IT Employment

General discussion


VPN with Dynamic IP Addresses

By maxwell edison ·
I'm in the process of setting up a VPN. I'm running it through a Linksys BEFVP41 router on the office side, and the remote users will have SSH Sentinel IPSec client on their remote computers. (At least that's what I'm planning, but I'm certainly open to changing the strategy.) The remote users, by the way, have a variety of ISPs, a variety of Internet connection methods (satellite, modem, broadband, etc.), and a variety of operating systems. It's my intention to simply map a networked drive on the remote client (through a VPN tunnel via the Internet) to a server in the office.

The issue I'm having is this: at both the office side and the remote side, the assigned IP addresses are dynamic, not static. On the office side, the WAN IP address is automatically renewed by the ISP every 5-7 days, although it oftentimes (but not always) renews itself to have the same number. And on the remote client side, the IP address is subject to change - and probably will change - perhaps several times a day, depending on how often the remote Internet connection is open/closed. It's not that difficult (for me) to determine and change the settings accordingly, but for the "common remote user", it's jumping through more hoops than we care to require. The way it is now, the remote user would have to:

1. Determine the office WAN IP address.
2. Determine their own IP address
3. Change SSH Sentinel configuration settings accordingly.
4. Add a new route to the routing table.
5. Change the mapped drives accordingly.


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

VPN - dynamic IP address - continued

by maxwell edison In reply to VPN with Dynamic IP Addre ...

Not only is this a real PITA, but it's just not a very good system - not to mention the remote users don't understand a bit of it. I want the remote connections to be as seamless and as easy as possible - and I don't want to spend any more money. I'm just starting to look at a service called DNS2GO, which is a free service that will keep track of an IP address assigned to a particular domain name, but it falls short (I think) in changing configuration settings - such as mapped drives - on the remote client.

I'm looking at other options (such as using the W2K Server VPN, which may have issues of its own), but at this point I'll just see where this summary takes the discussion. Perhaps this discussion will answer some questions, reveal some unasked questions, and if we're lucky, get some bipartisan and multi-national answers.

Collapse -

Quite an interesting issue.

by Oz_Media In reply to VPN - dynamic IP address ...

Max I don't know if I'm missing your objective or not.
Lack of money would be a pitfall here I think, I don't feel confident about free software enough to use it in a secure environment.
Can you not use couple of STATIC IP's on your Router with Port Address Translation to work around the IP renewal issues?
I understand you are quite security concious so I'm sure you looked at and downed the idea, maybe you can enlighten me as to why thyis wouldn't work for you.


Collapse -

Oz . . .

by maxwell edison In reply to Quite an interesting issu ...

Port Address Translation is something I'll look into. Thanks for the suggestion.

Collapse -

That's what I did

by OzMEdias In reply to Oz . . .

I 'm sure that I don't have the exact same su=ituation you do. But wit hmy Netware server, I run DHCP at th eserver and use PAT on the ADSL router. It is a little redundant though because I get NAT from Netware.
Worth a shot though.

Good luck

Collapse -

Free.... Why Not??

by LordInfidel In reply to Quite an interesting issu ...

Linux is free.... and with FreeS/Wan and IPtables installed, it rivals and can beat commercial products.

In fact, alot of commercial products are based on FreeS/Wan and the linux/unix firewalling standards.

I use both commercial based (not thesymantec or raptor crap either, i'm talking checkpoint and beefy cisco concentrators, the stuff that costs more money then my annual salary)
And Linux based vpn and firewall systems.

The main difference is thru put and dedicated hardware devicesthat run a embedded OS.

But for a small subnet/single IP, there is no reason in the world why free (linux and FreeS/Wan would not be secure)

I'm not blasting you, so don't take it the wrong way. I'm just stating what every security professional out there worth his weight in bits knows.

Also, PAT would be pointless for a 1 to 1 routable IP translation. Plus his current dsl router would not support that configuration.

If he had a static IP, then none of this would be an issue.

Collapse -


by Cactus Pete In reply to Free.... Why Not??

I'll have you know - it's quite difficult to be worth my [over] weight in bits.

Collapse -

Ok then... how bout gigabytes

by LordInfidel In reply to *gasp*

For our more robust members

I hate to think about terabytes

Collapse -


by Cactus Pete In reply to VPN - dynamic IP address ...

Since you'll be using IPSec, I'd comment that some ISPs do not support that sort of traffic over their lines... I think I hit that wall with AOL about two years ago. I don't know if that's changed , but since you have such disparate clients, this sort of thing may be an issue for you.

I realize you may not want to get too specific, but what is the purpose of the VPN, anyway? [and you do appear to be doing this on the less expensive side, right?]

Are you mostly just looking for a 'no cost' [client perception] solution to get your clients access to documentation on your servers?

Collapse -

Using IPSec

by maxwell edison In reply to Unasked?

This is just a simple remote access VPN for employees (owners) who want to work at home or when they're on the road from a laptop. These remote users will have a mapped drive to a couple of file servers. Most clients will be broadband (living in thecity) or satellite (living outside the city) or a couple who are still on modems. None, that I know of, use AOL. I too have heard of some ISPs not supporting IPSec, but ours is not one of them, nor are the clients I've configured thus far.

I've got this finished and working except for the issue of the dynamic IP at the office end, but there may be a work-around for that. (And besides, the "dynamic" IP address has remained unchanged so far, even though it's been renewed a few times.)

Thanks, dpetrak (whoever you are), for the thoughts.

Collapse -

dynamic issues

by Cactus Pete In reply to Using IPSec

If your work around doesn't cut it, let me know. I'm interested enough to get more involved...

And if is DOES work, let meknow what you did. I haven't come across a configuration like yours, but I may some day...

Related Discussions

Related Forums