VPN links using dynamic IPs

I have a hub and spoke configured gateway<>gateway VPN WAN where each spoke
end connects to the hub via Win Server 2003 RRAS and ISA erver 2001 packet
filters. If the hub goes down, the spokes can't talk to each other becuase
the ISA VPN wizard requires fixed IPs to setup the connection.

Is there any way to hard wire them with fixed routes to their FQDNs? I'm
using dynamic DNS to resolve the FQDNs.

Thanks for ANY assistance.

I don't think I understand the question. In a hub & spoke setup, if you
lose the hub, then you lose everything, that is just the way it is....it
doesn't really have anything to do with VPN wizards, DNS or FQDNs. The hub
is the "single point of failure".

We have the same VPN based Hub & Spoke setup with about 20+ sites from all
over the US. If the central "hub" (our Corp HQ) goes down, then the story is
simply over. They way we avoid trouble is to just not depend on the Hub for
everything. Our DNS, WINS, Internet connection, Mail Server (Exchange), Web
Server are are handled independently by us. Every site is pretty much
autonomous, we only use the "Hub" for things specific to what we need the HQ
for. If they are down, we just wait till they pick up the pieces and get
going again. We'll survive without them until they do. Communication between
sites in the form of Email still works because each site has thier own
locally maintained Mail Server and Internet Connection and so email never
depended on the "hub" to start with.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"SizzleMaster" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have a hub and spoke configured gateway<>gateway VPN WAN where each
spoke
> end connects to the hub via Win Server 2003 RRAS and ISA erver 2001 packet
> filters. If the hub goes down, the spokes can't talk to each other
becuase
> the ISA VPN wizard requires fixed IPs to setup the connection.
>
> Is there any way to hard wire them with fixed routes to their FQDNs? I'm
> using dynamic DNS to resolve the FQDNs.
>
> Thanks for ANY assistance.
>
>

Good point. I shouldn't have even put the whole hub and spoke setup part
into this posting and just put forward my question of how to connect two
servers via RRAS and ISA if they have dynamic IPs. Is this possible?

The reason that I need this is that I'm running a portal farm with three
servers, 2 acting as front end web servers and the 3rd as the index server,
if the hub goes down the portal is still up but the indexing thus search is
unavailable.

Thank you for your reply.

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> I don't think I understand the question. In a hub & spoke setup, if you
> lose the hub, then you lose everything, that is just the way it is....it
> doesn't really have anything to do with VPN wizards, DNS or FQDNs. The
hub
> is the "single point of failure".
>
> We have the same VPN based Hub & Spoke setup with about 20+ sites from all
> over the US. If the central "hub" (our Corp HQ) goes down, then the story
is
> simply over. They way we avoid trouble is to just not depend on the Hub
for
> everything. Our DNS, WINS, Internet connection, Mail Server (Exchange),
Web
> Server are are handled independently by us. Every site is pretty much
> autonomous, we only use the "Hub" for things specific to what we need the
HQ
> for. If they are down, we just wait till they pick up the pieces and get
> going again. We'll survive without them until they do. Communication
between
> sites in the form of Email still works because each site has thier own
> locally maintained Mail Server and Internet Connection and so email never
> depended on the "hub" to start with.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "SizzleMaster" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I have a hub and spoke configured gateway<>gateway VPN WAN where each
> spoke
> > end connects to the hub via Win Server 2003 RRAS and ISA erver 2001
packet
> > filters. If the hub goes down, the spokes can't talk to each other
> becuase
> > the ISA VPN wizard requires fixed IPs to setup the connection.
> >
> > Is there any way to hard wire them with fixed routes to their FQDNs?
I'm
> > using dynamic DNS to resolve the FQDNs.
> >
> > Thanks for ANY assistance.
> >
> >
>
>

Ok, well in VPN there is always a "Caller" side and "Host" side. Which ever
side is initiating the call (caller side) can be dynamic without a problem
because thier IP# is irrelevant, they recieve a new IP# based on the VPN
when the connection is established and that is the one actually used for the
VPN traffic inside the tunnel.

However the side receiving the call (host side) must be a statically
assigned address since the IP# is used as a "phone number" for the
connection. Now if the Host is registered with either DNS or WINS and the
data entry is always assured accurate even when the IP# changes then you may
get away with it if you can use the host name (WINS) or the FQDN (DNS) from
the Caller to make the connection. But I have never tried this and don't
know how successful it will be. I have always used the IP# to make the
connection and never worried about what the Host's name was.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"SizzleMaster" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Good point. I shouldn't have even put the whole hub and spoke setup part
> into this posting and just put forward my question of how to connect two
> servers via RRAS and ISA if they have dynamic IPs. Is this possible?
>
> The reason that I need this is that I'm running a portal farm with three
> servers, 2 acting as front end web servers and the 3rd as the index
server,
> if the hub goes down the portal is still up but the indexing thus search
is
> unavailable.
>
> Thank you for your reply.
>
> "Phillip Windell" <@.> wrote in message
> news:(E-Mail Removed)...
> > I don't think I understand the question. In a hub & spoke setup, if you
> > lose the hub, then you lose everything, that is just the way it is....it
> > doesn't really have anything to do with VPN wizards, DNS or FQDNs. The
> hub
> > is the "single point of failure".
> >
> > We have the same VPN based Hub & Spoke setup with about 20+ sites from
all
> > over the US. If the central "hub" (our Corp HQ) goes down, then the
story
> is
> > simply over. They way we avoid trouble is to just not depend on the Hub
> for
> > everything. Our DNS, WINS, Internet connection, Mail Server (Exchange),
> Web
> > Server are are handled independently by us. Every site is pretty much
> > autonomous, we only use the "Hub" for things specific to what we need
the
> HQ
> > for. If they are down, we just wait till they pick up the pieces and get
> > going again. We'll survive without them until they do. Communication
> between
> > sites in the form of Email still works because each site has thier own
> > locally maintained Mail Server and Internet Connection and so email
never
> > depended on the "hub" to start with.
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
> > "SizzleMaster" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > I have a hub and spoke configured gateway<>gateway VPN WAN where each
> > spoke
> > > end connects to the hub via Win Server 2003 RRAS and ISA erver 2001
> packet
> > > filters. If the hub goes down, the spokes can't talk to each other
> > becuase
> > > the ISA VPN wizard requires fixed IPs to setup the connection.
> > >
> > > Is there any way to hard wire them with fixed routes to their FQDNs?
> I'm
> > > using dynamic DNS to resolve the FQDNs.
> > >
> > > Thanks for ANY assistance.
> > >
> > >
> >
> >
>
>

One note, probably off topic, but what the hey - rather than RRAS/Windows
VPN, you can do what you wish with a lot of firewall appliances - check out
www.sonicwall.com - then you can use a dynamic DNS service such as
www.dyndns.org (there are plenty of others) to create
"domainsite1.dyndns.org" and "domainsite2.dyndns.org", with each server
running update software to make sure the correct IP is set (I use direct
update for this). I think in the newer sonicwalls *both* sides can have
dynamic IPs and just connect using the host name.

Just a thought.

SizzleMaster wrote:
> Good point. I shouldn't have even put the whole hub and spoke setup
> part into this posting and just put forward my question of how to
> connect two servers via RRAS and ISA if they have dynamic IPs. Is
> this possible?
>
> The reason that I need this is that I'm running a portal farm with
> three servers, 2 acting as front end web servers and the 3rd as the
> index server, if the hub goes down the portal is still up but the
> indexing thus search is unavailable.
>
> Thank you for your reply.
>
> "Phillip Windell" <@.> wrote in message
> news:(E-Mail Removed)...
>> I don't think I understand the question. In a hub & spoke setup, if
>> you lose the hub, then you lose everything, that is just the way it
>> is....it doesn't really have anything to do with VPN wizards, DNS or
>> FQDNs. The hub is the "single point of failure".
>>
>> We have the same VPN based Hub & Spoke setup with about 20+ sites
>> from all over the US. If the central "hub" (our Corp HQ) goes down,
>> then the story is simply over. They way we avoid trouble is to just
>> not depend on the Hub for everything. Our DNS, WINS, Internet
>> connection, Mail Server (Exchange), Web Server are are handled
>> independently by us. Every site is pretty much autonomous, we only
>> use the "Hub" for things specific to what we need the HQ for. If
>> they are down, we just wait till they pick up the pieces and get
>> going again. We'll survive without them until they do. Communication
>> between sites in the form of Email still works because each site has
>> thier own locally maintained Mail Server and Internet Connection and
>> so email never depended on the "hub" to start with.
>>
>> --
>>
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>>
>>
>> "SizzleMaster" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> I have a hub and spoke configured gateway<>gateway VPN WAN where
>>> each spoke end connects to the hub via Win Server 2003 RRAS and ISA
>>> erver 2001 packet filters. If the hub goes down, the spokes can't
>>> talk to each other becuase the ISA VPN wizard requires fixed IPs to
>>> setup the connection.
>>>
>>> Is there any way to hard wire them with fixed routes to their FQDNs?
> I'm
>>> using dynamic DNS to resolve the FQDNs.
>>>
>>> Thanks for ANY assistance.