OPNsense Forum

English Forums => 19.1 Legacy Series => Topic started by: Androxin on April 08, 2019, 08:51:10 pm

Title: IPSec site-to-site with dynamic IPs
Post by: Androxin on April 08, 2019, 08:51:10 pm
Hey,

I'm just getting desperate about the following assignment.

I need an IPsec VPN tunnel to connect two sites.

In the office is a normal DSL connection with a dynamic IP.  There I have a dyndns domain.

In the LAN are several VLANs/networks (172.17.10.0/24, 172.17.20.0/24, ...) available.

There, OPNsense is used as a firewall/router/DHCP.


On the other site, I have a MikroTik LTE router.  Of course, this router also gets a dynamic IP from the provider.

There is the LAN 172.18.1.0/24 configured.



Actually I wanted to use OpenVPN.  Since OPNsense has problems with the routing entries, I gave up at some point and tried IPsec.

But now I got stuck as well.


Basically the connection seems to work.  In phase 1 the remote peer is 0.0.0.0.
Authentication via FQDN.

However, the tunnel is not completely built.

In the log of the OPNsense it says that no virtual IP could be found.



Apr 6 23:06:53 charon: 09[IKE] <con1|556> failed to establish CHILD_SA, keeping IKE_SA
Apr 6 23:06:53 charon: 09[IKE] <con1|556> configuration payload negotiation failed, no CHILD_SA built
Apr 6 23:06:53 charon: 09[IKE] <con1|556> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Apr 6 23:06:53 charon: 09[IKE] <con1|556> no virtual IP found for %any requested by 'remote.de'
Apr 6 23:06:53 charon: 09[IKE] <con1|556> peer requested virtual IP %any


Can someone tell me what the message is about and how to fix it?
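The five charon lines above (shown newest first, as the OPNsense log view prints them) record one sequence: the remote peer sent a configuration payload asking for a virtual IP ("peer requested virtual IP %any"), which is what a mobile/road-warrior client does; a plain site-to-site entry has no address pool to hand out, so charon answers INTERNAL_ADDRESS_FAILURE, the CHILD_SA is not built, and only the IKE_SA stays up. The script below is an added example, not from the original post or from OPNsense/strongSwan: it parses charon syslog lines, groups them per IKE_SA (connection name plus unique id) and classifies each SA, so the same failure pattern can be spotted in a longer log. The function names, the SAMPLE_LOG constant and the two extra lines for SA 557 (with documentation IP addresses and made-up SPIs) are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: SA 556 is the failing exchange quoted in the post
# (newest line first); SA 557 is a made-up successful site-to-site CHILD_SA
# added for contrast. Addresses are documentation ranges, SPIs are invented.
SAMPLE_LOG = """\
Apr 6 23:06:53 charon: 09[IKE] <con1|556> failed to establish CHILD_SA, keeping IKE_SA
Apr 6 23:06:53 charon: 09[IKE] <con1|556> configuration payload negotiation failed, no CHILD_SA built
Apr 6 23:06:53 charon: 09[IKE] <con1|556> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Apr 6 23:06:53 charon: 09[IKE] <con1|556> no virtual IP found for %any requested by 'remote.de'
Apr 6 23:06:53 charon: 09[IKE] <con1|556> peer requested virtual IP %any
Apr 6 23:09:12 charon: 11[IKE] <con1|557> CHILD_SA con1{3} established with SPIs c0ffee01_i deadbe02_o and TS 172.17.10.0/24 === 172.18.1.0/24
Apr 6 23:09:12 charon: 11[IKE] <con1|557> IKE_SA con1[557] established between 203.0.113.10[office.example]...198.51.100.20[remote.de]
"""

# Layout of a charon syslog line: "<Mon D HH:MM:SS> charon: <thread>[<subsystem>] <conn|id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)>\s+(?P<msg>.*)$"
)


def parse_charon(lines):
    """Parse charon syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def diagnose(events):
    """Classify every IKE_SA (conn name, unique id) by the messages it logged.

    The checks are order-independent, so they work on newest-first log views
    such as the one in the post as well as on chronological files.
    """
    by_sa = defaultdict(list)
    for e in events:
        by_sa[(e["conn"], e["ike_id"])].append(e["msg"])

    findings = {}
    for sa, msgs in by_sa.items():
        if any("established with SPIs" in m for m in msgs):
            findings[sa] = "CHILD_SA_ESTABLISHED"
        elif (any(m.startswith("peer requested virtual IP") for m in msgs)
              and any("no virtual IP found" in m for m in msgs)):
            # Peer behaves like a mobile client, but this side has no pool:
            # IKE_SA stays up, no CHILD_SA, INTERNAL_ADDRESS_FAILURE sent.
            findings[sa] = "PEER_WANTS_VIRTUAL_IP_NO_POOL"
        elif any("failed to establish CHILD_SA" in m for m in msgs):
            findings[sa] = "CHILD_SA_FAILED_OTHER"
        else:
            findings[sa] = "NO_CHILD_SA_RESULT"
    return findings


def requested_ids(events):
    """Return the peer identities that asked for a virtual IP ('requested by ...')."""
    ids = set()
    for e in events:
        m = re.search(r"requested by '([^']+)'", e["msg"])
        if m:
            ids.add(m.group(1))
    return ids


if __name__ == "__main__":
    ev = parse_charon(SAMPLE_LOG.splitlines())
    for sa, verdict in sorted(diagnose(ev).items()):
        print(f"{sa[0]}|{sa[1]}: {verdict}")
    print("virtual IP requested by:", ", ".join(sorted(requested_ids(ev))))
```

Run against a real log, replace SAMPLE_LOG with the lines from /var/log/ipsec.log (or the OPNsense IPsec log view) and look for PEER_WANTS_VIRTUAL_IP_NO_POOL: that verdict means the remote end is configured as a client expecting an address assignment, not as a site-to-site peer, which is a configuration mismatch rather than a crypto or authentication problem.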
Title: Re: IPSec site-to-site with dynamic IPs
Post by: franco on April 09, 2019, 08:44:48 am
Are you trying to build a mobile peer? It doesn't look like site-to-site.

19.1.5 has an option for normal Phase 1 entries to mark them "dynamic", and you would have to use it on both Phase 1 entries on both sides.


Cheers,
Franco