Ping, from static endpoint to dynamic endpoint, doesn't wake up tunnel…

XZed · Aug 17, 2009, 10:42 PM

Hello,

For the first time, i'm setting up ipsec vpn between a static endpoint (pfsense) and some dynamic enpoints (netopia).

I tried many different settings but kept faced to the following problem :

When setting up a classic ipsec vpn (static to static), from any site, a simple ping wakes up the tunnel.

But, in this new setting :

if i ping, from the static side, a remote ip address (from the dynamic endpoint lan network) : nothing happens
if i ping, from the dynamic side, a remote ip address (from the static endpoint lan network) : the tunnel wakes up

i don't know how to correct this…

I use "user fqdn" for the dynamic endpoint and "my ip address" for the static endpoint...

Any idea ?

Thank you,

Sincerely,

jimp · Aug 17, 2009, 11:00 PM

Is this with a regular tunnel, or one setup as a Mobile Tunnel?

If it's a mobile tunnel, those cannot be woken up by the static side because they have no way to know what the IP address is for the dynamic endpoint.

If you are using pfSense 1.2.3, you can use dyndns to create a traditional static tunnel when one side has a dynamic IP.

XZed · Aug 18, 2009, 12:00 AM

As you supposed, it's a mobile tunnel.

I understand your explanation…it's obvious but was trying to find a solution : need to manage remote endpoint without waiting that someone, there, creates traffic in order to wake up the tunnel..

Thank you very much.

Sincerely,

jimp · Aug 18, 2009, 12:03 AM

Then you have two possibilities:

#1 Enable keep-alive on the far end (set an IP to ping in its tunnel definition) so that their tunnel is always up or trying to connect

#2 Use dyndns to turn this into a static tunnel and not a mobile tunnel

XZed · Aug 18, 2009, 1:14 AM

I always setup keep alive but, in this case (mobile tunnel), it doesn't help (obviously, i'm pinging from dynamic side to static side)…

But, i'm facing a problem type i already had and that only depends from "experience feedback" :

previously, i already had bugs with netopia/ipsec...

But, in my actual case, once more, something strange appears :

depending on the firmware/shared key lenght : the vpn tunnel will wake immediately alone...or not...

:-X ...going to bed lol...

Thank you,

Sincerely,