Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[dbonetti]

Is it possibile to configure two dfl-210 with dns:server.example.com as remote gateway for the ipsec tunnel?
Or how could I create a vpn tunnel between two offices without static ip address
I made it with two dfl-200 but I can't with two dfl-210 with firmware 2.25.01
best regards
Daniele

[Fatman]

Yes, it is possible.  Depending on the firmware version you will either need to make an IP Address object with dns:FQDN as the address or fill in the field in the tunnel object directly with dns:FQDN.

Please ensure the DFL-210's have valid DNS servers listed for themselves.

[dbonetti]

I've firmware 2.25.01 downloaded yesterday but this kind of configuration doesn't work. It seems that the dns address of the remote gateway ip doesn't resolve.
I've set the dns1 correctly.
if I put the remote gw address in numeric format all its fine
something else to check?

many thanks.
Daniele

[Fatman]

When you use that DNS server on say a PC does the DNS name resolve?

It allows you to enter it into the field without errors?

Do you get errors when you save and activate?

[dbonetti]

when I use that dns the pc resolves well (I tried 2 or tree different services)
when I enter the value dns:myser.dyndns.org I get no error in the validation of the field and in the save and activate.

[Fatman]

Do you get a log entry saying that is can't resolve that DNS name?

And just to be clear you did attempt to route out to the VPN from both sides during your testing right?

[dbonetti]

In the log entry I didn't see any kind of dns error
Yes from both side I tried to start the vpn

this is the log of the vpn error:

2009-10-20
00:08:38    Info    IPSEC
1800317          
   
   
   peer_is_dead
IPsec_tunnel_disabled
peer=192.168.1.1
2009-10-20
00:08:38    Info    IPSEC
1802708          
   
   
   ike_sa_destroyed
ike_sa_killed
ike_sa=" Initiator SPI ESP=0xd3f5a32f, AH=0x177868da Responder SPI "
2009-10-20
00:08:38    Warning    IPSEC
1802022          
   
   
   ike_sa_failed
no_ike_sa
statusmsg="Timeout" local_peer="127.0.0.1 ID No Id" remote_peer="192.168.1.1 ID No Id" initiator_spi="ESP=0xd3f5a32f, AH=0x177868da"
2009-10-20
00:08:38    Warning    IPSEC
1802715          
   
   
   event_on_ike_sa
side=Initiator msg="failed" int_severity=6

[Fatman]

Your problem isn't DNS, look over your IKE settings real closely, the problem will almost certainly lie on that tab.

[Fatman]

Though I would personally set the IPsec IDs on these machines to their DNS values to make the logs more meaningful, and because I am annoying like that.

[dbonetti]

If I put in the remotegw the ip address of the remote machine the vpn came up in a second
If I put dns:myserver.dyndns.org I get the errors
What kind of settings should I try in IKE configuration

[Fatman]

In that case my second suggestion (changing the IPsec ID value to your DNS values) should be your meal ticket.

Did you only have to enter in 1 IP manually, or both?

[dbonetti]

I tried with the dns in the ID and it doesn't work leaving the gateway in numeric format
I also tried with one IP and one dns and both dns but nothing
I need to set both as FQDN but if necessary I could have one static ip address

[Fatman]

If you use 1 static and one FQDN does that work? That really should be no problem, but your network is teaching me not to make such statements.  It sounds like you have some additional issue(s) if changing the IPsec ID effected your tunnel in that way.

It really would be easier if you call in so a tech here can just take a look at your config, wave their magic wand, and make all the problems go away.

[fiffens]

Did you find a solution? I have exactly the same problem. It works when I use the static ip address. Not dns:my.domain.com

I'm on firmware 2.26.01.

[danilovav]

What you see in logs?