Dynamic IP changes

  • Curious

    pfSense is dynamic and initiates the VPN
    PIX is Static

    pfSense ------- INTERNET ------- PIX

    If the IP changes, does pfSense clear the IPsec connection and initiate a new one?

    Why I am asking is once the IP changed the tunnel is broken which makes sense but it does not establish a new tunnel.

    On the PIX it is indicating that ESP payload is coming from the new dynamic IP but is being dropped.

    Is the pfSense trying to establish the original tunnel and PIX sees that the remote's IP has changed so it denies the connection?

    And is there a fix to implement on the pfSense side (preferably) or if not then on the PIX side?

  • I think this is a problem on the PIX. I have this scenario between several pfSense systems (dynamic to static) and the tunnel is reestablished just fine immediately.

  • The tunnel will come up immediately if I reboot.

    Is there a setting I can change on the pfSense to renegotiate the SAs after a denial from the other end?

    Or any other setting that may help re-establishing the tunnel or recreating a new one with having to restart.

  • Try "Prefer old IPsec SAs" from System > Advanced and see if this has a positive effect on reestablishing the link.

