VPN - Site to Site VPN w/DHCP

amattina

2006-09-18, 1:13 pm

Friends,
I have an interesting task assigned to me that I don't think is possible
but I figured I'd throw it out there at least.

Two sites, one site in USA one in China. USA site has a static
address, China site will have a DHCP from the provider. China office
needs to telnet to USA server to do whatever they do. I need a site to
site VPN from one site to the other so this is all secured as best as
possible. Obviously if the provider in China assigns a fresh DHCP
address, the VPN tunnel will be broken. Is there a way to make this
work? Static to DHCP site to site VPN using Cisco PIX equipment. I
don't think there is a way but if there is let me know. Cisco seems to
say only static addresses.

"The public IP addresses are specified in the IPsec peers
configuration, and require that the public addresses of the VPN routers
to be static addresses."

Thanks,
Adam

David Kelly

2006-09-18, 7:16 pm

In article <1158602933.708142.289740@e3g2000cwe.googlegroups.com>,
"amattina" <amattina@gmail.com> wrote:

> Two sites, one site in USA one in China. USA site has a static
> address, China site will have a DHCP from the provider. China office
> needs to telnet to USA server to do whatever they do. I need a site to
> site VPN from one site to the other so this is all secured as best as
> possible.


http://www.google.com/search?q=ssh

Carol Anne

2006-09-19, 1:17 am

Hello Adam,

I do this regularly with Dynamic DNS (dyndns.com, among others; Google on
"Dynamic DNS"). I set up a DDNS client (dyndns.com has one for free, but
I like DirectUpdate, 'cause it's more flexible) at the other end on a computer
that's on all the time; it reports the current IP address regularly, and
whenever it changes, to the DDNS provider. So, you end up with a domain
name like ChinaOffice.dyndns.com (but I make 'em more cryptic, to keep my
strategy private to my client). Now, you use ChinaOffice.dyndns.com as the
"other end" address, instead of an IP. When their IP changes, dyndns.com
gets notified within seconds. I virtually never fail to make a connection.

Secondary hint: If you have lots of these (as I do), then go to www.woodstone.nu
and download "Servers Alive." Up to ten sites can be monitored for free,
and you pay for a license above that. Now I've got an orange ball in my
system tray that turns to a red "Stop sign" when one or more are inaccessible.
When I know a site remains inaccessible for more than about ten minutes,
I know I've got some admin chores to attend to with folks at that site.

--Carol Anne

> Friends,
> I have an interesting task assigned to me that I don't think is
> possible
> but I figured I'd throw it out there at least.
> Two sites, one site in USA one in China. USA site has a static
> address, China site will have a DHCP from the provider. China office
> needs to telnet to USA server to do whatever they do. I need a site
> to site VPN from one site to the other so this is all secured as best
> as possible. Obviously if the provider in China assigns a fresh DHCP
> address, the VPN tunnel will be broken. Is there a way to make this
> work? Static to DHCP site to site VPN using Cisco PIX equipment. I
> don't think there is a way but if there is let me know. Cisco seems
> to say only static addresses.
>
> "The public IP addresses are specified in the IPsec peers
> configuration, and require that the public addresses of the VPN
> routers to be static addresses."
>
> Thanks,
> Adam
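
Added example (not code from any poster in this thread): the core logic of the DDNS arrangement Carol Anne describes, with the network calls stubbed so it runs offline. The DHCP-addressed side reports its public IP only when it changes; the static side re-resolves the peer's name and flags when the tunnel endpoint has moved. The reply codes follow the dyndns2 update convention (`good`, `nochg`, `badauth`, ...), and the hostname ChinaOffice.dyndns.com is taken from her post; the IP addresses are constructed sample values.

```python
"""DDNS keeps a DHCP-addressed VPN peer reachable: client and peer-side checks.
Network calls are injected as callables so the logic runs offline."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# dyndns2-style update reply codes (assumed convention of dyndns.com-like services).
OK_CODES = {"good", "nochg"}                              # accepted / already current
FATAL_CODES = {"badauth", "nohost", "abuse", "notfqdn"}   # stop and alert an admin


def parse_update_reply(body: str) -> tuple[str, Optional[str]]:
    """Split a reply such as 'good 203.0.113.7' into ('good', '203.0.113.7')."""
    parts = body.strip().split(maxsplit=1)
    code = parts[0] if parts else ""
    return code, (parts[1] if len(parts) > 1 else None)


@dataclass
class DdnsClient:
    """Runs on the always-on machine at the DHCP site. Sends an update only when
    the public IP changed (or when forced), so the provider is not hammered."""
    hostname: str
    get_public_ip: Callable[[], str]            # hypothetical 'what is my IP' lookup
    send_update: Callable[[str, str], str]      # hypothetical (hostname, ip) -> reply
    last_ip: Optional[str] = None
    disabled: bool = False
    log: list = field(default_factory=list)

    def poll(self, force: bool = False) -> str:
        if self.disabled:
            return "disabled"
        ip = self.get_public_ip()
        if ip == self.last_ip and not force:
            return "unchanged"
        code, reported = parse_update_reply(self.send_update(self.hostname, ip))
        if code in OK_CODES:
            self.last_ip = reported or ip
            self.log.append(f"{self.hostname} -> {self.last_ip} ({code})")
        elif code in FATAL_CODES:
            self.disabled = True   # further retries would be refused or counted as abuse
        return code


def peer_address_changed(resolve: Callable[[str], str], hostname: str,
                         cache: dict) -> bool:
    """Static side: re-resolve the peer's DDNS name. True means the peer address
    moved, so the existing tunnel is stale and must be re-established."""
    new_ip = resolve(hostname)
    changed = cache.get(hostname) not in (None, new_ip)
    cache[hostname] = new_ip
    return changed
```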



amattina

2006-09-19, 1:14 pm

Carol,
Thanks for the tip. I have found through some other avenues a way to
do this natively with some PIXs:
http://www.cisco.com/en/US/products...80.shtml#client

I am working on this now. ServersAlive isn't that bad. I run Nagios
though, which crushes the functionality of SA...but still a good
thought!

SSH: I already suggested this, they want to have the machines on a
Windows domain so we can do corporate antivirus and easy management.
I'm working on getting the VPN going but just having one problem. Here
is a little cross-thread/cross-group action for ya if someone wants to
take a quick peek:

http://groups.google.com/group/comp...f7076a21dd75136

Thanks,
Adam

Carol Anne wrote:
> Hello Adam,
>
> I do this regularly with Dynamic DNS (dyndns.com, among others; Google on
> "Dynamic DNS"). I set up a DDNS client (dyndns.com has one for free, but
> I like DirectUpdate, 'cause it's more flexible) at the other end on a computer
> that's on all the time; it reports the current IP address regularly, and
> whenever it changes, to the DDNS provider. So, you end up with a domain
> name like ChinaOffice.dyndns.com (but I make 'em more cryptic, to keep my
> strategy private to my client). Now, you use ChinaOffice.dyndns.com as the
> "other end" address, instead of an IP. When their IP changes, dyndns.com
> gets notified within seconds. I virtually never fail to make a connection.
>
> Secondary hint: If you have lots of these (as I do), then go to www.woodstone.nu
> and download "Servers Alive." Up to ten sites can be monitored for free,
> and you pay for a license above that. Now I've got an orange ball in my
> system tray that turns to a red "Stop sign" when one or more are inaccessible.
> When I know a site remains inaccessible for more than about ten minutes,
> I know I've got some admin chores to attend to with folks at that site.
>
> --Carol Anne
>

David Kelly

2006-09-20, 1:14 am

In article <1158677221.622305.114830@e3g2000cwe.googlegroups.com>,
"amattina" <amattina@gmail.com> wrote:

> SSH: I already suggested this, they want to have the machines on a
> Windows domain so we can do corporate antivirus and easy management.


That makes no sense.

You plan on using telnet to reach a machine of some sort which runs a
telnet daemon to listen for such connections. Any such machine capable
of running a telnet daemon is equally capable of running a ssh daemon.

As for the client end of things, that's even easier. Every Unix worth its
electrons ships with ssh, even stock MacOS X. Several choices for
Windows as well, I suggest PuTTY.

Ssh literally is telnet with a built-in VPN. It can tunnel more than the
keyboard/telnet session, but not as easily as a full VPN.

cwallenstein

2006-09-20, 1:12 pm

Indeed, if your only needs are remote console access, you may be far better off simply using SSH instead of telnet... you know, that whole KISS principle! ;-)

amattina

2006-09-25, 1:20 am

Yes. PuTTY. Great. These workstations need antivirus and other
management items. Corporate antivirus upgrading client definitions, RDP
access. All of this is doable via VPN. I know these clients could just
SSH. We need a VPN though. Don't worry, I worked it out.

David Kelly wrote:
> In article <1158677221.622305.114830@e3g2000cwe.googlegroups.com>,
> "amattina" <amattina@gmail.com> wrote:
>
>
> That makes no sense.
>
> You plan on using telnet to reach a machine of some sort which runs a
> telnet daemon to listen for such connections. Any such machine capable
> of running a telnet daemon is equally capable of running a ssh daemon.
>
> As for the client end of things, that's even easier. Every Unix worth its
> electrons ships with ssh, even stock MacOS X. Several choices for
> Windows as well, I suggest PuTTY.
>
> Ssh literally is telnet with a built-in VPN. It can tunnel more than the
> keyboard/telnet session, but not as easily as a full VPN.


Norvik

2006-09-25, 1:13 pm

Hi,

SSH? IPSec? This is CHINA, not USA, they are filtering and blocking
most traffic on the government level, which uses TCP/GRE (IPSec,
Windows VPN).

You need to use some VPN like SSL based (OpenVPN) or ViPNet based
(ViPNet vpn).

try one of them:
ViPNet
www.vpnsoluton.info

Openvpn
www.opevpn.org (free, but it will require many reconnections)
