
VPNs with dynamic IP

It can be a challenging problem to connect two sites across the Internet when both of them have a dynamic IP address. Tom Lancaster explores three different methods of tackling the problem in this tip.

An ITKnowledgeExchange user recently asked a question I hear fairly often, which is: "How do you connect sites across the Internet when their public IP address changes fairly often?"

Most of the VPN protocols in use have evolved to accommodate the very common scenario where one side of the tunnel is dynamically addressed, and usually Network Address Translated (NAT). However, when both sides are dynamic, or behind NAT, it presents a challenging problem.

The typical answer I hear was repeated on the forum several times: use a third-party service that acts like DNS, resolving names to IP addresses, except that it provides a way to keep track of dynamic addresses for people who don't actually own the address (it's owned by their ISP, which prevents them from using a legitimate DNS domain and regular DDNS). Several such services were mentioned, and depending on your organization, your budget, your support requirements and your tolerance for risk, this can be a good option. However, it's not typically something that would be well-received in an enterprise environment.
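As an added illustration (not from the original tip), here is how a site might consume such a dynamic-address service on its own side: a small Python routine that resolves each remote site's published name, re-points the tunnel only when the address actually changes, and tolerates a failed lookup rather than tearing down a working tunnel on a transient DNS outage. The hostnames, addresses and the injectable resolver are assumptions made for the demo.

```python
"""Track dynamically addressed VPN peers via their DDNS names (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class PeerState:
    # Hypothetical record of what a tunnel is currently configured with.
    hostname: str
    last_known_ip: Optional[str] = None
    stale_lookups: int = 0  # consecutive failed resolutions


def default_resolver(hostname: str) -> Optional[str]:
    """Resolve via the system resolver; return None on failure instead of raising."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def refresh_peers(peers: List[PeerState],
                  resolver: Callable[[str], Optional[str]] = default_resolver,
                  max_stale: int = 3) -> Tuple[List[str], List[str]]:
    """Resolve each peer's name and report which tunnels need their remote
    endpoint re-pointed. Returns (changed, unreachable) lists of hostnames.
    A failed lookup keeps the last known address, so the tunnel stays up;
    after max_stale failures in a row the peer is flagged for an operator."""
    changed, unreachable = [], []
    for peer in peers:
        ip = resolver(peer.hostname)
        if ip is None:
            peer.stale_lookups += 1
            if peer.stale_lookups >= max_stale:
                unreachable.append(peer.hostname)
            continue
        peer.stale_lookups = 0
        if ip != peer.last_known_ip:  # re-key only on a real change
            peer.last_known_ip = ip
            changed.append(peer.hostname)
    return changed, unreachable


def simulate() -> Tuple[List[str], List[str], List[PeerState]]:
    """Offline run with constructed data: site A moved, site B's lookup fails."""
    peers = [PeerState("site-a.example.net", "203.0.113.10"),
             PeerState("site-b.example.net", "198.51.100.7")]
    table = {"site-a.example.net": "203.0.113.44"}  # constructed DDNS answers
    changed, unreachable = refresh_peers(peers, resolver=table.get)
    return changed, unreachable, peers
```

In a real deployment the `changed` list would drive a re-key of the affected tunnels, and `unreachable` would raise an alert rather than silently leaving a stale peer address in place.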


Another option (but one I'd steer clear of) is recognizing that cable modem ISPs don't actually change their leases all that often, even though the addresses are technically dynamically assigned. So you could just configure your VPN boxes with the remote end's current address and manually change it when necessary, hoping that isn't all that often. Again, there's a tradeoff between downtime and price, and this solution is about as cheap as you get (assuming tech support labor is a sunk cost or provided by a friend or relative pro bono), but expect interruptions in service.

There is another way to connect two sites that both have dynamic addressing: Have both of them initiate the connection to a third, static, site. This also has pros and cons, of course. The downside is that you potentially have an additional hop that can be a bottleneck and will almost definitely add latency. If you don't already have a static site on the Internet, then it would be an extra expense, too, although not necessarily a large one. You'll also need a routing protocol, where you could previously get by with static routing.

While this isn't typically a problem for the enterprise space, as they usually have numerous data centers with fixed addresses, VPN services and a traffic model where all the clients talk to the centralized servers, it could become an issue if more of the peer-to-peer technologies gain traction. Even then, an internally controlled DDNS would be a preferable solution. But for smaller organizations on a budget, hopping through a known, fixed address can be a compelling alternative.

This was last published in January 2006
