Tunnel between two dynamic sites



  • Is there any way to set up an IPSEC tunnel between two sites with dynamic IPs (ADSL PPPoE on WAN) using pfSense 1.2.3 RC3?



  • You could try DynDNS - http://www.dyndns.com/

    Then you just set the vpn endpoint to the DNS name and the DNS is updated dynamically. I haven't tried it so I can't confirm if it works in this situation though.



  • Well of course I understand that, but I have read somewhere that pfSense doesn't support IPSEC VPN tunnels between 2 sites with dynamic addresses. Is this true?



  • Here is copy & paste of VPN Remote Gateway field explanation from official pfSense documentation:

    "Remote Gateway: This is the IP Address for the router to which the tunnel will be established. This is most likely the WAN IP of the remote system. As of pfSense 1.2.3, a hostname may also be used in this field. By entering a dyndns hostname, a tunnel can be defined between two systems that both have dynamic IPs."

    I haven't tried it personally, but it is clearly stated that it is possible. If someone has tried it, it'll be good to share the experience.


  • Rebel Alliance Developer Netgate

    Using a dyndns hostname for IPsec works great. I haven't used it on both ends but I use it for client sites all the time. If it works for one, it'll work for both.



  • I found this post: http://forum.pfsense.org/index.php/topic,2841.0.html

    (Re: Connecting to Remote (Dynamic IP Address) Gateway
    « Reply #1 on: November 20, 2006, 02:38:48 am »

    ------------------------------------------------------------------------------

    You need a static IP address at least at one location. I have a setup between 12 locations where only one location has a static IP. See http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ for a howto. OpenVPN should work between dynamic endpoints afaik. You might consider using this then instead of IPSEC (see http://pfsense.com/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf ).

    I think I saw some explanation in the documentation in the section "limitation", but I can't find it anymore.
    And it seems that this is still a problem because I still can't get it to work. Is there anyone who has managed to get it working?



  • pppoe DSL connections tend to change IPs daily.  If you have that situation on both ends, I don't think you will be happy with the reliability of either IPsec or OpenVPN.  With one end static and the remote end DHCP, I have found OpenVPN site-site to be very reliable. Much more reliable than IPsec under the same conditions.  I have not tried OpenVPN site-site with unstable IPs on both ends but I'm guessing that will have reliability problems as well.  If for no other reason than the time it takes to propagate dynamic DNS changes.

    Roy…


  • Rebel Alliance Developer Netgate

    @Piplfox:

    I found this post: http://forum.pfsense.org/index.php/topic,2841.0.html
    [snip]
    I think I saw some explanation in the documentation in the section "limitation", but I can't find it anymore.
    And it seems that this is still a problem because I still can't get it to work. Is there anyone who has managed to get it working?

    It works now. That is a very old post. It was fixed in 1.2.3. You do not use mobile tunnels, just a normal site-to-site IPsec tunnel. You just put in the dyndns hostname for the peer address on both ends. If that doesn't work, make sure both sites are actually updating dyndns like they should.
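    As an added example (not code from the thread or from pfSense), here is a small check for the last point above: it resolves each site's DynDNS hostname and compares the record with the WAN address that site currently holds, flagging records that do not resolve, that are stale, or that hold an RFC 1918 address (a DDNS client updating from the wrong interface). The hostnames, addresses and the injectable resolver are constructed so it runs offline.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed hostnames and current WAN addresses (not real sites).
SITES: Dict[str, Tuple[str, str]] = {
    "site-a": ("site-a.example.dyndns.test", "198.51.100.10"),
    "site-b": ("site-b.example.dyndns.test", "203.0.113.25"),
}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class PeerStatus:
    hostname: str
    wan_ip: str             # address the WAN interface currently holds
    dns_ip: Optional[str]   # what the DynDNS record currently says
    problem: Optional[str]  # None when the record is usable as an IPsec peer

def live_resolver(hostname: str) -> Optional[str]:
    """Resolve an A record with the system resolver; None if lookup fails."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None

def check_peer(hostname: str, wan_ip: str,
               resolver: Callable[[str], Optional[str]] = live_resolver) -> PeerStatus:
    dns_ip = resolver(hostname)
    if dns_ip is None:
        problem = "hostname does not resolve"
    elif any(ipaddress.ip_address(dns_ip) in net for net in RFC1918):
        problem = "record holds a private address (DDNS client on wrong interface?)"
    elif dns_ip != wan_ip:
        problem = "record is stale: DDNS has not caught up with the current WAN IP"
    else:
        problem = None
    return PeerStatus(hostname, wan_ip, dns_ip, problem)

def check_tunnel(sites, resolver=live_resolver) -> Dict[str, PeerStatus]:
    """Check both ends; the tunnel can only come up when neither has a problem."""
    return {name: check_peer(host, ip, resolver) for name, (host, ip) in sites.items()}

if __name__ == "__main__":
    # Constructed stand-in for DNS: site-b's record has not been updated yet.
    fake_dns = {"site-a.example.dyndns.test": "198.51.100.10",
                "site-b.example.dyndns.test": "203.0.113.7"}
    for name, status in check_tunnel(SITES, fake_dns.get).items():
        print(name, status.dns_ip, status.problem or "OK")
```

    Run it on each firewall (or from any host that can see the public DNS) after a PPPoE reconnect; with the live resolver the dictionary lookup in the demo is simply replaced by real DNS.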



  • Thx guys, I'll give it a shot with IPSec and post the results.



  • I can confirm that an IPsec tunnel between two dynamic sites works very well, using pfSense 1.2.3 and DynDNS. There is no outage on PPPoE IP address change, and the DynDNS record updates 20 sec after the IP address change.

    The only weird thing I have found out is that you can not choose "Dynamic DNS" as "My identifier" in the tunnel configuration; you have to choose the "Domain name" option.


  • Rebel Alliance Developer Netgate

    I believe you can leave the "my identifier" setting on "my IP address" since that does get updated on both sides from DNS also.



  • Here's my working config:

    local subnet is the local subnet on the fw you're on
    remote is the subnet you want to access at the other end
    for remote gateway put in a ddns
    identifier is my IP address, leave blank
    do a pre-shared key, must be the same on both fw's
    keep alive - set this to the fw at the other end
    all other options: set them the same at both ends

