IPsec - pfsense 2.2.4 - multiple remote system with dynamic IP
-
Hi,
I have a number of IPsec tunnels where the remote system has a dynamic IP, and is not in a position to use a Dynamic DNS provider. With our existing equipment (SnapGear) we specify a remote IP of 0.0.0.0 and then use the Peer identifier to select the appropriate IPsec Phase 1 (and associated Phase 2).
This appears to work in pfsense 2.2.4, however, there are some interesting wrinkles:
- The Web interface does not like multiple Phase 1 entries with 0.0.0.0 as the remote IP. You can avoid this problem by disabling the IPsec links as you create them and then enabling them (click on the green icon). As I see things, the pfsense UI appears to restrict IPsec configuration in a way that the underlying IPsec software doesn't.
- Whether the multiple tunnels 'work' appears to depend on the order in which the IPsec Phase 1 entries are defined!
This is quite strange: if I have two such entries and they are one way around, I get an interesting error in the pfsense System Log.
php-fpm[64779]: /vpn_ipsec.php: The remote gateway 0.0.0.0 already exists on another phase 1 entry
And only one of the IPsec tunnels will establish.
If I arrange the entries the other way around, there is no error in the System Log and both tunnels will establish.
I can switch between the error/no error situation by just moving the IPsec entries around using the 'move selected entries before this' facility.
At this stage I am experimenting and so I only have two tunnels with known remote IP addresses, and two with dynamic remote IP addresses. However, a production implementation has over 100 dynamic endpoints.
So:
A) Is it intended that pfsense (strongswan) support IPsec tunnels with unknown remote IPs (and also no mechanism to look them up in DNS)? Am I correct to do this by using a remote IP of 0.0.0.0?
B) Are there any comments on why the order of the entries in the VPN/IPsec page should have any effect on whether the resulting configuration works?
I suppose that while my test environment appears to 'work', it has only been running for 3 days and may perhaps have a hidden problem. However, at this stage I appear to have reliable IPsec tunnels.
At present my two dynamic IP links have different remote software (one is a SnapGear router (using Aggressive mode), the other a Netgear router (using Main mode)); it is possible that this has some effect on the ordering that is required.
Thanks,
Tim
-
There's validation there to omit what appear to be duplicates as there are possibly circumstances where that will break things. But you can try removing that and see what happens. In /etc/inc/vpn.inc, remove the following 4 lines.
    if (array_search($rg, $rgmap)) {
        log_error("The remote gateway {$rg} already exists on another phase 1 entry");
        continue;
    }
Then go to VPN>IPsec, and click Save.
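As an added illustration (not pfSense's own code, and not something the thread confirms as the cause), the quoted check uses the return value of array_search() directly as a boolean; if $rgmap is appended to as a plain list, a match at index 0 is treated as "not found", which makes the duplicate error depend on where the first 0.0.0.0 entry sits in the list. The orderings below are constructed to mirror the report: two static peers and two dynamic peers entered as 0.0.0.0.

```php
<?php
// Added illustration, not pfSense's code. Assumption: $rgmap is a plain list, so
// array_search() returns the integer index of the first match, and index 0 is falsy.

function checkOrderLoose(array $gateways): array {
    // The check as quoted in the thread: `if (array_search(...))`.
    $rgmap = [];
    $errors = [];
    foreach ($gateways as $rg) {
        if (array_search($rg, $rgmap)) {   // a match at index 0 is silently missed
            $errors[] = "The remote gateway {$rg} already exists on another phase 1 entry";
            continue;
        }
        $rgmap[] = $rg;
    }
    return $errors;
}

function checkOrderStrict(array $gateways): array {
    // Same logic with the strict comparison PHP's documentation recommends for array_search().
    $rgmap = [];
    $errors = [];
    foreach ($gateways as $rg) {
        if (array_search($rg, $rgmap, true) !== false) {
            $errors[] = "The remote gateway {$rg} already exists on another phase 1 entry";
            continue;
        }
        $rgmap[] = $rg;
    }
    return $errors;
}

// Constructed sample orderings (documentation addresses for the static peers).
$dynamicFirst = ['0.0.0.0', '0.0.0.0', '192.0.2.10', '198.51.100.20'];
$staticFirst  = ['192.0.2.10', '198.51.100.20', '0.0.0.0', '0.0.0.0'];

printf("dynamic first, loose check:  %d error(s)\n", count(checkOrderLoose($dynamicFirst)));
printf("static first,  loose check:  %d error(s)\n", count(checkOrderLoose($staticFirst)));
printf("dynamic first, strict check: %d error(s)\n", count(checkOrderStrict($dynamicFirst)));
printf("static first,  strict check: %d error(s)\n", count(checkOrderStrict($staticFirst)));
```

With the loose check only the static-first ordering reports a duplicate, while the strict check reports one in both orderings; whether this is what happens in vpn.inc depends on how $rgmap is actually keyed there.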
-
Thank you very much for that information.
What is slightly more confusing to me is why the order of the definitions in the ipsec.conf file should affect the operation of the links. I am still investigating this and a few other issues relating to the VPNs and I will report back once I have some solid information. Unfortunately, I only get limited time each week to look into these problems.
- I am observing what is well documented as a memory leak in charon. I am assuming this will eventually be resolved.
- I am observing some strange NAT issues with the VPNs. At this stage I am just working around these problems.
- I am investigating a strange issue where VPN tunnels stop passing traffic and then mysteriously start again when a new TCP session opens via the same tunnel.
- I am investigating the issue with the order of the IPsec definitions and why this should alter the behaviour of the VPN system as a whole.
As I said, thank you for the response; it will be very useful. Also thanks for the work on pfsense - it is a great product. If I can get the IPsec working reliably it will be a perfect product!
Tim