Pfsense Ipsec connections to router with DynDNS address - DNS not resolving
-
I have an IPsec tunnel connected between two Pfsense routers/sites. These routers are only permanently accessible via DynDNS as the Upstream service on both has dynamic IP addressing. Therefore the site may be addressed by the form ipsec1.xxx.com with a Cloudflare Dyndns program running on the pfsense box maintaining the public ip address of the router with a proper CNAM DNS A record entry for the domain name "ipsec1.xxx.com". It all works fine until one of the ip addresses gets changed to a new one. All of the pfsense boxes with the Cloudflare DynDns app running update immediately to show the new IP address. DNS even resolves it properly. However, the IPsec Tunnel which uses the subdomain name ipsec1.xxx.com suddenly stops responding and will NOT resolve the new IP address.
Can anyone explain how to ensure the ipsec tunnels can maintain the proper ip address of the ipsec.xxx.com subdomain after an ip address change from the provider without having to manually reset them one by one with the actual IP address ? Everything in pfsense can resolve the new IP address without any difficulty except the active Ipsec tunnels.
thanks for any assistance on this matter. -
afaik when you enter a hostname in ipsec config it will be converted to an IP and that will be used.
the best solution would be to have at least one of the side with a static ip
maybe you can try to create a cron job to restart it -
I guess it could work, but I need an if then else type of cron job...if the tunnel goes down, restart, but I am not certain the DNS entry for the host name actually resolves in ipsec....
-
try
pfSsh.php playback restartipsec
and maybe you don't lose connectivity
or
pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
maybe you can build a script with the help of
ipsec status
-
@kiokoman Sounds like a good solution. I would still like to know where the ipsec app gets the IP address from when the FQDN dns is resolved. The Dyndns system (Cloudflare app) running inside pfsense is flawless and resloves instantly on all pfsense boxes involved in the ipsec routes/network. But as I mentioned when the Ip address changes, nothing is updated inside ipsec...
-
if you check with
cat /var/etc/ipsec/ipsec.conf
you will see that ipsec have converted your host name onto an ip
rightid = xxx.xxx.xxx.xxx
if your host name change ip, ipsec does not care because it's using the previusly resolved ip and not the hostname, so you need to restart it to let it know of the change
-
Not true.
right =
is the address being connected to/from
rightid =
is the identifier the other side is expected to presentIf an FQDN is used in the Remote Gateway of a connection, the FQDN is used as
right = that.fqdn.tld
Strongswan says this:
If an FQDN is assigned it is resolved every time a configuration lookup is done. If DNS resolution times out, the lookup is delayed for that time.
The rightid could be
pleasemakemyipsecwork
as long as both sides agree.In dyndns situations it is usually necessary to set a specific identifier in My identifier (usually something like the dyndns host name of that side) on the side or sides that are suffering with dynamic addressing with a matching Remote identifier on the other side.