Retired > 2.2.5 Snapshot Feedback and Issues

VPN: IPsec gateway will not connect when using Dynamic DNS


Tacoma:
I have a working configuration that I make one change to (moving from fixed IP to dyndns), and it stops working.
This is either a bug, or admittedly I might be doing something wrong.


Currently testing with:

2.2.5-DEVELOPMENT (amd64)
built on Sat Jul 25 19:57:37 CDT 2015
FreeBSD 10.1-RELEASE-p15

Note, I originally tested with 2.2.4 with the same results, then applied the gitsync update to move from 2.2.4 to 2.2.5

This pfsense router sits behind another WAN router with tcp ports open that allows the VPN to function. I have a working configuration that has My Identifier configured as the IP address with the public IP address of the WAN router (see config images below).

The configuration used is a working ipsec IKE V2 with P2 ESP.
The second image shows a configuration with a single change to the working configuration, setting My Identifier to Dynamic DNS, which does not work. Some of the confidential configuration settings have been changed to generic values, but you will get the idea looking at the images.

The first configuration works.


This second configuration using Dynamic DNS does NOT work.

Tacoma:
Here are some of the errors shown in the IPsec logs:

Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> constraint requires public key authentication, but pre-shared key was used
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> no alternative config found
Oct 16 08:46:23    charon: 09[IKE] <bypasslan|554> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 16 08:46:23    charon: 09[IKE] <bypasslan|554> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 16 08:46:23    charon: 09[ENC] <bypasslan|554> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
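As an added example (not part of the thread, and not pfSense or strongSwan code), the following Python script parses charon log lines in the format quoted above, groups them by IKE SA id and flags the authentication-method mismatch that precedes the `N(AUTH_FAILED)` response. The sample log text is the set of lines posted above; the `expected_conn` value `con1` is an assumed placeholder for the intended tunnel's connection name, since the thread does not give it.

```python
import re
from collections import defaultdict

# Constructed sample: the charon lines quoted in the post above.
SAMPLE_LOG = """\
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> constraint requires public key authentication, but pre-shared key was used
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> no alternative config found
Oct 16 08:46:23    charon: 09[IKE] <bypasslan|554> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 16 08:46:23    charon: 09[ENC] <bypasslan|554> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Matches: "<month> <day> <time>    charon: <thread>[<subsystem>] <<conn>|<sa-id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+charon: "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)

PSK_VS_PUBKEY = "constraint requires public key authentication, but pre-shared key was used"


def parse_charon_line(line):
    """Return a dict of the line's fields, or None if it is not a charon IKE line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["thread"] = int(rec["thread"])
    rec["sa"] = int(rec["sa"])
    return rec


def analyze_ike_auth(log_text, expected_conn=None):
    """Group lines by IKE SA id and record why IKE_AUTH failed for each SA.

    expected_conn is the connection name the tunnel is supposed to match
    (assumed placeholder in the usage below); when the responder matched a
    different config, the peer's identity did not select the intended tunnel.
    """
    by_sa = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_charon_line(raw)
        if rec:
            by_sa[rec["sa"]].append(rec)

    results = {}
    for sa, recs in by_sa.items():
        msgs = [r["msg"] for r in recs]
        conn = recs[0]["conn"]
        results[sa] = {
            "conn": conn,
            "auth_failed": any("N(AUTH_FAILED)" in m for m in msgs),
            "psk_vs_pubkey": any(PSK_VS_PUBKEY in m for m in msgs),
            "no_alternative_config": any(m == "no alternative config found" for m in msgs),
            "wrong_conn": expected_conn is not None and conn != expected_conn,
        }
    return results


def diagnose(verdict):
    """Turn one SA's verdict into a one-line explanation for the operator."""
    if verdict["psk_vs_pubkey"] and verdict["auth_failed"]:
        reason = ("peer authenticated with a pre-shared key but the matched config "
                  "requires public-key (certificate) authentication")
        if verdict["wrong_conn"]:
            reason += ("; the matched config '%s' is not the intended tunnel, so the "
                       "peer identity did not select it" % verdict["conn"])
        return reason
    if verdict["auth_failed"]:
        return "IKE_AUTH failed for another reason; inspect the preceding [CFG] lines"
    return "no authentication failure recorded"


if __name__ == "__main__":
    # 'con1' is an assumed name for the intended tunnel, not from the thread.
    for sa, verdict in analyze_ike_auth(SAMPLE_LOG, expected_conn="con1").items():
        print("IKE SA %d (%s): %s" % (sa, verdict["conn"], diagnose(verdict)))
```

Run against the lines above, the script reports for SA 554 that the peer used a pre-shared key while the selected config demanded public-key authentication, and that the selected config is the fallback `bypasslan` entry rather than the intended tunnel. That combination is the signal to compare the identifier and authentication settings on both ends before assuming the tunnel itself is broken.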

Tacoma:
So far it is all quiet on this one.
Did I put this in the right topic?
If not, could a moderator move it to the correct topic, to see if anyone has any idea?

David_W:
It seems that once you change your identifier to Dynamic DNS, you have to use PKI, not a pre-shared key.

I would set up a CA in the Certificate Manager, issue the appropriate server and client certificates, then reconfigure accordingly.

shadowset:

--- Quote from: David_W on October 24, 2015, 02:33:49 pm ---It seems that once you change your identifier to Dynamic DNS, you have to use PKI, not a pre-shared key.

I would set up a CA in the Certificate Manager, issue the appropriate server and client certificates, then reconfigure accordingly.

--- End quote ---

That would be a workaround. There's no reason why using Dynamic DNS as your identifier still shouldn't work.
