Static to dynamic

Reply to Static to dynamic on Fri, 10 Oct 2008 12:43:08 GMT

ssbaksa — Fri, 10 Oct 2008 12:43:08 GMT

and please don't bore with the not stable story…. 1.3 is at the moment, the only way to use ipsec dynamic peers
Giacomo

Not true. 5 sites with dynamic IP only, site-to-site tunnels, pfS 1.2 with help of little custom script and crone job, up-time 7 months 20 days. So, it is possible but someone need to put some extra effort to make it work.

Sasa

Reply to Static to dynamic on Thu, 09 Oct 2008 00:08:36 GMT

capitangiaco — Thu, 09 Oct 2008 00:08:36 GMT

@phospher:

1.3 is alpha release. it's not stable and not meant for production use. however, you may want to head over to the 1.3 forum and post this issue for help.

isn't a version problem, that warning is a racoon-cisco issue, I can see the 'racoon: WARNING: ignore RESPONDER-LIFETIME notification.' also in 1.2 logs
and please don't bore with the not stable story…. 1.3 is at the moment, the only way to use ipsec dynamic peers

Giacomo

Reply to Static to dynamic on Wed, 08 Oct 2008 03:57:06 GMT

phospher — Wed, 08 Oct 2008 03:57:06 GMT

1.3 is alpha release. it's not stable and not meant for production use. however, you may want to head over to the 1.3 forum and post this issue for help.

Reply to Static to dynamic on Sun, 05 Oct 2008 10:54:00 GMT

capitangiaco — Sun, 05 Oct 2008 10:54:00 GMT

from racoon logs I can see this warning:
10-05-2008 12:15:38 System3.Info 192.168.1.254 Oct 5 12:16:07 racoon: WARNING: ignore RESPONDER-LIFETIME notification.

When a remote peer change ip, sometimes pfsense keep the old Security Association and I must press save in vpn -> ipsec.
(the Prefer older IPsec SAs is disabled)

Giacomo

Reply to Static to dynamic on Sun, 14 Sep 2008 12:58:42 GMT

capitangiaco — Sun, 14 Sep 2008 12:58:42 GMT

@fastcon68:

Until verison 1.3 that supports DYN names in the IPSEC setup I do the following. I use a Dynamic DNS client on a server or client at the other end. In my description I put the Dynamic DNS name.

I monitor the endpoint connections and because the dsl connections seems keep a IP address for several days. I then update any end points that have changed. The connection comes backup and I have no real issues with this solution.

RC

I upgraded to 1.3-alpha and now I can use dyndns hostname in the tunnel config, and with the dyndns client installed on a pc behind the remote routers I refresh the ip.
It is working.
The only problem now is that the vpn comes up only when It is started from the remote site (dynamic ip, cisco router).

thanks

Giacomo

Reply to Static to dynamic on Sat, 13 Sep 2008 20:26:37 GMT

heiko — Sat, 13 Sep 2008 20:26:37 GMT

@capitangiaco:

Can I use mobile client function to connect routers instead single pc ?

The static side with pfsense 1.2 and enabled mobile option. The other side with a pfsense 1.2 could connect in an aggressive to the static side. The works as it should. All Clients behind the dynamic pfsense can connect the other side.

Regards
heiko

Reply to Static to dynamic on Sat, 13 Sep 2008 15:39:25 GMT

fastcon68 — Sat, 13 Sep 2008 15:39:25 GMT

Until verison 1.3 that supports DYN names in the IPSEC setup I do the following. I use a Dynamic DNS client on a server or client at the other end. In my description I put the Dynamic DNS name.

I monitor the endpoint connections and because the dsl connections seems keep a IP address for several days. I then update any end points that have changed. The connection comes backup and I have no real issues with this solution.