IPSec VPN Multiple Peer IPs
-
One side of the tunnel has a failover IP that is used when the primary connection goes down. I've successfully established an IPSec tunnel with a Cisco ASA device, by adding both IPs as peers on the ASA side. Is this possible on pfSense?
-
Not directly, no. But if the side with multiple IP addresses can setup a dyndns entry that will change based on the "active" IP for the tunnel it can switch that way.
-
Not directly, no. But if the side with multiple IP addresses can setup a dyndns entry that will change based on the "active" IP for the tunnel it can switch that way.
Do you know what the implications with regards to caching of this lookup are? Is it looked up on every connection attempt or does the TTL of the record affect it?
-
It works similarly to how lookups are handled for aliases. It's checked every few minutes and if the DNS entry has changed, /etc/rc.newipsecdns is run. I believe it's also checked when the tunnel settings are synchronized so that the IP address may be written into the ipsec configuration.