Do I Need a Static External Address?
BOVPN endpoint devices can have static or dynamic external addresses. Regardless of whether addresses are static or dynamic, devices must know how to find each other to make a VPN connection.
A static address does not change. For example, if a Firebox has the static IP address 203.0.113.1, a BOVPN endpoint device at another site can always make a VPN connection to that IP address.
A dynamic IP address can change. For example, if your ISP assigns dynamic addresses, the external IP address of your Firebox might change at some point.
If the external IP address of a BOVPN endpoint changes, connections between the BOVPN endpoint devices cannot be made unless the two devices know how to find each other. If you have a dynamic address, you can configure dynamic DNS and specify a domain name in your BOVPN configuration. Dynamic DNS makes sure that the IP address attached to your domain name changes when your ISP gives your Firebox a new IP address.
For more information about dynamic DNS, see About the Dynamic DNS Service.
How do I Get a Static External IP Address?
You get the external IP address for your computer or network from your ISP or a network administrator. Many ISPs use dynamic IP addresses to make their networks easier to configure and use with many users. Most ISPs can give you a static IP address as an option.
How do I Troubleshoot the Connection?
If you can send a ping to the trusted interface of the remote Firebox and to the computers on the remote network, the VPN tunnel is up. If other problems remain, possible causes are the configuration of the network software or of the software applications.
For information about VPN troubleshooting tools and strategies, see Monitor and Troubleshoot BOVPN Tunnels.
Why is Ping not Working?
If you cannot send a ping to the local interface IP address of the remote Firebox, use these steps:
- Ping the external address of the remote Firebox.
For example, at Site A, ping the external IP address of Site B. If you do not receive a response, make sure the external network settings of Site B are correct. Site B must be configured to respond to ping requests on that interface. If the settings are correct, make sure that the computers at Site B have a connection to the Internet. If the computers at Site B cannot connect, speak to your ISP or network administrator.
- If you can ping the external address of each Firebox, try to ping a local address in the remote network.
From a computer at Site A, ping the internal interface IP address of the remote Firebox. If the VPN tunnel is up, the remote Firebox sends the ping back. If you do not receive a response, make sure the local configuration is correct. Make sure that the local DHCP address ranges for the two networks connected by the VPN tunnel do not use any of the same IP addresses. The two networks connected by the tunnel must not use the same IP addresses.
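The address-overlap check from the last step, as an added example that is not part of the original page or of any WatchGuard tool: it compares the networks and DHCP ranges of two sites and reports the addresses they share. The site dictionaries, function names and all addresses are constructed for illustration.

```python
import ipaddress

def parse_range(start, end):
    """Return (first, last) address objects for a DHCP range, validating order."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError(f"mixed IP versions in range {start}-{end}")
    if first > last:
        raise ValueError(f"range start {first} is after range end {last}")
    return first, last

def range_overlap(a, b):
    """Return the (first, last) addresses shared by two ranges, or None."""
    first, last = max(a[0], b[0]), min(a[1], b[1])
    return (first, last) if first <= last else None

def check_sites(site_a, site_b):
    """Compare two tunnel endpoints' local addressing; return a list of findings."""
    findings = []
    net_a = ipaddress.ip_network(site_a["network"])
    net_b = ipaddress.ip_network(site_b["network"])
    # Overlapping subnets make routing through the tunnel ambiguous.
    if net_a.overlaps(net_b):
        findings.append(f"networks overlap: {net_a} and {net_b}")
    # DHCP pools can collide even when the subnets are written differently.
    shared = range_overlap(parse_range(*site_a["dhcp"]),
                           parse_range(*site_b["dhcp"]))
    if shared:
        count = int(shared[1]) - int(shared[0]) + 1
        findings.append(
            f"DHCP ranges share {count} addresses: {shared[0]}-{shared[1]}")
    return findings

# Constructed sample sites (hypothetical values, not from the page).
SITE_A = {"network": "192.168.1.0/24",
          "dhcp": ("192.168.1.100", "192.168.1.200")}
SITE_B_CONFLICT = {"network": "192.168.1.0/24",
                   "dhcp": ("192.168.1.150", "192.168.1.250")}
SITE_B_CLEAN = {"network": "10.0.2.0/24",
                "dhcp": ("10.0.2.100", "10.0.2.200")}

if __name__ == "__main__":
    for label, site_b in (("conflict", SITE_B_CONFLICT), ("clean", SITE_B_CLEAN)):
        findings = check_sites(SITE_A, site_b)
        print(label, "->", findings or "no shared addresses")
```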