
Feature #9768

IPsec for site-to-site scenario where one side has dynamic ip

Added by Vladimir Dzhivsanov about 1 month ago. Updated 28 days ago.

Status: New
Priority: Very Low
Assignee: -
Category: IPsec
Target version:
Start date: 09/16/2019
Due date:
% Done: 0%
Estimated time:

Description

In practice, really many sysadmins need to configure an IPsec tunnel for the situation in the subject.

I have seen similar issues:

The pfSense team has ignored this IPsec scenario. But implementation of the scenario is very easy.

For example:
right = %any
...
rightid = fqdn:side-b.example.com

You must look into strongSwan docs:
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection#leftright-End-Parameters

History

#1 Updated by Jim Pingle about 1 month ago

  • Category set to IPsec
  • Priority changed from Normal to Very Low
  • Target version set to Future

We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.

#2 Updated by Vladimir Dzhivsanov about 1 month ago

Jim Pingle wrote:

We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.

But 0.0.0.0 can be used only for one ipsec tunnel.

strongSwan supports this:

conn 1:
right = %any
...
rightid = fqdn:side-b.example.com

conn 2:
right = %any
...
rightid = fqdn:side-c.example.com

conn 3:
right = %any
...
rightid = fqdn:side-d.example.com

#3 Updated by Jim Pingle about 1 month ago

Yes, hence "Room for improvement".

The subject and description imply it isn't possible at all. No mention of multiples.

#4 Updated by Vladimir Dzhivsanov about 1 month ago

Why don't you want to implement it?

#5 Updated by Jim Pingle about 1 month ago

Where did I say that? It might be nice to have eventually. This is still open, not rejected. But it's not as simple as you imply due to other areas that make assumptions on the contents of the remote peer. It could be done, just not right this moment.

#6 Updated by Vladimir Dzhivsanov about 1 month ago

The IPsec settings of pfSense are only a wrapper for strongSwan.
You only need to generate a correct ipsec.conf from the web form.
What difficulties do you mean?
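An added example (not code from pfSense or from anyone in this thread) of what "generate ipsec.conf from the web form" would mean for the multi-peer case shown in comment #2: a small Python renderer that emits one conn per dynamic peer, selected by rightid rather than by address. The hub address, hub FQDN, subnets and the peer list are constructed values; the ipsec.conf keywords used (keyexchange, left, leftid, leftsubnet, right, rightid, rightsubnet, auto) are standard strongSwan ones.

```python
# Constructed sample data: three remote sites with dynamic addresses.
SAMPLE_PEERS = [
    {"name": "side-b", "fqdn": "side-b.example.com", "subnet": "10.2.0.0/24"},
    {"name": "side-c", "fqdn": "side-c.example.com", "subnet": "10.3.0.0/24"},
    {"name": "side-d", "fqdn": "side-d.example.com", "subnet": "10.4.0.0/24"},
]


def duplicate_ids(peers):
    """Return rightid values that appear more than once, in first-seen order.

    With right=%any the peer's IKE identity is the only thing that selects a
    conn, so a duplicate rightid would silently shadow the earlier conn.
    """
    seen, dups = set(), []
    for p in peers:
        rid = "fqdn:%s" % p["fqdn"]
        if rid in seen and rid not in dups:
            dups.append(rid)
        seen.add(rid)
    return dups


def render_ipsec_conf(hub_ip, hub_fqdn, hub_subnet, peers):
    """Render the hub ("left") side of ipsec.conf for any number of dynamic peers."""
    dups = duplicate_ids(peers)
    if dups:
        raise ValueError("duplicate rightid: %s" % ", ".join(dups))
    lines = [
        "conn %default",
        "\tkeyexchange=ikev2",   # IKEv2 sends IDs before AUTH, so per-identity matching works
        "\tleft=%s" % hub_ip,
        "\tleftid=fqdn:%s" % hub_fqdn,
        "\tleftsubnet=%s" % hub_subnet,
        "\tright=%any",          # peer address is not known in advance
        "\tauto=add",            # the hub cannot initiate towards %any; it waits for the peer
        "",
    ]
    for p in peers:
        lines += [
            "conn %s" % p["name"],
            "\trightid=fqdn:%s" % p["fqdn"],   # identity the peer must assert and prove
            "\trightsubnet=%s" % p["subnet"],
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ipsec_conf("203.0.113.1", "hub.example.com", "10.1.0.0/24", SAMPLE_PEERS))
```

The peer still has to authenticate that identity (a certificate whose subjectAltName matches the rightid, or an IKEv2 PSK bound to that identity), since with right=%any the source address proves nothing.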

#7 Updated by Jim Pingle about 1 month ago

Other areas of pfSense assume things about that address, like making static routes for the peer, setting up DNS monitoring for hostnames, etc. It's nowhere near as simple as you imply.

#8 Updated by lama lord 28 days ago

Jim Pingle wrote:

We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.

Do you mean that a DynDNS hostname can only be used for one peer (in an environment where there are multiple IPsec site-to-site tunnels)?

Because I never got it working to set up 3+ site-to-site IPsec tunnels using a DynDNS hostname as the remote gateway... my pfSense acts strange and it crashes after a while.

#9 Updated by Jim Pingle 28 days ago

It can be used for any number of tunnels. If you have support questions, please take them to the forum or pfSense subreddit.
