Feature #9768
closed
- Category set to IPsec
- Priority changed from Normal to Very Low
- Target version set to Future
We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.
Jim Pingle wrote:
We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.
But 0.0.0.0 can be used only for one ipsec tunnel.
strongSwan supports this:
conn 1
    right = %any
    ...
    rightid = fqdn:side-b.example.com
conn 2
    right = %any
    ...
    rightid = fqdn:side-c.example.com
conn 3
    right = %any
    ...
    rightid = fqdn:side-d.example.com
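As an added illustration of the strongSwan pattern in the comment above (example code, not part of the issue thread and not pfSense's own generator): with right=%any the responder can only tell tunnels apart by the peer's IKE identity, so a generator must require a rightid on every such conn and refuse duplicates. The peer list and the auto=add setting are constructed assumptions for the example.

```python
"""Render ipsec.conf 'conn' sections for several peers that all use
right=%any and are distinguished by rightid; reject sets that the
responder could not disambiguate."""
from typing import Dict, List

# Constructed peer list; the hostnames follow the thread's example.
PEERS = [
    {"name": "side-b", "rightid": "fqdn:side-b.example.com"},
    {"name": "side-c", "rightid": "fqdn:side-c.example.com"},
    {"name": "side-d", "rightid": "fqdn:side-d.example.com"},
]


def validate_peers(peers: List[Dict[str, str]]) -> List[str]:
    """Return the problems that make a set of right=%any conns ambiguous.

    strongSwan picks the conn for a peer at an unknown address by matching
    its IKE identity against rightid, so every conn needs a rightid and no
    two conns may share one. A single conn with %any and no identity is
    the one-tunnel limit the thread describes for 0.0.0.0.
    """
    problems = []
    seen: Dict[str, str] = {}
    for p in peers:
        rid = p.get("rightid")
        if not rid:
            problems.append(f"conn {p['name']}: right=%any needs a rightid")
            continue
        if rid in seen:
            problems.append(
                f"conn {p['name']}: rightid {rid} already used by conn {seen[rid]}")
        seen.setdefault(rid, p["name"])
    return problems


def render_ipsec_conf(peers: List[Dict[str, str]]) -> str:
    """Render the conn sections; raise if the set cannot be disambiguated."""
    problems = validate_peers(peers)
    if problems:
        raise ValueError("; ".join(problems))
    blocks = []
    for p in peers:
        # auto=add: load the conn and wait for the peer to initiate, since
        # with right=%any this side cannot know where to connect to.
        blocks.append(f"conn {p['name']}\n\tright=%any\n"
                      f"\trightid={p['rightid']}\n\tauto=add\n")
    return "\n".join(blocks)


if __name__ == "__main__":
    print(render_ipsec_conf(PEERS))
```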
Yes, hence "Room for improvement".
The subject and description imply it isn't possible at all. No mention of multiples.
Why don't you want to implement it?
Where did I say that? It might be nice to have eventually. This is still open, not rejected. But it's not as simple as you imply due to other areas that make assumptions on the contents of the remote peer. It could be done, just not right this moment.
The IPsec settings of pfSense are only a wrapper for strongSwan.
You only need to generate a correct ipsec.conf from the web form.
What difficulties do you mean?
Other areas of pfSense assume things about that address, like making static routes for the peer, setting up DNS monitoring for hostnames, etc. It's nowhere near as simple as you imply.
Jim Pingle wrote:
We have not ignored this. You can already do this now. Use DynDNS hostname for the peer, or other methods like using 0.0.0.0 for the remote peer address. There may be some room for improvement, though.
Do you mean that a DynDNS hostname can only be used for one peer (in an environment where there are multiple IPsec site-to-site tunnels)?
Because I never got it working to set up 3+ site-to-site IPsec tunnels using a DynDNS hostname as the remote gateway... my pfSense acts strange and crashes after a while.
It can be used for any number of tunnels. If you have support questions, please take them to the forum or pfSense subreddit.
- Status changed from New to Closed
- Target version changed from Future to 2.5.0
- Status changed from Closed to Duplicate
- Target version deleted (2.5.0)