Dynamic IP and remote locations
-
I'm attempting to create a site-to-site VPN using IPSEC with two pfsense routers. Each site has dynamic public IP addresses. I'm using fully qualified host names as addresses for the gateways. Name resolution for these hostnames is provided by Dyndns.
I'm able to successfully create a tunnel. BUT when an IP changes on one side of the tunnel, I can only reestablish it by reconnecting from the side whose IP DIDN'T change.
In other words, if I have a site-to-site vpn connection and the IP address of the site I am physically at changes, I need someone at the remote site to reestablish the connection (or alternatively access the firewall myself over the public network).
Is this the expected IPSEC behavior? If it is, how can I maintain connections with remote locations?
Or am I just doing something wrong?
Here is my setup on one of the servers (I replaced my DynDNS hostname with "example.com")
Internet Protocol: IPv4
Interface: WAN
Remote gateway: one.example.comAuthentication method: Mutual PSK
Negotiation mode: aggressive
My identifier User distinguished name one@example.com
Peer identifier User distinguished name two@example.com
Pre-Shared Key xxxxx
Policy Generation Default
Proposal Checking Default
Encryption algorithm AES 256 bits
Hash algorithm SHA1
DH key group 1 (768 bit)
Lifetime seconds 86400Advanced Options
NAT Traversal Enable
Enable DPD
10 seconds
Delay between requesting peer acknowledgement.5 retries
Number of consecutive failures allowed before disconnect. -
Things got worse. Racoon failed to even attempt to connect. Specifically, hitting the connect icon returned immediately and there was no record of any connection attempt in the log. Deleted the phase one and phase two entries, and re-entering them. Seems to be working now.
Must have been some sort of corruption in the configuration.