Dynamic IP changes

maynarja · Jan 27, 2007, 1:34 PM

Curious

pfSense is dynamic and intiates the VPN
PIX is Static

pfSense –----- INTERNET ------- PIX

If the IP changes does pfsense clear the ipsec connection and intiated a new one?

Why I am asking is once the IP changed the tunnel is broken which makes sense but it does not establish a new tunnel.

On the PIX it is indicating that esp payload is coming from the new dynamic IP but is being dropped.

Is the pfSense trying the establish the original tunnel and PIX sees that the remotes IP has changed so it denies the connection?

And is there a fix to implement on the pfSense side (preferrably) or if not then on the PIX side.
:-\

hoba · Jan 27, 2007, 6:51 PM

I think this is a problem on the pix. I have this scenario between seceral pfSense systems (dynamic to static) and the tunnel is reestablished just fine immediately.

maynarja · Jan 29, 2007, 3:13 PM

The tunnel will come up immediately if I reboot.

Is there a setting I can change on the pfSense to renegotiate the SAs after a denial from the other end?

Or any other setting that may help re-establishing the tunnel or recreating a new one with having to restart.

hoba · Jan 29, 2007, 3:46 PM

try "Prefer old IPsec SAs " from system>advanced and see if this has a positive effect on reestablishing the link.