Added by Chris Buechler about 13 years ago. Updated about 13 years ago.
0%
Description
/etc/rc.newipsecdns does not reload dynamic tunnels as it should.
Updated by Scott Ullrich about 13 years ago
We should test http://php.net/manual/en/function.dns-get-record.php vs gethostbyname
Updated by Scott Ullrich about 13 years ago
Use this test program to compare:
#!/usr/local/bin/php
$dns_record = "www.pfsense.org";
echo "gethostbyname = " . gethostbyname($dns_record);
echo "\n";
echo "dns_get_record = " . print_r(dns_get_record($dns_record, DNS_A));
?>
Updated by Chris Buechler about 13 years ago
updated ticket to actual problem, it appears actually that there is no caching at all in gethostbyname, it issues a DNS query every single time it's run regardless of TTL, at least when run via CLI in /etc/rc.newipsecdns. The problem was missing the $config array when running the vpn_ipsec* functions which made them fail. confirmed working now.
Updated by Joe Kelly about 13 years ago
If this is the same issue as the one discussed in the forum thread "VPN IPsec Remote gateway using DDNS doesn't update" (http://forum.pfsense.org/index.php/topic,29903.15.html), I can confirm that this fix does indeed work. I tried changing the IP address 5 times in a row and every time, the tunnel came back up in an average of about 30 seconds. Very nice work Chris!
One thing to note is that the old SAD entries for the old IP addresses don't seem to get cleared up -- at least not right away. I assume they'll expire after one of the Phase X lifetimes expires (don't know which one). I'm not sure if this is a big deal or not but I thought I should mention it anyway in case the old SAD entries are actually supposed to be cleaned up right away when the tunnel is reloaded with the new address.
Updated by Chris Buechler about 13 years ago
Joe - the second issue you noticed requires DPD to function, see my post on the 2.0 board on the forum re: ipsec-tools 0.8.0, it fixes that.