Mobile Clients w/dynamic IP but FQDN

  • Greetings!

    I have a VPN router trying to connect to pfsense via IPSEC. The "client" has a dynamic IP but is registered with DDNS.

    a) I see that pfsense will not accept a FQDN in the main IPSEC area.

    b) I try to use the Mobile Client but it is not going through with the ID set to the client's FQDN.

    The VPN router the client is using does not seem to have anywhere to specify the ID and only supports PSK.

    I guess I am SOL?


    Jun 4 20:31:37 racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Jun 4 20:31:37 racoon: INFO: begin Identity Protection mode.
    Jun 4 20:31:37 racoon: WARNING: SPI size isn't zero, but IKE proposal.
    Jun 4 20:31:37 racoon: ERROR: couldn't find the pskey for x.x.x.x.
    Jun 4 20:31:37 racoon: ERROR: failed to process packet.
    Jun 4 20:31:37 racoon: ERROR: phase1 negotiation failed.
    Jun 4 20:32:27 racoon: ERROR: unknown Informational exchange received.
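
As an added example (not part of the original post), a small triage script for the racoon lines quoted above: it groups phase 1 messages by peer address and maps the "couldn't find the pskey" failure under Identity Protection (Main) mode to a cause code. The sample log is constructed from the post's lines with the x.x.x.x placeholders replaced by RFC 5737 documentation addresses; the "begin Aggressive mode" string is assumed to be racoon's wording for the aggressive-mode counterpart.

```python
import re

# Constructed sample: the racoon lines quoted above, x.x.x.x replaced by RFC 5737 addresses.
SAMPLE_LOG = """\
Jun 4 20:31:37 racoon: INFO: respond new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.7[500]
Jun 4 20:31:37 racoon: INFO: begin Identity Protection mode.
Jun 4 20:31:37 racoon: WARNING: SPI size isn't zero, but IKE proposal.
Jun 4 20:31:37 racoon: ERROR: couldn't find the pskey for 198.51.100.7.
Jun 4 20:31:37 racoon: ERROR: failed to process packet.
Jun 4 20:31:37 racoon: ERROR: phase1 negotiation failed.
Jun 4 20:32:27 racoon: ERROR: unknown Informational exchange received.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: \w+: (?P<msg>.*)$")
NEG_RE = re.compile(r"respond new phase 1 negotiation: [\d.]+\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")
PSK_RE = re.compile(r"couldn't find the pskey for [\d.]+")

def triage(log_text):
    """Group racoon phase 1 messages by peer: {peer_ip: {ts, mode, psk_missing, failed}}."""
    peers, cur = {}, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        n = NEG_RE.search(msg)
        if n:  # a new inbound phase 1 exchange; the following lines belong to it
            cur = peers[n.group("peer")] = {"ts": m.group("ts"), "mode": None,
                                            "psk_missing": False, "failed": False}
        elif cur is None:
            continue
        elif msg.startswith("begin Identity Protection mode"):  # racoon's name for Main Mode
            cur["mode"] = "main"
        elif msg.startswith("begin Aggressive mode"):  # assumed racoon wording
            cur["mode"] = "aggressive"
        elif PSK_RE.search(msg):
            cur["psk_missing"] = True
        elif msg.startswith("phase1 negotiation failed"):
            cur["failed"] = True
    return peers

def diagnose(entry):
    """Map one triaged phase 1 attempt to a short cause code."""
    if entry["psk_missing"] and entry["mode"] == "main":
        # With PSK in Main Mode the ID payload arrives encrypted, so the responder picks the
        # key by source address; a dynamic-address peer needs Aggressive Mode with an FQDN ID.
        return "psk-not-found-by-address-main-mode"
    if entry["psk_missing"]:
        return "psk-not-found-for-identifier"
    return "phase1-failed-other" if entry["failed"] else "phase1-ok"
```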

  • Ahhh, a bit of searching suggests that this must be aggressive mode to work. I will try that. It would be nice to see support for FQDN in non-mobile though!

  • I cannot get this working. I have tested some other VPN devices and they do accept the connections using the dynamic DNS FQDN. If I change the identifier to the IP that I know is currently correct the tunnel works. Any thoughts/ideas would be appreciated! Thanks!

  • I am not using pfsense at the remote ends… Using both DLINK and LINKSYS VPN devices, they have no option to specify an identifier. I guess that they are sending the current WAN IP and not the dynamic DNS FQDN... again, any advice appreciated!

  • I don't think that this will work if the other ends are not able to use other identifiers. An identifier is needed for authentication reasons. As the IPs of these ends are dynamic, it's pretty insecure to trust anyone without an identifier. Replace the other ends with pfSense and it will work. I use a similar setup at the office.

    Btw, this only applies to mobile endpoints. Tunnels to static endpoints with these devices will work (as you see if you set this up pseudo static which only will work until the IP changes).

  • Most VPN routers do allow the use of a FQDN to identify an endpoint. The domain would have to be hijacked + the key obtained. Is specifying an IP only and not FQDN a "feature" of pfsense security or just something that hasn't been implemented / considered for implementation? Fortunately my dynamic IPs stay until the modem is reset. I might just replace those devices with pfsense boxes anyway…
