Netgate Discussion Forum

VPN ipsec with one end using dynamic ip changing every 12hours

9 Posts 4 Posters 2.3k Views
    zenkovac (Jun 26, 2015, 12:50 AM)

    Hi, is it possible to use dynamic VPN in pfSense?
    With one end using a dynamic IP changing every 12 hours; the pfSense box will have a static IP.
    I have heard about using DynDNS, but this is for 500 endpoints, so DynDNS is out.

      doktornotor (Jun 26, 2015, 6:58 AM)

      What's "end point"?

        zenkovac (Jun 26, 2015, 12:31 PM)

        It's 500 peers :)

          doktornotor (Jun 26, 2015, 2:42 PM)

          That did not help! What's "peers"? There's mobile IPsec, so I completely fail to see what the deal with changing IPs is here, unless you are connecting 500 sites that change their IPs every 12 hours.

            zenkovac (Jun 26, 2015, 4:59 PM)

            A peer is a remote gateway. What I mean is that the Cisco routers have public IP addresses that change every 12 hours.
            Using IPsec LAN-to-LAN, not mobile IPsec.
            Doing some testing, I found I can configure 0.0.0.0 as the remote gateway and 0.0.0.0/0 as the remote network, so it's working now.

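What the "0.0.0.0 remote gateway, 0.0.0.0/0 remote network" setting amounts to at the strongSwan layer pfSense 2.2+ runs on, written out here as an added swanctl.conf illustration for the static-IP hub. This is not pfSense's generated configuration (which uses its own connection names and paths) and not anything from the thread; the addresses, hostnames, certificate file names and proposals are assumed.

```conf
# /etc/swanctl/swanctl.conf on the static-IP hub (illustrative; not pfSense's generated file)
connections {
    branches {
        version = 2                        # IKEv2: the responder narrows traffic selectors per peer
        local_addrs  = 203.0.113.10        # hub's static address (assumed)
        remote_addrs = %any                # the equivalent of a 0.0.0.0 remote gateway
        proposals = aes256-sha256-modp2048

        local {
            auth  = pubkey
            certs = hub.crt                # hub certificate, CA-signed (assumed file name)
            id    = hub.example.net        # identity the branches are configured to expect
        }
        remote {
            auth    = pubkey
            cacerts = branch-ca.crt        # only certificates chaining to this CA are accepted
            id      = %any                 # peer identity comes from its certificate, not its IP
        }

        children {
            branch-lans {
                local_ts  = 10.0.0.0/24    # hub LAN (assumed)
                remote_ts = 0.0.0.0/0      # the 0.0.0.0/0 remote network: each peer narrows it to its own LAN
                esp_proposals = aes256-sha256
                start_action = none        # hub never initiates; it cannot know a peer's current IP
                dpd_action = clear         # drop a dead peer's SA so it can reconnect from its new address
            }
        }
        dpd_delay = 30s
    }
}
```

Two things to check before relying on this shape. Because `remote_ts` is the whole address space, the hub installs whatever LAN prefix each branch proposes, so two branches proposing overlapping prefixes collide in the hub's policy table and only one of them carries traffic; assign branch LANs from a plan that cannot overlap. And because the peer identity is `%any`, the CA named in `cacerts` is the entire access control: it should issue certificates to nothing but these routers, and a decommissioned or stolen router's certificate has to be revoked (CRL or OCSP) since its IP address cannot be used to block it.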
              doktornotor (Jun 26, 2015, 5:02 PM)

              Good luck with this "setup".

                vbentley (Jun 26, 2015, 11:30 PM)

                I have had IPsec site-to-site running with dynamic IPs at each end with RSA certificate authentication for testing, but I prefer to have the hub site on a static IP. I use dynamic DNS hostnames and put a reference to that hostname in the cert as a 'DNS:' entry.

                I am intrigued by your architecture for supporting 500 VPN tunnels. How many concentrators are you deploying? I am using two hardware crypto accelerators in each pfSense endpoint for a theoretical 1 Gbps throughput, but the reality is that VPNs put a lot of load on PC-based hardware solutions.


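The certificate-plus-dynamic-DNS approach described above, as an added example that is not from the thread or from pfSense: a throwaway PKI in which each branch certificate carries its dynamic DNS hostname as a `DNS:` subjectAltName, the hub chain-verifies a presented certificate against its CA, and the hub reads the `DNS:` identity out of the certificate, which is what its configured peer identifier is matched against while the peer's IP keeps changing. The hostnames, CA names and file names are made up; it needs only the `openssl` command line and writes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): a toy PKI for certificate-
# authenticated site-to-site IPsec where branch routers have changing IPs.
# Each branch certificate carries its dynamic DNS name as a DNS: SAN, so the
# hub identifies the peer by that name instead of by source address.
# All hostnames and file names here are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" 2>/dev/null
}

# issue_peer_cert NAME HOSTNAME CA: CA-signed peer certificate whose SAN holds
# the peer's dynamic DNS hostname (the identity used in IKE), with the key
# usages an IKE certificate is expected to carry.
issue_peer_cert() {
    name=$1; host=$2; ca=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$host" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$host" > "$WORK/$name.ext"
    openssl x509 -req -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_peer_cert NAME: what the hub does during IKE authentication, chain-
# verifying the presented certificate against the CA it trusts. Prints OK or FAIL.
verify_peer_cert() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# peer_san_dns NAME: the DNS: identity the hub matches against its configured
# peer identifier; it stays constant while the peer's IP address changes.
peer_san_dns() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -o 'DNS:[^, ]*'
}

make_ca ca                                              # the CA both ends trust
make_ca other-ca                                        # an unrelated CA, for the negative case
issue_peer_cert branch01 branch01.dyn.example.net ca
issue_peer_cert rogue    rogue.dyn.example.net    other-ca

echo "branch01: $(verify_peer_cert branch01) $(peer_san_dns branch01)"
echo "rogue:    $(verify_peer_cert rogue) $(peer_san_dns rogue)"
```

The rogue certificate reproduces the check that matters once the hub accepts connections from any address: a certificate that does not chain to the hub's own CA is rejected before the peer's identity or LAN is even considered, so the CA, not the peer's IP, is the access control and its issuance has to be limited to the routers that belong in the VPN.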
                  Darkk (Jun 28, 2015, 12:27 AM)

                  Well, 500 VPN tunnels probably wouldn't have a huge impact on a server with Xeon or some high-end quad processors if the peers are single users. I am running OpenVPN AS on a VM with an average of 75 users without breaking a sweat.

                  Site-to-site VPN supporting large offices would make a huge difference in performance, so hardware crypto is a must. I'd imagine AES-NI in the CPU would help.

                  It boils down to how much traffic is being sent and received at the hub server.

                    zenkovac (Jul 1, 2015, 2:50 AM; edited Jul 1, 2015, 12:51 PM)

                    Hi, sorry for the delay. The pfSense will be deployed under ESX on a dual Xeon E5-2630 v3 with 64 GB RAM; the server will also contain 2 VMs for media delivery and proxy.
                    I was thinking of only one concentrator; I didn't know of the existence of hardware crypto accelerators.
                    100 Mbps of throughput is required over the VPN. Will this hardware suffice?
                    Server specs:
                    https://secure.iweb.com/en/classicServerFlex/classicServerFlex/?id=38d2233b4574e196403bbacfcf533339

                    The peers are Cisco, using IPsec LAN-to-LAN VPN with X.509 certificates.

                    Edit: I read about AES-NI; will this give a boost even if using 3DES/SHA?
