Hi everyone,
I am seeking some advice on best practices for VPN network design. My current set-up for VPN is such that VPN traffic enters the network via an Internet Router, passes through a firewall and gets forwarded to a VPN Router. The VPN Router does all the authentication via TACACS and then an internal VPN IP is issued which is able to access the internal network. This setup was designed such that there were excess public IPs to allow for a VPN IP address. However, the future situation is such that I would be having only 1 public IP.
So, I was thinking of ways to work around this. I could maintain the current setup by tweaking the Internet Router to perform policy-based routing to forward VPN traffic to the firewall, and the firewall to the VPN Router. Everything should work the same.
But I was also contemplating merging the VPN Router into the Internet Router. This would save on the need to manage an additional router. But I am uncertain if there would be any security implications. Currently the TACACS is not available/connected to the Internet Router. I would assume it's for security reasons. So what happens if my Internet Router also has VPN capabilities, would there be a problem? I am curious about the loading and security concerns of this setup.
I hope someone would be able to shed some light on this or guide me to some best practices documentation on VPN network design.
Thank you.