IPSec tunnel and dinamic IP
-
I know that for now it is not working thing but I would like to play with that option. Question is what I nead to make my pfsense to parse gateway FQDN properly instead of this:
racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
racoon: ERROR: getaddrinfo(viola,500): hostname nor servname provided, or not known
racoon: ERROR: fatal parse failure.Do I nead to setup FreeBSD machine for compiling packets or ???
I am using now NORTEL and D-link firewalls for tunnels with both dynamic ends but I would prefere pfsense.
Sasa
-
IPSec only supports fixed IP adresses until now…
that's the matter
-
Ok.
I am not happy but … eventualy ...
Sasa
-
Try OpenVPN.
-
Try OpenVPN.
Yes, that’s an option, but I would like to stay with IPSec.
Please, don't think that I am only stubborn, some time I just like
to know why some thing doesn’t work on one system but on
other systems work well or good enough.Sasa
-
IPSec has not the ability to engage a tunnel between 2 dynamic IPs by design. Routers, who do that, have proprietary extensions to handle that.
Its not impossible, some scripts when IP changes … somebody want's to implement such a feature in pfsense, but unfortunaly nobody replies:
http://forum.pfsense.org/index.php/topic,4670.0.html
-
@EmL:
Its not impossible, some scripts when IP changes … somebody want's to implement such a feature in pfsense, but unfortunaly nobody replies:
http://forum.pfsense.org/index.php/topic,4670.0.htmlOk then! Let's find out can we do something with it. First thing first, lern about witch script is for starting/restarting/killing IPSec VPN… Maybe there is a chance, maybe not, but I like the chalenge.
I have Friend who is wiz with FreeBSD and I can ask him for some help. I am much beter with Linux.
-
I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?
require_once("config.inc"); require_once("functions.inc"); $conf = &$config['ipsec']['tunnel']; $newip = gethostbyname('my-dynamic-dns-host-name'); if( $conf[0]['remote-gateway'] != $newip ) { $conf[0]['remote-gateway'] = $newip; write_config(); vpn_ipsec_configure(); } ?> -
I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?
I will try it at my home pfS. But on question is unanswered, how to get this to work:
racoon: ERROR: getaddrinfo(viola,500): hostname nor servname provided, or not known
It is not resolving in the first place. I have found some point in orig script but …Sasa
-
I wrote this quick little hack and added it to crontab. It seems to work but can someone more familiar with pfsense coding take a look at it real quick?
I will try it at my home pfS. But on question is unanswered, how to get this to work:
racoon: ERROR: getaddrinfo(viola,500): hostname nor servname provided, or not known
It is not resolving in the first place. I have found some point in orig script but …Sasa
Can you ping the hostname of the server that you are trying to connect to?
If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID. -
Can you ping the hostname of the server that you are trying to connect to?
If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID.It is all OK with ping. And it is not problem with your script. It is not resolving remote-gateway in original IPSec script. When I put DynDNS name in tunnel config page it is showing only hostname without domain so if FQDN is viola.dyndns.org it shows only "getaddrinfo(viola,500)" . It is not resolving at all. I have found place in script where it should be but I didn't have time to try. If you wish we can move this conversation to e-mail.
-
Can you ping the hostname of the server that you are trying to connect to?
If so, did you replace "my-dynamic-dns-host-name" in the script with the correct host?
Check the ID of your tunned, the script is hardcoded to update the tunnel with ID #0. If your ID is different change the number 0 in the script to match your tunnel ID.It is all OK with ping. And it is not problem with your script. It is not resolving remote-gateway in original IPSec script. When I put DynDNS name in tunnel config page it is showing only hostname without domain so if FQDN is viola.dyndns.org it shows only "getaddrinfo(viola,500)" . It is not resolving at all. I have found place in script where it should be but I didn't have time to try. If you wish we can move this conversation to e-mail.
The problem is that IPSEC does not support dns names when you set up tunnels. All my script does is to do a DNS lookup and update the remote host in the tunnel with ID=0 with the current ip of the remote host. So if the script worked you won't see the dns name in the pfsense web interface anymore, you will see the ip of the remote host.
Verify what your tunnel ID is and make sure that it matches what is in the script, also replace "my-dynamic-dns-host-name" with "viola.dyndns.org" (assuming that it is the correct dns name).
When you run php -q updateIPSEC.php (or whatever you saved the script as) it should update your tunnel with the current ip off the remote host. -
The problem is that IPSEC does not support dns names when you set up tunnels. All my script does is to do a DNS lookup and update the remote host in the tunnel with ID=0 with the current ip of the remote host. So if the script worked you won't see the dns name in the pfsense web interface anymore, you will see the ip of the remote host.
Verify what your tunnel ID is and make sure that it matches what is in the script, also replace "my-dynamic-dns-host-name" with "viola.dyndns.org" (assuming that it is the correct dns name).
When you run php -q updateIPSEC.php (or whatever you saved the script as) it should update your tunnel with the current ip off the remote host.Ok! I will try it tomorow morning.
-
I would love to know the status of this request? If this works I would love to implement it. I have serveral customers that have dynamic dns and would love to be able to setup up the this for them.
rc -
I would love to know the status of this request? If this works I would love to implement it. I have serveral customers that have dynamic dns and would love to be able to setup up the this for them.
rcScript is working good. Now whole idea nead some reworking. How to implement this for more than one tunnel, maybe some changes to IPSec seting page (check box for dynamic tunnel or different dynamic gateway input field) and some other question. Ideas?
Sasa
-
Script is working good. Now whole idea nead some reworking. How to implement this for more than one tunnel, maybe some changes to IPSec seting page (check box for dynamic tunnel or different dynamic gateway input field) and some other question. Ideas?
How about something like this:
/root/ipsecUpdate.phprequire_once("config.inc"); require_once("functions.inc"); $conf = &$config['ipsec']['tunnel']; $reload = 0; for ($i = 0; $i < count($conf); $i++) { if( $conf[$i]['remote-gateway-hostname'] <> "" ) { $newip = gethostbyname($conf[$i]['remote-gateway-hostname']); if( $conf[$i]['remote-gateway'] != $newip ) { $conf[$i]['remote-gateway'] = $newip; $reload = 1; } } } if( $reload == 1 ) { write_config(); vpn_ipsec_configure(); } ?>Edit /usr/local/www/vpn_ipsec_edit.php
After this line:
$pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway'];add
$pconfig['remotegwhost'] = $a_ipsec[$id]['remote-gateway-hostname'];Not 100% sure about this one, i'm making it up as i go :)
After this:if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']))) { if(is_domain($_POST['remotegw']) == false) $input_errors[] = "A valid remote gateway address must be specified."; }add
if (($_POST['remotegwhost'] && is_domain($_POST['remotegwhost']) == false)) { $input_errors[] = "A valid remote gateway hostname must be specified."; }Another one:
$ipsecent['remote-gateway'] = $_POST['remotegw'];Add
$ipsecent['remote-gateway-hostname'] = $_POST['remotegwhost'];This one needs more work but this will at least add a box to enter the information.
ChangeEnter the public IP address of the remote gatewayto
IP: And/or Hostname: -
I'm sure that there are several good reasons that IPSEC doesn't do this already so by doing something like this we are probably bypassing the security that the developers built in, but if you trust the DNS servers this should work for you.
Btw, the code came from pfSense-1.2-RC3 and it is untested so you may have to tweak it a little bit to get it to work. I'm still running my old code (see earlier in the thread), it works, no reason for me to change yet… :)
Also, dont forget to add this:
run "crontab -e" and add:
* * * * * /usr/local/bin/php -q /root/ipsecUpdate.php >> /dev/null -
If you can turn this into GUI code with a checkbox to enable dynamic ipsec, I will commit.
Send diff's to coreteam@pfsense.com
Thanks for your work so far!
-
If you can turn this into GUI code with a checkbox to enable dynamic ipsec, I will commit.
Send diff's to coreteam@pfsense.com
Thanks for your work so far!
I can do that, a couple of questions for you.
So from a pfsense project perspective the preferred look would be to add a checkbox next to the remote host textbox and when that is checked the input should be a hostname instead of a ip address.
Is a diff against 1.2-RC2 ok?
Any preference on where the cron job script should be stored and how to specify how i want it to run (say every 15 minutes)?
-
I can do that, a couple of questions for you.
So from a pfsense project perspective the preferred look would be to add a checkbox next to the remote host textbox and when that is checked the input should be a hostname instead of a ip address.
Is a diff against 1.2-RC2 ok?
Any preference on where the cron job script should be stored and how to specify how i want it to run (say every 15 minutes)?
#1 Yeah, a checkbox would be fine.
#2 I would prefer a diff against HEAD and RELENG1. This will not make it into 1.2 as we are frozen.
#3 Use minicron which is included. You can tell minicron to launch a script every X minutes. However, we should only launch this minicron process when we detect someone is using a dynamic hostname to avoid unnecessary process startups every 15 minutes when we do not need to. Also, a shell script to deterimine changes in the hostname would be ideal and only invoke php when absolutely needed but I would settle for either.Thanks for your help on this! This should be a great addition for folks.