VPNs with dynamic IP

An ITKnowledgeExchange user recently asked a question I hear fairly often, which is: "How do you connect sites across the Internet when their public IP address changes fairly often?"

Most of the VPN protocols in use have evolved to accommodate the very common scenario where one side of the tunnel is dynamically addressed, and usually behind Network Address Translation (NAT). When both sides are dynamic, or both are behind NAT, however, neither end has a stable address the other can initiate to, and that presents a challenging problem.

The typical answer I hear was repeated on the forum several times: use a third-party dynamic DNS (DDNS) service. It behaves like ordinary DNS, resolving names to IP addresses, except that it tracks dynamic addresses on behalf of people who don't actually own the address (the ISP owns it, which keeps them from using a legitimate DNS domain with regular DDNS). Several such services were mentioned, and depending on your organization, budget, support requirements and tolerance for risk, this can be a good option. It is not, however, something that would typically be well-received in an enterprise environment.


Another option (but one I'd steer clear of) is recognizing that cable modem ISPs don't actually change their leases all that often, even though the addresses are technically dynamically assigned. So you could configure your VPN boxes with the remote end's current dynamic address and change it manually when it does move, hoping that isn't often. Again, there's a tradeoff between downtime and price: this solution is about as cheap as you get (assuming tech support labor is a sunk cost or provided by a friend or relative pro bono), but expect interruptions in service.

There is another way to connect two sites that both have dynamic addressing: have both of them initiate the connection to a third site with a static address. This also has pros and cons, of course. The downside is that you add a hop that can become a bottleneck and will almost certainly add latency. If you don't already have a static site on the Internet, it is an extra expense too, although not necessarily a large one. You'll also need a routing protocol, where previously you could get by with static routing.

While this isn't typically a problem for the enterprise space, as they usually have numerous data centers with fixed addresses, VPN services and a traffic model where all the clients talk to the centralized servers, it could become an issue if more of the peer-to-peer technologies gain traction. Even then, an internally controlled DDNS would be a preferable solution. But for smaller organizations on a budget, hopping through a known, fixed address can be a compelling alternative.
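As an added illustration of the hub topology just described (not part of the original tip, and using a tool that postdates it): a WireGuard configuration in which two NAT'd spokes with dynamic addresses both initiate to a hub at a fixed address. The hub lists no Endpoint for the spokes, because it learns each spoke's current address from the spoke's own handshake; the spokes send keepalives so their NAT mappings stay open; and static AllowedIPs entries stand in for the routing protocol the tip mentions. The hostname, tunnel and LAN subnets, and key placeholders are all constructed for the example.

```ini
# --- hub: static public address hub.example.net (constructed example)
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>
# the hub must forward between spokes: net.ipv4.ip_forward=1 on the host

[Peer]
# spoke A: no Endpoint, its address is dynamic and learned at handshake time
PublicKey = <SPOKE_A_PUBLIC_KEY>
AllowedIPs = 10.99.0.2/32, 192.168.1.0/24

[Peer]
# spoke B: likewise no Endpoint
PublicKey = <SPOKE_B_PUBLIC_KEY>
AllowedIPs = 10.99.0.3/32, 192.168.2.0/24

# --- spoke A: dynamic address behind NAT, LAN 192.168.1.0/24
[Interface]
Address = 10.99.0.2/24
PrivateKey = <SPOKE_A_PRIVATE_KEY>

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = hub.example.net:51820
# spoke B's LAN is reached only via the hub; B is never a direct peer
AllowedIPs = 10.99.0.0/24, 192.168.2.0/24
# keep the NAT mapping open so the hub can send to us unsolicited
PersistentKeepalive = 25

# --- spoke B: dynamic address behind NAT, LAN 192.168.2.0/24
[Interface]
Address = 10.99.0.3/24
PrivateKey = <SPOKE_B_PRIVATE_KEY>

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = hub.example.net:51820
AllowedIPs = 10.99.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

Each section is a separate wg0.conf on its own host, and the hub additionally needs IP forwarding enabled and any firewall rules that permit traffic between the two spoke LANs. Because the spokes never learn each other's address, every spoke-to-spoke packet takes the extra hop through the hub that the tip warns about.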

This was first published in January 2006
