Site-to-Site VPN: accept shared key for any IP



  • Hi

    Disclaimer: I know the setup is problematic, but I can't change it at this time.

    I have a 3rd party device behind NAT connecting to my pfSense instance for a site-to-site VPN.
    The public IP associated with that device keeps changing due to a flappy internet connection.
    Because the device is behind NAT it does not immediately update the DynDNS record.

    Knowing the security issues, how can I configure pfSense to accept an IPSec tunnel from any IP (if the peer identifier and of course the PreShared-Key matches)?
    At the moment pfSense doesn't find a matching key once the IP has changed (and the DynDNS record has not yet been updated).

    Thank you



  • Hi.

    You are requesting to configure a dynamic endpoint. You should be able to achieve this by using 0.0.0.0 as the IP of the remote endpoint. This should allow ANY remote IP to connect.

    Anyway, with this value the tunnel will only be able to be started from the remote side, because we (the local side) do not know where to talk to. The VPN will be down until traffic from the remote side fires the VPN up.

    Cheers.
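
    For readers who want to see what that GUI setting corresponds to underneath, here is the equivalent written in the syntax of strongSwan, the IKE daemon pfSense drives; it is an added illustration, not something posted in this thread, and all names, addresses and networks are constructed placeholders. The point it makes explicit is that once the remote address is a wildcard, the pre-shared key can only be selected by the peer's IKE identity, so the remote device must present a fixed, unique identifier and the local side stays a pure responder.

```conf
# Added example: strongSwan swanctl.conf equivalent of "Remote Gateway = 0.0.0.0".
# Constructed placeholders throughout; adapt identities, addresses and networks.
connections {
    site-b {
        version = 2
        # Accept IKE from any source address. The tunnel can then only be
        # initiated by the remote side; this end never knows where to send.
        remote_addrs = %any
        local_addrs  = 203.0.113.10
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = vpn-hq.example.net
        }
        remote {
            auth = psk
            # The PSK is looked up by this identity, not by source IP,
            # so the remote must always send exactly this IKE identifier.
            id = site-b.example.net
        }
        children {
            site-b-net {
                local_ts  = 10.10.0.0/24
                remote_ts = 10.20.0.0/24
                esp_proposals = aes256-sha256
                # Responder only: do not attempt to initiate toward an unknown peer.
                start_action = none
            }
        }
    }
}

secrets {
    ike-site-b {
        # Key is bound to the peer identity above, never to an address.
        id = site-b.example.net
        secret = "REPLACE-WITH-LONG-RANDOM-PSK"
    }
}
```

    With a wildcard peer address the identity becomes the only thing distinguishing this peer from anyone else on the Internet who knocks, which is why a long random PSK and a unique remote identifier matter more here than in a fixed-address tunnel.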



  • @mikee:

    Hi.

    You are requesting to configure a dynamic endpoint. You should be able to achieve this by using 0.0.0.0 as the IP of the remote endpoint. This should allow ANY remote IP to connect.

    Anyway, with this value the tunnel will only be able to be started from the remote side, because we (the local side) do not know where to talk to. The VPN will be down until traffic from the remote side fires the VPN up.

    Cheers.

    How could I miss that, thank you very much!

