Netgate Discussion Forum

    Static to dynamic

    IPsec
    capitangiaco

      Hi all

      I have a pfSense 1.2 box at the main office with a static IP and I would like to connect remote offices that have ADSL lines with dynamic IPs.
      Remote offices are connected with Cisco 877 routers.
      Tunnels with the temporary IP (Cisco side) work.
      I noticed that I cannot use a dynamic DNS FQDN in the pfSense config.

      Is there some trick to solve this problem?
      Can I use the mobile client function to connect routers instead of a single PC?

      thanks

      Giacomo

      fastcon68

        Until version 1.3, which supports DYN names in the IPsec setup, I do the following. I use a Dynamic DNS client on a server or client at the other end. In my description I put the Dynamic DNS name.

        I monitor the endpoint connections, and because the DSL connections seem to keep an IP address for several days, I then update any endpoints that have changed. The connection comes back up and I have no real issues with this solution.

        RC

        heiko

          @capitangiaco:

          Can I use the mobile client function to connect routers instead of a single PC?

          The static side with pfSense 1.2 and the mobile option enabled. The other side, with a pfSense 1.2, could connect in aggressive mode to the static side. This works as it should. All clients behind the dynamic pfSense can connect to the other side.

          Regards
          heiko

          capitangiaco

            @fastcon68:

            Until version 1.3, which supports DYN names in the IPsec setup, I do the following. I use a Dynamic DNS client on a server or client at the other end. In my description I put the Dynamic DNS name.

            I monitor the endpoint connections, and because the DSL connections seem to keep an IP address for several days, I then update any endpoints that have changed. The connection comes back up and I have no real issues with this solution.

            RC

            I upgraded to 1.3-alpha and now I can use the DynDNS hostname in the tunnel config, and with the DynDNS client installed on a PC behind the remote routers I refresh the IP.
            It is working.
            The only problem now is that the VPN comes up only when it is started from the remote site (dynamic IP, Cisco router).

            thanks

            Giacomo

            capitangiaco

              From the racoon logs I can see this warning:
              10-05-2008 12:15:38 System3.Info 192.168.1.254 Oct  5 12:16:07 racoon: WARNING: ignore RESPONDER-LIFETIME notification.

              When a remote peer changes IP, sometimes pfSense keeps the old Security Association and I must press Save in VPN -> IPsec.
              (The "Prefer older IPsec SAs" option is disabled.)

              Giacomo

              phospher

                1.3 is an alpha release. It's not stable and not meant for production use. However, you may want to head over to the 1.3 forum and post this issue for help.

                capitangiaco

                  @phospher:

                  1.3 is an alpha release. It's not stable and not meant for production use. However, you may want to head over to the 1.3 forum and post this issue for help.

                  It isn't a version problem; that warning is a racoon-Cisco issue. I can see 'racoon: WARNING: ignore RESPONDER-LIFETIME notification.' also in the 1.2 logs.
                  And please don't bore me with the not-stable story.... 1.3 is, at the moment, the only way to use IPsec dynamic peers.

                  Giacomo

                  ssbaksa

                    @capitangiaco:

                    And please don't bore me with the not-stable story.... 1.3 is, at the moment, the only way to use IPsec dynamic peers.
                    Giacomo

                    Not true. 5 sites with dynamic IP only, site-to-site tunnels, pfS 1.2 with the help of a little custom script and a cron job, up-time 7 months 20 days. So, it is possible, but someone needs to put in some extra effort to make it work.

                    Sasa

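The approach fastcon68 and Sasa describe, watching a peer's dynamic-DNS address from cron and renegotiating only when it actually changes, written out as an added example; this is not a script from the thread or from pfSense. The peer name, state directory and reload command are hypothetical placeholders, and `host` is assumed to be available on the FreeBSD-based firewall.

```sh
#!/bin/sh
# Added example: cron-driven watcher for a dynamic-DNS IPsec peer.
# When the resolved address differs from the one recorded last time,
# flush the stale Security Associations so the tunnel is renegotiated
# against the peer's new address instead of its old one.

PEER_FQDN="${PEER_FQDN:-remote-office.example.invalid}"   # placeholder
STATE_DIR="${STATE_DIR:-/var/db/ddns-peers}"              # placeholder
RELOAD_CMD="${RELOAD_CMD:-/sbin/setkey -F}"               # placeholder reload

# Resolve a name to a single IPv4 address; prints nothing on failure.
resolve_peer() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# Accept only a valid dotted quad, so a resolver error or an empty
# answer can never be written into the peer record or the config.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# peer_changed NAME NEW_IP: compare against the recorded address and
# update the record. Returns 0 if the peer moved, 1 if unchanged/invalid.
peer_changed() {
    name=$(printf '%s' "$1" | sed 's/[^A-Za-z0-9.-]/_/g')   # safe filename
    new_ip=$2
    is_ipv4 "$new_ip" || return 1
    state="$STATE_DIR/$name"
    old_ip=$(cat "$state" 2>/dev/null || true)
    [ "$old_ip" = "$new_ip" ] && return 1
    mkdir -p "$STATE_DIR" && printf '%s\n' "$new_ip" > "$state"
    return 0
}

main() {
    ip=$(resolve_peer "$PEER_FQDN")
    if peer_changed "$PEER_FQDN" "$ip"; then
        logger -t ddns-peer "peer $PEER_FQDN moved to $ip; flushing stale SAs"
        $RELOAD_CMD
    fi
}

[ "${NO_MAIN:-}" ] || main "$@"
```

Run it from cron every few minutes; the address record means the flush only happens on a real change, not on every poll.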
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.