pfSense

We should test http://php.net/manual/en/function.dns-get-record.php vs gethostbyname

Use this test program to compare:

#!/usr/local/bin/php

$dns_record = "www.pfsense.org";

echo "gethostbyname = " . gethostbyname($dns_record);
echo "\n";
echo "dns_get_record = " . print_r(dns_get_record($dns_record, DNS_A));

?>

If this is the same issue as the one discussed in the forum thread "VPN IPsec Remote gateway using DDNS doesn't update" (http://forum.pfsense.org/index.php/topic,29903.15.html), I can confirm that this fix does indeed work. I tried changing the IP address 5 times in a row and every time, the tunnel came back up in an average of about 30 seconds. Very nice work Chris!

One thing to note is that the old SAD entries for the old IP addresses don't seem to get cleared up -- at least not right away. I assume they'll expire after one of the Phase X lifetimes expires (don't know which one). I'm not sure if this is a big deal or not but I thought I should mention it anyway in case the old SAD entries are actually supposed to be cleaned up right away when the tunnel is reloaded with the new address.

Joe - the second issue you noticed requires DPD to function, see my post on the 2.0 board on the forum re: ipsec-tools 0.8.0, it fixes that.