Solved

Site-to-site VPN tunnel with no public IP

Posted on 2013-11-14
1,257 Views
Last Modified: 2013-11-18
This is not a specific issue, but rather a technical question about a hypothetical VPN scenario for a possible solution.

We have two locations, but unfortunately only one has a public IP, so we cannot establish a classic site-to-site VPN tunnel between them.

What we had in mind was for one location to establish a VPN tunnel via a software client to the other, using the public VPN server address, and to keep this tunnel open by sending traffic from the client.

However, sometimes we would also need to initiate traffic from the VPN server location to the client location, essentially using the existing tunnel to initiate traffic in the opposite direction. So is this possible?
Question by: AndersBiro

9 Comments
Expert Comment by: carlmd (LVL 20)
It is possible to do this with Sonicwalls. You don't mention what hardware you have, so consider the following link an example of how it is done with Sonicwalls.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=4834

Author Comment by: AndersBiro
Thanks for the suggestion. In this case we will most likely not deal with Sonicwall firewalls but rather an OpenVPN solution, but perhaps this offers similar functionality?

Expert Comment by: carlmd (LVL 20)
A quick bit of research seems to indicate that OpenVPN can be configured with one or both IPs as dynamic addresses.

Author Comment by: AndersBiro
That is very interesting. Would this also apply to an OpenVPN server end node being on a local NAT IP behind another firewall, or does it have to be a dynamic public IP?
Expert Comment by: carlmd (LVL 20)
If I understand your question, "another firewall" would be the fixed or dynamic IP that you used for OpenVPN. That firewall would require rules to pass the VPN connection through to the device behind the firewall. If configured properly I expect that it would work.

However, why not just make the tunnel to the firewall itself (most would support this), and then allow access to the LAN from there?

Author Comment by: AndersBiro
Well, to be more specific, the thing of interest is to get two machines to communicate in a secure tunnel through the internet.

The first machine resides behind a firewall but has the benefit of being mappable to a public IP, and so it can be set up with an IPSec server service that is accessible from the internet.

The second machine does, however, reside on a local IP without the option of mapping to a public IP, so it can only initiate outgoing traffic but not receive incoming traffic like the first one.

The idea is to set up a VPN tunnel using IPSec on both machines and keep a persistent tunnel for communication.

The second machine can easily initiate traffic to the first with the public IP, but the question is whether the first machine would also be able to initiate traffic through the tunnel to the local IP.

I hope this makes sense, or let me know. We unfortunately do not have access to tamper with the firewall for the second machine, only the one for the first machine with the public NAT IP.

Expert Comment by: carlmd (LVL 20)
If you cannot modify the firewall settings then you will probably have to initiate the VPN tunnel from the system behind it. Typically a firewall will permit the response to traffic (no rules) initiated from the LAN. Depending upon the firewall and configuration, this may or may not be true in your case. I would ask whoever is responsible for the firewall whether they expect such a setup would work in your case.

You say the second system is on a local IP; is this physically at the same location as the first? Perhaps a diagram of the setup would help. You say it can only initiate outgoing traffic and not receive incoming traffic. Why is this (what configuration is restricting this)?

If the second system cannot receive traffic, and the firewall at the first cannot be modified to accept and pass traffic from the second, then we are kind of at a standstill. It would seem that neither system would be able to initiate the tunnel.

Author Comment by: AndersBiro
Hello, I am afraid I cannot provide a diagram, but I can try to give a more thorough description:

Machine 1 resides at a location with a local IP behind a firewall. We do have control of this particular firewall, so it can be SAT-configured to respond on a public IP that is redirected to the local IP of the machine.

This machine can hence be set up as an IPSec server that can respond to requests from the internet.

The second machine resides at a different, independent location with a local IP behind a firewall, but that firewall cannot be configured.

It is therefore possible to initiate traffic from machine 2 to the IPSec server residing on machine 1, but not the other way around, since machine 2 does not have a public IP.

Have I understood it correctly that machine 2 can still initiate a site-to-site VPN tunnel to machine 1 despite not having a public IP, as long as machine 1 has one?

The idea is that this tunnel should be persistent, so that machine 1 would be able to initiate traffic to machine 2 using the tunnel IP?

Does this make more sense, and is it feasible?

Accepted Solution by: carlmd (LVL 20), earned 500 total points
Makes sense and is feasible! Machine 2 can initiate the tunnel to a fixed IP. How to do it will depend on the VPN software, but if you plan to use OpenVPN it appears well documented.
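The two-file OpenVPN configuration below is an added example, not code from this thread or from any of its posters. It shows the arrangement carlmd describes in his last two comments: machine 2, behind the firewall that cannot be changed, dials out to machine 1's public address, and machine 1 then initiates traffic to machine 2 over the already-established tunnel using a fixed tunnel address. The public address 203.0.113.10, the 10.8.0.0/24 tunnel network, the file names and the certificate common name "machine2" are assumptions; the CA, the two certificates, `dh.pem` and `ta.key` have to be generated separately.

```conf
# ---------- machine 1 (public side): server.conf ----------
# The site-1 firewall forwards public UDP/1194 (the SAT rule) to this host.
port 1194
proto udp
dev tun
ca ca.crt
cert machine1.crt
key machine1.key
dh dh.pem
# Shared HMAC key: packets without a valid HMAC are dropped before any
# TLS work happens, so the exposed port does not answer random scanners.
tls-auth ta.key 0
# Assumed tunnel network; "subnet" topology gives each peer one /24 address.
topology subnet
server 10.8.0.0 255.255.255.0
# Per-client overrides live in ccd/<certificate CN>; used to pin machine 2's address.
client-config-dir ccd
# Ping every 10 s, restart the link after 60 s of silence. This is pushed to the
# client too, so the outbound UDP flow from site 2 never goes idle and the
# site-2 NAT keeps its mapping open for machine 1's packets to come back.
keepalive 10 60
persist-key
persist-tun
# If a whole LAN sat behind machine 2 you would add here:
#   route 192.168.2.0 255.255.255.0
# and in ccd/machine2:
#   iroute 192.168.2.0 255.255.255.0
# For the host-to-host case in this thread neither line is needed.

# ---------- machine 1: ccd/machine2 ----------
# File name must equal the CN in machine2.crt, otherwise this is silently ignored
# and machine 2 gets a random pool address instead of a fixed one.
ifconfig-push 10.8.0.10 255.255.255.0

# ---------- machine 2 (NAT side, no inbound access): client.conf ----------
client
dev tun
proto udp
# Assumed public address of the site-1 firewall, forwarded to machine 1.
remote 203.0.113.10 1194
# Keep retrying forever so the tunnel re-establishes itself after any outage.
resolv-retry infinite
# No fixed local port: the NAT picks the source port, which is all it needs.
nobind
persist-key
persist-tun
ca ca.crt
cert machine2.crt
key machine2.key
tls-auth ta.key 1
# Refuse to connect to anything whose certificate is not a server certificate
# from our CA (prevents a rogue "server" from impersonating machine 1).
remote-cert-tls server
```

With both sides up, machine 1 simply addresses machine 2 as 10.8.0.10 (for example `ssh 10.8.0.10`); nothing in the tunnel cares which side sent the first packet, only who opened the outer UDP flow, and that is always machine 2. Two checks before relying on it: confirm the site-2 firewall actually allows outbound UDP/1194 (if not, change `proto` to `tcp` on both sides and use a port such as 443 that is likely to be open), and verify on machine 1 that machine 2 really received 10.8.0.10 (`cat /var/log/openvpn-status.log` or the server log), since a mismatch between the `ccd` file name and the certificate CN fails silently.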