1
General Discussion / IPsec site2site VPN with dynamic IPs on both sides
« on: May 10, 2019, 10:20:04 am »
Hi All!
I have a problem with our home2home IPsec VPN tunnel (site2site mode). I know IPsec with dynamic IPs on both ends do not play well (even not supposed to), but we cannot get static public IPs from out ISP. Above this, we must use IPsec, because the other end have a Mikrotik router, wich supports IPsec AES hardware accelerationm but do not support OpenVPN hardware acceleration. Because this "limitation", with IPsec, we have about 280-300 Mbps throughput (on 1000/300 Mbit internet connections both sides), with OpenVPN, only 3-5 Mbps available, which is not enough for us.
I'm running OPNsense 19.1.7 at home (on a Xeon E3, AES-NI capable CPU), with a PPPoE internet connection, which has dynamic public IPv4 address, with DynDNS refresh service enabled, which changes about 3 days (ISP session timneout).
The other end have a Mikrotik HEX (RB750Gr3), with AES hardware acceleration support on IPsec. That connection is the same, PPPoE dynamic IPv4 address with DynDNS.
The problem is, when the other end (the Mikrotik's) IPv4 address changes, my side did not recognise this (DPD activated both sides), and does not update/reinit/restart the IPsec stack to refresh the IP address associated with the FQDN I used in the configuration. This happen even I switch on the "Dynamic gateway" options in phase 1 settings. The config page suggests that the other end's address refreshed on startup/update, but this only happens when I press Save on the page (even without any changes) and the press Apply at the top. FQDN to address never ever updated any other ways (automatically).
At the other end, I wrote a little script for the MT router, which checks the tunnel availability, and if no answer received, it refreshes the IP addresses in IPsec configuration on the MT. This way, when my IP address changes, the other end reconnects in a minute automatically.
Are there any (semi)official solution exists or planned like this on OPNsense side, or I must start to write a cron-managed script for my side, that works like the MT side one?
I can't restart IPsec on a timely basis (for ex. at night), because the IP address changes do not happen at the same time.
Do any body have any solution on this?
I have a problem with our home2home IPsec VPN tunnel (site2site mode). I know IPsec with dynamic IPs on both ends do not play well (even not supposed to), but we cannot get static public IPs from out ISP. Above this, we must use IPsec, because the other end have a Mikrotik router, wich supports IPsec AES hardware accelerationm but do not support OpenVPN hardware acceleration. Because this "limitation", with IPsec, we have about 280-300 Mbps throughput (on 1000/300 Mbit internet connections both sides), with OpenVPN, only 3-5 Mbps available, which is not enough for us.
I'm running OPNsense 19.1.7 at home (on a Xeon E3, AES-NI capable CPU), with a PPPoE internet connection, which has dynamic public IPv4 address, with DynDNS refresh service enabled, which changes about 3 days (ISP session timneout).
The other end have a Mikrotik HEX (RB750Gr3), with AES hardware acceleration support on IPsec. That connection is the same, PPPoE dynamic IPv4 address with DynDNS.
The problem is, when the other end (the Mikrotik's) IPv4 address changes, my side did not recognise this (DPD activated both sides), and does not update/reinit/restart the IPsec stack to refresh the IP address associated with the FQDN I used in the configuration. This happen even I switch on the "Dynamic gateway" options in phase 1 settings. The config page suggests that the other end's address refreshed on startup/update, but this only happens when I press Save on the page (even without any changes) and the press Apply at the top. FQDN to address never ever updated any other ways (automatically).
At the other end, I wrote a little script for the MT router, which checks the tunnel availability, and if no answer received, it refreshes the IP addresses in IPsec configuration on the MT. This way, when my IP address changes, the other end reconnects in a minute automatically.
Are there any (semi)official solution exists or planned like this on OPNsense side, or I must start to write a cron-managed script for my side, that works like the MT side one?
I can't restart IPsec on a timely basis (for ex. at night), because the IP address changes do not happen at the same time.
Do any body have any solution on this?