Static to dynamic
-
Hi all
I have a pfSense 1.2 box at the main office with a static IP and I would like to connect remote offices that have ADSL lines with dynamic IPs.
Remote offices are connected with Cisco 877 routers.
Tunnels with the temporary IP (Cisco side) work.
I noticed that I cannot use a dynamic DNS FQDN in the pfSense config. Is there some trick to solve this problem?
Can I use the mobile client function to connect routers instead of a single PC?
thanks
Giacomo
-
Until version 1.3, which supports DYN names in the IPSEC setup, I do the following. I use a Dynamic DNS client on a server or client at the other end. In my description I put the Dynamic DNS name.
I monitor the endpoint connections, and because the DSL connections seem to keep an IP address for several days, I then update any endpoints that have changed. The connection comes back up and I have no real issues with this solution.
RC
-
> Can I use the mobile client function to connect routers instead of a single PC?

The static side is pfSense 1.2 with the mobile option enabled. The other side, with a pfSense 1.2, could connect in aggressive mode to the static side. This works as it should. All clients behind the dynamic pfSense can connect to the other side.
Regards
heiko
-
> Until version 1.3, which supports DYN names in the IPSEC setup, I do the following. I use a Dynamic DNS client on a server or client at the other end. In my description I put the Dynamic DNS name.
> I monitor the endpoint connections, and because the DSL connections seem to keep an IP address for several days, I then update any endpoints that have changed. The connection comes back up and I have no real issues with this solution.
> RC

I upgraded to 1.3-alpha and now I can use a dyndns hostname in the tunnel config, and with the dyndns client installed on a PC behind the remote routers I refresh the IP.
It is working.
The only problem now is that the VPN comes up only when it is started from the remote site (dynamic IP, Cisco router).
thanks
Giacomo
-
From the racoon logs I can see this warning:
10-05-2008 12:15:38 System3.Info 192.168.1.254 Oct 5 12:16:07 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
When a remote peer changes IP, pfSense sometimes keeps the old Security Association and I must press Save in VPN -> IPsec.
(the "Prefer older IPsec SAs" option is disabled)
Giacomo
-
1.3 is an alpha release. It's not stable and not meant for production use. However, you may want to head over to the 1.3 forum and post this issue for help.
-
> 1.3 is an alpha release. It's not stable and not meant for production use. However, you may want to head over to the 1.3 forum and post this issue for help.

It isn't a version problem; that warning is a racoon-Cisco issue. I can see the 'racoon: WARNING: ignore RESPONDER-LIFETIME notification.' in the 1.2 logs as well,
and please don't bore with the not stable story… 1.3 is, at the moment, the only way to use IPsec dynamic peers.
Giacomo
-
> and please don't bore with the not stable story… 1.3 is, at the moment, the only way to use IPsec dynamic peers.
> Giacomo

Not true. 5 sites with dynamic IP only, site-to-site tunnels, pfS 1.2 with the help of a little custom script and cron job, up-time 7 months 20 days. So, it is possible, but someone needs to put some extra effort to make it work.
Sasa
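
The monitoring step in RC's workaround and the script-plus-cron approach Sasa mentions both start with one check: has a peer's dynamic DNS name moved away from the gateway IP configured for its tunnel? The following is an added example, not code from any poster in this thread; the hostnames, addresses and function names are constructed assumptions, and writing the new IP into the firewall is deliberately left out because the thread does not show how it was done.

```python
import ipaddress
import socket

# Constructed sample: peer DDNS name (kept in the tunnel description, as RC
# does) -> remote gateway currently configured. Documentation-range values.
CONFIGURED = {
    "office-a.dyndns.example": "198.51.100.10",
    "office-b.dyndns.example": "198.51.100.20",
    "office-c.dyndns.example": "198.51.100.30",
}
# Constructed resolver answers for the demo run (no network needed).
SAMPLE_ANSWERS = {
    "office-a.dyndns.example": "198.51.100.10",   # unchanged
    "office-b.dyndns.example": "203.0.113.77",    # ADSL line got a new lease
    "office-c.dyndns.example": "192.168.1.254",   # bogus record: private IP
}
# Ranges that can never be a remote office's public ADSL address.
NOT_A_PEER = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def resolve_ipv4(name):
    """Real lookup for production use; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def usable_gateway(addr):
    """True only for a valid IPv4 address outside the blocked ranges."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NOT_A_PEER)

def find_changed_peers(configured, resolver=resolve_ipv4):
    """Return (changed, skipped): changed maps name -> (old_ip, new_ip);
    skipped maps name -> the rejected answer (None if lookup failed)."""
    changed, skipped = {}, {}
    for name, old_ip in configured.items():
        new_ip = resolver(name)
        if new_ip is None or not usable_gateway(new_ip):
            skipped[name] = new_ip        # keep the old endpoint, raise an alert
        elif new_ip != old_ip:
            changed[name] = (old_ip, new_ip)
    return changed, skipped

if __name__ == "__main__":
    print(find_changed_peers(CONFIGURED, SAMPLE_ANSWERS.get))
```

Because the tunnel endpoint then follows whatever the DNS record says, a failed lookup or an answer in a private or reserved range leaves the existing gateway in place and is reported separately instead of being applied.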