I work for a bank and will be implementing some new security settings soon via a VPN device...

What I'm wondering - from a security standpoint...is this....

The scenario is as follows - from our internal IP address scheme - the VPN device will be told which IP addresses will be allowed to send traffic to the other end...

From our VPN - it will travel to our host provider - to their firewall/router - and out to the internet where it gets assigned an external IP address. The other end requires us to provide them with that external IP address so that on their end, they will only accept traffic from that external IP address.

My question is this...

Could someone set up a VPN at their house (no matter how costly it may be), and spoof both our internal IP address scheme so that it would leave their network - AND spoof the external IP address to match that of our host provider?

My impression was that there are no two external IP addresses that are the same and that the external IP addresses could not be spoofed - but Lord knows I've been wrong before....

If there would be another way to compromise this strategy, let me know - we are assuming that the bank's network itself is secure in that someone couldn't "hack" into it to gain access to the real external IP address.