Static to dynamic



  • Hi all

    I have a pfSense 1.2 box at the main office with a static IP and I would like to connect remote offices that have ADSL lines with dynamic IPs.
    Remote offices are connected with Cisco 877 routers.
    Tunnels with the temporary IP (Cisco side) work.
    I noticed that I cannot use a dynamic DNS FQDN in the pfSense config.

    Is there some trick to solve this problem?
    Can I use the mobile client function to connect routers instead of single PCs?

    Thanks

    Giacomo



  • Until version 1.3, which supports dynamic DNS names in the IPsec setup, I do the following. I use a Dynamic DNS client on a server or client at the other end. In my description I put the Dynamic DNS name.

    I monitor the endpoint connections, and because the DSL connections seem to keep an IP address for several days, I then update any endpoints that have changed. The connection comes back up and I have no real issues with this solution.

    RC



  • @capitangiaco:

    Can I use the mobile client function to connect routers instead of single PCs?

    The static side with pfSense 1.2 and the mobile option enabled. The other side with a pfSense 1.2 could connect in aggressive mode to the static side. This works as it should. All clients behind the dynamic pfSense can connect to the other side.

    Regards
    heiko



  • @fastcon68:

    Until version 1.3, which supports dynamic DNS names in the IPsec setup, I do the following. I use a Dynamic DNS client on a server or client at the other end. In my description I put the Dynamic DNS name.

    I monitor the endpoint connections, and because the DSL connections seem to keep an IP address for several days, I then update any endpoints that have changed. The connection comes back up and I have no real issues with this solution.

    RC

    I upgraded to 1.3-alpha and now I can use a DynDNS hostname in the tunnel config, and with the DynDNS client installed on a PC behind the remote routers I refresh the IP.
    It is working.
    The only problem now is that the VPN comes up only when it is started from the remote site (dynamic IP, Cisco router).

    Thanks

    Giacomo



  • From the racoon logs I can see this warning:
    10-05-2008 12:15:38 System3.Info 192.168.1.254 Oct  5 12:16:07 racoon: WARNING: ignore RESPONDER-LIFETIME notification.

    When a remote peer changes IP, sometimes pfSense keeps the old Security Association and I must press Save in VPN -> IPsec.
    (The "Prefer older IPsec SAs" option is disabled.)

    Giacomo



  • 1.3 is an alpha release. It's not stable and not meant for production use. However, you may want to head over to the 1.3 forum and post this issue for help.



  • @phospher:

    1.3 is an alpha release. It's not stable and not meant for production use. However, you may want to head over to the 1.3 forum and post this issue for help.

    It isn't a version problem; that warning is a racoon-Cisco issue. I can see the 'racoon: WARNING: ignore RESPONDER-LIFETIME notification.' also in 1.2 logs,
    and please don't bore me with the "not stable" story… 1.3 is, at the moment, the only way to use IPsec dynamic peers.

    Giacomo



  • @capitangiaco:

    and please don't bore me with the "not stable" story… 1.3 is, at the moment, the only way to use IPsec dynamic peers.
    Giacomo

    Not true. 5 sites with dynamic IP only, site-to-site tunnels, pfS 1.2 with the help of a little custom script and cron job, uptime 7 months 20 days. So, it is possible but someone needs to put some extra effort to make it work.

    Sasa
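
    The "little custom script and cron job" approach mentioned in the reply above, written out as an added example; this is not the poster's script and not pfSense's own code. It assumes a hypothetical DDNS name, a static WAN address, a racoon.conf whose peer block begins `remote <ip> [500] {` and SPD entries of the form `esp/tunnel/<my-ip>-<peer-ip>`, and the paths shown; all of these are assumptions to adapt. It also flushes the SAs still bound to the old peer address with `setkey deleteall`, which addresses the stale-SA symptom reported earlier in this thread (pfSense keeping the old Security Association after the peer moved).

```shell
#!/bin/sh
# Added example (not pfSense's or the thread's own script): a cron job that keeps a
# racoon site-to-site tunnel pointed at a peer whose address is learned from
# dynamic DNS, and flushes the SAs that still reference the old address.
# Hostname, addresses and file paths below are assumptions for illustration.

PEER_FQDN="${PEER_FQDN:-remote-office.dyndns.example}"   # assumed DDNS name of the remote site
MY_IP="${MY_IP:-203.0.113.9}"                             # assumed static WAN address of this box
STATE_FILE="${STATE_FILE:-/var/db/ipsec-peer.ip}"        # cache of the peer IP last written
RACOON_CONF="${RACOON_CONF:-/var/etc/racoon.conf}"       # assumed racoon config path

# Resolve the DDNS name to one IPv4 address with host(1); prints nothing on failure.
resolve_peer() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Accept only a well-formed dotted quad. The value ends up in a config file and in
# a setkey command, so a DNS answer is never spliced in unchecked.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Exit 0 when the freshly resolved address differs from the cached one
# (or when nothing has been cached yet), exit 1 when it is unchanged.
peer_changed() {
    [ -r "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# Rewrite every occurrence of the old peer address on stdin to stdout: racoon's
# "remote <ip> [500]" line and the "esp/tunnel/<my>-<peer>" part of SPD entries.
# Matches are bounded by non-address characters, so 198.51.100.7 does not
# clobber 198.51.100.70.
repoint_config() {
    old=$(printf '%s' "$1" | sed 's/\./\\./g')
    new=$2
    sed -e "s/^${old}\([^0-9.]\)/${new}\1/" \
        -e "s/\([^0-9.]\)${old}\([^0-9.]\)/\1${new}\2/g" \
        -e "s/\([^0-9.]\)${old}\$/\1${new}/"
}

# Drop the SAs racoon negotiated with the old peer address, in both directions,
# so the kernel stops pushing traffic into a tunnel whose far end has moved.
flush_old_sas() {
    setkey -c <<EOF
deleteall $2 $1 esp;
deleteall $1 $2 esp;
EOF
}

main() {
    new_ip=$(resolve_peer "$PEER_FQDN")
    if ! is_ipv4 "$new_ip"; then
        logger -t ipsec-ddns "cannot resolve $PEER_FQDN; leaving the tunnel untouched"
        return 1
    fi
    peer_changed "$new_ip" "$STATE_FILE" || return 0
    old_ip=$(cat "$STATE_FILE" 2>/dev/null)
    if [ -n "$old_ip" ]; then
        tmp=$(mktemp "${RACOON_CONF}.XXXXXX") || return 1
        repoint_config "$old_ip" "$new_ip" < "$RACOON_CONF" > "$tmp" && mv "$tmp" "$RACOON_CONF"
        flush_old_sas "$old_ip" "$MY_IP"
        pkill -HUP racoon                     # racoon re-reads its configuration on SIGHUP
        logger -t ipsec-ddns "peer $PEER_FQDN moved $old_ip -> $new_ip"
    fi
    printf '%s\n' "$new_ip" > "$STATE_FILE"
}

# Only act when invoked with --run, so the functions can be sourced and tested
# without touching DNS or the kernel.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

    A cron entry such as `*/5 * * * * /usr/local/bin/ipsec-ddns.sh --run` (path assumed) polls the DDNS name; the script returns without side effects when the address is unchanged or cannot be resolved, and only rewrites the config, flushes the old SAs and signals racoon when a valid new address appears.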

