IKEv2 with NoIP DDNS

  • Is it possible to configure an IKEv2 VPN with pfSense if I have a dynamic IP? I.e., can I bind the certificate to my domain name from NoIP?

    If this is possible, can someone point me towards a good step by step guide geared towards someone with intermediate level networking experience?

  • Rebel Alliance Developer Netgate

    Probably not, since it requires the server certificate to include the IP address in a SAN entry. So unless you can generate a new server cert every time the WAN IP address changes, that is probably not going to be viable.

  • SAN is subject alternative name, so you're saying that the primary 'subject' would be the dynamic DNS hostname, but the cert would need the actual IP as an 'alternative' for some reason? Does this just enable fallback if someone tries to VPN directly to the IP? Or is it required for the functionality, period?

  • I came to ask the same thing. I don't have a static IP but really wanted to try out IKEv2 and kept banging my head against the wall with the various guides and not getting anything to work. Didn't realize having an IP in the SAN was required.

    So for us lowly dynamic guys, what are the options for a VPN to our homelabs etc.? Is OpenVPN the only way to go?

  • I've managed to get this working, even though I'm not gonna use it anymore. I don't really have a dynamic IP, but a failover situation, in which it might swap between two different static IPs.

    So, I'm using a pre-existing, publicly trusted cert from my company. It has no IPs set as SAN (only a wildcard as DNS name), and it has client/server authentication in its EKU.

    I've done so many things to make it work that I might be forgetting something important, but I remember that importing the server cert into the "computer->personal" (don't ask me why) folder was key to making it work. Probably there's a better way of doing this. One thing though: I've been doing preliminary tests by switching the IP resolution directly in my hosts file. Didn't get to the point of using DDNS.
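Added example, not part of the thread and not pfSense's own tooling: a shell script that builds a private CA and an IKEv2 server certificate whose identity is a DDNS hostname carried as a DNS-only SAN, with serverAuth and clientAuth in the EKU, which is the shape of certificate the post above reports working. The hostname vpn.example.ddns.net, the CA name, and the working directory are placeholder assumptions. The script deliberately adds no IP SAN, so whether a particular client accepts the cert when connecting by hostname is exactly the open question in this thread; the checker functions only confirm what the generated cert contains.

```shell
#!/bin/sh
# Added example (not from the thread): CA + IKEv2 server cert with a DNS SAN.
# VPN_FQDN, the CA name and WORK are assumptions; adjust to your environment.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.example.ddns.net}"   # assumed DDNS hostname
WORK="${WORK:-$(mktemp -d)}"                   # scratch dir for keys/certs

# Self-signed CA that pfSense and the clients would both trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Homelab VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server cert: CN and SAN are the DDNS name, EKU carries both
# serverAuth and clientAuth, and no IP address SAN is included.
make_server_cert() {
  cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$VPN_FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$VPN_FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# 0 if the cert's SAN list contains DNS:<name>.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -Fq "DNS:$2"
}

# 0 if the cert's SAN list contains any IP Address entry.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text | grep -Fq "IP Address:"
}

# 0 if the cert's EKU lists the given usage (OpenSSL's text label).
cert_has_eku() {
  openssl x509 -in "$1" -noout -text | grep -Fq "$2"
}

# 0 if the server cert chains to the CA.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

main() {
  make_ca
  make_server_cert
  cert_has_dns_san "$WORK/server.crt" "$VPN_FQDN" && echo "DNS SAN present: $VPN_FQDN"
  cert_has_ip_san  "$WORK/server.crt" || echo "no IP SAN (by design)"
  cert_has_eku     "$WORK/server.crt" "TLS Web Client Authentication" && echo "clientAuth EKU present"
  verify_chain && echo "server cert chains to CA"
  echo "artifacts in $WORK"
}
main
```

Import ca.crt as a CA and server.crt/server.key as the server certificate on the pfSense side, and inspect the result with `openssl x509 -in server.crt -noout -text` to confirm the SAN and EKU lines before testing a client.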
