IPSec tunnel and dinamic IP
-
@EmL:
Its not impossible, some scripts when IP changes … somebody want's to implement such a feature in pfsense, but unfortunaly nobody replies:
http://forum.pfsense.org/index.php/topic,4670.0.htmlOk then! Let's find out can we do something with it. First thing first, lern about witch script is for starting/restarting/killing IPSec VPN… Maybe there is a chance, maybe not, but I like the chalenge.
I have Friend who is wiz with FreeBSD and I can ask him for some help. I am much beter with Linux.
-
I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?
require_once("config.inc"); require_once("functions.inc"); $conf = &$config['ipsec']['tunnel']; $newip = gethostbyname('my-dynamic-dns-host-name'); if( $conf[0]['remote-gateway'] != $newip ) { $conf[0]['remote-gateway'] = $newip; write_config(); vpn_ipsec_configure(); } ?> -
I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?
I will try it at my home pfS. But on question is unanswered, how to get this to work:
racoon: ERROR: getaddrinfo(viola,500): hostname nor servname provided, or not known
It is not resolving in the first place. I have found some point in orig script but …Sasa
-
I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?
I will try it at my home pfS. But on question is unanswered, how to get this to work:
racoon: ERROR: getaddrinfo(viola,500): hostname nor servname provided, or not known
It is not resolving in the first place. I have found some point in orig script but …Sasa
Can you ping the hostname of the server that you are trying to connect to?
If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID. -
Can you ping the hostname of the server that you are trying to connect to?
If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID.It is all OK with ping. And it is not problem with your script. It is not resolving remote-gateway in original IPSec script. When I put DynDNS name in tunnel config page it is showing only hostname without domain so if FQDN is viola.dyndns.org it shows only "getaddrinfo(viola,500)" . It is not resolving at all. I have found place in script where it should be but I didn't have time to try. If you wish we can move this conversation to e-mail.
-
Can you ping the hostname of the server that you are trying to connect to?
If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID.It is all OK with ping. And it is not problem with your script. It is not resolving remote-gateway in original IPSec script. When I put DynDNS name in tunnel config page it is showing only hostname without domain so if FQDN is viola.dyndns.org it shows only "getaddrinfo(viola,500)" . It is not resolving at all. I have found place in script where it should be but I didn't have time to try. If you wish we can move this conversation to e-mail.
The problem is that IPSEC does not support dns names when you set up tunnels. All my script does is to do a DNS lookup and update the remote host in the tunnel with ID=0 with the current ip of the remote host. So if the script worked you won't see the dns name in the pfsense web interface anymore, you will see the ip of the remote host.
Verify what your tunnel ID is and make sure that it matches what is in the script, also replace "my-dynamic-dns-host-name" with "viola.dyndns.org" (assuming that it is the correct dns name).
When you run php -q updateIPSEC.php (or whatever you saved the script as) it should update your tunnel with the current ip off the remote host. -
The problem is that IPSEC does not support dns names when you set up tunnels. All my script does is to do a DNS lookup and update the remote host in the tunnel with ID=0 with the current ip of the remote host. So if the script worked you won't see the dns name in the pfsense web interface anymore, you will see the ip of the remote host.
Verify what your tunnel ID is and make sure that it matches what is in the script, also replace "my-dynamic-dns-host-name" with "viola.dyndns.org" (assuming that it is the correct dns name).
When you run php -q updateIPSEC.php (or whatever you saved the script as) it should update your tunnel with the current ip off the remote host.Ok! I will try it tomorow morning.
-
I would love to know the status of this request? If this works I would love to implement it. I have serveral customers that have dynamic dns and would love to be able to setup up the this for them.
rc -
I would love to know the status of this request? If this works I would love to implement it. I have serveral customers that have dynamic dns and would love to be able to setup up the this for them.
rcScript is working good. Now whole idea nead some reworking. How to implement this for more than one tunnel, maybe some changes to IPSec seting page (check box for dynamic tunnel or different dynamic gateway input field) and some other question. Ideas?
Sasa
-
Script is working good. Now whole idea nead some reworking. How to implement this for more than one tunnel, maybe some changes to IPSec seting page (check box for dynamic tunnel or different dynamic gateway input field) and some other question. Ideas?
How about something like this:
/root/ipsecUpdate.phprequire_once("config.inc"); require_once("functions.inc"); $conf = &$config['ipsec']['tunnel']; $reload = 0; for ($i = 0; $i < count($conf); $i++) { if( $conf[$i]['remote-gateway-hostname'] <> "" ) { $newip = gethostbyname($conf[$i]['remote-gateway-hostname']); if( $conf[$i]['remote-gateway'] != $newip ) { $conf[$i]['remote-gateway'] = $newip; $reload = 1; } } } if( $reload == 1 ) { write_config(); vpn_ipsec_configure(); } ?>Edit /usr/local/www/vpn_ipsec_edit.php
After this line:
$pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway'];add
$pconfig['remotegwhost'] = $a_ipsec[$id]['remote-gateway-hostname'];Not 100% sure about this one, i'm making it up as i go :)
After this:if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']))) { if(is_domain($_POST['remotegw']) == false) $input_errors[] = "A valid remote gateway address must be specified."; }add
if (($_POST['remotegwhost'] && is_domain($_POST['remotegwhost']) == false)) { $input_errors[] = "A valid remote gateway hostname must be specified."; }Another one:
$ipsecent['remote-gateway'] = $_POST['remotegw'];Add
$ipsecent['remote-gateway-hostname'] = $_POST['remotegwhost'];This one needs more work but this will at least add a box to enter the information.
ChangeEnter the public IP address of the remote gatewayto
IP: And/or Hostname: -
I'm sure that there are several good reasons that IPSEC doesn't do this already so by doing something like this we are probably bypassing the security that the developers built in, but if you trust the DNS servers this should work for you.
Btw, the code came from pfSense-1.2-RC3 and it is untested so you may have to tweak it a little bit to get it to work. I'm still running my old code (see earlier in the thread), it works, no reason for me to change yet… :)
Also, dont forget to add this:
run "crontab -e" and add:
* * * * * /usr/local/bin/php -q /root/ipsecUpdate.php >> /dev/null -
If you can turn this into GUI code with a checkbox to enable dynamic ipsec, I will commit.
Send diff's to coreteam@pfsense.com
Thanks for your work so far!
-
If you can turn this into GUI code with a checkbox to enable dynamic ipsec, I will commit.
Send diff's to coreteam@pfsense.com
Thanks for your work so far!
I can do that, a couple of questions for you.
So from a pfsense project perspective the preferred look would be to add a checkbox next to the remote host textbox and when that is checked the input should be a hostname instead of a ip address.
Is a diff against 1.2-RC2 ok?
Any preference on where the cron job script should be stored and how to specify how i want it to run (say every 15 minutes)?
-
I can do that, a couple of questions for you.
So from a pfsense project perspective the preferred look would be to add a checkbox next to the remote host textbox and when that is checked the input should be a hostname instead of a ip address.
Is a diff against 1.2-RC2 ok?
Any preference on where the cron job script should be stored and how to specify how i want it to run (say every 15 minutes)?
#1 Yeah, a checkbox would be fine.
#2 I would prefer a diff against HEAD and RELENG1. This will not make it into 1.2 as we are frozen.
#3 Use minicron which is included. You can tell minicron to launch a script every X minutes. However, we should only launch this minicron process when we detect someone is using a dynamic hostname to avoid unnecessary process startups every 15 minutes when we do not need to. Also, a shell script to deterimine changes in the hostname would be ideal and only invoke php when absolutely needed but I would settle for either.Thanks for your help on this! This should be a great addition for folks.
-
#1 Yeah, a checkbox would be fine.
#2 I would prefer a diff against HEAD and RELENG1. This will not make it into 1.2 as we are frozen.
#3 Use minicron which is included. You can tell minicron to launch a script every X minutes. However, we should only launch this minicron process when we detect someone is using a dynamic hostname to avoid unnecessary process startups every 15 minutes when we do not need to. Also, a shell script to deterimine changes in the hostname would be ideal and only invoke php when absolutely needed but I would settle for either.Thanks for your help on this! This should be a great addition for folks.
Ah! I see movement. I am using script (simple one) for some time now and it is working OK.
This addition with web front end will be much better.Any new development?
Sasa
-
Dyanmic IPSEC support is already in -HEAD and RELENG_1_3; imported from m0n0wall recently.
-
Dyanmic IPSEC support is already in -HEAD and RELENG_1_3; imported from m0n0wall recently.
Cool, no need for the workaround then.
-
Dyanmic IPSEC support is already in -HEAD and RELENG_1_3; imported from m0n0wall recently.
Yupiiiii!!!
This is great news. No nead to write scripts for that any more then.TNX!
-
Dyanmic IPSEC support is already in -HEAD and RELENG_1_3; imported from m0n0wall recently.
And how can I download image with that modifications? I isn't at location usualy allowed to us mortals.
I know that it is in alpha stage (or near that) but I will like to play with. -
We currently do not have images for this. Expect to see some betas/alphas right after 1.2 is released.