IPsec over 4G or Starlink

IPsec is the backbone of a lot of corporate and enterprise VPN networks. However, most IPsec implementations require the public IP address to be on the interface that IPsec is running from.

For VDSL and fibre networks this is fine. However, in 4G and Starlink setups this often isn’t possible, as they use carrier-grade NAT (CGNAT) systems.

While some providers offer full public IPs on SIM cards, there can be two restrictions with this:

  1. The SIM provides a full public IP but it sits on the 4G router – not on the firewall interface. Not all firewalls support 4G connections directly.
  2. Public IP SIM cards can come with expensive tariffs when the data volume is around what would be considered a reasonable monthly volume (~50GB).

In the case of Starlink, while it is really fast, there is no option for a full public IP that you can apply to your firewall interface.
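A quick way to tell which of these situations a site is in, before attempting an IPsec tunnel, is to compare the address on the firewall's WAN interface with the address the remote peer sees. This is an added example, not code from Netcelero or the original page; the function names are hypothetical, the sample addresses are constructed (documentation ranges), and the observed address is assumed to be supplied by the operator.

```python
import ipaddress

# IPv4 ranges that cannot be the "full public IP" the IPsec endpoint needs.
NON_PUBLIC_RANGES = {
    "cgnat (RFC 6598 shared space)": ["100.64.0.0/10"],
    "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}


def classify(addr):
    """Return the class of an IPv4 address: one of the labels above or 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC_RANGES.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"


def assess_wan(interface_addr, observed_addr):
    """Compare the firewall's WAN address with the address seen from outside.

    observed_addr is an assumption of this example: the source address the
    remote VPN peer (or any external host you control) sees for this site.
    """
    kind = classify(interface_addr)
    same = ipaddress.ip_address(interface_addr) == ipaddress.ip_address(observed_addr)
    if kind == "public" and same:
        verdict = "public IP is on the interface"
    elif kind == "public":
        verdict = "public-looking address, but translated upstream"
    elif kind.startswith("cgnat"):
        verdict = "behind carrier NAT"
    else:
        verdict = "behind a local NAT router"
    return {"interface_class": kind, "nat_in_path": not same, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: (description, WAN interface address, observed address)
    samples = [
        ("fibre, IP on firewall", "198.51.100.7", "198.51.100.7"),
        ("firewall behind 4G router", "192.168.1.2", "203.0.113.45"),
        ("carrier NAT uplink", "100.72.14.9", "203.0.113.45"),
    ]
    for name, iface, seen in samples:
        print(f"{name}: {assess_wan(iface, seen)}")
```

Only the first verdict matches the requirement stated above, that the public IP sits on the interface IPsec runs from.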

In the diagram below, we show how an i-ctrl from Netcelero, using any SIM or Starlink connection, can provide a full public IP on the firewall to run an IPsec tunnel from it.

The i-ctrl can also be used to provide a single full public IP that uses the VDSL or fibre as the primary and then the Starlink or 4G as backup. This allows the IPsec tunnel to be configured to operate with just one public IP. The i-ctrl handles the failover and failback between the primary and backup connections.