Using static internal IPs through two VPN devices

Posted on 2013-05-29
Last Modified: 2013-10-14
I have a group of users who are assigned static IPs when VPNing into our network, in order to accurately send them audio/video streams.  They are getting assigned 192.168.7.x IPs.  Routing for 192.168.7.x on our internal core switches points towards our single VPN endpoint.

I would like to configure a backup VPN endpoint that might be used by these users.  I can assign them their 192.168.7.x IPs through RADIUS, but how would my routing work?  My core switches are currently pointing towards the existing VPN device for 192.168.7.x addresses.  Is there any way to tell them that 192.168.7.x address might be through VPN device 1, but might also be through VPN device 2?  Thank you for any help that you can provide.
Question by:sloth10k
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 70

Expert Comment

ID: 39206167
You can provide a route to the other device, with a higher metric (TTL). However, that requires that the link to the primary VPN router goes down, or an according ICMP message is sent back from that router if the VPN is not available.

Author Comment

ID: 39208395
As you point out, that solution would require sort of an all-or-nothing cutover between the two devices.  I am looking for a solution where the two VPN devices could be used in parallel.  For example, remote users on a certain ISP cannot access VPN device 1, but they can access device 2, because the two devices are on different carriers.  Thanks for the suggestion.
LVL 70

Expert Comment

ID: 39208412
A route can always point to a single gateway only. The info of where a incoming packet was coming from (which router etc.) is not available (or ignored), so a "return same way" approach is not feasible.

I assume the association between client and ISP (and hence device to use) is static? Then you should be able to split the .7 network in subclasses reserved for each VPN device, and create routes accordingly. Instead of subclassing, different VLAN tagging might be working, too.
Optimum High-Definition Video Viewing and Control

The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.


Author Comment

ID: 39216603
Unfortunately, the association between client and ISP is not static.  It's possible that any remote client may need to come into either of the two VPN devices.
LVL 70

Accepted Solution

Qlemo earned 500 total points
ID: 39217455
Then "You can't do that" seems to be the appropriate answer ...

Expert Comment

ID: 39218253
The only solution is the split 192.168.7.x into 2 subnets, and assign IPs depending on what VPN router the user hits. So on VPN he might get and on VPN2 me might get
LVL 70

Expert Comment

ID: 39571642

The asker insists on having static IPs, with "dynamic" ISP. Subnetting has been suggested already, but is not available because of the non-static ISP association.

Featured Post

Plug and play, no additional software required!

The ATEN UE3310 USB3.1 Gen1 Extender Cable allows users to extend the distance between the computer and USB devices up to 10 m (33 ft). The UE3310 is a high-quality, cost-effective solution for professional environments such as hospitals, factories and business facilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Course of the Month10 days, 20 hours left to enroll

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question