
Suggestions for VPN Failover

We have multiple remote offices (RO) (5) and a handful of users who connect to our home office (HO) via VPN, based on our static IP.  We have two static IP addresses from two different ISPs, with the secondary one used as failover only.  We don't want to load balance.

When ISP 1 dies, our router automatically switches us to ISP 2, and thus our IP changes.  I'm investigating the best way to signal the remote offices that we have a new IP to use for the VPN connections.

What is everyone's recommendation or thoughts?  I'm a networking newcomer by way of necessity.

Currently we have both HO static IPs set in the VPN settings of each RO WatchGuard unit.  This seems to work fine; however, I'm wondering if a dynamic method would be better or isn't a nightmare to set up.  We are using WatchGuard units, namely the XTM5.

Hypothetically, what if our HO had 4 static IPs and we had 50 ROs which each had 3 static IPs, etc., etc.?  No one wants to keep up with all of those IPs in each configuration.

I've looked into:

  • Updating an A NAME record with a short TTL, although I know this is not recommended, via Rackspace (our hosting company)
  • Using round robin DNS with the above method
  • Third-party service like noip.com, and point the VPN to a hostname instead of IP

I don't know how our WatchGuard unit handles VPN gateways when they are domain names... does it cache the IP somewhere?  If the A record has multiple IPs (round robin), does it maintain order, and if so, does it automatically select the next one?

I also don't know if the WatchGuard has the ability to use any DDNS service when WAN failover occurs.  I know it can for individual external connections.

I will call them later today but was curious if anyone had any initial thoughts.

THANK YOU!

