attempts from other locations...  If the purpose for wanting to route the public IP address to Singapore is for some type of hosting solution, then dynamic DNS would accomplish this as well and prevent downtime due to the PPTP connection being dropped when no one is in the office to reinitiate the connection (I guess you could put a script in place to initiate the connection every couple of minutes but why?)... Dynamic DNS is extremely inexpensive... I've got it running at my house for free for the same purpose you are attempting...

p.s. orther - isn't it lovely when fellow colleagues wave a big stick and attempt to throw you under the bus... The--Captain, though I respect your right to have an opinion, your attitude seems to leave a little to be desired... why not just express your opinion, let others express theirs, and leave the attitude at home... it would probably be more productive there...
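
Added example, not part of any post in this thread: one way to keep the "limit connections to the FQDN" restriction from the post above, together with the UDP 500 firewall note from the earlier Linux-router suggestion, working as the Singapore address changes. iptables resolves a hostname only when a rule is inserted, so the script rebuilds the rules whenever the dynamic DNS name resolves to a new address. The hostname, chain name, state file and the ESP rules are assumptions, and it assumes Singapore is the only IPsec peer of this gateway.

```shell
#!/bin/sh
# Added example; PEER_FQDN, CHAIN and STATE are hypothetical values.
# One-time setup: iptables -N VPN_PEER; iptables -I INPUT -j VPN_PEER
PEER_FQDN="singapore.example.dyndns.org"
CHAIN="VPN_PEER"
STATE="/var/run/vpn_peer.ip"

# Accept only a dotted-quad IPv4 address with every octet in 0-255, so that
# nothing returned by the resolver can smuggle extra text into a rule.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the commands that rebuild the chain for one peer address.
# UDP 500 is IKE (the port named in the thread); ESP carries the tunnel
# traffic and is added here. IKE/ESP from any other source is dropped.
peer_rules() {
    valid_ipv4 "$1" || return 1
    echo "iptables -F $CHAIN"
    echo "iptables -A $CHAIN -s $1 -p udp --dport 500 -j ACCEPT"
    echo "iptables -A $CHAIN -s $1 -p esp -j ACCEPT"
    echo "iptables -A $CHAIN -p udp --dport 500 -j DROP"
    echo "iptables -A $CHAIN -p esp -j DROP"
}

# $1 = address the rules were last built for, $2 = freshly resolved address.
# Prints nothing when unchanged; refuses (status 2) on an invalid answer so
# a failed lookup never flushes the working rules.
plan_update() {
    valid_ipv4 "$2" || { echo "refusing: bad address '$2'" >&2; return 2; }
    [ "$1" = "$2" ] && return 0
    peer_rules "$2"
}

# Cron entry point: resolve, compare with saved state, apply, record.
refresh() {
    new=$(getent ahostsv4 "$PEER_FQDN" | awk 'NR==1 {print $1}')
    old=$(cat "$STATE" 2>/dev/null)
    plan=$(plan_update "$old" "$new") || return $?
    [ -z "$plan" ] && return 0
    echo "$plan" | sh && echo "$new" > "$STATE"
}

if [ "${1:-}" = "--apply" ]; then refresh; fi
```

Run it with `--apply` from cron at an interval shorter than the dynamic DNS record's TTL; until the next run after an address change, the Singapore side is locked out rather than the port being left open.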
hijacking - > "you aren't going to "assign" the IP address to the WAN connection of the Singapore office.... "
If this was possible then you could "hijack" the US IP, but it's not. I believe this is why it was referred to as hijacking, but maybe I am off base here?
you are correct intreeg... not offbase at all
Captain,

I stand by the pointlessness of creating a PPTP tunnel from Asia to the US simply so you can use a US issued IP to create a more secure tunnel from there to another IP that is probably assigned to a router in the same building. Moreover, you still have the problem of a dynamic address on the Asian end of the PPTP tunnel. You have solved nothing.

Kent
orther

ASKER

Thanks all for the assistance.  Very enlightening!
Since you have a Linksys at Singapore, you only need to check if that equipment accepts VPN with Aggressive Mode.

The Aggressive Mode is a type of VPN where one of the sides has dynamic IP. (the other side MUST HAVE static IP)

For example: the Linksys RV series can do Aggressive Mode. Check this link out:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=1705
&p_created=1094687137&p_sid=Dk3dSTrh&p_lva=
&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTEmcF9zZWFyY2hfdHlwZT1zZWF
yY2hfbmwmcF9wcm9kX2x2bDE9MTc2JnBfcHJvZF9sdmwyPSZwX3NjZl9sYW5nPTEmcF9wYWdlPTEmcF9zZWFyY2h
fdGV4dD1hZ3Jlc3NpdmUgbW9kZQ**&p_li=

Not sure if my message is going to break the link above. If yes, copy and paste all the parts, until and including the "=" sign.

I hope I have helped.
I really don't know how you did this, but anyway...

And I really don't want to turn this topic into a "Help me with extended links".

C ya