IPSEC one static IP with a Dynamic client - NO dyndns service
-
I have searched the forum and if this has been answered I apologize for missing it.
I need an IPSEC tunnel from a remote location back to a client's office. The remote location is DSL with a dynamic address. This was working fine with an older Cisco at the head end. I replaced the Cisco with pfSense and cannot find a way to allow a dynamic client to attach short of using DynDNS, which is not an option in this case. The Cisco had 0.0.0.0 for the remote gateway. I tried this in the pfSense box without success.
Is what I am asking just not possible with pfSense?
-
Yes it is possible.
I have a site with a static IP and my home broadband service, which is Virgin Media and is dynamic.
In pfSense on the one at home with the changing public IP, I add in the DynDNS service and put in all my details. So now the pfSense can communicate with DynDNS. And I'm sure you have worked out how to do that?
Then you need to go into IPSEC and, when you configure the VPN in Phase 1, select "My Identifier" in the drop-down list. This option needs to be set to Distinguished name. In there, type in the DynDNS domain name, i.e. adam.homeip.net
So now when you configure the site with the static IP you need to do the reverse. So Peer Identifier would be set to Distinguished name, and then type in the DynDNS address.
I think this is what you need. But I must say it works for me, and is flawless! Hope this helps!
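The same identifier-based setup expressed in strongSwan's ipsec.conf syntax, as an added example that is not from the original thread or from pfSense itself: the static office accepts IKE from any address but authenticates the remote by its FQDN identity (what the pfSense GUI calls "Distinguished name"), so the remote's changing public IP is irrelevant. The addresses, subnets, the name office.example.com and the PSK are assumed placeholders; adam.homeip.net is the name used in the post above.

```ini
# --- ipsec.conf on the STATIC-IP office gateway (assumed 203.0.113.10) ---
conn remote-dsl
    keyexchange=ikev2
    # This end: fixed public address, identified by an FQDN-style ID
    left=203.0.113.10
    leftid=@office.example.com
    leftsubnet=192.168.1.0/24
    # Dynamic end: accept the IKE proposal from ANY source address, but
    # require the peer to prove the identity adam.homeip.net with the PSK
    # bound to that identity below (the equivalent of pfSense's
    # Peer Identifier = Distinguished name)
    right=%any
    rightid=@adam.homeip.net
    rightsubnet=192.168.50.0/24
    authby=secret
    # With right=%any this side cannot initiate; it loads the conn and
    # waits for the dynamic side to connect
    auto=add

# --- ipsec.conf on the DYNAMIC (DSL) gateway ---
conn office
    keyexchange=ikev2
    # Whatever address the DSL/modem currently hands us
    left=%defaultroute
    leftid=@adam.homeip.net
    leftsubnet=192.168.50.0/24
    right=203.0.113.10
    rightid=@office.example.com
    rightsubnet=192.168.1.0/24
    authby=secret
    # The dynamic side must be the initiator and should restart on
    # address change
    auto=start
    dpdaction=restart

# --- ipsec.secrets (both ends, same key; the placeholder below is NOT a
#     real key, generate a long random one) ---
@office.example.com @adam.homeip.net : PSK "replace-with-a-long-random-key"
```

The PSK is keyed on both identities so the office cannot be matched by some other peer merely arriving from an arbitrary address; with IKEv1 main mode, by contrast, the responder must pick the PSK by source IP before it learns the identity, which is why identifier-based matching of a dynamic peer works cleanly only with IKEv2 (or IKEv1 aggressive mode).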
-
The router/firewall does not support DynDNS properly as it is stuck behind a Telmex DSL modem.
So I need a solution like I use with Cisco and SonicWall, which support a dynamic client without DynDNS. I LOVE pfSense; there has to be a way to make this work.
-
You can set it up as a mobile client the same way as the 0.0.0.0/0 remote but that's less than ideal in general (whether on Cisco or anything else). I'd fix the remote end so you can use dyndns properly.
-
Thanks cmb.
I will try setting it as a mobile client, and I agree it is not ideal. But in Mexico a static IP is spendy, so the client said no to doing this properly.