Build a site to site VPN without static address?

Eric Vyncke evyncke at cisco.com
Wed Sep 8 16:14:29 EDT 1999


Laurent,

More and more products are on the market that support fairly dynamic
IPSec VPN:
- that use strong authentication based on X.509 certificates for IKE
- or that use weaker authentication based on pre-shared keys for IKE
- or that use weaker and unknown authentication for IKE
- that rely on an IETF draft called 'mode config' to allocate dynamic
  parameters to the remote party (very similar to IPCP for PPP connections),
  hence no more need for the L2TP and IPSec combination for dynamic config
  of the client

It's getting late here, so I'm perhaps too succinct and unclear. Feel free
to ask for further info.

Just my biased 0.01 EUR ;-)

-eric

At 09:39 08/09/1999 -0400, Laurent Hebert wrote:
>I am looking for VPN architecture (products) that could be implemented on
>an ISP (cable modem) network for which IP addresses are assigned by DHCP. 
>Most of the products I see on the market are using static IP addresses to
>build reliable VPNs.  There are fewer products using DHCP.
>
>So far, I have thought about the following solutions:
>
>1- Use PPTP (or eventually L2TP) with an S/W client that could handle DHCP
>and update a DDNS server that could be installed with a dedicated
>connection to the Internet. My problem with this solution is the on-going
>support.  I do not think that it is robust enough to address the Business
>market.  On top of that, it does not follow IPsec (unless we use IPsec
>within L2TP, which I believe is not mature).
>
>2- Use a central VPN Hub concept for which all client sites would use a VPN
>access device that supports DHCP.  These access devices would then establish
>a VPN session with a central VPN hub.  At that VPN hub, we would be able to
>"interconnect" the various VPN sessions together to create a site to site
>Intranet.  Different companies would then be able to share this VPN hub and
>we (the ISP) would be able to offer other IP services (behind the VPN Hub)
>using this architecture.  I know that 3COM offers products that seem to do
>that kind of job (Tunnel Switch) but I do not know other products and I do
>not know what the drawbacks of that solution are.
>
>Are there other alternatives that could be used that are robust and
>manageable?
>
>Another aspect of the problem is to find a solution that supports
>client-to-site.  On that side, most of the VPN clients are not well integrated
>with the NT or Novell Security and Authentication tools.  Any recommendations?
>
>Laurent Hebert
>Consultant at Netesys

Eric Vyncke                        
Consulting Engineer                Cisco Systems EMEA
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke at cisco.com          Mobile: +32-75-312.458

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************