The tunnel would drop on both sides guaranteed, no way around that. (Also because your IP will never change while connected.) The pfSense box comes back up and gets a new IP. Now it updates the dynamic DNS name. Your tunnel partner now knows your new IP via Dynamic DNS updates.

You also would have to use something other than IP address for identifier.

Thanks
John

-----Original Message-----
From: Angelo Turetta [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 23, 2005 3:27 PM
To: [email protected]
Subject: Re: [pfSense Support] Dynamic DNS ON BOTH ENDPOINTS

> On 11/23/05, Angelo Turetta <[EMAIL PROTECTED]> wrote:
>> > This is probably not an incredibly difficult thing to fix.
>>
>> If I understand correctly, IPSEC tunnels can only be specified by means of their actual endpoints inside the SPD tables.
>>
>> Angelo.
>
> Here's how it works. When the IP changes dhclient kicks off a script which then reconfigures the tunnel. This should work now.

Yes, fine. And who's gonna tell your tunnel partner your address has changed and their SPD must be changed? Do you have a protocol for doing that in a standard way? What if you have a Cisco router on the other side?

That's why I say it's not going to work. The tunnel definition on BOTH endpoints must be synced before the tunnel can be re-established.

IPSEC tunnel mode can only be established (without external software) between fixed addresses. That's why Cisco & MS use L2TP, which is actually PPTP over Host Mode ESP.

Angelo.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
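John's point that the identifier has to be "something other than IP address" is what makes a dynamic-endpoint IPsec peer workable at all. The ipsec-tools racoon.conf fragment below is an added illustration for readers of this thread; it is not a configuration posted by either correspondent or shipped by pfSense. It shows a responder that accepts IKE from any address and recognises the peer by an FQDN identity instead, and lets racoon install the SPD entries from whatever addresses were negotiated, so the responder's SPD does not have to be rewritten by hand when the peer's address changes. Hostnames, the PSK file path and the proposal parameters are assumed placeholders.

```conf
# Added example racoon.conf (ipsec-tools), not from this thread or from pfSense.
# Responder side: the remote peer's address is unknown in advance.
# Hostnames and the PSK path are assumed placeholders.

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# "anonymous" accepts IKE from any source address. The peer is identified by
# the FQDN it presents in IKE phase 1, not by the IP it currently holds.
remote anonymous {
        # Aggressive mode carries the ID in the first message, which is what
        # allows a PSK to be selected by FQDN when the peer's IP is unknown.
        exchange_mode aggressive, main;
        my_identifier fqdn "site-a.example.dyndns.invalid";
        peers_identifier fqdn "site-b.example.dyndns.invalid";
        # Reject the negotiation if the presented ID is not the one above.
        verify_identifier on;
        # Install SPD entries from the negotiated endpoints and the sainfo
        # below, so a changed peer address needs no manual SPD edit here.
        generate_policy on;
        nat_traversal on;
        # Dead peer detection lets the old SA be torn down after the peer
        # re-addresses, instead of lingering until its lifetime expires.
        dpd_delay 20;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

In psk.txt the key is then looked up by the peer's FQDN string rather than by address. Two caveats a practitioner should weigh: aggressive mode sends the PSK-derived authentication hash before encryption is established, so anyone on the path can capture it for offline guessing, and the usual hardening is to pair `remote anonymous` with certificate authentication (`authentication_method rsasig`) in main mode instead; and this fragment only solves the responder's half of the problem. The side that initiates still has to learn the peer's current address, which is exactly the dynamic DNS update John describes above.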
