D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: dbonetti on October 19, 2009, 04:31:57 AM

Title: dfl-210 vpn dynamic ip
Post by: dbonetti on October 19, 2009, 04:31:57 AM
Is it possible to configure two DFL-210s with dns:server.example.com as the remote gateway for the IPsec tunnel?
Or how could I create a VPN tunnel between two offices without static IP addresses?
I made it work with two DFL-200s, but I can't with two DFL-210s with firmware 2.25.01.
Best regards,
Daniele
Title: Re: dfl-210 vpn dynamic ip
Post by: Fatman on October 19, 2009, 08:52:49 AM
Yes, it is possible. Depending on the firmware version you will either need to make an IP Address object with dns:FQDN as the address or fill in the field in the tunnel object directly with dns:FQDN.

Please ensure the DFL-210's have valid DNS servers listed for themselves.
Title: Re: dfl-210 vpn dynamic ip
Post by: dbonetti on October 19, 2009, 10:07:17 AM
I have firmware 2.25.01, downloaded yesterday, but this kind of configuration doesn't work. It seems that the DNS address of the remote gateway doesn't resolve.
I've set DNS1 correctly.
If I put the remote GW address in numeric format, all is fine.
Anything else to check?

Many thanks.
Daniele
Title: Re: dfl-210 vpn dynamic ip
Post by: Fatman on October 19, 2009, 10:15:57 AM
When you use that DNS server on say a PC does the DNS name resolve?

It allows you to enter it into the field without errors?

Do you get errors when you save and activate?
Title: Re: dfl-210 vpn dynamic ip
Post by: dbonetti on October 19, 2009, 12:55:51 PM
When I use that DNS, the PC resolves well (I tried 2 or three different services).
When I enter the value dns:myser.dyndns.org I get no error in the validation of the field or in the save and activate.
Title: Re: dfl-210 vpn dynamic ip
Post by: Fatman on October 19, 2009, 01:13:58 PM
Do you get a log entry saying that it can't resolve that DNS name?

And just to be clear you did attempt to route out to the VPN from both sides during your testing right?
Title: Re: dfl-210 vpn dynamic ip
Post by: dbonetti on October 19, 2009, 02:04:36 PM
In the log entries I didn't see any kind of DNS error.
Yes, from both sides I tried to start the VPN.

This is the log of the VPN error:

2009-10-20 00:08:38  Info     IPSEC  1800317  peer_is_dead      IPsec_tunnel_disabled  peer=192.168.1.1
2009-10-20 00:08:38  Info     IPSEC  1802708  ike_sa_destroyed  ike_sa_killed  ike_sa=" Initiator SPI ESP=0xd3f5a32f, AH=0x177868da Responder SPI "
2009-10-20 00:08:38  Warning  IPSEC  1802022  ike_sa_failed     no_ike_sa  statusmsg="Timeout" local_peer="127.0.0.1 ID No Id" remote_peer="192.168.1.1 ID No Id" initiator_spi="ESP=0xd3f5a32f, AH=0x177868da"
2009-10-20 00:08:38  Warning  IPSEC  1802715  event_on_ike_sa   side=Initiator msg="failed" int_severity=6
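The four log events above carry the facts the rest of the thread turns on: the IKE negotiation times out, and both local_peer and remote_peer are logged with "ID No Id", which is what Fatman's later suggestion to set the IPsec IDs addresses. The parser below, added here as an example and not code from the thread or from D-Link, reads NetDefend IPSEC events flattened to one line each (the one-line layout is my own flattening of the posted entries; the field names, event names and values are the ones in the post above, used as constructed sample input) and summarises IKE failures per remote peer, flagging the empty-identity case so it stands out when reading a longer log.

```python
"""Summarise NetDefend (DFL-210) IPSEC log events: IKE failures and dead peers.

Added example, not from the forum thread or from D-Link.  Each event is assumed
to be flattened to one line in the form
    date time severity category id event [reason] key=value key="quoted value" ...
which is how the entries posted in the thread read once the columns are joined.
"""
import re

# Constructed sample input: the four events from the post, one per line.
SAMPLE_LOG = """\
2009-10-20 00:08:38 Info IPSEC 1800317 peer_is_dead IPsec_tunnel_disabled peer=192.168.1.1
2009-10-20 00:08:38 Info IPSEC 1802708 ike_sa_destroyed ike_sa_killed ike_sa=" Initiator SPI ESP=0xd3f5a32f, AH=0x177868da Responder SPI "
2009-10-20 00:08:38 Warning IPSEC 1802022 ike_sa_failed no_ike_sa statusmsg="Timeout" local_peer="127.0.0.1 ID No Id" remote_peer="192.168.1.1 ID No Id" initiator_spi="ESP=0xd3f5a32f, AH=0x177868da"
2009-10-20 00:08:38 Warning IPSEC 1802715 event_on_ike_sa side=Initiator msg="failed" int_severity=6
"""

# Fixed header columns, then an optional bare "reason" token (a word that is
# not followed by "="), then the remainder holding key=value pairs.
HEADER = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<severity>\w+) (?P<category>\w+) (?P<id>\d+) (?P<event>\w+)"
    r"(?: (?P<reason>[A-Za-z_]+)(?= |$))?(?P<rest>.*)$"
)
# key="quoted value" or key=bare_value; quoted values may contain spaces and "=".
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# local_peer / remote_peer values look like "<address> ID <identity>".
PEER = re.compile(r"^(?P<addr>\S+) ID (?P<ident>.*)$")


def parse_line(line):
    """Parse one flattened event; returns a dict or None if the line does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    rest = entry.pop("rest")
    entry["fields"] = {key: quoted or bare for key, quoted, bare in KV.findall(rest)}
    return entry


def parse_log(text):
    """Parse every non-empty line, skipping lines that are not IPSEC events."""
    entries = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in entries if e is not None]


def dead_peers(entries):
    """Peer addresses for which the box logged peer_is_dead."""
    return {e["fields"]["peer"] for e in entries
            if e["event"] == "peer_is_dead" and "peer" in e["fields"]}


def diagnose(entries):
    """One finding per ike_sa_failed event: when, which peer, why, and whether
    neither side presented an IKE identity ("ID No Id" on both peers)."""
    findings = []
    for e in entries:
        if e["event"] != "ike_sa_failed":
            continue
        local = PEER.match(e["fields"].get("local_peer", ""))
        remote = PEER.match(e["fields"].get("remote_peer", ""))
        findings.append({
            "time": f"{e['date']} {e['time']}",
            "local": local.group("addr") if local else None,
            "remote": remote.group("addr") if remote else None,
            "status": e["fields"].get("statusmsg"),
            "reason": e["reason"],
            "no_identities": bool(local and remote
                                  and local.group("ident") == "No Id"
                                  and remote.group("ident") == "No Id"),
        })
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("dead peers:", sorted(dead_peers(events)))
    for f in diagnose(events):
        print(f"{f['time']} IKE to {f['remote']} failed: {f['status']} "
              f"({f['reason']}); no identities on either side: {f['no_identities']}")
```

Run it as a script to get the summary for the sample, or feed `parse_log()` the flattened output of a longer export; a failure whose `status` is "Timeout" and whose `no_identities` flag is set is the pattern this thread is about, while a DNS resolution problem would show up as a different event rather than this one (dbonetti reports seeing none).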
Title: Re: dfl-210 vpn dynamic ip
Post by: Fatman on October 19, 2009, 04:45:05 PM
Your problem isn't DNS, look over your IKE settings real closely, the problem will almost certainly lie on that tab.
Title: Re: dfl-210 vpn dynamic ip
Post by: Fatman on October 19, 2009, 04:45:48 PM
Though I would personally set the IPsec IDs on these machines to their DNS values to make the logs more meaningful, and because I am annoying like that.
Title: Re: dfl-210 vpn dynamic ip
Post by: dbonetti on October 20, 2009, 01:38:58 PM
If I put the IP address of the remote machine in the remote GW, the VPN comes up in a second.
If I put dns:myserver.dyndns.org I get the errors.
What kind of settings should I try in the IKE configuration?
Title: Re: dfl-210 vpn dynamic ip
Post by: Fatman on October 20, 2009, 02:02:43 PM
In that case my second suggestion (changing the IPsec ID value to your DNS values) should be your meal ticket.

Did you only have to enter in 1 IP manually, or both?
Title: Re: dfl-210 vpn dynamic ip
Post by: dbonetti on October 21, 2009, 05:26:08 AM
I tried with the DNS name in the ID and it doesn't work, leaving the gateway in numeric format.
I also tried with one IP and one DNS name, and with both DNS names, but nothing.
I need to set both as FQDNs, but if necessary I could have one static IP address.
Title: Re: dfl-210 vpn dynamic ip
Post by: Fatman on October 22, 2009, 08:45:42 AM
If you use 1 static and one FQDN does that work? That really should be no problem, but your network is teaching me not to make such statements. It sounds like you have some additional issue(s) if changing the IPsec ID affected your tunnel in that way.

It really would be easier if you call in so a tech here can just take a look at your config, wave their magic wand, and make all the problems go away.
Title: Re: dfl-210 vpn dynamic ip
Post by: fiffens on May 29, 2010, 07:53:41 AM
Did you find a solution? I have exactly the same problem. It works when I use the static ip address. Not dns:my.domain.com

I'm on firmware 2.26.01.
Title: Re: dfl-210 vpn dynamic ip
Post by: danilovav on May 29, 2010, 01:32:18 PM
What do you see in the logs?
Title: Re: dfl-210 vpn dynamic ip
Post by: fiffens on May 31, 2010, 11:15:59 AM
I see the same as dbonetti.

LOG:

2010-05-31 19:04:53  Info     IPSEC  1800317  peer_is_dead      IPsec_tunnel_disabled  peer=192.168.1.3
2010-05-31 19:04:53  Info     IPSEC  1802708  ike_sa_destroyed  ike_sa_killed  ike_sa=" Initiator SPI ESP=0xd0ea4930, AH=0xb7a0dabd Responder SPI "
2010-05-31 19:04:53  Warning  IPSEC  1802022  ike_sa_failed     no_ike_sa  statusmsg="Timeout" local_peer="127.0.0.1 ID No Id" remote_peer="192.168.1.3 ID No Id" initiator_spi="ESP=0xd0ea4930, AH=0xb7a0dabd"
2010-05-31 19:04:53  Warning  IPSEC  1802715  event_on_ike_sa   side=Initiator msg="failed" int_severity=6
Title: Re: dfl-210 vpn dynamic ip
Post by: fiffens on May 31, 2010, 01:19:27 PM
Looks like I found a solution to my problem. Instead of having the dns address of the remote endpoint in the address book, I entered the dns address directly in the config of the IPSec tunnel. Seems like a bug to me.