385 Views, 0 Helpful, 2 Replies

Creating VPN with (hidden) endpoint.

mpdavies
Level 1

Hello

We are trying to create a VPN tunnel between routers. The only problem being that the ISP at one site does not advertise the external interface ip address of the router. This apparently is standard practice for some ISPs. The problem being that if we cannot see the outside interface of the router, then the endpoint for the VPN cannot be reached.

Is there any way I can get around this problem?

Many thanks.

2 Replies

gfullage
Cisco Employee

Not really, each endpoint needs to contact the other side to build the tunnel.

I presume the inside users behind this router are not using NAT/PAT, so does that mean they have valid global addresses on their inside network (and on the inside interface of the router)?

If so, you can build a tunnel to this inside interface assuming the other router can reach that. Just set the peer address on the other router to the inside IP address of this router, then on this router use the command:

> crypto map <map-name> local-address <interface>

Then it'll source all its crypto packets from the inside address rather than the outgoing address.
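The approach described above, written out as a pair of IOS configurations (an added example, not part of the original reply): R1 is the router whose outside address the ISP does not advertise, so its crypto map is told to source IKE/IPsec from the inside interface, and R2 peers with that inside address instead of R1's outside address. Everything here is assumed for illustration: the interface names, the map and ACL names, the pre-shared key placeholder, the address 198.51.100.10 used as R1's routable inside address and 192.0.2.1 as R2's outside address (documentation ranges), and the 10.1.0.0/16 and 10.2.0.0/16 site networks.

```cisco
! ===== R1: router behind the ISP that does not advertise the outside address =====
! Assumption: the inside interface carries a globally routable address that R2 can reach.
interface GigabitEthernet0/1
 description Inside (routable address, used as the VPN endpoint)
 ip address 198.51.100.10 255.255.255.0
!
interface GigabitEthernet0/0
 description Outside (address not advertised by the ISP)
 crypto map VPNMAP
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! <PSK> is a placeholder; the key must match the one configured on R2.
crypto isakmp key <PSK> address 192.0.2.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-ACL
! The command from the reply above: source all crypto traffic from the inside interface,
! so the tunnel endpoint is 198.51.100.10 rather than the hidden outside address.
crypto map VPNMAP local-address GigabitEthernet0/1

! ===== R2: far-side router with a normal, reachable outside address =====
interface GigabitEthernet0/0
 description Outside
 ip address 192.0.2.1 255.255.255.0
 crypto map VPNMAP
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The peer address is R1's INSIDE interface address, not its outside address.
crypto isakmp key <PSK> address 198.51.100.10
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-ACL
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address VPN-ACL
```

Two things to check before blaming the configuration: the address chosen on R1's inside interface must actually be routed to R1 from R2's side (otherwise R2's IKE packets never arrive), and any filtering between the two routers must still allow UDP/500 (plus UDP/4500 if NAT traversal is in play) and ESP. Once traffic matching VPN-ACL is sent, `show crypto isakmp sa` on either router should list the peer with the R1 side identified as 198.51.100.10, and `show crypto ipsec sa` should show encaps/decaps counters increasing.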

Thanks for the reply.

The users on the inside of the router will be on a private address space, say 10.1.0.0 /16.

The router will need to provide NAT to a couple of internal machines, 10.1.0.10 and 10.1.0.11 /16, for PROXY and EMAIL access. All other traffic will be local or passing down the VPN tunnel to the 10.2.0.0 /16 network.

I have a number of global ip addresses to use for internet access (NAT) and to create my VPN tunnel.

The internal router interface (the clients' default gateway) will be 10.1.0.1 /16.

Can I also give this interface a secondary IP address using one of my global IP addresses (say 193.123.252.10) and use this secondary IP address on the internal interface as my VPN endpoint?

Thanks again, Martin