Networking - VPN Tunnels question

Hey all, networking question.... we have a lot of IPSec VPN tunnels to outside vendors, customers, clients, etc.

So the way we have done it is connect our public IP with their public IP and grant permissions to the relevant internal IPs/devices, using PSK (IkeV1 and IkeV2 or something) plus preshared keys for security.  I think this is how most people do it?

We are moving to a few new IPs and maybe switch again a few years after that, and obviously every time we switch ISPs we get a new IP address block, and hence we have to reconfigure all the VPNs with all the customers, clients, etc. because of this.

Is there a better way to do this? I know you can buy an IP block from ARIN and move this IP block between ISPs and hence don't have to continue reconfiguring them every time we switch, but they only sell a /24 network and we definitely don't need 128 IPs, and you have to prove you need all of them.  The nice thing about this one is that it would also give us the ability to do BGP with an AS # (I think), and be easy to failover between ISPs should one go down and not have to worry about multiple ISP VPN tunnels and such....

I also heard there is a way to configure IPSec VPN tunnels to DNS names or something? Hence if I purchased a cloud DNS name (or an internal one, not sure), say outsidevpn.company.com, I can configure the IPSec VPN tunnels from the outside to this? So if we do switch IPs we don't have to worry about it since all the vendors would simply have the tunnel to outsidevpn.company.com? I don't know how BGP/failover would work, or if we still need IKEv1, IKEv2, etc.

Any suggestions? Thanks
dealstrike Asked:

Salah Eddine ELMRABET, Technical Lead Manager (Owner) Commented:
Hi Friend,

If you plan to change your IPs in the future, it's better to use names instead of IPs, and the names can be managed either by a DNS server or simply by local host mapping.

Best Regards.

Salah
0
dealstrike Author Commented:
Thanks, could you give me more info? Can the ASAs and other networking brands or devices support names? Cisco TAC is telling me it is not possible.

Would a DNS server be something like Amazon AWS?
0
Salah Eddine ELMRABET, Technical Lead Manager (Owner) Commented:
Hi,

Of course ASAs support names!!!

To configure a local host name and IP mapping, here is the command: ip host router1 172.31.1.1

To configure DNS name resolution, refer to the following link: https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting

For the DNS server, for sure you have a domain name!! Is this domain name managed by yourself and you have a DNS server, or is it managed by your ISP? In all cases an A record needs to be defined in the DNS server.

For your info, in your VPN concentrator it's not mandatory to use local host name mapping or DNS resolution, since it is your customers and clients who will be affected by the IP address changes; so if they have Cisco ASA appliances you can share the procedure with them, otherwise I can't help since the device brands are unknown.

Best Regards.

Salah
0
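As an added illustration of the local host mapping suggested in the answer above (example code, not from the thread or from Cisco): a small Python check that parses an existing static host table in the `ip host <name> <ip>` form, resolves each name, and emits the commands needed to bring the table back in line with the A records after a peer's address block changes. The config snippet, the DNS table and the hostnames are all constructed; a name that no longer resolves is reported rather than removed, so a DNS outage cannot quietly drop a peer from the table.

```python
import re
from typing import Callable, Dict, List

# Constructed sample of an existing static host table on the firewall,
# written in the "ip host <name> <ip>" form used in the answer above.
SAMPLE_CONFIG = """\
hostname edge-fw
ip host vpn.vendor-a.example 198.51.100.10
ip host vpn.vendor-b.example 198.51.100.20
ip host vpn.vendor-c.example 198.51.100.30
ip host outsidevpn.company.example 203.0.113.5
"""

# Constructed stand-in for DNS: what the A records resolve to today.
# vendor-b has moved to a new ISP block; vendor-c has no record at all.
SAMPLE_DNS = {
    "vpn.vendor-a.example": "198.51.100.10",
    "vpn.vendor-b.example": "198.51.100.99",
    "outsidevpn.company.example": "203.0.113.5",
}

HOST_RE = re.compile(r"^ip host (\S+) (\d{1,3}(?:\.\d{1,3}){3})$", re.M)


def parse_host_table(config: str) -> Dict[str, str]:
    """Return {name: ip} for every 'ip host' line in the config text."""
    return {m.group(1): m.group(2) for m in HOST_RE.finditer(config)}


def sync_commands(config: str, resolve: Callable[[str], str]) -> List[str]:
    """Compare the static table with DNS and return the commands that
    bring it in sync. Unresolvable names are flagged, never deleted."""
    current = parse_host_table(config)
    cmds: List[str] = []
    for name, old_ip in sorted(current.items()):
        try:
            new_ip = resolve(name)
        except KeyError:
            cmds.append(f"! {name} did not resolve; left as {old_ip}, check DNS")
            continue
        if new_ip != old_ip:
            cmds.append(f"no ip host {name} {old_ip}")
            cmds.append(f"ip host {name} {new_ip}")
    return cmds


def lookup_sample(name: str) -> str:
    """Offline resolver backed by the constructed table; KeyError if unknown."""
    return SAMPLE_DNS[name]


if __name__ == "__main__":
    for line in sync_commands(SAMPLE_CONFIG, lookup_sample):
        print(line)
```

Against a live resolver you would pass `socket.gethostbyname` instead of `lookup_sample`, which raises `socket.gaierror` rather than `KeyError` for unknown names, so widen the `except` accordingly.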

dealstrike Author Commented:
Hi, we are considering getting 10GB switches (most likely copper) for our environment....

We currently have a few servers, including a SQL server, that are experiencing some network-related bottlenecks.

There are a few servers that 'talk' mostly to each other (application to/from database servers), so we were planning on getting 10GB NIC cards for them and a 10GB switch to connect them to, to increase throughput.

I was wondering though, if we kept the 1GB NICs for regular network connectivity and simply added 10GBE NICs for the servers and connected the servers directly to each other via the new two 10GBE NICs, would that work?

Also, what is the biggest difference between 10GBE and 10GBASE-T?
0
Salah Eddine ELMRABET, Technical Lead Manager (Owner) Commented:
Hi,

I could not figure out the relation between your question regarding IP changes that will affect the VPN and your last post talking about 10GB NICs!!

Is it a mistake posting this comment or you want to rebuild your architecture?

Regards.

Salah
0

dealstrike Author Commented:
Rebuild with 10GB!

Thanks
0
Salah Eddine ELMRABET, Technical Lead Manager (Owner) Commented:
Nice to hear about it!
0