On 2015-12-01, Marko Cupać <marko.cu...@mimar.rs> wrote:
> Hi,
>
> I am trying to set up an IPsec VPN between a fixed-ip central location and
> a dynamic-ip branch office. It works well once established, but when the
> public ip of the branch office changes, it never re-establishes again. I
> guess I misunderstood the "dead peer detection" mechanism, which I hoped
> would take care of realising the other side is dead, and then try to
> re-negotiate.
>
> Is my ipsec.conf below optimal for such a setup? Is it ok to use
> "dynamic" on both sides or should I use "passive" in the central office?
> Should I go for "aggressive" instead of "main" in the branch office?

Do not use aggressive mode.

> I can re-establish VPN by restarting no-ip2 on branch host, manually
> restarting isakmpd, flushing SAs and reloading ipsec.conf with
> ipsecctl after both hosts become aware that gate.noip.me points
> to a new address. Should I script this with some pinger, or is there a
> better way to accomplish my goal?
>
> Thank you in advance.
>
> ipsec.conf:
> # central config
> lan_central = "192.168.33.0/24"
> lan_branche = "10.30.8.0/22"
> gw_central =  "vpn.example.org" # <--- static
> gw_branche =  "gate.noip.me" # <--- noip dynamic dns
>
>
> ike dynamic esp from $gw_central to $gw_branche \
>    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    psk "hackme"
> 
> ike dynamic esp from $lan_central to $lan_branche peer $gw_branche \
>    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    psk "hackme"

Neither isakmpd nor iked tracks DNS changes. On the central side use
"passive" not "dynamic". Remove the "peer $gw_branche" to set this for the
'default peer' (i.e. to avoid matching on IP address).

Do you really need the first flow? It will simplify things if you can restrict
yourself to $lan_branche addresses and just have the second flow. (Otherwise
because you want to use the 'default peer' you'll need to collapse these into
a single rule with "to any").

It might be easier to get the basic setup working with psk first, but when
you have that up and running, see the PUBLIC KEY AUTHENTICATION section
in isakmpd(8) and get that set up; it is pretty simple to use and much safer
than psk.

> # branch config
> lan_central = "192.168.33.0/24"
> lan_branche = "10.30.8.0/22"
> gw_central =  "vpn.example.org" # <--- static
> gw_branche =  "pppoe0"
>
>
> ike dynamic esp from $gw_branche to $gw_central \
>    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    psk "hackme"

See above "Do you really need the first flow?". (If you do, you're going
to need to at least monitor addresses on pppoe0 on the client side and
restart; it won't track changes automatically).

The aim is to avoid having anything in config files which references the
dynamic address.

> ike dynamic esp from $lan_branche to $lan_central peer $gw_central \
>    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    psk "hackme"

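Putting the reply's three changes together (use "passive" on the central side, drop "peer $gw_branche" from that rule so it applies to the default peer, and keep only the LAN-to-LAN flow so nothing in either file references the dynamic address) gives the pair of ipsec.conf files below. This is an added example written for this page, not configuration posted by either correspondent; it reuses the poster's networks and proposal parameters, replaces the quoted PSK with an obvious placeholder, and assumes, as the reply states, that an ike rule without a peer keyword is matched against isakmpd's default peer rather than a fixed IP address.

```conf
# ---- central office: /etc/ipsec.conf (static public address) ----
lan_central = "192.168.33.0/24"
lan_branche = "10.30.8.0/22"

# "passive": only respond, never initiate, since the branch address is
# unknown in advance. No "peer" keyword, so the rule binds to the default
# peer instead of an IP that would go stale when the branch address changes.
ike passive esp from $lan_central to $lan_branche \
    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"   # placeholder, not a real key

# ---- branch office: /etc/ipsec.conf (dynamic pppoe0 address) ----
lan_central = "192.168.33.0/24"
lan_branche = "10.30.8.0/22"
gw_central  = "vpn.example.org"   # static, safe to reference by name

# "dynamic" on the side that initiates; the peer is the static central
# gateway, so this file never mentions the branch's own changing address.
ike dynamic esp from $lan_branche to $lan_central peer $gw_central \
    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"   # must match the central side
```

Both files can be checked before loading with ipsecctl -n -f /etc/ipsec.conf. The gateway-to-gateway flow from the original post is intentionally absent: as the reply notes, it is the rule that would force a restart every time the pppoe0 address moves, and once the PSK version works the psk lines are the natural place to switch to the public key authentication described in isakmpd(8).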