Dynamic to dynamic IPsec VPN

  • Hi,

    I need some help setting up an IPsec VPN between 2 dynamic DNS sites.
    I know it's possible, because I have done it before, but for the life of me I can't redo it. (sad but true… :()
    I have followed almost every tutorial I can lay my hands on....
    It's between 2.0 beta 3 and 1.2.3.


  • Rebel Alliance Developer Netgate

    It works fine, if both firewalls have dynamic DNS hostnames. Just setup a normal IPsec tunnel and use the dyndns hostname for the remote peer.

  • Thanks jimp,

    Eventually got it working :)

    Now I have a further question: (don't know if I should start a new thread for this…)

    I have 3 pfSense boxes and 3 DSL lines and 3 modems, all on the same subnet and IP range. Some of the machines on my network use no. 1 as gateway, some no. 2, etc. Now the remote side's machines can only see the machines on the local side that use the gateway on which the IPsec is set up.

    Is there a way to put in a route / configuration so the remote clients can connect to all machines on my local LAN?


  • Rebel Alliance Developer Netgate

    Should really be in its own thread (but the real answer is that if you want traffic to go over IPsec, it must match a phase 2 entry, so make more that match the traffic you want to go over IPsec that doesn't go now)
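
The rule in the reply above (traffic only goes over IPsec when it matches a phase 2 entry) can be checked offline. The following is an added example, not code from the thread or from pfSense: it models phase 2 entries as (local subnet, remote subnet) selector pairs, looks each flow up the way an SPD lookup would, and lists the flows that no entry covers. All addresses are constructed, and the helper names are mine. It only checks selector matching; a host whose default gateway is a different box never hands its packets to this firewall in the first place, so that part of the setup still has to be solved with routing.

```python
import ipaddress

# Constructed phase 2 entries (local subnet, remote subnet); not taken from the thread.
PHASE2 = [("192.168.1.0/24", "10.20.0.0/24")]

def to_net(cidr):
    """Parse a CIDR string; strict=False tolerates host bits being set."""
    return ipaddress.ip_network(cidr, strict=False)

def matching_phase2(src, dst, phase2=PHASE2):
    """Return the first (local, remote) pair whose selectors cover src -> dst, else None.

    This mirrors the kernel SPD lookup: only a packet that hits a selector is encapsulated;
    everything else is routed in the clear as if the tunnel did not exist.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in phase2:
        if s in to_net(local) and d in to_net(remote):
            return (local, remote)
    return None

def uncovered_flows(flows, phase2=PHASE2):
    """Given (src, dst) flows that should cross the tunnel, return those no phase 2 entry matches."""
    return [f for f in flows if matching_phase2(*f, phase2=phase2) is None]

if __name__ == "__main__":
    wanted = [("192.168.1.10", "10.20.0.5"), ("192.168.2.10", "10.20.0.5")]
    print("uncovered with one phase 2:", uncovered_flows(wanted))
    # Adding a second phase 2 for the other local subnet makes both flows eligible.
    extended = PHASE2 + [("192.168.2.0/24", "10.20.0.0/24")]
    print("uncovered with two phase 2:", uncovered_flows(wanted, extended))
```

Running it shows the second flow as uncovered until a phase 2 entry for 192.168.2.0/24 is added, which is exactly the "make more that match the traffic" advice above.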

  • Hi jimp, thanks, I think I will start a new thread. There I'll make a schematic of my setup.

  • I have a similar problem with both gateways on dynamic IPs.
    One is pfSense 2.0 and one is IPCop 1.4.21.

    I don't know why some tutorials tell you to use an empty lifetime for phase 1 to work with IPCop.
    But anyhow, it is better than not connecting at all, and I got the log below:

    Oct 12 18:10:38 racoon: []: [] INFO: Hashing[500] with algo #1
    Oct 12 18:10:38 racoon: INFO: NAT-D payload #1 verified
    Oct 12 18:10:38 racoon: INFO: NAT not detected
    Oct 12 18:10:38 racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.
    Oct 12 18:10:38 racoon: []: [] ERROR: invalid ID payload.

    It seems ok to match at least the hash/algo part, but then it fails before pre-shared key matching.
    I put the two dyn-DNS names in those gateway fields that originally ask for IPs/hostname.
    Is this ok? Or does it mean at least one side needs to have a fixed IP?

    My previous experience is an OpenVPN road warrior connecting to IPFire, and it works with dynamic IPs on both sides.
    Hit the wall for the first time with a site-to-site setup.

  • It finally works as I want it to. I know why people keep trying for days: there are some key issues missing from the FAQ / docs / tutorials.

    pfSense mobile IPsec VPN setup is somewhat like server and client, and it suggests using aggressive mode due to the unknown client IP. But some other docs said aggressive mode does some plaintext communication. I cannot totally understand it, but my settings below work in main mode:

    IPCop settings: as per the tutorial's server side. It doesn't matter that there is no separate setup page for mobile clients and pre-shared keys.

    pfSense settings as client. PSK in the tunnel phase 1 page; that is sufficient.

    IPCop's ID example is @domain; that is the key difference with pfSense, where it can be user-defined. However, in pfSense putting @domain defined as dist. name simply cannot save settings. Username is ok, but racoon/pfSense is somewhat looking for IPs when in main mode. So ID types defined as non-IP are somewhat broken there. It looks impossible to re-set up the IP/ID every time it changes as dynamic. Finally, comparing IPCop with pfSense: the ID can be user-defined like shared keys. A fixed fake IP address there finally works.

    Pluto/IPCop just sends the ID field no matter what's in it, but racoon needs an IP-like string no matter what type is defined in the setup page.

    Some help on the web says pfSense needs another rule allowing * * for the IPsec tunnel and IPCop automatically fixes the route table. I tried deleting that and it still works.
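
The racoon excerpt posted earlier in this thread, and the resolution above (main mode with a non-IP identifier type fails at the ID payload; a fixed IP-type identifier on both peers works), lend themselves to a small log-triage routine. This is an added example, not code from the thread or from pfSense/racoon: it walks racoon log lines, records how far phase 1 got (NAT-D check, NAT detection) and extracts the expected and offered identifier types from the "Expecting ... type in main mode, but ..." error so the mismatch is reported in one line. The sample log is a constructed copy of the lines quoted in the thread; the function names are mine.

```python
import re

# Constructed log excerpt, modelled on the racoon lines quoted earlier in this thread.
SAMPLE_LOG = """\
Oct 12 18:10:38 racoon: []: [] INFO: Hashing[500] with algo #1
Oct 12 18:10:38 racoon: INFO: NAT-D payload #1 verified
Oct 12 18:10:38 racoon: INFO: NAT not detected
Oct 12 18:10:38 racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.
Oct 12 18:10:38 racoon: []: [] ERROR: invalid ID payload.
"""

# Matches racoon's identifier-type complaint and captures the three interesting fields.
ID_TYPE_RE = re.compile(
    r"ERROR: Expecting (?P<expected>.+?) type in (?P<mode>\w+) mode, but (?P<got>\w+)\."
)

def triage_racoon_log(text):
    """Summarise a racoon log excerpt: NAT-D status, NAT detection, ID mismatch, raw errors."""
    result = {"nat_d_verified": False, "nat_detected": None, "id_mismatch": None, "errors": []}
    for line in text.splitlines():
        if "NAT-D payload" in line and "verified" in line:
            result["nat_d_verified"] = True
        elif "NAT not detected" in line:
            result["nat_detected"] = False
        elif "NAT detected" in line:
            result["nat_detected"] = True
        m = ID_TYPE_RE.search(line)
        if m:
            result["id_mismatch"] = {"expected": m["expected"], "got": m["got"], "mode": m["mode"]}
        if "ERROR: " in line:
            result["errors"].append(line.split("ERROR: ", 1)[1])
    return result

def explain(result):
    """Turn the triage dict into a one-line diagnosis a pfSense admin can act on."""
    mm = result["id_mismatch"]
    if mm:
        return (f"Phase 1 ({mm['mode']} mode) got past NAT-D but the peer sent a {mm['got']} "
                f"identifier where racoon expects {mm['expected']} identifiers; "
                f"configure the same, IP-type identifier on both peers.")
    if result["errors"]:
        return "Phase 1 failed: " + "; ".join(result["errors"])
    return "No phase 1 errors seen in this excerpt."

if __name__ == "__main__":
    print(explain(triage_racoon_log(SAMPLE_LOG)))
```

Feeding it the excerpt from the thread yields a diagnosis naming User_FQDN as the offered type and IP address as the expected one, which points straight at the identifier setting rather than at the pre-shared key, where the earlier poster first suspected the problem.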
