VPN on Dynamic IP

samtam · 18th August 2008

I have done VPN on statistic IP before with no problem but I am wondering how does it run on dynamic IP..
I know i can use DDNS service to point to the IP but when the IP gets changed will it result in downtime/

Sam

burble · 18th August 2008

A bit. You can get applications for some DDNS services (dyndns for example) that you run on a machine behind the dynamic IP that will keep it updated. The IP shouldn't get changed unless you reconnect, so the only extra downtime you'll have is a longer reconnect time (exact time depending on your DDNS service and how you configure your update software). I've been running a non-critical machine on a dynamic IP with dyndns for several years without any major problems.

Have you contacted the ISP to ask if they'll give you a static IP? Most seem to, at least as a payable upgrade. If not, might be worth moving - I guess it depends on how critical access to the VPN is.

markcastle · 18th August 2008

First question would be... what type of VPN?
PPTP is no problem on a dynamic IP.
Normal IPsec works on a dynamic IP but every time your IP changes you have to edit the config at the remote end to re-establish the link (if you use the IP and not a DDNS name).
Have a look at Mobile IPsec.
I'm not sure about OpenVPN.

freethought · 18th August 2008

Are both ends going to be on a dynamic IP or will one end (acting as the server) be on a static IP?

Companies like Cisco and Fortinet have IPSec based software clients that can handle coming from dynamic IPs and even being behind NATs (NAT-T/NAT Traversal. These needs to be terminated on a proprietary device made by that company.
I don't know about Cisco, but Fortinet can build tunnels TO a device on a dynamic IP as long as it has DyDNS

I THINK you can use Racoon on Linux as both the software client and the server for a dynamic IPSec VPN but I've never done it myself.

SSL based clients are all the rage these days and can take a lot of the headaches out of configuring VPNs. OpenVPN is an open source SSL VPN client/server that somehow manages to put a lot of the headaches back in.

There are open source L2TP and PPTP packages to act as both the client and the server that don't mind being on dynamic IPs but I have no idea what they are called off hand.

samtam · 18th August 2008

Well here what I want to do
Location A Switch <--->VPN Server A <--->Internet Cloud<--->VPN Server B<--->Lots of Backup servers(each with a IP from Location A)
So I want to assign the backup servers with the location A IP addresses and make it as it is in Location A. And type of like tunneling the whole thing through.

Of course my concern is if I have to use dynamic IP at the Location B, (Statistic IP is too expensive is location B- talking about silly prices) and their IP can be changed without even reloggin. And therefore I want min. download, that why I am asking whether if anyone has experience on using VPN via dynamic IP and whether there is any downtime during the IP change.
Thanks
Sam

freethought · 18th August 2008

I work from home via a VPN regularly and I've not had any problems so far, but then again NTL changes my IP once in a blue moon...

BurtyB · 19th August 2008

Quote:

Originally Posted by samtam

Well here what I want to do
Location A Switch <--->VPN Server A <--->Internet Cloud<--->VPN Server B<--->Lots of Backup servers(each with a IP from Location A)
So I want to assign the backup servers with the location A IP addresses and make it as it is in Location A. And type of like tunneling the whole thing through.

If you have a static IP in location A you should be fine using something like OpenVPN which if configured as client in location B, and server in location A will reconnect happily when the IP changes [i.e. when the VPN drops]. You can also add rules to add/remove routes when the VPN is up/down to allow access to the IPs over the VPN.

ChrisB.

PeteK · 28th August 2008

The whole thing doesn't sound too promising if they are backup servers at location B to me. Surely if the session drops, the backups will terminate, be they actual disk to disk, or rsync or a client server and when the vpn re-establishes later when dyndns or whatever has sorted its life out, you are well stuffed.
Surely you are going to have to have static IPs if this is a "business" solution?

othellotech · 29th August 2008

Quote:

Originally Posted by PeteK

Surely you are going to have to have static IPs if this is a "business" solution?

Static IP's cost money, and this is Sam we're talking to ...

BurtyB · 29th August 2008

Quote:

Originally Posted by PeteK

The whole thing doesn't sound too promising if they are backup servers at location B to me. Surely if the session drops, the backups will terminate, be they actual disk to disk, or rsync or a client server and when the vpn re-establishes later when dyndns or whatever has sorted its life out, you are well stuffed.

This isn't how it works for me, when a VPN drops and reconnects the packets get queued up and retrys for a while. If during this time it reconnects all is well but if it takes longer and things timeout then I just check the error code on rsync (or whatever your using) and try a few times again.

ChrisB.

freethought · 29th August 2008

Quote:

Originally Posted by BurtyB

This isn't how it works for me, when a VPN drops and reconnects the packets get queued up and retrys for a while. If during this time it reconnects all is well but if it takes longer and things timeout then I just check the error code on rsync (or whatever your using) and try a few times again.

ChrisB.

Same here, I've seen ping responses of close to a minute for the first packet due to queuing while a VPN tries to re-establish to a particularly busy node.