Feature #9768

IPsec for site-to-site scenario where one side has dynamic ip

Added by Vladimir Dzhivsanov about 1 year ago. Updated about 16 hours ago.

Status: Duplicate
Priority: Very Low
Assignee: -
Category: IPsec
Target version: -
Start date: 09/16/2019
Due date:
% Done: 0%
Estimated time:

Description

In practice, really many sysadmins have a need to configure an IPsec tunnel for the situation in the subject.

I have seen similar issues:

The pfSense team has ignored this IPsec scenario. But implementation of the scenario is very easy.

For example:
right = %any
...
rightid = fqdn:side-b.example.com

You must look into strongSwan docs:
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection#leftright-End-Parameters

History

#1 Updated by Jim Pingle about 1 year ago

  • Category set to IPsec
  • Priority changed from Normal to Very Low
  • Target version set to Future

We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.

#2 Updated by Vladimir Dzhivsanov about 1 year ago

Jim Pingle wrote:

We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.

But 0.0.0.0 can be used only for one ipsec tunnel.

strongSwan supports this:

conn 1:
right = %any
...
rightid = fqdn:side-b.example.com

conn 2:
right = %any
...
rightid = fqdn:side-c.example.com

conn 3:
right = %any
...
rightid = fqdn:side-d.example.com
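
The multi-peer layout sketched in comment #2, as an added example (not pfSense or strongSwan project code): it renders one `conn` per dynamic peer with `right = %any` and a distinct `rightid`, and refuses a peer list whose identities would be ambiguous. Local address, identities and subnets are constructed samples.

```python
"""Render strongSwan ipsec.conf 'conn' sections for site-to-site peers whose
addresses are dynamic: each is matched by identity (rightid) instead of address
(right = %any). Added example, not pfSense/strongSwan code; sample data constructed."""
import re
from dataclasses import dataclass

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)  # loose shape check

@dataclass(frozen=True)
class Peer:
    name: str          # conn name in ipsec.conf
    fqdn: str          # identity the peer asserts in IKE (rightid = fqdn:<fqdn>)
    right_subnet: str  # network behind the peer

def validate_peers(peers):
    """With right = %any the responder can only select a conn by rightid, so
    every identity (and conn name) must be unique and a well-formed FQDN."""
    seen_ids, seen_names = set(), set()
    for p in peers:
        if not FQDN_RE.match(p.fqdn):
            raise ValueError(f"{p.name}: invalid FQDN identity {p.fqdn!r}")
        if p.fqdn.lower() in seen_ids or p.name in seen_names:
            raise ValueError(f"{p.name}: duplicate rightid or conn name")
        seen_ids.add(p.fqdn.lower())
        seen_names.add(p.name)

def render_conn(p, left, leftid, left_subnet):
    return "\n".join([
        f"conn {p.name}",
        "\tkeyexchange = ikev2",  # IKEv1 main mode + PSK cannot pick a secret by ID
        "\tauthby = psk",
        f"\tleft = {left}",
        f"\tleftid = fqdn:{leftid}",
        f"\tleftsubnet = {left_subnet}",
        "\tright = %any",  # peer address unknown: this side only responds
        f"\trightid = fqdn:{p.fqdn}",
        f"\trightsubnet = {p.right_subnet}",
        "\tauto = add",  # load the conn and wait for the dynamic peer to initiate
        "",
    ])

def render_ipsec_conf(peers, left="203.0.113.10", leftid="side-a.example.com",
                      left_subnet="10.0.0.0/24"):
    validate_peers(peers)
    return "\n".join(render_conn(p, left, leftid, left_subnet) for p in peers)

SAMPLE_PEERS = [Peer("side-b", "side-b.example.com", "10.1.0.0/24"),  # constructed
                Peer("side-c", "side-c.example.com", "10.2.0.0/24"),
                Peer("side-d", "side-d.example.com", "10.3.0.0/24")]
```

`render_ipsec_conf(SAMPLE_PEERS)` returns the three `conn` sections; the matching PSKs would still have to be keyed by identity in ipsec.secrets.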

#3 Updated by Jim Pingle about 1 year ago

Yes, hence "Room for improvement".

The subject and description imply it isn't possible at all. No mention of multiples.

#4 Updated by Vladimir Dzhivsanov about 1 year ago

Why don't you want to implement it?

#5 Updated by Jim Pingle about 1 year ago

Where did I say that? It might be nice to have eventually. This is still open, not rejected. But it's not as simple as you imply due to other areas that make assumptions on the contents of the remote peer. It could be done, just not right this moment.

#6 Updated by Vladimir Dzhivsanov about 1 year ago

The IPsec settings of pfSense are only a wrapper for strongSwan.
You need only generate a correct ipsec.conf from the web form.
What difficulties do you mean?

#7 Updated by Jim Pingle about 1 year ago

Other areas of pfSense assume things about that address, like making static routes for the peer, setting up DNS monitoring for hostnames, etc. It's nowhere near as simple as you imply.

#8 Updated by lama lord about 1 year ago

Jim Pingle wrote:

We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.

Do you mean that a DynDNS hostname can only be used for one peer (in an environment where there are multiple IPsec site-to-site tunnels)?

Because I never got it working to set up 3+ site-to-site IPsec tunnels using a DynDNS hostname as the remote gateway... my pfSense acts strange and it crashes after a while.

#9 Updated by Jim Pingle about 1 year ago

It can be used for any number of tunnels. If you have support questions, please take them to the forum or pfSense subreddit.

#10 Updated by Viktor Gurov about 1 month ago

  • Status changed from New to Closed

Implemented in #7095 and #10214

#11 Updated by Jim Pingle 3 days ago

  • Target version changed from Future to 2.5.0

#12 Updated by Jim Pingle about 16 hours ago

  • Status changed from Closed to Duplicate
  • Target version deleted (2.5.0)
