Netgate Discussion Forum
    IPsec site to site dynamic peer address

    • smiky

      Hi guys ,

      I have one question. Is it possible to set up an IPsec VPN site to site when the peer gateway has a dynamic IP address?

      I don't want to use DDNS or anything else.

      Thx

      • muswellhillbilly

        No. Both endpoints should have static addresses, otherwise the tunnel will break when the peer's address changes.

        • HHR

          I thought exactly for that case there is DPD??? It's possible with other firewalls. Is it just not possible with pfSense?

          • muswellhillbilly

            From what I can see, DPD is for re-establishing a connection to a remote peer when the remote connection is lost. If the address of the remote connection changes then simply having the system re-try the link won't work unless you also change the remote IP address in the VPN tunnel config to match the newly assigned dynamic address.

            To the best of my knowledge, I know of no VPN/firewall system that can establish a permanent VPN tunnel across two sites where at least one external address is dynamic. You can establish a tunnel in the short-term, yes, but only for as long as both IPs remain unchanged at each end.

            • HHR

              I didn't read the "I don't want to use DDNS". Without DDNS it's of course not possible to establish a permanent tunnel with dynamic IPs.

              • corradolab

                Sorry to resurrect an old thread, but what the OP was asking has been available for a long time with other products.

                AFAIK these routers allow it:
                • the now defunct Snapgear/Cyberguard (using the same IPsec libraries pfSense 2.1 uses)
                • Fortinet
                • Cisco (see this 8-year-old paper http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/63876-pix-dyntostat-ipsec-nat.html)

                Always been curious to know why pfSense does not implement it.

                • dotdash

                  It's possible in Strongswan, that's how mobile IPSec works, but the GUI will not let you configure a dynamic endpoint. There is a feature request in to expose all the options Strongswan supports in the GUI, but there has been no comment or activity on the feature request. It can be done with a bit of hacking if you are willing to venture there.

                  • cmb

                    You can specify 0.0.0.0 as the remote, which translates to "any", and do that. It's always preferable to have a FQDN as the remote since either side can initiate in that case.

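What dotdash's "possible in strongSwan" and cmb's "0.0.0.0 as the remote" amount to, written out as a strongSwan swanctl.conf pair. This is an added example, not configuration from this thread, from pfSense, or from the strongSwan project, and the addresses, identities, subnets and the pre-shared key are placeholders I made up. The static site accepts the peer from any address and selects the connection by IKE identity; the dynamic site is the only one that ever initiates, which is exactly the limitation cmb mentions when the remote is "any" instead of an FQDN.

```conf
# ---- static site (responder only), e.g. public address 203.0.113.1 ----
# Added example; every address, identity, subnet and secret below is a placeholder.
connections {
    to-dynamic-site {
        version = 2                      # IKEv2: identity-based matching without IKEv1 aggressive mode
        local_addrs  = 203.0.113.1
        remote_addrs = %any              # accept the peer from any address (what pfSense's 0.0.0.0 means)
        local {
            auth = psk
            id = static.example.net
        }
        remote {
            auth = psk
            id = dynamic.example.net     # the peer is selected by its identity, not by where it connects from
        }
        dpd_delay = 30s                  # send DPD probes while the SA is idle
        children {
            lan-to-lan {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                start_action = none      # cannot initiate: the peer's current address is unknown
                dpd_action = clear       # on DPD timeout tear the SA down and wait for the peer to return
            }
        }
    }
}
secrets {
    ike-dynamic-site {
        id-a = static.example.net
        id-b = dynamic.example.net
        secret = "PLACEHOLDER_PSK_CHANGE_ME"
    }
}

# ---- dynamic site (always the initiator), address assigned by the ISP ----
connections {
    to-static-site {
        version = 2
        local_addrs  = %any              # our own address changes, so it is not pinned
        remote_addrs = 203.0.113.1       # static address of the peer (an FQDN works here too)
        local {
            auth = psk
            id = dynamic.example.net
        }
        remote {
            auth = psk
            id = static.example.net
        }
        dpd_delay = 30s
        children {
            lan-to-lan {
                local_ts  = 10.2.0.0/24
                remote_ts = 10.1.0.0/24
                start_action = start     # bring the tunnel up at load and keep it up
                dpd_action = restart     # re-initiate when the static side stops answering
            }
        }
    }
}
secrets {
    ike-static-site {
        id-a = dynamic.example.net
        id-b = static.example.net
        secret = "PLACEHOLDER_PSK_CHANGE_ME"
    }
}
```

Two points worth keeping in mind when using `%any` on the responder. First, the address check is gone, so the `remote.id` and the PSK (or certificate) are the only things deciding which host may bring this tunnel up; leave `remote.id` set rather than accepting any identity. Second, because the responder never initiates, traffic from the static LAN cannot trigger the tunnel on its own; the dynamic side's `start_action = start` together with `dpd_action = restart` is what re-establishes it after an address change, and IKEv2's MOBIKE (enabled by default in strongSwan) can carry an existing SA across the dynamic side's address change without a full renegotiation.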
                    • ZPrime

                      Yet ironically, some other vendors won't support FQDN on IPsec tunnels, even though they will support a dynamic endpoint. [glares at Palo Alto]

                      It's incredibly annoying as it means you are forced to run aggressive mode, which strongSwan doesn't like (for understandable reasons).

                      I can't wait until I can get my PAs on v7, which finally adds IKEv2.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.