We've had a request from a business partner to create a site-to-site IPsec VPN. This is not unusual. What is unusual is that they absolutely reject the idea of allowing our private IP addresses into their network and vice versa. They insist that we use a public IP address and NAT our server to that address over the IPsec tunnel.
Problem is that we don't lease any public IPv4 addresses. We've never had the need for public IP addresses for anything other than our Internet connections, so we just get our ISPs to give us a /28 or /29 at each location. In the rare event we set a VPN up and our internal addresses collide with a business partner's, we both just agree on some other mutually unused private IP addresses and NAT to those.
I had a thought: what if we "borrowed" an address from a different location's public /28 or /29 (as provided by the ISP) and used that internally to NAT the server in question? The partner would simply use a static route to get the traffic over the VPN.
At first, I thought this was crazy, but the more I thought about it, I couldn't really see a problem doing this. It would obviously lock us to that ISP, but it isn't like we change ISPs often.
The location where we borrow an ISP's IP address from would never need to communicate over the business partner's VPN, so that's not an issue. The borrowed IP address would otherwise just sit unused on the public Internet.
This doesn't feel right, but I can't see any technical reason to not do this.
Anyone ever done this?
Thoughts?
Anyone ever have a business partner refuse to work with private IP addresses when creating a VPN?
Oh, and they refuse to use IPv6.
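For readers who want to see what the setup described in the post looks like on a Linux VPN gateway, here is an added example (editor's illustration, not the author's configuration) of 1:1 NAT of an internal server to a "borrowed" public /32 with the IPsec traffic selector built on that /32, using nftables and strongSwan's swanctl. Every address is an assumption drawn from the RFC 5737 documentation ranges: 10.20.30.40 is the internal server, 203.0.113.10 is the borrowed address from another site's ISP block, 198.51.100.0/24 is the partner network, and 192.0.2.1 / 192.0.2.254 are the two VPN gateways. The functions only emit the configuration text; `apply_all` is the one that actually loads it and needs root plus nft and strongSwan.

```shell
#!/bin/sh
# Added example: NAT a private server to a borrowed public /32 over a
# policy-based IPsec tunnel (nftables + strongSwan swanctl on Linux).
# All addresses are assumed values from the RFC 5737 documentation ranges.

SERVER_PRIVATE="10.20.30.40"     # internal server being exposed (assumed)
BORROWED_PUBLIC="203.0.113.10"   # one address from another site's ISP block (assumed)
PARTNER_NET="198.51.100.0/24"    # partner's network behind their gateway (assumed)
OUR_GW="192.0.2.1"               # our VPN gateway's Internet address (assumed)
PARTNER_GW="192.0.2.254"         # partner's VPN gateway (assumed)

# nftables ruleset: 1:1 NAT restricted to traffic to/from the partner network,
# so the borrowed address is never used for ordinary Internet traffic.
gen_nft_ruleset() {
cat <<EOF
table ip partner_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # inbound from the partner (seen here after ESP decapsulation): public -> private
        ip saddr $PARTNER_NET ip daddr $BORROWED_PUBLIC dnat to $SERVER_PRIVATE
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # outbound to the partner: private -> public. The kernel re-runs the XFRM
        # policy lookup after SNAT, so the IPsec selector sees $BORROWED_PUBLIC.
        ip saddr $SERVER_PRIVATE ip daddr $PARTNER_NET snat to $BORROWED_PUBLIC
    }
}
EOF
}

# strongSwan swanctl.conf: the local traffic selector is the borrowed /32 only,
# so none of our private ranges ever appear in the tunnel negotiation.
gen_swanctl_conf() {
cat <<EOF
connections {
    partner {
        version = 2
        local_addrs  = $OUR_GW
        remote_addrs = $PARTNER_GW
        proposals = aes256-sha256-x25519
        local {
            auth = psk
            id = $OUR_GW
        }
        remote {
            auth = psk
            id = $PARTNER_GW
        }
        children {
            server {
                local_ts  = $BORROWED_PUBLIC/32
                remote_ts = $PARTNER_NET
                esp_proposals = aes256gcm16-x25519
                start_action = trap
            }
        }
    }
}
secrets {
    ike-partner {
        id-1 = $PARTNER_GW
        secret = "replace-with-a-real-preshared-key"
    }
}
EOF
}

# Apply on the gateway. Requires root, nft and strongSwan; not called by default.
apply_all() {
    gen_nft_ruleset | nft -f -
    gen_swanctl_conf > /etc/swanctl/conf.d/partner.conf
    swanctl --load-all
}
```

Two checks worth making before going live with this pattern. First, the site whose ISP block the address comes from must never assign 203.0.113.10 to anything, and that site must not carry it in any of its own tunnel selectors, otherwise two places answer for the same address. Second, the partner's static route for 203.0.113.10/32 must point at the tunnel unconditionally: because it is a real routable address, if their tunnel route ever disappears their default route will carry the traffic in the clear to the ISP block's actual location.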