Hi, I am trying to set up an IPsec VPN between a fixed-IP central location and a dynamic-IP branch office. It works well once established, but when the public IP of the branch office changes, it never re-establishes again. I guess I misunderstood the "dead peer detection" mechanism, which I hoped would take care of realising the other side is dead and try to re-negotiate.
Is my ipsec.conf below optimal for such a setup? Is it OK to use "dynamic" on both sides, or should I use "passive" in the central office? Should I go for "aggressive" instead of "main" in the branch office?

I can re-establish the VPN by restarting no-ip2 on the branch host, manually restarting isakmpd, flushing SAs and reloading ipsec.conf with ipsecctl after both hosts become aware that gate.noip.me points to a new address. Should I script this with some pinger, or is there a better way to accomplish my goal?

Thank you in advance.

ipsec.conf:

# central config
lan_central = "192.168.33.0/24"
lan_branche = "10.30.8.0/22"
gw_central  = "vpn.example.org"   # <--- static
gw_branche  = "gate.noip.me"      # <--- noip dynamic dns

ike dynamic esp from $gw_central to $gw_branche \
        main  auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
        quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
        psk "hackme"

ike dynamic esp from $lan_central to $lan_branche peer $gw_branche \
        main  auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
        quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
        psk "hackme"

# branch config
lan_central = "192.168.33.0/24"
lan_branche = "10.30.8.0/22"
gw_central  = "vpn.example.org"   # <--- static
gw_branche  = "pppoe0"

ike dynamic esp from $gw_branche to $gw_central \
        main  auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
        quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
        psk "hackme"

ike dynamic esp from $lan_branche to $lan_central peer $gw_central \
        main  auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
        quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
        psk "hackme"

-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
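The manual recovery the poster describes (flush SAs, restart isakmpd, reload ipsec.conf once the dynamic name resolves to the new address) can be driven from cron by watching the DNS name on the central host. The script below is an added example, not from the original post or from OpenBSD; it assumes OpenBSD's dig(1), ipsecctl(8) and rcctl(8) are present, and the state-file path and the "run" argument are my own choices.

```shell
#!/bin/sh
# Added example: re-establish the IPsec tunnel to a dynamic-IP peer when
# its DNS name starts pointing somewhere else. Intended for the central
# host, run from cron every few minutes as: ipsec-watch.sh run

PEER_NAME="${PEER_NAME:-gate.noip.me}"                # dynamic peer from the post
STATE_FILE="${STATE_FILE:-/var/db/ipsec-peer-addr}"   # assumed path, last seen address
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"

# Keep only the first IPv4 address from stdin (dig +short may print a
# CNAME target first; a non-address line is skipped, not mis-parsed).
first_ipv4() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | head -n 1
}

# Resolve the peer's A record; prints nothing if DNS is unavailable.
resolve_peer() {
    dig +short "$1" A 2>/dev/null | first_ipv4
}

# True (exit 0) only when we got a fresh address and it differs from the
# cached one. An empty lookup result must NOT trigger a teardown.
addr_changed() {
    old="$1" new="$2"
    [ -n "$new" ] && [ "$old" != "$new" ]
}

# Same steps the poster performs by hand: flush SAs and flows, restart
# isakmpd, then reload the rules so ipsecctl re-resolves $gw_branche.
reestablish() {
    ipsecctl -F
    rcctl restart isakmpd
    ipsecctl -f "$IPSEC_CONF"
}

main() {
    new=$(resolve_peer "$PEER_NAME")
    old=$(cat "$STATE_FILE" 2>/dev/null)
    if addr_changed "$old" "$new"; then
        logger -t ipsec-watch "peer $PEER_NAME moved from ${old:-none} to $new, re-establishing"
        reestablish
        printf '%s\n' "$new" > "$STATE_FILE"
    fi
}

case "${1:-}" in run) main ;; esac
```

Because ipsecctl resolves host names when the rules are loaded, a reload after the name changes is what actually updates the policy; the state file keeps the script from tearing the tunnel down on every run.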

