Netgate Discussion Forum

    IKEv2 with NoIP DDNS

    IPsec
    • newparadigm

      Is it possible to configure an IKEv2 VPN with pfSense if I have a dynamic IP? I.e. can I bind the certificate to my domain name from NoIP?

      If this is possible, can someone point me towards a good step by step guide geared towards someone with intermediate level networking experience?

      • jimp Rebel Alliance Developer Netgate

        Probably not, since it requires the server certificate to include the IP address in a SAN entry. So unless you can generate a new server cert every time the WAN IP address changes, that is probably not going to be viable.

        • newparadigm

          SAN is subject alternative name, so you're saying that the primary 'subject' would be the dynamic DNS hostname, but the cert would need the actual IP as an 'alternative' for some reason? Does this just enable fallback if someone tries to VPN directly to the IP? Or is it required for the functionality, period?

          • luckman212 LAYER 8

            I came to ask the same thing.  I don't have a static IP but really wanted to try out IKEv2 and kept banging my head against the wall with the various guides and not getting anything to work.  Didn't realize having an IP in the SAN was required.

            So for us lowly dynamic guys what are the options for a VPN to our homelabs etc? Is OpenVPN the only way to go?

            • reinaldo.gomes

              I've managed to get this working, even though I'm not gonna use it anymore. I don't really have a dynamic IP, but a failover situation, in which it might swap between two different static IPs.

              So, I'm using a previously existent, publicly trusted cert from my company. It has no IPs set as SAN (only a wildcard as DNS name), and it has client/server authentication in its EKU.

              I've done so many things to make it work, that I might be forgetting something important, but I remember that importing the server cert into the "computer->personal" (don't ask me why) folder was key to make it work. Probably there's a better way of doing this. One thing though: I've been doing preliminary tests by switching the IP resolution directly in my hosts file. Didn't get to the point of using DDNS.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.