Netgate Discussion Forum

    Mobile Clients w/dynamic IP but FQDN

cheech:

Greetings!

I have a VPN router trying to connect to pfSense via IPsec. The "client" has a dynamic IP but is registered with DDNS.

a) I see that pfSense will not accept a FQDN in the main IPsec area.

b) I try to use the Mobile Client but it is not going through with the ID set to the client's FQDN.

The VPN router the client is using does not seem to have anywhere to specify the ID and only supports PSK.

I guess I am SOL?

Thanks!

Jun 4 20:31:37 racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Jun 4 20:31:37 racoon: INFO: begin Identity Protection mode.
Jun 4 20:31:37 racoon: WARNING: SPI size isn't zero, but IKE proposal.
Jun 4 20:31:37 racoon: ERROR: couldn't find the pskey for x.x.x.x.
Jun 4 20:31:37 racoon: ERROR: failed to process packet.
Jun 4 20:31:37 racoon: ERROR: phase1 negotiation failed.
Jun 4 20:32:27 racoon: ERROR: unknown Informational exchange received.
cheech:

Ahhh, a bit of searching suggests that this must be aggressive mode to work. I will try that. It would be nice to see support for FQDN in non-mobile though!
cheech:

I cannot get this working. I have tested some other VPN devices and they do accept the connections using the dynamic DNS FQDN. If I change the identifier to the IP that I know is currently correct, the tunnel works. Any thoughts/ideas would be appreciated! Thanks!
cheech:

I am not using pfSense at the remote ends… Using both D-Link and Linksys VPN devices, they have no option to specify an identifier. I guess that they are sending the current WAN IP and not the dynamic DNS FQDN... again, any advice appreciated!
hoba:

I don't think that this will work if the other ends are not able to use other identifiers. An identifier is needed for authentication reasons. As the IPs of these ends are dynamic, it's pretty insecure to trust anyone without an identifier. Replace the other ends with pfSense and it will work. I use a similar setup at the office.

Btw, this only applies to mobile endpoints. Tunnels to static endpoints with these devices will work (as you see if you set this up pseudo-static, which only will work until the IP changes).
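Added illustration, not code from this thread or from pfSense/racoon: a small Python model of how an IKEv1 responder has to pick the pre-shared key in main mode versus aggressive mode, which is why the FQDN identifier from the second post only helps when the peer can actually send it, and why a router that only presents its WAN IP (the D-Link/Linksys case) still fails. The PSK table, addresses and nonces are constructed.

```python
import hashlib
import hmac

# Constructed PSK table standing in for the responder's pre-shared keys,
# each keyed by the identifier the peer is expected to present.
PSK_TABLE = {
    "203.0.113.10": b"static-site-secret",    # static-IP peer, ID = its address
    "branch.example.net": b"branch-secret",   # DDNS peer, ID = its FQDN
}


def select_psk(mode, peer_ip, peer_id):
    """Pick the PSK the responder can use before any keys are derived.

    main mode: the ID payload arrives encrypted (message 5); decrypting it
      needs SKEYID, which needs the PSK, so only the packet's source IP is
      available for the lookup (this is the "couldn't find the pskey for
      x.x.x.x" path in the racoon log above).
    aggressive mode: the ID payload is sent in the clear in message 1, so
      the lookup can use the FQDN the peer presents.
    """
    if mode == "main":
        return PSK_TABLE.get(peer_ip)
    if mode == "aggressive":
        return PSK_TABLE.get(peer_id)
    raise ValueError(f"unknown IKEv1 mode: {mode}")


def skeyid(psk, ni, nr):
    """RFC 2409 section 5.4, PSK authentication: SKEYID = prf(psk, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def responder_phase1(mode, peer_ip, peer_id, ni, nr):
    """Return the derived SKEYID as hex, or the racoon-style failure text."""
    psk = select_psk(mode, peer_ip, peer_id)
    if psk is None:
        return f"couldn't find the pskey for {peer_ip}"
    return skeyid(psk, ni, nr).hex()


if __name__ == "__main__":
    # Constructed nonces and a dynamic-IP peer whose DDNS name is branch.example.net.
    ni, nr = b"initiator-nonce", b"responder-nonce"
    dyn_ip = "198.51.100.77"
    print("main, FQDN peer:      ", responder_phase1("main", dyn_ip, "branch.example.net", ni, nr))
    print("aggressive, FQDN peer:", responder_phase1("aggressive", dyn_ip, "branch.example.net", ni, nr))
    # A router that can only send its WAN address as its ID fails either way.
    print("aggressive, IP as ID: ", responder_phase1("aggressive", dyn_ip, dyn_ip, ni, nr))
```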
cheech:

Most VPN routers do allow the use of a FQDN to identify an endpoint. The domain would have to be hijacked + the key obtained. Is specifying an IP only and not FQDN a "feature" of pfSense security, or just something that hasn't been implemented / considered for implementation? Fortunately my dynamic IPs stay until the modem is reset. I might just replace those devices with pfSense boxes anyway…
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.