Dynamic IP Addresses and IKEv1 VPNs


#1 bpoindexter

  • Members
  • 4 posts

Posted 15 January 2019 - 09:40 AM

I have two sites that need a VPN tunnel between them. Site 1 has an F380 firewall and the ISP serving Site 1 issues static public IP addresses. Site 2 has a third party firewall and the ISP issues dynamic public IP addresses.

I know that with an IPSec / IKEv2 VPN tunnel, if I make Site 2 the caller, I can tell Site 1 that the caller has a dynamic public IP address and the tunnel will connect properly (this is done by specifying, in Site 1, that the IPSec / IKEv2 tunnel has a remote IP address of 0.0.0.0/0). This works, and works well, but I would prefer to have these VPN tunnels managed in GTI Editor. GTI Editor deals only in IPSec / IKEv1 and TINA. TINA is out since Site 2 is not a Barracuda NG firewall. I'm finding that IPSec / IKEv1 does not react well to specifying 0.0.0.0/0 as the remote gateway in Site 1, being unable to find a matching proposal being the gist of the error messages I get. The exact same IKEv1 config works if I specify the current IP address of Site 2 in Site 1's VPN tunnel definition.

Maybe this is a limitation of IKEv1 and there's no way to make it behave like IKEv2 and play nice with a dynamically addressed remote gateway. I wanted to put that exact question to this forum, however. Can an IKEv1 / IPSec tunnel defined on an NG firewall be made to work as a passive tunnel / responder only, when the caller has dynamic IP addresses?

If the answer to that is no, are there any plans in the future to make GTI Editor compatible with IPSec / IKEv2?



#2 Michael Zoller

  • Barracuda Team Members
  • 202 posts

Posted 17 January 2019 - 04:46 AM

For configuring IKEv1 tunnels with dynamic IP addresses, please check out this article on Barracuda Campus:

https://campus.barra...m/doc/73719165/