Site-to-Site VPN Peer IP Addresses

shugonaka
shugonaka used Ask the Experts™
on
Hi, I have a question for VPN peer IP address. I have a block of public IP addresses I can use. One of them of course is assigned to the public facing interface on my firewall. I need to set up a half dozen site-to-site VPN on the firewall with external agencies. What is the pros and cons of using the interface IP address as the VPN peer IP address for all the VPN sites v.s. using the different public IP address for each individual VPN sites? I am thinking maybe using unique IP address for each VPN peer makes it is easier for tracing and troubleshooting issues, but that's just my random thoughts. Is there a set standard and reasoning as to how you should assign IP address when there are multiple VPN peers?

Also, when it is necessary to NAT the VPN encryption domain (interesting traffic) to a public IP address, is it recommended to use an IP address other than your VPN peer IP address? It seems like using the peer IP for NAT works just fine, but I was told once it's not recommended with no clear explanation.

Thank you in advance for your comments!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Les MooreSr. Systems Engineer
Top Expert 2008

Commented:
Depending on the firewall, I don't think you'll have a choice other than to use the IP assigned to the interface of the firewall. I know for certain that Cisco ASA will not do that.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
There is no pro for using different IP addresses for each VPN tunnel. For organisation purposes it might make sense to use a common non-default public IP for all, though. But tracing works well without.
Since it usually adds complexity to the config to use a different IP for VPN tunnels, it is usually not worth the effort.

To the second part: Why would you want to NAT your private IPs to a pbulic IP inside of a VPN, for heaven's sake? You use private IPs, of course. You might have to NAT to a different network becauase of conflicts for source or destination, but as said you choose "internal" IPs, not public ones.
If you would apply NAT to a public IP, this coiuld make direct access to that public IP impossible. It is always best to NAT to unique IPs you do not need to access directly.

Author

Commented:
@Les Moore, thanks for your comment. Our firewall is Cisco ASA, so I guess using the IP address that is not the outside interface for VPN peer is not an option.

@Qlemo, thanks for your comment. I've always used a private IP to NAT our internal network through a VPN tunnel.  However, one of our external partner agency asked us to use a public IP for NAT'ing because they have so many internal network with various range of private IPs and did not want to have conflicts. It was the first time I had to set up a VPN with a public IP as a NAT mapped address. I was not sure if it'd work but it did. We also have another VPN with another agency and for this we are using our VPN peer IP address as the NAT mapped address per their request. I also was not sure if it'd work, but again it worked. These 2 VPN setups make me wonder what is the standard VPN setup people typically use and if there is pros and cons in them. I guess it's all depends on each agency's requirements and use-case.
"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
That request (to avoid conflicts with other networks) is the only valid one which came into my mind, so that fits.
What we did in the past is to map all traffic to a single private IP. That worked for most, but has no real advantage over using a public IP. Important is only that the NAT address is not used for other purposes, viewed from the remote site.

If you apply src NAT mapping to a public IP for a VPN tunnel, all issues applying to ingress traffic (from outside to inside) do the same for the tunnel. You won't have issues for traffic orginating from your own network, besides being able to easily identify on remote which IP is the real one accessing that remote device (for diagnostics or logging purposes outside of your ASA). Ingress traffic would require port forwarding  and/or the use of different public IPs - as if you would provide an internal service for public access.
It makes no difference. Using private ips behind nat, public ips, a bunch of different ips or ports... whatever are the same as long as you do not mess up with the authentication setup. Which will either work of not work.

Regarding debugging and administration, it is usually simpler to use different vpn instances, so either different port or addresses. but not required. And useless if you change or use the vpns seldom enough an occasional restart does not bother you much

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial