OPNsense Forum

English Forums => Virtual private networks => Topic started by: anomaly0617 on March 04, 2022, 03:20:05 am

Title: Phase 1 Key Lifetime setting for mobile connections
Post by: anomaly0617 on March 04, 2022, 03:20:05 am
I've set up hundreds of PPTP, IPSec, L2TP, and OpenVPN connections over the years, so I wouldn't consider myself a NEWB on this topic. But this is the first time I've set one up where the internet has the potential to be this spotty.

I need a "site-to-site" connection between a stationary, physical location with fiber and (get this) a charter bus.

The charter bus has two cellular routers, one each from the leading carriers. Those come into a micro-firewall running OPNsense. And the charter bus is on the highway more often than not, so it's almost always near at least 1 or more cellular towers. But that's where the stability ends. The cellular providers both have agreed (for more money) to give us an APN that doesn't use C-NAT (Carrier-based NAT), so the IP address we see in each router is the IP address that OPNsense sees. This is a big deal because without this change, C-NAT is the default on cellular, and the cellular router has an IP address that Google's "What Is My IP" does not confirm. They also firewall off the traffic to the cellular router directly, so the IP address that you see on the cellular router isn't accessible... which means Dynamic DNS is worthless.

So, here's my question: Assuming I need bidirectional communication as much as possible, what are everyone's thoughts on setting the P1 Key Lifetime very low, like 30-600 seconds kind of low?

The present issue is that if I set that P1 key lifetime to anything normal (say, 3600-28800) and the bus goes through an area with no cellular signal, the VPN tunnel won't reconnect when it acquires cellular service again without me having to remote into both firewalls, disable the VPN tunnels on each one and Apply, then re-enable each one and Apply again. At 2 in the morning, this is really, really annoying.

Is there a precedent for this with strongSwan and OPNsense?

Thanks in advance!
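As an added illustration (not part of the post, and not the config OPNsense generates), here is how the bus side could express a short Phase 1 lifetime in a hand-written strongSwan swanctl.conf; the addresses, identities, subnets and secret are placeholders. The DPD and restart settings are the pieces that actually bring a tunnel back after a signal loss, since a short rekey interval only renews keys on a peer that still answers.

```conf
# Hypothetical bus-side swanctl.conf (added example). Assumes IKEv2 with PSK,
# a fixed public IP at the office, and bus LAN 10.20.0.0/24 <-> office 10.10.0.0/24.
connections {
    bus-to-office {
        version = 2
        local_addrs  = %any           # cellular WAN address may change
        remote_addrs = 203.0.113.10   # placeholder for the fixed site's public IP
        mobike = yes                  # keep the IKE SA when the WAN switches carrier

        # Phase 1 (IKE SA) lifetime, deliberately short as the post considers.
        # rand_time spreads rekeys so both peers do not rekey at the same instant.
        rekey_time = 600s
        over_time  = 60s
        rand_time  = 60s

        # Dead Peer Detection is what notices a lost cellular link.
        dpd_delay  = 30s

        keyingtries = 0               # retry indefinitely once signal returns
        proposals = aes256gcm16-sha384-ecp384

        local {
            auth = psk
            id = bus.example.net
        }
        remote {
            auth = psk
            id = office.example.net
        }

        children {
            lan {
                local_ts  = 10.20.0.0/24
                remote_ts = 10.10.0.0/24
                esp_proposals = aes256gcm16-ecp384
                rekey_time   = 1800s    # Phase 2 (CHILD SA) lifetime
                start_action = start    # bring the tunnel up at boot, not on first packet
                dpd_action   = restart  # on DPD timeout, re-initiate instead of waiting
                close_action = restart  # if the peer tears it down, reopen it
            }
        }
    }
}

secrets {
    ike-bus {
        id-1 = bus.example.net
        id-2 = office.example.net
        secret = "PLACEHOLDER-change-me"
    }
}
```

Only the initiating side needs `start_action = start`; the fixed site can leave its child SA as a trap policy and let the bus re-establish the tunnel whenever it regains connectivity.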