VPN with Dynamic IP

I have M270 hardware with Fireware v12.7 configured in Mixed routing mode. I'm using a static external IPv4 address and have the VPN IKEv2 configured with that static IPv4.

The company will be moving soon to a different location. At this time I don't know what or who the ISP will be at the new place. My question is: if I have a dynamic IP at the new location, will it be possible to continue using IKEv2 VPN with a dynamic IP? I understand the M270 needs to be reconfigured, but is it possible at all to use a dynamic IP? Would it be easier to pay extra for static IPs?

Comments

  • You can use a Dynamic DNS name for this connection type.
    This works for me.
    I'm using a free one - freeddns.org

    About the Dynamic DNS Service
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/dyndns_about_c.html

  • How about IKEv2 Networking configuration setting? Under "Specify the Firebox domain names or IP addresses for client connections" I don't see an option to specify dynamic IPs. How do VPN clients establish a connection?

  • You specify the Dynamic DNS name, which is a domain name.

  • Got it. So clients' VPN contacts the domain name (dynamic dns) and it responds with the current IP assigned to it, correct?

  • Yes. There is a DNS lookup of the domain name, which resolves to an IP addr, which is then accessed, just as is done for any other domain name access, such as with a web browser. It just happens to be a dynamic IP addr that is resolved to instead of a static one.

    Also, one can edit the current client, for example the one already installed on Windows, and modify the "Server name or address" field and enter the new IP addr or domain name, without having to re-run the IKEv2 client install all over again as the firewall certs will not have changed.

  • I have my VPN target in my domain's public DNS as (an example) vpn.greggspublicdomain.net and "vpn" is actually a CNAME in my domain's public DNS. I have DynDNS as my dynamic DNS handler. The "vpn" CNAME points to the DynDNS FQDN that I use for my Firebox. I use "vpn.greggspublicdomain.net" as my target and I connect.

    If my dynamic IP changes, the Firebox tells DynDNS the new IP, and everyone using "vpn.greggspublicdomain.net" for a target never knows anything changed. If I were to get a static public IP address, I could leave everything as-is, or I could change my public DNS "vpn" from a CNAME to an A record.

    Gregg Hill

  • @Bruce_Briggs said:

    Also, one can edit the current client, for example the one already installed on Windows, and modify the "Server name or address" field and enter the new IP addr or domain name, without having to re-run the IKEv2 client install all over again as the firewall certs will not have changed.

    I'm using Firebox generated certificate. There's an option that says "Specify the server names or IP addresses for client connections. This information will be included in the Firebox certificate."

    I thought the certificate has to match the VPN target (IP or domain names), in my case it is the static external IP address where the clients connect to.

    If I change it to domain name, won't that trigger mismatch warning? It's like using a certificate issued for google.com but I'm accessing it through its IP address. That'll trigger a cert warning.

  • I can connect with either my domain name or the current IP addr of my firewall.
    No cert warning.
    It works. Stop worrying.
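    The following is an added example, not code from this thread or from WatchGuard, that walks through the two points discussed above: the CNAME-to-dynamic-DNS lookup chain Gregg describes, and the certificate name check raised about the Firebox certificate. The zone records, the freeddns.org hostname, the 203.0.113.x / 198.51.100.x addresses and the SAN entries are all constructed for illustration; a real client would do the lookup with the OS resolver (e.g. `socket.getaddrinfo`) and compare the presented certificate's SANs against the literal value typed into "Server name or address".

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS zone data (not real records). The public zone carries a
# CNAME that points at the dynamic-DNS name the Firebox keeps updated, and
# the dynamic-DNS provider holds the A record with the current WAN address.
DNS_RECORDS: Dict[str, Tuple[str, str]] = {
    "vpn.example.net.": ("CNAME", "firebox-example.freeddns.org."),
    "firebox-example.freeddns.org.": ("A", "203.0.113.10"),
}

# Constructed Subject Alternative Names standing in for the entries a
# Firebox-generated certificate would carry: (SAN type, value).
CERT_SANS: List[Tuple[str, str]] = [
    ("DNS", "vpn.example.net"),
    ("DNS", "firebox-example.freeddns.org"),
    ("IP", "203.0.113.10"),
]


def _fqdn(name: str) -> str:
    """Normalise a name to lower-case, trailing-dot form for table lookups."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def resolve(name: str, records: Dict[str, Tuple[str, str]] = DNS_RECORDS,
            max_hops: int = 8) -> str:
    """Follow CNAMEs until an A record is reached and return the IPv4 address."""
    current = _fqdn(name)
    for _ in range(max_hops):
        rtype, value = records.get(current, (None, None))
        if rtype == "A":
            return value
        if rtype == "CNAME":
            current = _fqdn(value)
            continue
        raise LookupError(f"no A/CNAME record for {current}")
    raise LookupError(f"CNAME chain too long starting at {name}")


def firebox_ddns_update(new_ip: str, records: Dict[str, Tuple[str, str]],
                        ddns_name: str = "firebox-example.freeddns.org") -> None:
    """Simulate the Firebox pushing a new WAN address to the dynamic DNS provider.

    Only the provider's A record changes; the CNAME in the public zone is untouched,
    so clients configured with the public name keep resolving to the right place.
    """
    records[_fqdn(ddns_name)] = ("A", str(ipaddress.ip_address(new_ip)))


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def san_matches(target: str, sans: List[Tuple[str, str]] = CERT_SANS) -> bool:
    """True if the name or IP literal the client was given is covered by a SAN."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for san_type, value in sans:
        if ip is not None and san_type == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and san_type == "DNS" and _dns_name_matches(value, target):
            return True
    return False


def check_vpn_target(target: str, records: Dict[str, Tuple[str, str]] = DNS_RECORDS,
                     sans: List[Tuple[str, str]] = CERT_SANS) -> Tuple[str, bool]:
    """Resolve the client's target and report whether the certificate covers it.

    Returns (ip, covered). The SAN comparison is made against `target`, the value
    typed into the client, because that is what a client checks the certificate
    against, not the address the name happened to resolve to.
    """
    try:
        ip = str(ipaddress.ip_address(target))
    except ValueError:
        ip = resolve(target, records)
    return ip, san_matches(target, sans)


if __name__ == "__main__":
    print(check_vpn_target("vpn.example.net"))        # name resolves via CNAME, SAN covers it
    zone = dict(DNS_RECORDS)
    firebox_ddns_update("198.51.100.7", zone)           # WAN address changes
    print(check_vpn_target("vpn.example.net", zone))    # new IP, same name, still covered
    print(check_vpn_target("198.51.100.7", zone))       # old IP SAN no longer matches
```

    The last two calls show the practical difference between the two ways of configuring the client: a client given the DNS name keeps working across an address change, because the name it checks against the certificate has not changed, whereas a client given the literal address depends on that exact address being in the certificate's IP SAN.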

  • ok. Thanks again.
