IPSec tunnel and dinamic IP



  • I know that for now it is not working thing but I would like to play with that option. Question is what I nead to make my pfsense to parse gateway FQDN properly instead of this:

    racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    racoon: ERROR: getaddrinfo(viola,500): hostname nor servname provided, or not known
    racoon: ERROR: fatal parse failure.

    Do I nead to setup FreeBSD machine for compiling packets or ???

    I am using now NORTEL and D-link firewalls for tunnels with both dynamic ends but I would prefere pfsense.

    Sasa



  • IPSec only supports fixed IP adresses until now…

    that's the matter



  • Ok.

    I am not happy but … eventualy ...

    Sasa



  • Try OpenVPN.



  • @sullrich:

    Try OpenVPN.

    Yes, that’s an option, but I would like to stay with IPSec.
    Please, don't think that I am only stubborn, some time I just like
    to know why some thing doesn’t work on one system but on
    other systems work well or good enough.

    Sasa



  • IPSec has not the ability to engage a tunnel between 2 dynamic IPs by design. Routers, who do that, have proprietary extensions to handle that.

    Its not impossible, some scripts when IP changes … somebody want's to implement such a feature in pfsense, but unfortunaly nobody replies:

    http://forum.pfsense.org/index.php/topic,4670.0.html



  • @EmL:

    Its not impossible, some scripts when IP changes … somebody want's to implement such a feature in pfsense, but unfortunaly nobody replies:
    http://forum.pfsense.org/index.php/topic,4670.0.html

    Ok then! Let's find out can we do something with it. First thing first, lern about witch script is for starting/restarting/killing IPSec VPN… Maybe there is a chance, maybe not, but I like the chalenge.

    I have Friend who is wiz with FreeBSD and I can ask him for some help. I am much beter with Linux.



  • I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?

    
    require_once("config.inc");
    require_once("functions.inc");
    
    $conf = &$config['ipsec']['tunnel'];
    $newip = gethostbyname('my-dynamic-dns-host-name');
    
    if( $conf[0]['remote-gateway'] != $newip ) {
            $conf[0]['remote-gateway'] = $newip;
            write_config();
            vpn_ipsec_configure();
    }
    ?>
    
    


  • @ullbergm:

    I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?

    I will try it at my home pfS. But on question is unanswered, how to get this to work:
    racoon: ERROR: getaddrinfo(viola,500): hostname nor servname provided, or not known
    It is not resolving in the first place. I have found some point in orig script but …

    Sasa



  • @ssbaksa:

    @ullbergm:

    I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?

    I will try it at my home pfS. But on question is unanswered, how to get this to work:
    racoon: ERROR: getaddrinfo(viola,500): hostname nor servname provided, or not known
    It is not resolving in the first place. I have found some point in orig script but …

    Sasa

    Can you ping the hostname of the server that you are trying to connect to?
    If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
    Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID.



  • @ullbergm:

    Can you ping the hostname of the server that you are trying to connect to?
    If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
    Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID.

    It is all OK with ping. And it is not problem with your script. It is not resolving remote-gateway in original IPSec script. When I put DynDNS name in tunnel config page it is showing only hostname without domain so if FQDN is viola.dyndns.org it shows only "getaddrinfo(viola,500)" . It is not resolving at all. I have found place in script where it should be but I didn't have time to try. If you wish we can move this conversation to e-mail.



  • @ssbaksa:

    @ullbergm:

    Can you ping the hostname of the server that you are trying to connect to?
    If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
    Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID.

    It is all OK with ping. And it is not problem with your script. It is not resolving remote-gateway in original IPSec script. When I put DynDNS name in tunnel config page it is showing only hostname without domain so if FQDN is viola.dyndns.org it shows only "getaddrinfo(viola,500)" . It is not resolving at all. I have found place in script where it should be but I didn't have time to try. If you wish we can move this conversation to e-mail.

    The problem is that IPSEC does not support dns names when you set up tunnels. All my script does is to do a DNS lookup and update the remote host in the tunnel with ID=0 with the current ip of the remote host. So if the script worked you won't see the dns name in the pfsense web interface anymore, you will see the ip of the remote host.

    Verify what your tunnel ID is and make sure that it matches what is in the script, also replace "my-dynamic-dns-host-name" with "viola.dyndns.org" (assuming that it is the correct dns name).
    When you run php -q updateIPSEC.php (or whatever you saved the script as) it should update your tunnel with the current ip off the remote host.



  • @ullbergm:

    The problem is that IPSEC does not support dns names when you set up tunnels. All my script does is to do a DNS lookup and update the remote host in the tunnel with ID=0 with the current ip of the remote host. So if the script worked you won't see the dns name in the pfsense web interface anymore, you will see the ip of the remote host.

    Verify what your tunnel ID is and make sure that it matches what is in the script, also replace "my-dynamic-dns-host-name" with "viola.dyndns.org" (assuming that it is the correct dns name).
    When you run php -q updateIPSEC.php (or whatever you saved the script as) it should update your tunnel with the current ip off the remote host.

    Ok! I will try it tomorow morning.



  • I would love to know the status of this request?  If this works I would love to implement it.  I have serveral customers that have dynamic dns and would love to be able to setup up the this for them.
    rc



  • @fastcon68:

    I would love to know the status of this request?  If this works I would love to implement it.  I have serveral customers that have dynamic dns and would love to be able to setup up the this for them.
    rc

    Script is working good. Now whole idea nead some reworking. How to implement this for more than one tunnel, maybe some changes to IPSec seting page (check box for dynamic tunnel or different dynamic gateway input field) and some other question. Ideas?

    Sasa



  • @ssbaksa:

    Script is working good. Now whole idea nead some reworking. How to implement this for more than one tunnel, maybe some changes to IPSec seting page (check box for dynamic tunnel or different dynamic gateway input field) and some other question. Ideas?

    How about something like this:
    /root/ipsecUpdate.php

    
    require_once("config.inc");
    require_once("functions.inc");
    
    $conf = &$config['ipsec']['tunnel'];
    
    $reload = 0;
    
    for ($i = 0; $i < count($conf); $i++) {
            if( $conf[$i]['remote-gateway-hostname'] <> "" ) {
                    $newip = gethostbyname($conf[$i]['remote-gateway-hostname']);
    
                    if( $conf[$i]['remote-gateway'] != $newip ) {
                            $conf[$i]['remote-gateway'] = $newip;
                            $reload = 1;
                    }
            }
    }
    
    if( $reload == 1 ) {
            write_config();
            vpn_ipsec_configure();
    }
    ?>
    
    

    Edit /usr/local/www/vpn_ipsec_edit.php

    After this line:

    $pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway'];
    

    add

    $pconfig['remotegwhost'] = $a_ipsec[$id]['remote-gateway-hostname'];
    

    Not 100% sure about this one, i'm making it up as i go :)
    After this:

            if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']))) {
                    if(is_domain($_POST['remotegw']) == false)
                            $input_errors[] = "A valid remote gateway address must be specified.";
            }
    
    

    add

            if (($_POST['remotegwhost'] && is_domain($_POST['remotegwhost']) == false)) {
                            $input_errors[] = "A valid remote gateway hostname must be specified.";
            }
    
    

    Another one:

    $ipsecent['remote-gateway'] = $_POST['remotegw'];
    

    Add

    $ipsecent['remote-gateway-hostname'] = $_POST['remotegwhost'];
    

    This one needs more work but this will at least add a box to enter the information.
    Change

    
                        Enter the public IP address of the remote gateway
    
    

    to

    
                        IP: 
    
                        And/or Hostname: 
    
    


  • I'm sure that there are several good reasons that IPSEC doesn't do this already so by doing something like this we are probably bypassing the security that the developers built in, but if you trust the DNS servers this should work for you.

    Btw, the code came from pfSense-1.2-RC3 and it is untested so you may have to tweak it a little bit to get it to work. I'm still running my old code (see earlier in the thread), it works, no reason for me to change yet… :)

    Also, dont forget to add this:

    run "crontab -e" and add:

    * * * * * /usr/local/bin/php -q /root/ipsecUpdate.php >> /dev/null
    


  • If you can turn this into GUI code with a checkbox to enable dynamic ipsec, I will commit.

    Send diff's to coreteam@pfsense.com

    Thanks for your work so far!



  • @sullrich:

    If you can turn this into GUI code with a checkbox to enable dynamic ipsec, I will commit.

    Send diff's to coreteam@pfsense.com

    Thanks for your work so far!

    I can do that, a couple of questions for you.

    So from a pfsense project perspective the preferred look would be to add a checkbox next to the remote host textbox and when that is checked the input should be a hostname instead of a ip address.

    Is a diff against 1.2-RC2 ok?

    Any preference on where the cron job script should be stored and how to specify how i want it to run (say every 15 minutes)?



  • @ullbergm:

    I can do that, a couple of questions for you.

    So from a pfsense project perspective the preferred look would be to add a checkbox next to the remote host textbox and when that is checked the input should be a hostname instead of a ip address.

    Is a diff against 1.2-RC2 ok?

    Any preference on where the cron job script should be stored and how to specify how i want it to run (say every 15 minutes)?

    #1 Yeah, a checkbox would be fine.
    #2 I would prefer a diff against HEAD and RELENG1.  This will not make it into 1.2 as we are frozen.
    #3 Use minicron which is included.  You can tell minicron to launch a script every X minutes.  However, we should only launch this minicron process when we detect someone is using a dynamic hostname to avoid unnecessary process startups every 15 minutes when we do not need to.  Also, a shell script to deterimine changes in the hostname would be ideal and only invoke php when absolutely needed but I would settle for either.

    Thanks for your help on this!  This should be a great addition for folks.



  • @sullrich:

    #1 Yeah, a checkbox would be fine.
    #2 I would prefer a diff against HEAD and RELENG1.  This will not make it into 1.2 as we are frozen.
    #3 Use minicron which is included.  You can tell minicron to launch a script every X minutes.  However, we should only launch this minicron process when we detect someone is using a dynamic hostname to avoid unnecessary process startups every 15 minutes when we do not need to.  Also, a shell script to deterimine changes in the hostname would be ideal and only invoke php when absolutely needed but I would settle for either.

    Thanks for your help on this!  This should be a great addition for folks.

    Ah! I see movement. I am using script (simple one) for some time now and it is working OK.
    This addition with web front end will be much better.

    Any new development?

    Sasa



  • Dyanmic IPSEC support is already in -HEAD and RELENG_1_3; imported from m0n0wall recently.



  • @sullrich:

    Dyanmic IPSEC support is already in -HEAD and RELENG_1_3; imported from m0n0wall recently.

    Cool, no need for the workaround then.



  • @sullrich:

    Dyanmic IPSEC support is already in -HEAD and RELENG_1_3; imported from m0n0wall recently.

    Yupiiiii!!!
    This is great news. No nead to write scripts for that any more then.

    TNX!



  • @sullrich:

    Dyanmic IPSEC support is already in -HEAD and RELENG_1_3; imported from m0n0wall recently.

    And how can I download image with that modifications? I isn't at location usualy allowed to us mortals.
    I know that it is in alpha stage (or near that) but I will like to play with.



  • We currently do not have images for this.  Expect to see some betas/alphas right after 1.2 is released.



  • @sullrich:

    We currently do not have images for this.  Expect to see some betas/alphas right after 1.2 is released.

    OK!
    TNX for info.



  • If a script, or better yet, an update to the web interface would allow this hack to get two dynamic DNS Pfsense boxes to build a IPSEC tunnel, I would be happy to pay a bounty for that.

    Robert



  • @valnar:

    If a script, or better yet, an update to the web interface would allow this hack to get two dynamic DNS Pfsense boxes to build a IPSEC tunnel, I would be happy to pay a bounty for that.

    I don't see any reason why these changes would not work in this case.  It might take a minute or two for the other end to come back up, but in theory it should work.



  • I guess there is no plan to backport the m0n0wall update into the 1.2 branch is there?



  • 1.2 is frozen.


Log in to reply