sloth10k
asked on
Using static internal IPs through two VPN devices
I have a group of users who are assigned static IPs when VPNing into our network, in order to accurately send them audio/video streams. They are getting assigned 192.168.7.x IPs. Routing for 192.168.7.x on our internal core switches points towards our single VPN endpoint.
I would like to configure a backup VPN endpoint that might be used by these users. I can assign them their 192.168.7.x IPs through RADIUS, but how would my routing work? My core switches are currently pointing towards the existing VPN device for 192.168.7.x addresses. Is there any way to tell them that 192.168.7.x address might be through VPN device 1, but might also be through VPN device 2? Thank you for any help that you can provide.
I would like to configure a backup VPN endpoint that might be used by these users. I can assign them their 192.168.7.x IPs through RADIUS, but how would my routing work? My core switches are currently pointing towards the existing VPN device for 192.168.7.x addresses. Is there any way to tell them that 192.168.7.x address might be through VPN device 1, but might also be through VPN device 2? Thank you for any help that you can provide.
Qlemo
You can provide a route to the other device, with a higher metric (TTL). However, that requires that the link to the primary VPN router goes down, or an according ICMP message is sent back from that router if the VPN is not available.
ASKER
As you point out, that solution would require sort of an all-or-nothing cutover between the two devices. I am looking for a solution where the two VPN devices could be used in parallel. For example, remote users on a certain ISP cannot access VPN device 1, but they can access device 2, because the two devices are on different carriers. Thanks for the suggestion.
A route can always point to a single gateway only. The info of where a incoming packet was coming from (which router etc.) is not available (or ignored), so a "return same way" approach is not feasible.
I assume the association between client and ISP (and hence device to use) is static? Then you should be able to split the .7 network in subclasses reserved for each VPN device, and create routes accordingly. Instead of subclassing, different VLAN tagging might be working, too.
I assume the association between client and ISP (and hence device to use) is static? Then you should be able to split the .7 network in subclasses reserved for each VPN device, and create routes accordingly. Instead of subclassing, different VLAN tagging might be working, too.
ASKER
Unfortunately, the association between client and ISP is not static. It's possible that any remote client may need to come into either of the two VPN devices.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The only solution is the split 192.168.7.x into 2 subnets, and assign IPs depending on what VPN router the user hits. So on VPN he might get 192.168.7.3 and on VPN2 me might get 192.168.7.131.
terminal_dk,
The asker insists on having static IPs, with "dynamic" ISP. Subnetting has been suggested already, but is not available because of the non-static ISP association.
The asker insists on having static IPs, with "dynamic" ISP. Subnetting has been suggested already, but is not available because of the non-static ISP association.