07-28-2013 08:04 AM - edited 03-04-2019 08:34 PM
Greetings everyone,
I have three sites: one headquarters and two branches.
I want to make a crypto isakmp policy to create a VPN connection between the headquarters and each branch.
Do I require three real IPs, or is one enough?
If one is enough, would I use private IP addresses, or how would the policy be?
Thanks a lot
07-28-2013 10:39 AM
Hi Abdulrahman,
You need to have three public IP addresses. The HQ is going to send encrypted packets to both branches, and the branches will either communicate back to HQ or even directly to each other - but this communication requires you to use at least a single IP address on each of your locations.
I assume that the HQ and branches are interconnected using a common internet access (i.e. no MPLS VPN or some other kind of pre-existing private interconnection).
Best regards,
Peter
07-28-2013 12:30 PM
While the response from my colleague Peter does represent the common solution to the question of how to configure an HQ and two spoke routers, I must take exception with his suggestion that 3 public addresses are required. Using dynamic VTI tunnels I believe that it is quite possible to implement this with 1 public IP for HQ and with private IP used at the spoke. This will introduce a requirement that the tunnel will be initiated from the spoke to HQ and HQ will not have the ability to initiate the tunnels.
HTH
Rick
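Rick's dynamic VTI design, as an added example that is not part of the thread and not code from either participant: a hub with the one fixed public address and a spoke whose WAN interface carries a private (RFC 1918) address behind the ISP's NAT. The spoke uses a static VTI pointed at the hub, the hub clones a Virtual-Access interface per spoke from a virtual template, and only the spoke can initiate. All hostnames, addresses, the EIGRP AS number and the pre-shared key are constructed for the example.

```cisco
! === HQ (hub): the only site with a fixed public IP, 198.51.100.1 on Gi0/0 ===
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Spoke addresses are unknown in advance, so a wildcard pre-shared key is used.
! Example assumption only; see the note below on why this is the weak spot.
crypto isakmp key Spoke-PSK-Change-Me address 0.0.0.0 0.0.0.0
!
crypto isakmp profile SPOKES
 match identity address 0.0.0.0
 virtual-template 1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DVTI-PROF
 set transform-set TS-AES-SHA
 set isakmp-profile SPOKES
!
interface Loopback0
 ip address 172.16.255.1 255.255.255.255
!
! One Virtual-Access interface is cloned from this template per connecting spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-PROF
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.248
!
! Branch LANs are learned over the tunnels: there is no fixed interface
! to point a static route at before a spoke has connected
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 172.16.255.0 0.0.0.255
!
! === Branch A (spoke): WAN interface holds a private address behind the ISP's NAT ===
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key Spoke-PSK-Change-Me address 198.51.100.1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile SVTI-PROF
 set transform-set TS-AES-SHA
!
interface Loopback0
 ip address 172.16.255.2 255.255.255.255
!
! Static VTI: the spoke always initiates towards the hub's public address.
! NAT traversal (UDP/4500 encapsulation) is negotiated automatically.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI-PROF
!
interface GigabitEthernet0/0
 ip address 192.168.100.2 255.255.255.0
!
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 172.16.255.0 0.0.0.255
!
! Verification on the hub once a spoke has connected:
!   show crypto isakmp sa
!   show crypto session
!   show ip interface brief | include Virtual-Access
```

Two practical caveats. First, the wildcard key means any host on the Internet that learns the key can attach a spoke to the hub; for anything beyond a lab, authenticate spokes with certificates (`authentication rsa-sig`) or at least give each spoke its own key and match it on identity instead of `0.0.0.0`. Second, because the hub cannot initiate, a spoke behind a NAT whose translation times out will go silent until it re-dials; enabling dead peer detection on the spoke (`crypto isakmp keepalive 10 periodic`) makes it notice and rebuild the tunnel rather than wait for interesting traffic.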
07-28-2013 01:33 PM
Hi Rick,
Thanks for joining!
Using dynamic VTI tunnels I believe that it is quite possible to implement this with 1 public IP for HQ and with private IP used at the spoke
I have actually thought of doing some kind of DMVPN with spokes dynamically registering their current public IP with the HQ routers. Nevertheless, this setup still requires 3 public IPs, even though only one of them has to be stable - the one on the HQ. Branch routers may be using dynamically assigned public IPs. Perhaps I was looking at the problem in a too definitional way - that regardless of whether there is a static or dynamic public IP address, each site has to hide itself behind one.
In any case, Rick, thank you for pointing this out. While in the end, there will be three public IP addresses communicating to each other after the VPN is configured, only one of them has to be stable and static. The others may not even be known to the branch offices.
Best regards,
Peter
07-28-2013 03:07 PM
Thanks a lot to both of you for your kind replies.
I guess I am going to go with three static public IPs to keep my config basic, since it's a small company.
Anyway, is it required in this case to have three IP addresses on the same subnet?
I guess not, but I'm asking just to be sure.
07-28-2013 03:35 PM
Hello Abdulrahman,
Anyway is it required in this case to have three IP addresses on the same subnet?
No, certainly not. You can have any valid public IP addresses.
Best regards,
Peter
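The three-static-public-IP design the original poster settled on, as an added example that is not part of the thread and not either participant's configuration. It makes Peter's two points concrete: the isakmp policy itself carries no addresses at all, only the Phase 1 proposal; the peer addresses appear in the pre-shared key statements and the crypto map, and the three peers can sit on unrelated public subnets. All addresses, names and keys are constructed.

```cisco
! === HQ: public 198.51.100.1, LAN 10.0.0.0/24 ===
! Phase 1 proposal; note that no IP addresses appear here
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! One distinct key per branch; the two branch peers are on unrelated public subnets
crypto isakmp key BranchA-PSK-Change-Me address 203.0.113.10
crypto isakmp key BranchB-PSK-Change-Me address 192.0.2.20
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": HQ LAN <-> each branch LAN
ip access-list extended VPN-TO-BRANCH-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended VPN-TO-BRANCH-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES-SHA
 set pfs group14
 match address VPN-TO-BRANCH-A
crypto map HQ-MAP 20 ipsec-isakmp
 set peer 192.0.2.20
 set transform-set TS-AES-SHA
 set pfs group14
 match address VPN-TO-BRANCH-B
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.248
 crypto map HQ-MAP
!
! If HQ also NATs Internet traffic out of Gi0/0 (assumed here: Gi0/0 is
! "ip nat outside", the LAN interface "ip nat inside"), exclude the VPN
! flows first, or their source is rewritten before the crypto map sees them
ip access-list extended NAT-SOURCES
 deny   ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
!
! === Branch A: public 203.0.113.10, LAN 10.1.0.0/24 ===
! (Branch B mirrors this with 192.0.2.20 and 10.2.0.0/24)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto isakmp key BranchA-PSK-Change-Me address 198.51.100.1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Exact mirror image of the HQ side's ACL for this peer
ip access-list extended VPN-TO-HQ
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map BRANCH-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 set pfs group14
 match address VPN-TO-HQ
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 crypto map BRANCH-MAP
!
! Verification (either side):
!   show crypto isakmp sa    -> state QM_IDLE once Phase 1 is up
!   show crypto ipsec sa     -> #pkts encaps/decaps incrementing
```

Because every peer has a fixed public address, any side can bring a tunnel up, which is the operational advantage over the spoke-initiated design. Two things to check when it does not: the crypto ACLs on the two ends of a tunnel must be exact mirror images, and branch-to-branch traffic is not covered by anything above; it needs either a third map entry and key on each branch, or HQ ACLs widened so the branches reach each other through the hub.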
07-28-2013 04:05 PM
Peter
I was reacting to my assumption that we were talking about needing the public IP configured on the router interface. And with VTI that is not a requirement (I have a customer with a couple of sites doing VTI where the address on the remote router interface is in 10 address space). But your response helps set me straight and to realize that in the perspective of the question in the original post my response was a bit off the mark. You are quite correct that he will need to have at least one public IP provisioned for each of the locations.
HTH
Rick