Dynamic DNS ON BOTH ENDPOINTS

linuxman

I want to setup an always up IPSEC tunnel between two PFSENSE gateways that have dynamic IP addresses (cable modem and dsl modem). I know that this can be easily done on IPCOP, however, PFSENSE seems to be light years ahead of IPCOP when it comes to configuration. Is PFSENSE capable of this natively?

Thanks,
Linuxman

linuxman

PS: The above scenario is very common to small-sized or mid-sized business environments.

Thanks in advance for your reply.

Linuxman

carboncopy

@linuxman:

I want to setup an always up IPSEC tunnel between two PFSENSE gateways that have dynamic IP addresses (cable modem and dsl modem). I know that this can be easily done on IPCOP, however, PFSENSE seems to be light years ahead of IPCOP when it comes to configuration. Is PFSENSE capable of this natively?

Thanks,
Linuxman

I also wondered this. However, as far as I know PF would require the IP address of the gateway/gateways. This would really be defeating the purpose of using of dynamic IP addresses in the IPsec config area. But I guess it depends on how tight you want to make your rules. In theory if your PF rules were less restrictive I think it could work. I haven't tested this theory myself, but I would like to try!

hoba

For your Information: this has been discussed at the Support ML: http://www.mail-archive.com/support@pfsense.com/msg03172.html

carboncopy

@hoba:

For your Information: this has been discussed at the Support ML: http://www.mail-archive.com/support@pfsense.com/msg03172.html

I don't sub to the ML. MLs seem old school… But thanks for the info.

rds_correia

OT
Well, sometimes you gotta go "old school" if you want to get something fixed.
See, there was an issue, it was reported both on the MLs and here @ the forum.
But it was the MLs that pushed sullrich enough for him to start working on a fix ;).
I don't mind MLs, but if you ask me, every major project should have a forum instead of an ML…
/OT
So, now the $1.000.000 question is, has this been fixed in 0.95Alphas or is it still being fixed?
Major kudos to the devs for taking care of this issue.
If only you could do the same with OpenVPN and the OPTs issue... ;)
Cheers

sullrich

Huh? I said don't depend on the issue being fixed anytime soon. Please reread the last post on the ML from me.

@rds_correia:

OT
Well, sometimes you gotta go "old school" if you want to get something fixed.
See, there was an issue, it was reported both on the MLs and here @ the forum.
But it was the MLs that pushed sullrich enough for him to start working on a fix ;).
I don't mind MLs, but if you ask me, every major project should have a forum instead of an ML…
/OT
So, now the $1.000.000 question is, has this been fixed in 0.95Alphas or is it still being fixed?
Major kudos to the devs for taking care of this issue.
If only you could do the same with OpenVPN and the OPTs issue... ;)
Cheers

rds_correia

As far as I'm aware, this is your last post.
@sullrich:

Wed, 23 Nov 2005 15:19:15 -0800

I will add a feature for it to automatically talk to the 2nd firewall
and for it to tell the 2nd to reload its ipsec configuration. This
will solve all these problems.

Only stipulation is that both endpoints will need to be pfSense, but
thats not really something I'm concerned with as you should only be
using pfSense :P

And here you don't actually say if the issue will be solved soon or not.
Or maybe I'm wrong and I didn't search the ML correctly?
Cheers

sullrich

Not sure. It will magically appear so don't depend on it as of yet./info@cilient.com /sullrich@gmail.com

rds_correia

What?
You mean you sent that but it doesn't show up on the ML archive?
That's why I'm not a fan of MLs ;D.
Cheers

sullrich

@rds_correia:

What?
You mean you sent that but it doesn't show up on the ML archive?
That's why I'm not a fan of MLs ;D.
Cheers

I don't know what to tell you. I can find any message I need in 2 seconds with my gmail account + the mailing list.

And for the record, I prefer mailing lists over forums. It cuts down on the BS.

rds_correia

@sullrich:

And for the record, I prefer mailing lists over forums. It cuts down on the BS.

There you have a point…
But I still prefer forums lol
Heck with so many posts you and I exchanged today I tell you what I prefer: SIP softphones.
But then there wouldn't be any BD with stored info.
But it sure would have made things easier today ;).
Cheers

sullrich

Yet another place we differ. I hate the phone.

:P

rds_correia

No, sir.
I'm not a big fan of phones.
But then we would have done this in 5 minutes instead of 2 hours ;).
BTW a bit of BS: where do I get that avatar of yours but bigger?
I simply love it :P
Cheers man

MrMoo

Does this mean IPSEC in pfSense has the same problem with DHCP IP address changes as m0n0wall?

i.e. if a dynamic endpoint has an IP address change it will not reconnect until the phase lifetime expires, or IPSEC is manually restarted.

This is why I use the ovpn builds in m0n0wall for OpenVPN support. I'm very tempted to change for Carp & IPSEC compression otherwise.

And if this is so can you slap it in big letters in the FAQ and elsewhere to make it more widely known.

dynamix

Quote from: sullrich
Wed, 23 Nov 2005 15:19:15 -0800

I will add a feature for it to automatically talk to the 2nd firewall
and for it to tell the 2nd to reload its ipsec configuration. This
will solve all these problems.

More than half of year has past since then; any progress on this, Sullrich?
All I want is the option ho have a Dynamic DNS address allowed in Remote Gateway field.
Automatic detection of address changes and remote party notification are improvements you cand develop later… :)
I don't mind to manualy reeestablish the connection.... for the beginning ;)

sullrich

No progress has been made. 1.0 is being released without this support.