Networking - VPN Tunnels question

Hey all, networking question... we have a lot of IPSec VPN tunnels to outside vendors, customers, clients, etc.

So the way we have done it is connect our public IP with their public IP and grant permissions to the relevant internal IPs/devices, using PSK (IKEv1 and IKEv2 or something) plus preshared keys for security.  I think this is how most people do it?

We are moving to a few new IPs and maybe will switch again a few years after that, and obviously every time we switch ISPs we get a new IP address block, and hence we have to reconfigure all the VPNs with all the customers, clients, etc. because of this.

Is there a better way to do this? I know you can buy an IP block from ARIN and move this IP block between ISPs and hence don't have to keep reconfiguring them every time we switch, but they only sell a /24 network and we definitely don't need 128 IPs, and you have to prove you need all of them.  The nice thing about this one is that it would also give us the ability to do BGP with an AS # (I think), and be easy to fail over between ISPs should one go down and not have to worry about multiple ISP VPN tunnels and such....

I also heard there is a way to configure IPSec VPN tunnels to DNS names or something? Hence if I purchased a cloud DNS name (or an internal one, not sure), say outsidevpn.company.com, I can configure the IPSec VPN tunnels from the outside to this? So if we do switch IPs we don't have to worry about it since all the vendors would simply have the tunnel to outsidevpn.company.com? I don't know how BGP/failover would work, or if we still need IKEv1, IKEv2, etc.

Any suggestions? Thanks
s ait Asked:
Salah Eddine ELMRABET, Technical Lead Manager (Owner), Commented:
Hi Friend,

If you plan to change your IPs in the future, it's better to use names instead of IPs, and the names can be managed either by a DNS server or simply by local host mapping.

Best Regards.

Salah
s ait (Author) Commented:
Thanks, could you give me more info? Can the ASAs and other networking brands or devices support names? Cisco TAC is telling me it is not possible.

Would a DNS server be something like Amazon AWS?
Salah Eddine ELMRABET, Technical Lead Manager (Owner), Commented:
Hi,

Of course the ASA supports names!!!

To configure a local host name to IP mapping, here is the command: ip host router1 172.31.1.1

To configure DNS name resolution, refer to the following link: https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting

For the DNS server, for sure you have a domain name!! Is this domain name managed by yourself and you have a DNS server, or is it managed by your ISP? In all cases an A record needs to be defined in the DNS server.

For your info, in your VPN concentrator it's not mandatory to use local host name mapping or DNS resolution, since it is your customers and clients who will be affected by the IP address changes, so if they have Cisco ASA appliances you can share the procedure with them; otherwise I can't help since the device brands are unknown.

Best Regards.

Salah
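The question's idea of pointing peers at outsidevpn.company.com, and the answer's reply that the change lands on the customers' side, leave open which tunnels actually survive a renumbering. The following is an added example, not code from the thread or from Cisco: it takes a constructed inventory of tunnels and works out, for a move from one public IP to another, which peers must change their configuration, what we change ourselves (our own A record), and which designs cannot work as stated. The `Tunnel` model, the `change_plan` function and all addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    """One site-to-site IPsec tunnel as seen from our side (constructed model)."""
    peer: str                   # remote organisation
    ike_version: int            # 1 or 2
    our_ike_id: str             # "ip" (ID_IPV4_ADDR) or "fqdn" (ID_FQDN)
    peer_reaches_us_by: str     # "ip" (hard-coded) or "dns" (resolves our name)

def change_plan(tunnels, old_ip, new_ip, dns_zone, fqdn):
    """Work out what a public IP move from old_ip to new_ip touches.

    Returns (remote_changes, local_changes, warnings):
      remote_changes - [(peer, [reason, ...])] for peers that must edit their side
      local_changes  - edits we make ourselves (our DNS record)
      warnings       - designs that cannot work as stated
    """
    remote, local, warnings = [], [], []
    # A single A record we control; it only changes if it still points at old_ip.
    if dns_zone.get(fqdn) == old_ip:
        local.append(f"DNS: {fqdn} A {old_ip} -> {new_ip}")
    for t in tunnels:
        reasons = []
        if t.peer_reaches_us_by == "ip":
            reasons.append(f"peer address {old_ip} -> {new_ip}")
        if t.our_ike_id == "ip":
            # An IP-typed IKE identity is part of the authentication exchange,
            # so the peer's expected identity (and on many devices the key used
            # to look up the PSK) changes even if it reaches us through DNS.
            reasons.append(f"expected IKE identity {old_ip} -> {new_ip}")
        if t.ike_version == 1 and t.our_ike_id == "fqdn":
            # IKEv1 main mode with a PSK selects the key by peer IP before the
            # identity payload is readable; FQDN identities need aggressive mode
            # (which sends the identity in clear) or IKEv2 instead.
            warnings.append(f"{t.peer}: IKEv1 PSK with FQDN identity needs aggressive mode; prefer IKEv2")
        if reasons:
            remote.append((t.peer, reasons))
    return remote, local, warnings

# Constructed inventory: addresses are from RFC 5737 documentation ranges.
TUNNELS = [
    Tunnel("vendor-a", 2, "fqdn", "dns"),   # survives the move untouched
    Tunnel("vendor-b", 2, "ip", "ip"),      # classic IP-to-IP tunnel
    Tunnel("client-c", 1, "fqdn", "dns"),   # DNS name, but IKEv1
]
ZONE = {"outsidevpn.company.com": "198.51.100.10"}
```

Calling `change_plan(TUNNELS, "198.51.100.10", "203.0.113.10", ZONE, "outsidevpn.company.com")` reports that only vendor-b has to reconfigure, the A record is our single local change, and client-c's IKEv1 design is flagged.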

s ait (Author) Commented:
Hi, we are considering getting 10GB switches (most likely copper) for our environment....

We currently have a few servers, including a SQL server, that are experiencing some network related bottlenecks.

There are a few servers that 'talk' mostly to each other (application to/from database servers), so we were planning on getting 10GB NIC cards for them and a 10GB switch to connect them to, to increase throughput.

I was wondering though, if we kept the 1GB NICs for regular network connectivity and simply added 10GbE NICs for the servers and connected the servers directly to each other via the two new 10GbE NICs, would that work?

Also, what is the biggest difference between 10GbE and 10GBASE-T?
Salah Eddine ELMRABET, Technical Lead Manager (Owner), Commented:
Hi,

I could not figure out the relation between your question regarding IP changes that will affect the VPN and your last post talking about 10GB NICs!!

Is it a mistake posting this comment, or do you want to rebuild your architecture?

Regards.

Salah

s ait (Author) Commented:
Rebuild with 10GB!

Thanks
Salah Eddine ELMRABET, Technical Lead Manager (Owner), Commented:
Nice to hear about it!