Networking - VPN Tunnels question

Last Modified: 2015-06-09
Hey all, networking question.... we have a lot of IPSec VPN tunnels to outside vendors, customers, clients, etc.

So the way we have done it is connect our public IP with their public IP and grant permissions to the relevant internal IPs/devices, using PSK (IKEv1 and IKEv2 or something) plus preshared keys for security. I think this is how most people do it?

We are moving to a few new IPs and may switch again a few years after that, and obviously every time we switch ISPs we get a new IP address block, and hence we have to reconfigure all the VPNs with all the customers, clients, etc. because of this.

Is there a better way to do this? I know you can buy an IP block from ARIN and move this IP block between ISPs and hence don't have to continue reconfiguring them every time we switch, but they only sell a /24 network and we definitely don't need 128 IPs, and you have to prove you need all of them. The nice thing about this one is that it would also give us the ability to do BGP with an AS # (I think), and make it easy to fail over between ISPs should one go down and not have to worry about multiple ISP VPN tunnels and such....

I also heard there is a way to configure IPSec VPN tunnels to DNS names or something? Hence if I purchased a cloud DNS name (or an internal one, not sure), say outsidevpn.company.com, I can configure the IPSec VPN tunnels from the outside to this? So if we do switch IPs we don't have to worry about it since all the vendors would simply have the tunnel to outsidevpn.company.com? I don't know how BGP/failover would work, or if we still need IKEv1, IKEv2, etc.

Any suggestions? Thanks
Technical Lead Manager (Owner)
This problem has been solved!