DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
VPN with a public IP as local endpoint
- starch
- Topic Author
- Offline
- New Member
Less
More
- Posts: 1
- Thank you received: 0
06 Oct 2011 14:57 #69605
by starch
VPN with a public IP as local endpoint was created by starch
Hello,
I have a Vigor 3300.
When agreeing with counterparties for gateway and local endpoint of a VPN, the counterparty often require our endpoint to be a public IP (ie not being a range defined in RFC 1918).
Is that possible with the vigor ? I can enter my public IP as gateway and endpoint in VPN creation dialog, but in that case, the traffic would never end on my lan.
Is there any way to achieve that ?
Thank you very much
I have a Vigor 3300.
When agreeing with counterparties for gateway and local endpoint of a VPN, the counterparty often require our endpoint to be a public IP (ie not being a range defined in RFC 1918).
Is that possible with the vigor ? I can enter my public IP as gateway and endpoint in VPN creation dialog, but in that case, the traffic would never end on my lan.
Is there any way to achieve that ?
Thank you very much
Please Log in or Create an account to join the conversation.
- captain-midnight
- Offline
- New Member
Less
More
- Posts: 8
- Thank you received: 0
25 Oct 2011 11:11 #69796
by captain-midnight
Replied by captain-midnight on topic Re: VPN with a public IP as local endpoint
Hmm.....
Not sure I understand the issue really, but here goes......
In classical point-to-point VPNs, the endpoints of the VPNs are generally always public IP addresses - otherwise each endpoint would have no idea how to router across the internet to the other site?
Just because the VPN publically 'terminates' on the WAN interface of the router, that doesn't mean to say the router won't understand what to do with the traffic once it has been decrypted using the encryption transform set that was applied to the traffic before it entered into the vpn tunnel from the other sites router. The tunnel endpoint is the routers WAN interface but the encrypted traffics destination will be the other side of the router and it will know that surely - as that will be part of your configuration?
Site-to-site VPNs are exactly that, generally an encrypted VPN tunnel is created between two external public facing IP addresses that are connected to the VPN terminating routers or are NAT'd to the terminating routers - but that can add some complications, best if possible to keep it simple, unless the VPN router external interface is being protected by a further external firewall device.
In a business environment, I would never form a site-to-site VPN with anything other than public IPs from an external point of view - what you do internally and how you NAT them if required to something else is up to each indervidual site.
Not sure I understand the issue really, but here goes......
In classical point-to-point VPNs, the endpoints of the VPNs are generally always public IP addresses - otherwise each endpoint would have no idea how to router across the internet to the other site?
Just because the VPN publically 'terminates' on the WAN interface of the router, that doesn't mean to say the router won't understand what to do with the traffic once it has been decrypted using the encryption transform set that was applied to the traffic before it entered into the vpn tunnel from the other sites router. The tunnel endpoint is the routers WAN interface but the encrypted traffics destination will be the other side of the router and it will know that surely - as that will be part of your configuration?
Site-to-site VPNs are exactly that, generally an encrypted VPN tunnel is created between two external public facing IP addresses that are connected to the VPN terminating routers or are NAT'd to the terminating routers - but that can add some complications, best if possible to keep it simple, unless the VPN router external interface is being protected by a further external firewall device.
In a business environment, I would never form a site-to-site VPN with anything other than public IPs from an external point of view - what you do internally and how you NAT them if required to something else is up to each indervidual site.
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek