Dynamic IP Address and VPN

I have a bank of static Public IP Addresses here in the US.  Our office in Singapore has a Linksys router they use to access the Internet.  Singapore office uses a Dynamic IP Address provided by their ISP.  It was my understanding that I cannot create a secure, stable VPN solution, without a Static address at both ends of the network.  I do understand that Dynamic DNS is a possible solution.  I conveyed this information to my boss as the manager of IT.

Here is my problem.  A colleague has suggested to my boss that we can use PPTP to assign one of our extra Public IP addresses to the Singapore office.  It is his contention that we will have no problem creating this secure, stable VPN.

As you can imagine, my credibility was somewhat diminished.

Not really sure what my question is.  I think I am more looking for some insight from the community.

Thanks
ortherAsked:
lrmooreCommented:
You most certainly can create stable, secure dynamic VPN tunnels between a dynamic IP address and your "home" static IP address. It all depends on what you have at your end..
I can post examples if you use Cisco PIX firewall at your end, and VPN-capable Linksys at the other end.
Else, you can use a VPN client at the Singapore office to connect to your end. In this case, the end client would get an IP address on our local LAN, not one of your public IP's. I'm not quite sure what your colleague is suggesting, but I don't think it would work.

The only time you need static IP addresses is if you need to "push" data from HQ to Singapore over the VPN, but as long as the tunnel is already established (a single ping from the remote site), until it times out (8 hours default), then the tunnel is open to traffic both ways. Typically, there is enough traffic to maintain the tunnel in a virtually permanent state of open.
0

intreegCommented:
Even in the circumstance that would require a static IP you could also use dynamic dns to create a static DNS record for your dynamic IP address as you suggested. I am using a very similar configuration to allow myself securely into my home network, using a linux router running freeswan and the ddclient for dynamic dns, since my home connection is a cable modem with a dynamic ip. Works with the standard windows vpn client for "road warrior" configuration or it can be set to create a static tunnel with a variety of other VPN/Routers. All a free solution that is secure and stable.
0
kain21Commented:
I have never heard of using PPTP to assign a Public IP address of an ISP in the US to route to an ISP of an office in Singapore... this would be impossible... you would have to use the IP address of the office in Singapore to create the tunnel... Dynamic DNS would solve the problem... Ask your colleague how he intends to perform the feat of hijacking an ISP's IP address and rerouting through another ISP.... remember... when you lease public IP addresses you are "renting" them from the allotted range of that particular ISP... they would only be routable through that ISP...
0
intreegCommented:
Here is my overall suggestion:
Either in both or in one of the locations replace the current router with a linux box. Configure the linux box to use Iptables, ddclient, and freeswan. Configure freeswan to connect to the other router and establish the vpn connection. Configure the remote router to accept the vpn connection from the linux router.

Here are the tools you can use to setup this solution (these are suggestions and may be replaced with other software of your choice)
Linux: SuSE 9.1 -> 2.6 Kernel
Iptables: installed with SuSE
IPSec Tools: installed with SuSE
ddclient 3.6.3: downloaded at http://www.dyndns.org/services/dyndns/clients.html 
     You will need to create your account on dyndns.org as well
freeswan (or openswan or strongswan --- freeswan comes packaged with SuSE)
     Freeswan Docs -> http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/intro.html#intro
                                !make sure to read the section about VPN and firewalls! Basically you need UDP 500 open in your iptables.



0
EmpKentCommented:
You just need to get a VPN device that supports Aggressive mode. This allows tunnels from dynamic IP addresses.

PPTP is a VPN tunnel... less secure than IPSec. His suggestion makes very little sense.

Kent
0
The--CaptainCommented:
>I have never heard of using PPTP to assign an Public IP address of an ISP in the US to route to an ISP of an office in
>Singapore...  this would be impossible...

Have you actually ever used a PPTP VPN?  The suggested config of the colleague is quite simple - just get Singapore to initiate the PPTP VPN (which could give Singapore a valid static IP from the US block of IPs), and then route traffic accordingly.  In this scenario, Singapore would not need a static IP...

>you would have to use the IP address of the office in Singapore to create the tunnel...

Yup. That's why the Singapore office is required to initiate the connection.

>Dynamic DNS would solve the problem...

Only if the Singapore office could not initiate the connection.

>Ask your colleague how he intends to perform the feat of hijacking an ISP's IP address and rerouting through another ISP.

Ummm - maybe by having the Singapore office initiate the connection - I don't know why you insist on calling this "hijacking"

>PPTP is a VPN tunnel... less secure than IPSec.

I agree that if you completely understand the options regarding IPSEC vs PPTP that IPSEC is somewhat more secure.  Both create "tunnels" - I'm not sure why you mentioned that as a factor...

>His suggestion makes very little sense

Since we're dealing with Mickeysoft products, I tend to disagree...

Cheers,
-Jon



0
kain21Commented:
Jon,

> Here is my problem.  A colleague has suggested to my boss that we can use PPTP to assign one of our extra Public IP address to the Singapore office.  It is his contention that we will have no problem creating this secure, stable VPN.

From his post it sounds as if his colleague is suggesting they can establish a PPTP session to assign a public IP address to the Singapore office and then create a VPN... however... if you initiate a PPTP session from the Singapore office you already have a VPN and what's the purpose in assigning the public ip address?  I agree you could "route" the traffic to the Singapore network via a public IP address through the PPTP connection but you aren't going to "assign" the IP address to the WAN connection of the Singapore office....  the traffic going to that public IP address would still route through your firewall in the US to the dynamic IP address of the Singapore office... so what's the point in routing the public IP address?

another problem with having the Singapore office initiate the connection is you would have to allow PPTP connections to be initiated from virtually anywhere since it could be coming from a different IP address each time... (with dynamic DNS this would not be needed since you could limit connections to those coming from the FQDN)....  also... you wouldn't be able to initiate the connection from the US office...

bottom line is the ideal solution would be a dynamic DNS setup that would allow initiation of the VPN from the US office or the Singapore office... it would also allow limitations of connections to the FQDN of the Singapore office preventing attempts from other locations...  If the purpose for wanting to route the public ip address to Singapore is for some type of hosting solution, then dynamic DNS would accomplish this as well and prevent downtime due to the PPTP connection being dropped when no one is in the office to reinitiate the connection (i guess you could put a script in place to initiate the connection every couple of minutes but why?)... Dynamic DNS is extremely inexpensive... I've got it running at my house for free for the same purpose you are attempting...

p.s. orther - isn't it lovely when fellow colleagues wave a big stick and attempt to throw you under the bus... The--Captain, though I respect your right to have an opinion, your attitude seems to leave a little to be desired... why not just express your opinion, let others express theirs, and leave the attitude at home... it would probably be more productive there...
0
intreegCommented:
hijacking - > "you aren't going "assign" the IP address to the WAN connection of the Singapore office.... "
If this was possible then you could "hijack" the US ip, but it's not. I believe this is why it was referred to as hijacking, but maybe I am off base here?
0
kain21Commented:
you are correct intreeg... not offbase at all
0
EmpKentCommented:
Captain,

I stand by the pointlessness of creating a PPTP tunnel from Asia to the US simply so you can use a US issued IP to create a more secure tunnel from there to another IP that is probably assigned to a router in the same building. Moreover, you still have the problem of a dynamic address on the Asian end of the PPTP tunnel. You have solved nothing.

Kent
0
zaferusCommented:
You could use a 3rd party program to help with this:

If you went and registered with a dynamic DNS company, many of them have little windows (or other OS) based programs that run on a system at each side and every once in a while send a signal to this DDNS companies' server.  In the signal is just an identification number as to what domain it is sending it on behalf of.  The DDNS system then checks if the IP address has changed and if it has updates it to the new IP address.

This way you can keep both domains as dynamic, but have very little downtime if they change.

So let's say oooo.com is your domain name.  You could have this split to vpn1 and vpn2.

So at site vpn1 - you set it up with this software on a local server to send its signal every hour.  On the DDNS company you call this site vpn1.oooo.com and set up its VPN by domain name to go to vpn2.oooo.com.

And at site vpn2 - you set up the software on a local server to send its signal every hour.  On the DDNS company you call this site vpn2.oooo.com and set up its VPN by domain to go to vpn1.oooo.com.

This way you don't spend any extra cash on creating extra domains.  You will have to pay about $30-50 / year for this type of DDNS hosting, and will have to set up your normal domain information here as well.  But these places are great!  You can have MX and www. failover and it can also E-mail you if any of your connections are down, and a host of other features.  The one our company uses is dnsmadeeasy.com - but I'm sure there are lots of providers out there.
0
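The DDNS update exchange zaferus describes (a client periodically reporting on behalf of its hostname, the provider updating the record only when the source IP changed) and kain21's point about limiting the IPsec firewall openings to the peer's FQDN, as an added stand-alone simulation that is not code from this thread. The hostnames, token and IPs are constructed sample values; the response strings follow the dyndns2 convention ddclient uses, and the rules add UDP 4500 and ESP to the UDP 500 intreeg mentions, since an IPsec tunnel needs those as well.

```python
"""Constructed simulation of a DDNS update exchange and of refreshing an
IPsec peer allow-list from the peer's DDNS name. All values are made up."""
from ipaddress import ip_address


class DdnsServer:
    """Stand-in for the DDNS provider: one A record per hostname, changed
    only when the updating client's source IP differs from the record."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # hostname -> shared update token
        self.records = {}                # hostname -> current IPv4 string

    def handle_update(self, hostname, token, source_ip):
        # Response codes follow the dyndns2 convention ddclient understands.
        if self.accounts.get(hostname) != token:
            return "badauth"
        ip_address(source_ip)            # reject garbage before storing it
        if self.records.get(hostname) == source_ip:
            return "nochg"
        self.records[hostname] = source_ip
        return "good"

    def resolve(self, hostname):
        return self.records.get(hostname)


def ipsec_peer_rules(peer_ip):
    """iptables rules admitting IKE (UDP 500), NAT-T (UDP 4500) and ESP
    only from the one peer address, instead of from anywhere."""
    return [
        f"-A INPUT -s {peer_ip} -p udp --dport 500 -j ACCEPT",
        f"-A INPUT -s {peer_ip} -p udp --dport 4500 -j ACCEPT",
        f"-A INPUT -s {peer_ip} -p esp -j ACCEPT",
    ]


def refresh_peer_rules(server, peer_fqdn, known_ip):
    """Re-resolve the peer's DDNS name; return (ip, rules) with rules
    non-empty only when the peer has moved and the allow-list must change."""
    new_ip = server.resolve(peer_fqdn)
    if new_ip is None or new_ip == known_ip:
        return known_ip, []
    return new_ip, ipsec_peer_rules(new_ip)


if __name__ == "__main__":
    ddns = DdnsServer({"vpn2.oooo.com": "sample-token"})
    print(ddns.handle_update("vpn2.oooo.com", "sample-token", "203.0.113.10"))
    ip, rules = refresh_peer_rules(ddns, "vpn2.oooo.com", None)
    print(ip, *rules, sep="\n")
```

Running `refresh_peer_rules` from cron on the US side (and the mirror on the Singapore side) keeps the firewall opening tied to the current DDNS answer rather than to the whole Internet.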
ortherAuthor Commented:
Thanks all for the assistance.  Very enlightening!
0
rafael_martinCommented:
Since you have a Linksys at Singapore, you only need to check if that equipment accepts VPN with Aggressive Mode.

The Aggressive Mode is a type of VPN where one of the sides has dynamic IP. (the other side MUST HAVE static IP)

For example: the Linksys RV series can do Aggressive Mode. Check this link out:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=1705&p_created=1094687137&p_sid=Dk3dSTrh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTEmcF9zZWFyY2hfdHlwZT1zZWFyY2hfbmwmcF9wcm9kX2x2bDE9MTc2JnBfcHJvZF9sdmwyPSZwX3NjZl9sYW5nPTEmcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1hZ3Jlc3NpdmUgbW9kZQ**&p_li=

Not sure if my message is going to break the link above. If yes, copy and paste all the parts, until and including the "=" sign.

I hope I had helped.
0
rafael_martinCommented:
I really don't know how you did this, but anyway...

And I really don't want to turn this topic into a "Help me with extended links".

C ya
0
Question has a verified solution.