Solved
Dynamic IP Address and VPN

Posted on 2004-11-15
Last Modified: 2012-05-05
I have a bank of static public IP addresses here in the US.  Our office in Singapore has a Linksys router they use to access the Internet.  The Singapore office uses a dynamic IP address provided by their ISP.  It was my understanding that I cannot create a secure, stable VPN solution without a static address at both ends of the network.  I do understand that Dynamic DNS is a possible solution.  I conveyed this information to my boss as the manager of IT.

Here is my problem.  A colleague has suggested to my boss that we can use PPTP to assign one of our extra public IP addresses to the Singapore office.  It is his contention that we will have no problem creating this secure, stable VPN.

As you can imagine, my credibility was somewhat diminished.

Not really sure what my question is.  I think I am more looking for some insight from the community.

Thanks
Question by:orther
LVL 79

Accepted Solution

by:
lrmoore earned 336 total points
ID: 12585815
You most certainly can create stable, secure dynamic VPN tunnels between a dynamic IP address and your "home" static IP address. It all depends on what you have at your end.
I can post examples if you use a Cisco PIX firewall at your end, and a VPN-capable Linksys at the other end.
Else, you can use a VPN client at the Singapore office to connect to your end. In this case, the end client would get an IP address on your local LAN, not one of your public IPs. I'm not quite sure what your colleague is suggesting, but I don't think it would work.

The only time you need static IP addresses is if you need to "push" data from HQ to Singapore over the VPN, but as long as the tunnel is already established (a single ping from the remote site), until it times out (8 hours default), the tunnel is open to traffic both ways. Typically, there is enough traffic to maintain the tunnel in a virtually permanent state of open.
LVL 5

Assisted Solution

by:intreeg
intreeg earned 332 total points
ID: 12585992
Even in the circumstance that would require a static IP, you could also use dynamic DNS to create a static DNS record for your dynamic IP address, as you suggested. I am using a very similar configuration to allow myself securely into my home network, using a Linux router running freeswan and ddclient for dynamic DNS, since my home connection is a cable modem with a dynamic IP. It works with the standard Windows VPN client for a "road warrior" configuration, or it can be set to create a static tunnel with a variety of other VPN routers. All a free solution that is secure and stable.
LVL 8

Assisted Solution

by:kain21
kain21 earned 332 total points
ID: 12586606
I have never heard of using PPTP to assign a public IP address of an ISP in the US to route to an ISP of an office in Singapore... this would be impossible... you would have to use the IP address of the office in Singapore to create the tunnel... Dynamic DNS would solve the problem... Ask your colleague how he intends to perform the feat of hijacking an ISP's IP address and rerouting it through another ISP.... remember... when you lease public IP addresses you are "renting" them from the allotted range of that particular ISP... they would only be routable through that ISP...
LVL 5

Expert Comment

by:intreeg
ID: 12586804
Here is my overall suggestion:
Either in both or in one of the locations, replace the current router with a Linux box. Configure the Linux box to use iptables, ddclient, and freeswan. Configure freeswan to connect to the other router and establish the VPN connection. Configure the remote router to accept the VPN connection from the Linux router.

Here are the tools you can use to set up this solution (these are suggestions and may be replaced with other software of your choice):
Linux: SuSE 9.1 -> 2.6 Kernel
Iptables: installed with SuSE
IPSec Tools: installed with SuSE
ddclient 3.6.3: downloaded at http://www.dyndns.org/services/dyndns/clients.html 
     You will need to create your account on dyndns.org as well
freeswan (or openswan or strongswan --- freeswan comes packaged with SuSE)
     Freeswan Docs -> http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/intro.html#intro
                                !make sure to read the section about VPN and firewalls! Basically you need UDP 500 open in your iptables.



LVL 7

Assisted Solution

by:EmpKent
EmpKent earned 332 total points
ID: 12588315
You just need to get a VPN device that supports Aggressive mode. This allows tunnels from dynamic IP addresses.

PPTP is a VPN tunnel... less secure than IPSec. His suggestion makes very little sense.

Kent
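As an added example (my own, not code from intreeg, Kent or the FreeS/WAN project), here is what the Linux-router setup intreeg lays out looks like in ipsec.conf terms on both ends, plus the firewall openings his note about UDP 500 refers to. It also shows why the Aggressive mode Kent mentions is only forced on you when you insist on a pre-shared key: with RSA signatures a responder can accept a main-mode road warrior from any address. The keyword syntax is FreeS/WAN's, which Openswan and strongSWAN 4 also accept. Every address, subnet, identity and key string below is a placeholder I chose, not something from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: ipsec.conf for both ends of a
# static-HQ / dynamic-Singapore tunnel, in FreeS/WAN keyword syntax, plus
# the iptables rules the tunnel needs. All values are placeholders.

HQ_PUBLIC_IP="203.0.113.10"   # assumed static HQ address (TEST-NET-3)
HQ_LAN="10.1.0.0/24"          # assumed HQ LAN
SG_LAN="10.2.0.0/24"          # assumed Singapore LAN
HQ_ID="@hq.example.com"       # identities are names, not addresses, so the
SG_ID="@sg.example.com"       # responder can recognise the peer at any IP
HQ_KEY="0sAQ..."              # placeholder: paste 'ipsec showhostkey --left' output
SG_KEY="0sAQ..."              # placeholder: same, taken on the Singapore box

# HQ side. right=%any accepts the IKE exchange from whatever address
# Singapore has today, and auto=add loads the conn without initiating it:
# HQ cannot initiate because it does not know the peer address in advance.
# RSA signatures are used because main-mode PSK cannot work here: the
# responder must look up the PSK by peer IP before the peer's ID arrives.
# Aggressive mode (Openswan: aggrmode=yes) lifts that restriction for PSKs,
# at the cost of sending the ID in the clear and exposing a hash that an
# eavesdropper can run an offline dictionary attack against.
render_hq_conf() {
    cat <<EOF
config setup
    interfaces=%defaultroute

conn hq-sg
    left=$HQ_PUBLIC_IP
    leftsubnet=$HQ_LAN
    leftid=$HQ_ID
    leftrsasigkey=$HQ_KEY
    right=%any
    rightsubnet=$SG_LAN
    rightid=$SG_ID
    rightrsasigkey=$SG_KEY
    authby=rsasig
    auto=add
EOF
}

# Singapore side: the same conn seen from the other end. left=%defaultroute
# picks up the current WAN address at start, auto=start initiates at boot and
# keyingtries=%forever keeps retrying while the link or the address changes.
# This end is the only one that can bring the tunnel up.
render_sg_conf() {
    cat <<EOF
config setup
    interfaces=%defaultroute

conn hq-sg
    left=%defaultroute
    leftsubnet=$SG_LAN
    leftid=$SG_ID
    leftrsasigkey=$SG_KEY
    right=$HQ_PUBLIC_IP
    rightsubnet=$HQ_LAN
    rightid=$HQ_ID
    rightrsasigkey=$HQ_KEY
    authby=rsasig
    keyingtries=%forever
    auto=start
EOF
}

# Firewall openings on both boxes: IKE on UDP 500, ESP for the data, and
# UDP 4500 only if NAT traversal is in play (a NAT box still in front of
# either end). Printed rather than applied so they can be reviewed first.
firewall_rules() {
    cat <<'EOF'
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
EOF
}

# Usage: sh ipsec-dyn.sh hq|sg|fw   (writes the chosen piece to stdout)
case "${1:-}" in
    hq) render_hq_conf ;;
    sg) render_sg_conf ;;
    fw) firewall_rules ;;
esac
```

Run it with `hq` on the US box and `sg` on the Singapore box and compare the two outputs: the only asymmetries are `%any` versus `%defaultroute` and `add` versus `start`, which is exactly the "Singapore must initiate" point made several times in this thread. If you do go the PSK plus Aggressive mode route because the remote device cannot do RSA, treat the PSK as a long random string, not a word, for the reason given in the comment.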
LVL 16

Assisted Solution

by:The--Captain
The--Captain earned 332 total points
ID: 12592104
>I have never heard of using PPTP to assign an Public IP address of an ISP in the US to route to an ISP of an office in
>Singapore...  this would be impossible...

Have you actually ever used a PPTP VPN?  The suggested config of the colleague is quite simple - just get Singapore to initiate the PPTP VPN (which could give Singapore a valid static IP from the US block of IPs), and then route traffic accordingly.  In this scenario, Singapore would not need a static IP...

>you would have to use the IP address of the office in Singapore to create the tunnel...

Yup. That's why the Singapore office is required to initiate the connection.

>Dynamic DNS would solve the problem...

Only if the Singapore office could not initiate the connection.

>Ask your colleague how he intends to perform the feat of hijacking an ISP's IP address and rerouting through another ISP.

Ummm - maybe by having the Singapore office initiate the connection - I don't know why you insist on calling this "hijacking"

>PPTP is a VPN tunnel... less secure than IPSec.

I agree that if you completely understand the options regarding IPSEC vs PPTP that IPSEC is somewhat more secure.  Both create "tunnels" - I'm not sure why you mentioned that as a factor...

>His suggestion makes very little sense

Since we're dealing with Mickeysoft products, I tend to disagree...

Cheers,
-Jon



LVL 8

Expert Comment

by:kain21
ID: 12593526
Jon,

> Here is my problem.  A colleague has suggested to my boss that we can use PPTP to assign one of our extra Public IP address to the Singapore office.  It is his contention that we will have no problem creating this secure, stable VPN.

From his post it sounds as if his colleague is suggesting they can establish a PPTP session to assign a public IP address to the Singapore office and then create a VPN... however... if you initiate a PPTP session from the Singapore office you already have a VPN, and what's the purpose in assigning the public IP address?  I agree you could "route" the traffic to the Singapore network via a public IP address through the PPTP connection, but you aren't going to "assign" the IP address to the WAN connection of the Singapore office....  the traffic going to that public IP address would still route through your firewall in the US to the dynamic IP address of the Singapore office... so what's the point in routing to the public IP address?

another problem with having the Singapore office initiate the connection is that you would have to allow PPTP connections to be initiated from virtually anywhere, since they could be coming from a different IP address each time... (with dynamic DNS this would not be needed since you could limit connections to those coming from the FQDN)....  also... you wouldn't be able to initiate the connection from the US office...

bottom line is the ideal solution would be a dynamic DNS setup that would allow initiation of the VPN from the US office or the Singapore office... it would also allow limiting connections to the FQDN of the Singapore office, preventing attempts from other locations...  If the purpose for wanting to route the public IP address to Singapore is for some type of hosting solution, then dynamic DNS would accomplish this as well and prevent downtime due to the PPTP connection being dropped when no one is in the office to reinitiate the connection (I guess you could put a script in place to initiate the connection every couple of minutes, but why?)... Dynamic DNS is extremely inexpensive... I've got it running at my house for free for the same purpose you are attempting...

p.s. orther - isn't it lovely when fellow colleagues wave a big stick and attempt to throw you under the bus... The--Captain, though I respect your right to have an opinion, your attitude seems to leave a little to be desired... why not just express your opinion, let others express theirs, and leave the attitude at home... it would probably be more productive there...
LVL 5

Expert Comment

by:intreeg
ID: 12594828
hijacking -> "you aren't going to "assign" the IP address to the WAN connection of the Singapore office...."
If this were possible then you could "hijack" the US IP, but it's not. I believe this is why it was referred to as hijacking, but maybe I am off base here?
LVL 8

Expert Comment

by:kain21
ID: 12594931
you are correct intreeg... not offbase at all
LVL 7

Expert Comment

by:EmpKent
ID: 12596350
Captain,

I stand by the pointlessness of creating a PPTP tunnel from Asia to the US simply so you can use a US issued IP to create a more secure tunnel from there to another IP that is probably assigned to a router in the same building. Moreover, you still have the problem of a dynamic address on the Asian end of the PPTP tunnel. You have solved nothing.

Kent
Assisted Solution

by:zaferus
zaferus earned 336 total points
ID: 12609904
You could use a 3rd party program to help with this:

If you went and registered with a dynamic DNS company, many of them have little Windows (or other OS) based programs that run on a system at each side and every once in a while send a signal to the DDNS company's server.  In the signal is just an identification number for the domain it is sending on behalf of.  The DDNS system then checks if the IP address has changed and, if it has, updates it to the new IP address.

This way you can keep both domains as dynamic, but have very little downtime if they change.

So let's say oooo.com is your domain name.  You could have this split into vpn1 and vpn2.

So at site vpn1, you set it up with this software on a local server to send its signal every hour.  On the DDNS company you call this site vpn1.oooo.com and set up its VPN by domain name to go to vpn2.oooo.com.

And at site vpn2, you set up the software on a local server to send its signal every hour.  On the DDNS company you call this site vpn2.oooo.com and set up its VPN by domain name to go to vpn1.oooo.com.

This way you don't spend any extra cash on creating extra domains.  You will have to pay about $30-50 / year for this type of DDNS hosting, and will have to set up your normal domain information here as well.  But these places are great!  You can have MX and www. failover and it can also E-mail you if any of your connections are down, and a host of other features.  The one our company uses is dnsmadeeasy.com - but I'm sure there are lots of providers out there.
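An added example (mine, not zaferus's, kain21's or ddclient's code) of the two decisions behind this scheme: when the agent at each site should actually push an update, and what the US side does with a firewall rule that only accepts IKE from whatever the Singapore name resolves to right now, as kain21 suggested a few comments up. The hostname, state-file path and addresses are assumptions; the provider update call itself is left to ddclient or the provider's own client.

```shell
#!/bin/sh
# Added example, not code from the thread: the update decision a dynamic-DNS
# client makes, plus refreshing a source-restricted IKE rule from what the
# peer's DDNS name currently resolves to. Names and paths are assumptions.

STATE_FILE="${STATE_FILE:-/var/lib/ddns/last-ip}"   # assumed: last address pushed
PEER_FQDN="${PEER_FQDN:-sg.example.com}"             # assumed DDNS name of the remote end

# Syntactic IPv4 check, so a garbled probe result (an HTML error page, an
# empty string) is never pushed to the provider or put into a firewall rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Succeed when an update should be sent: the address is well formed and
# differs from the one last pushed. Re-pushing an unchanged address every
# hour is what gets DDNS accounts throttled or flagged as abusive.
needs_update() {
    current="$1"; last="$2"
    is_ipv4 "$current" && [ "$current" != "$last" ]
}

# Print the iptables commands that move the source-restricted IKE accept rule
# from the old resolved address to the new one. Nothing is executed here.
# What this buys you is limited: it keeps strangers' IKE packets out of the
# logs, but anyone who can spoof the DNS answer or take over the DDNS
# account passes the filter. Peer authentication inside IKE is the control.
ike_rule_refresh() {
    old="$1"; new="$2"
    is_ipv4 "$new" || return 1
    [ "$old" = "$new" ] && return 0
    if [ -n "$old" ]; then
        printf 'iptables -D INPUT -s %s -p udp --dport 500 -j ACCEPT\n' "$old"
    fi
    printf 'iptables -I INPUT -s %s -p udp --dport 500 -j ACCEPT\n' "$new"
}

# Resolve the peer's DDNS name, first A record only. Needs the network, so
# it is only called from the cron-driven cycle below.
resolve_peer() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# One cycle, meant to run from cron at the interval you chose (zaferus
# suggests hourly). The record TTL bounds how stale the far side's view
# can be, so keep the TTL at or below that interval.
#   $1 = this box's current public address, from whatever probe you trust
#   $2 = the address currently allowed by the IKE rule (empty on first run)
cycle() {
    my_ip="$1"; allowed="$2"
    last="$(cat "$STATE_FILE" 2>/dev/null)"
    if needs_update "$my_ip" "$last"; then
        echo "# address changed ${last:-<none>} -> $my_ip: run your provider update here"
        printf '%s\n' "$my_ip" > "$STATE_FILE"
    fi
    ike_rule_refresh "$allowed" "$(resolve_peer "$PEER_FQDN")"
}

# Usage: ddns-cycle.sh <my-public-ip> [<ip-currently-allowed>]
if [ "$#" -ge 1 ]; then
    cycle "$1" "${2:-}"
fi
```

The script prints the iptables changes instead of applying them so you can review them before piping the output into `sh`. Note what the source restriction does and does not give you: it reduces IKE noise from random addresses, but the decision is only as trustworthy as the DNS answer and the DDNS account behind it, which is why the tunnel's authentication (RSA keys or a strong pre-shared key) has to carry the real weight.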
Author Comment

by:orther
ID: 12630127
Thanks all for the assistance.  Very enlightening!
Expert Comment

by:rafael_martin
ID: 12714929
Since you have a Linksys in Singapore, you only need to check if that equipment accepts VPN with Aggressive Mode.

Aggressive Mode is a type of VPN where one of the sides has a dynamic IP (the other side MUST HAVE a static IP).

For example: the Linksys RV series can do Aggressive Mode. Check this link out:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=1705&p_created=1094687137&p_sid=Dk3dSTrh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTEmcF9zZWFyY2hfdHlwZT1zZWFyY2hfbmwmcF9wcm9kX2x2bDE9MTc2JnBfcHJvZF9sdmwyPSZwX3NjZl9sYW5nPTEmcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1hZ3Jlc3NpdmUgbW9kZQ**&p_li=

Not sure if my message is going to break the link above. If yes, copy and past all the parts, until and including the "=" sign.

I hope I have helped.
Expert Comment

by:rafael_martin
ID: 12741745
I really don't know how you did this, but anyway...

And I really don't want to turn this topic into a "Help me with extended links".

C ya