Feature #9768
Status: Closed
IPsec for site-to-site scenario where one side has dynamic IP
Description
In practice, really many sysadmins need to configure an IPsec tunnel for the situation in the subject.
I have seen similar issues:
- https://redmine.pfsense.org/issues/7410
- https://forum.netgate.com/topic/88618/ipsec-pfsense-2-2-4-multiple-remote-system-with-dynamic-ip/3
The pfSense team has ignored this IPsec scenario. But implementation of the scenario is very easy.
For example:
    right=%any
    ...
    rightid=fqdn:side-b.example.com
You must look into the strongSwan docs:
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection#leftright-End-Parameters
Updated by Jim Pingle about 5 years ago
- Category set to IPsec
- Priority changed from Normal to Very Low
- Target version set to Future
We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.
Updated by Vladimir Dzhivsanov about 5 years ago
Jim Pingle wrote:
We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.
But 0.0.0.0 can be used only for one IPsec tunnel.
strongSwan supports this:
conn 1
    right=%any
    ...
    rightid=fqdn:side-b.example.com

conn 2
    right=%any
    ...
    rightid=fqdn:side-c.example.com

conn 3
    right=%any
    ...
    rightid=fqdn:side-d.example.com
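The three-conn layout in the post above, carried through to a complete ipsec.conf and matching ipsec.secrets, as an added example. It is not pfSense code and not the poster's; the Peer record, the function names, the site names, subnets and keys are all constructed for the example. It also makes the checks a generator for this scenario should make: with right=%any the identity the peer asserts is the only thing that selects a conn and its PSK, so every peer needs a rightid, the rightids must be distinct, and the remote subnets must not overlap. keyexchange=ikev2 is deliberate: in IKEv1 main mode the PSK is needed before the peer's ID arrives, so a responder on %any with PSK cannot tell dynamic peers apart.

```python
"""Added example: render strongSwan ipsec.conf and ipsec.secrets for several
site-to-site peers that all sit on dynamic addresses.  Not pfSense code; the
Peer fields, function names and sample peers are assumptions for the example."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Peer:
    name: str           # conn name in ipsec.conf (hypothetical site label)
    remote_id: str      # FQDN identity the peer asserts in IKE_AUTH
    remote_subnet: str  # network behind the peer
    psk: str            # pre-shared key for this peer only


def _validate(peers):
    """With right=%any the asserted ID is the only selector for a conn and
    its PSK, so every peer needs one and they must be distinct.  Overlapping
    remote subnets are rejected too, otherwise two conns would claim the
    same traffic."""
    seen_ids = set()
    nets = []
    for p in peers:
        if not p.remote_id:
            raise ValueError(f"{p.name}: peer on right=%any has no rightid")
        if p.remote_id in seen_ids:
            raise ValueError(f"{p.name}: rightid {p.remote_id} already used")
        seen_ids.add(p.remote_id)
        net = ip_network(p.remote_subnet)  # raises on a malformed subnet
        for other_name, other in nets:
            if net.overlaps(other):
                raise ValueError(f"{p.name}: {net} overlaps {other} of {other_name}")
        nets.append((p.name, net))


def render_ipsec_conf(local_id, local_subnet, peers):
    """Return the text of an ipsec.conf with one conn per peer."""
    _validate(peers)
    lines = [
        "config setup",
        "",
        "conn %default",
        "    keyexchange=ikev2",   # IKEv1 main mode cannot pick a PSK by ID
        "    authby=secret",
        "    left=%defaultroute",
        f"    leftid=@{local_id}",  # @name is shorthand for fqdn:name
        f"    leftsubnet={local_subnet}",
        "    auto=add",            # responder only: we cannot initiate to %any
        "    dpdaction=clear",     # drop the SA once the peer's old address dies
        "    dpddelay=30s",
        "",
    ]
    for p in peers:
        lines += [
            f"conn {p.name}",
            "    right=%any",
            f"    rightid=@{p.remote_id}",
            f"    rightsubnet={p.remote_subnet}",
            "",
        ]
    return "\n".join(lines)


def render_ipsec_secrets(local_id, peers):
    """Return ipsec.secrets lines keyed by both identities, so the PSK is
    chosen by who the peer claims to be rather than by its address."""
    _validate(peers)
    return "".join(f'@{local_id} @{p.remote_id} : PSK "{p.psk}"\n' for p in peers)


# Constructed sample: hub side-a.example.com answering three dynamic spokes.
SAMPLE_PEERS = [
    Peer("side-b", "side-b.example.com", "10.2.0.0/24", "psk-b-CHANGE-ME"),
    Peer("side-c", "side-c.example.com", "10.3.0.0/24", "psk-c-CHANGE-ME"),
    Peer("side-d", "side-d.example.com", "10.4.0.0/24", "psk-d-CHANGE-ME"),
]

if __name__ == "__main__":
    print(render_ipsec_conf("side-a.example.com", "10.1.0.0/24", SAMPLE_PEERS))
    print(render_ipsec_secrets("side-a.example.com", SAMPLE_PEERS))
```

Because the hub cannot initiate towards %any, each spoke must be the initiator (auto=start on its side with right set to the hub's static address or DynDNS name); dpdaction=clear on the hub is what lets a spoke whose address changed re-establish without waiting for the stale SA to expire.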
Updated by Jim Pingle about 5 years ago
Yes, hence "Room for improvement".
The subject and description imply it isn't possible at all. No mention of multiples.
Updated by Vladimir Dzhivsanov about 5 years ago
Why don't you want to implement it?
Updated by Jim Pingle about 5 years ago
Where did I say that? It might be nice to have eventually. This is still open, not rejected. But it's not as simple as you imply due to other areas that make assumptions on the contents of the remote peer. It could be done, just not right this moment.
Updated by Vladimir Dzhivsanov about 5 years ago
The IPsec settings of pfSense are only a wrapper for strongSwan.
You only need to generate a correct ipsec.conf from the web form.
What difficulties do you mean?
Updated by Jim Pingle about 5 years ago
Other areas of pfSense assume things about that address, like making static routes for the peer, setting up DNS monitoring for hostnames, etc. It's nowhere near as simple as you imply.
Updated by lama lord about 5 years ago
Jim Pingle wrote:
We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.
Do you mean that a DynDNS hostname can only be used for one peer (in an environment where there are multiple IPsec site-to-site tunnels)?
Because I never got it working to set up 3+ site-to-site IPsec tunnels using a DynDNS hostname as the remote gateway.... my pfSense acts strange and crashes after a while.
Updated by Jim Pingle about 5 years ago
It can be used for any number of tunnels. If you have support questions, please take them to the forum or pfSense subreddit.
Updated by Viktor Gurov about 4 years ago
- Status changed from New to Closed
Updated by Jim Pingle about 4 years ago
- Target version changed from Future to 2.5.0
Updated by Jim Pingle about 4 years ago
- Status changed from Closed to Duplicate
- Target version deleted (2.5.0)