VPN ipsec with one end using dynamic ip changing every 12hours



  • Hi, is it possible to use dynamic vpn in pfsense?
    With one end using dynamic ip changing every 12hours, the pfsense box will have static ip.
    i have heard about using dyndns but this is for 500 end points so dyndns is out.


  • Banned

    What's "end point"?



  • its 500 peers :)


  • Banned

    That did not help! What's "peers"? There's mobile IPsec, so I completely fail to see what's the deal with changing IPs here, unless you are connecting 500 sites that change their IPs every 12 hours.



  • a peer is a remote gateway, what i mean is that the cisco routers have public ip addresses that change every 12 hours.
    using ipsec lan-to-lan not mobile ipsec.
    Doing some testing i found i can configure 0.0.0.0 as the remote gateway and 0.0.0.0/0 as the remote network so its working now.


  • Banned

    Good luck with this "setup".



  • I have had IPsec site to site running with dynamic IPs at each end with RSA certificate authentication for testing but I prefer to have the hub site on a static IP. I use dynamic dns hostnames and put a reference to that host name in the cert as a 'DNS:' entry.

    I am intrigued on your architecture for supporting 500 VPN tunnels. How many concentrators are you deploying? I am using two hardware crypto accelerators in each pfSense endpoint for a theoretical 1Gbps throughput but the reality is that VPN's put a lot of load on PC based hardware solutions.



  • Well, 500 VPN tunnels probably not a huge impact on a server with Xenon or some high end quad processors if the peers are single users.  I am running OpenVPN AS on a VM running average 75 users without breaking a sweat.

    Site to Site VPN supporting large offices would make huge difference in performance so hardware crypto is a must.  I'd imagine AES-NI in the CPU would help.

    It boils down how much traffic is being sent and received at the hub sever.



  • hi sorry for the delay, the pfense will be deployed under ESX on a DualXeonE5-2630V3 64GB RAM, the server will also contain 2 vm's for media delivery and proxy.
    I was thinking on only one concentrator,  didnt know of the existence of hardware crypto accelerators.
    100mbps of throughput is required over vpn. will this hardware suffice?
    Server specs:
    https://secure.iweb.com/en/classicServerFlex/classicServerFlex/?id=38d2233b4574e196403bbacfcf533339

    The peers are cisco using vpn ipsec lan-to-lan with x.509 certificates.

    edit: read about AES-NI, will this boost even if using 3des/sha?