    Dynamic to dynamic IPsec VPN

    IPsec
riaano

Hi,

I need some help setting up an IPsec VPN between 2 dynamic DNS sites.
I know it's possible, because I have done it before, but for the life of me I can't redo it. (sad but true… :()
I have followed almost every tutorial I can lay my hands on....
It's between 2.0 beta 3 and 1.2.3.

Thanks
jimp (Rebel Alliance Developer, Netgate)

It works fine, if both firewalls have dynamic DNS hostnames. Just set up a normal IPsec tunnel and use the DynDNS hostname for the remote peer.
riaano

Thanks jimp,

eventually got it working :)

Now I have a further question: (don't know if I should start a new thread for this…)

I have 3 pfSense boxes and 3 DSL lines and 3 modems, all on the same subnet and IP range. Some of the machines on my network use no. 1 as gateway, some no. 2, etc. Now the remote side's machines can only see the machines on the local side that use the gateway on which the IPsec is set up.

Is there a way to put in a route / configuration so the remote clients can connect to all machines on my local LAN?

Thanks
jimp (Rebel Alliance Developer, Netgate)

Should really be in its own thread (but the real answer is that if you want traffic to go over IPsec, it must match a phase 2 entry, so make more that match the traffic you want to go over IPsec that doesn't go now).
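An added example (not from the thread or from pfSense) of the phase 2 matching jimp describes, in Python: a packet enters the tunnel only when some phase 2 entry's local/remote selectors cover it, and the peer must hold the mirrored entry or that phase 2 never negotiates. The subnets and entry names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry: the local and remote networks (traffic selectors) it protects."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

def p2(name: str, local: str, remote: str) -> Phase2:
    return Phase2(name, ipaddress.ip_network(local), ipaddress.ip_network(remote))

def matching_phase2(entries: Iterable[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """First entry whose selectors cover src -> dst; None means the packet never
    enters the tunnel (it follows the normal routing table instead)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e.local and d in e.remote:
            return e
    return None

def mirrored(entry: Phase2, peer_entries: Iterable[Phase2]) -> bool:
    """The peer must hold the same pair with local/remote swapped."""
    return any(p.local == entry.remote and p.remote == entry.local for p in peer_entries)

def tunnel_path(site_a: Iterable[Phase2], site_b: Iterable[Phase2], src: str, dst: str) -> str:
    """Describe what happens to a packet leaving site A for site B."""
    e = matching_phase2(site_a, src, dst)
    if e is None:
        return "no phase 2 on A covers this traffic: not tunneled"
    if not mirrored(e, site_b):
        return f"A's '{e.name}' has no mirror on B: phase 2 will not establish"
    return f"tunneled via '{e.name}'"

# Constructed sample: site A has two LAN ranges but only the first has a phase 2.
SITE_A = [p2("lan1-to-b", "192.168.1.0/24", "10.0.0.0/24")]
SITE_B = [p2("b-to-lan1", "10.0.0.0/24", "192.168.1.0/24")]

if __name__ == "__main__":
    print(tunnel_path(SITE_A, SITE_B, "192.168.1.10", "10.0.0.5"))  # tunneled
    print(tunnel_path(SITE_A, SITE_B, "192.168.2.10", "10.0.0.5"))  # not tunneled
    # The fix from the reply above: add a phase 2 for the second range, on BOTH sides.
    a = SITE_A + [p2("lan2-to-b", "192.168.2.0/24", "10.0.0.0/24")]
    print(tunnel_path(a, SITE_B, "192.168.2.10", "10.0.0.5"))       # no mirror on B yet
    b = SITE_B + [p2("b-to-lan2", "10.0.0.0/24", "192.168.2.0/24")]
    print(tunnel_path(a, b, "192.168.2.10", "10.0.0.5"))            # tunneled
```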
riaano

Hi jimp, thanks, I think I will start a new thread. There I will make a schematic of my setup.
micro3bsd

I have a similar problem with both dynamic IPs as gateways.
One is pfSense 2.0 and one is IPCop 1.4.21.

I don't know why some tutorials tell you to use an empty lifetime for phase 1 to work with IPCop.
But anyhow, it is better than not connecting at all, and I got the log below:

Oct 12 18:10:38 racoon: []: [113.252.123.75] INFO: Hashing 113.252.123.75[500] with algo #1
Oct 12 18:10:38 racoon: INFO: NAT-D payload #1 verified
Oct 12 18:10:38 racoon: INFO: NAT not detected
Oct 12 18:10:38 racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.
Oct 12 18:10:38 racoon: []: [113.252.123.75] ERROR: invalid ID payload.

It seems OK to match at least the hash/algo part, but then it fails before pre-shared key matching.
I put the two dyn-dns names in those gateway fields originally asking for IPs/hostname.
Is this OK? Or does it mean at least one side needs to have a fixed IP?

My previous experience is OpenVPN road warrior connecting to IPFire, and it works with both IPs dynamic.
Hit the wall for the first time with a site-to-site setup.
micro3bsd

It finally works as I want it to. I know why people keep trying for days. There are some key issues missing from the FAQ / docs / tutorials.

pfSense mobile IPsec VPN setup is somewhat like server and client, and it suggests using aggressive mode due to the unknown client IP. But some other docs said aggressive mode does some plaintext communication. I cannot totally understand it, but my settings below work in main mode:

IPCop settings toward the tutorial's server side. It doesn't matter that there is no separate setup page for mobile clients and pre-shared keys.

pfSense settings as client. PSK in the tunnel phase 1 page, that is sufficient.

IPCop's ID example is @domain; that is the key difference with pfSense, where it can be user-defined. However, in pfSense putting @domain with the type defined as dist. name simply cannot save settings. Username is OK, but racoon/pfSense is somewhat looking for IPs when in main mode. So a type defined as non-IP is somewhat broken there. It looks impossible to re-set up the IP/ID every time as it is dynamic. Finally, comparing IPCop with pfSense: the ID can be user-defined like shared keys. A fixed fake IP address there finally works.

Pluto/IPCop just sends the ID field no matter what's in it, but racoon needs an IP-like string no matter what type is defined in the setup page.

Some help on the web says pfSense needs another rule allowing * * for the IPsec tunnel, and IPCop automatically fixes the route table. I tried deleting that and it still works.
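An added example, not from the thread: a small Python triage of racoon log lines like the ones micro3bsd quoted, which records how far phase 1 got (peer address, NAT-D result) and picks out the identifier-type error behind the two posts above. With a pre-shared key in main mode the responder has to select the key by the peer's IP address before the encrypted ID payload can be read, which is why racoon rejects a User_FQDN identifier there; the log line format is an assumption based only on the lines shown.

```python
import re
from typing import Dict, List, Optional
# Log shape assumed from the lines in the post above:
#   "<Mon DD HH:MM:SS> racoon: [<phase1 name>]: [<peer>] LEVEL: message" (brackets optional)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+racoon:\s*"
    r"(?:\[(?P<name>[^\]]*)\]:\s*)?(?:\[(?P<peer>[^\]]+)\]\s*)?"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG):\s*(?P<msg>.*)$")
# racoon's main-mode identifier complaint, capturing the ID type the peer sent.
ID_TYPE_RE = re.compile(r"Expecting IP address type in main mode, but (?P<got>\w+)")

# The racoon lines quoted in the post above.
SAMPLE_LOG = [
    "Oct 12 18:10:38 racoon: []: [113.252.123.75] INFO: Hashing 113.252.123.75[500] with algo #1",
    "Oct 12 18:10:38 racoon: INFO: NAT-D payload #1 verified",
    "Oct 12 18:10:38 racoon: INFO: NAT not detected",
    "Oct 12 18:10:38 racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.",
    "Oct 12 18:10:38 racoon: []: [113.252.123.75] ERROR: invalid ID payload.",
]
def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None
def triage(lines: List[str]) -> Dict[str, object]:
    """Walk the lines in order; record how far phase 1 got and why it stopped."""
    report = {"peer": None, "nat_detected": None, "id_type_mismatch": None, "errors": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue                          # not a racoon line
        if rec["peer"]:
            report["peer"] = rec["peer"]
        msg = rec["msg"]
        if msg == "NAT not detected":         # NAT-D exchange completed, no NAT in path
            report["nat_detected"] = False
        if rec["level"] == "ERROR":
            report["errors"].append(msg)
            m = ID_TYPE_RE.search(msg)
            if m:                             # main mode + non-address ID: the thread's case
                report["id_type_mismatch"] = m.group("got")
    return report

def advice(report: Dict[str, object]) -> str:
    got = report["id_type_mismatch"]
    if got:
        return (f"phase 1 failed at the identity check: peer sent a {got} identifier, but "
                "main mode with a pre-shared key needs an IP-address identifier on both ends")
    if report["errors"]:
        return "phase 1 failed: " + "; ".join(report["errors"])
    return "no phase 1 error in these lines"
```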
