Branch Office VPN Using Starlink On One End

I have a customer that wants to use Starlink as their internet provider. They have a T-20 and want to create a BOVPN to an existing T-35 that has a traditional ISP internet service with a static IP address.

We have set up many BOVPNs with T-15s and T-20s with the T-35 but in each case we had static IP addresses.

Is this possible?

Comments

  • Normally I'd say in theory - yes this is possible if you use on the Starlink (T20) end a BOVPN interface config that specifies a userid@domain identifier as the local gateway (as I believe Starlink issues a CGNAT address by default).
    [I've been doing this for 4G connections without issue so far].
    The remote (T35) end in your case has the static IP address which is fine.

    However, you would have to test this as we have a client who is apparently using a Starlink connection and can't connect from their laptop to their corporate mobile IKEv2 endpoint which is a FireboxV.
    The ISP documentation they've given us suggests that the CGNAT implementation may not like some IPsec type connections, which if so would be a problem for your setup.

    Unfortunately I don't have a Starlink setup to test this on so can only go on what I've been given/told.

  • Only thought of this now, but another option for the Starlink T20 to connect to the T35 if all else fails is a BOVPN over TLS setup, however this does come with some changes on the T35 end which may conflict if you have an existing [mobile] SSL VPN setup.

    In some quick testing I do notice you can't use this setup with any SDWAN rules unlike how you can specify a BOVPN interface in a SDWAN rule (it's more similar to a policy based VPN in how traffic is handled if I have it right).

  • Sure you can. Set up the external interface as DHCP (duh).

    When you create your VPN tunnel in VPN->Branch Office Gateway you simply tell it that your side (or the other) is DHCP and enter in a 'domain' name (this can be anything you want, it does not need AD or anything behind it).

    As long as the DHCP side knows the IP address of the other side and the rest of the exchange matches - it will connect.


  • > @TestingTester said:
    >
    > Sure you can. Set up the external interface as DHCP (duh).
    >
    > When you create your VPN tunnel in VPN->Branch Office Gateway you simply tell it that your side (or the other) is DHCP and enter in a 'domain' name (this can be anything you want, it does not need AD or anything behind it).
    >
    > As long as the DHCP side knows the IP address of the other side and the rest of the exchange matches - it will connect.

    I am attempting this setup now with two Fireboxes. I tried setting it up as you mentioned and it will not connect. I have Starlink connected to an external interface set to DHCP and gave it a domain name of test. It still won't connect.

    Should I need to put the Starlink router in bridge mode?
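
Added example, not part of the thread and not WatchGuard code: the first comment's CGNAT point can be checked by classifying the address the Firebox's external interface actually received and deriving what that implies for the gateway ID and for which end starts IKE. The function names, result keys and sample addresses are constructed for illustration; 100.64.0.0/10 is the RFC 6598 shared address space used for carrier-grade NAT.

```python
import ipaddress

# RFC 6598 shared address space, handed out by carrier-grade NAT (CGNAT).
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, e.g. what an ISP router's LAN side hands out.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr: str) -> str:
    """Classify the IPv4 address a firewall's external interface received."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "unusable"
    return "public"  # anything else is treated as directly routable


def bovpn_plan(wan_addr: str, is_static: bool) -> dict:
    """Derive IKE gateway constraints for one tunnel endpoint (hypothetical helper)."""
    kind = classify_wan(wan_addr)
    if kind == "unusable":
        raise ValueError(f"{wan_addr} is not a usable WAN address")
    behind_nat = kind in ("cgnat", "private")
    return {
        "wan_kind": kind,
        # The peer never sees a NATed or changing address, so it cannot be the gateway ID.
        "gateway_id": "ip" if (is_static and not behind_nat) else "domain_or_user_id",
        # The peer cannot open a connection through the NAT without port
        # forwarding, so this end has to start the IKE exchange.
        "must_initiate": behind_nat,
        # IPsec through NAT relies on NAT traversal (UDP 4500 encapsulation).
        "needs_nat_t": behind_nat,
    }


if __name__ == "__main__":
    # Constructed samples: CGNAT lease, lease from an ISP router, static public address.
    for addr, static in (("100.72.14.9", False), ("192.168.1.20", False),
                         ("198.51.100.7", True)):
        print(addr, bovpn_plan(addr, static))
```

A "private" result means the Firebox sits behind another router, so the tunnel would cross that router's NAT in addition to whatever the ISP applies.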
