  1. #1
    Untanglit
    Join Date
    Apr 2016
    Posts
    17

    IPSec VPN following WAN address

    Hi,

    We are evaluating Untangle 12 as our Sophos contract is expiring soon and it's always worth checking out the competitors.

    Anyway, all seems to work well except one thing: I cannot work out how to get the IPSec listen address to follow the WAN address when it changes.

    Background: we have a lot of satellite offices that use 3G/4G for internet access. These are DHCP WAN and the address changes a lot - this is set by the supplier cell modem and something we have no control over.
    Our remote sales staff are equipped with iPads that run the sales support software and connect to their home branch using the built-in Apple IPSec/L2TP client.
    When the WAN IP address changes, Untangle 12 updates the dynamic DNS fine, but it seems the IPSec listen address doesn't follow it.

    I'm limited to the Apple client as company policy will not allow OpenVPN or PPTP (insecure), so I need to work out if I'm doing something silly, or if this isn't possible in Untangle 12.

    This works fine in Sophos UTM, so I know it's possible...

    Many thanks

    Harry

  2. #2
    Master Untangler
    Join Date
    May 2016
    Location
    Singapore
    Posts
    101

    I actually just ran into the same problem as Harry!

    I am using Untangle at home and my ISP doesn't give me a static IP address. No issue as I have a DynDNS account and use the Dynamic DNS Service Configuration under Configuration -> Network to update the public hostname of the untangle server whenever the IP updates. VPN works until the IP changes.

    The problem is with the IPSec VPN app that under "VPN Config" tab only allows you to set an IP address as the "Server Listen Address". Even though I can add an address from the Add button called "External - 1.2.3.4" (Untangle knows this is the external IP) when the external IP changes Untangle does not update the configured IP and the VPN connection fails. You have to manually update the config to the new IP.

    Is it not possible to instruct the IPSec VPN app to listen on whatever the external IP address is or update the listen address dynamically if it changes?
    Last edited by anschmid; 05-23-2016 at 02:06 AM.

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Untangle IPsec does not support dynamic IPs.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Master Untangler
    Join Date
    May 2016
    Location
    Singapore
    Posts
    101

    Quote: Originally Posted by jcoffin
    Untangle IPsec does not support dynamic IPs.

    Hmm, according to the Untangle IPSec VPN Wiki it's recommended to use a static IP, but if you can't it should "technically" work:

    Can I use IPsec on a server that uses DHCP to get its external address?
    It is generally recommended to use IPsec VPN only on Untangle servers configured with static IPs. However, technically it can work with DHCP, but you will need to reconfigure the tunnel whenever the IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily.
    Source: https://wiki.untangle.com/index.php/IPsec_VPN

    Guess the question here is more why can't we configure the IPSec VPN app to listen on "WAN" and update the IP to whatever the WAN IP is or when it changes? This should be "technically" possible to do and supported?

    I have done this with pfSense and IPFire before with no issue. Maybe this is because Untangle is coming from a corporate environment, but if you're moving into home networks you'll need to deal with typical home setups that include non-static IPs.

  5. #5
    Master Untangler
    Join Date
    May 2016
    Location
    Singapore
    Posts
    101

    Just to be sure, I just connected my pfSense box again and indeed they bind the IPSec server to the interface, not the IP. Meaning the IPSec server is configured to listen on "WAN" (the interface) and doesn't really care what the WAN interface's IP address is. (Guess that's one of the reasons you configure "interfaces" in the first place.)

    In fact, when I replaced the Untangle box with the pfSense box, of course I had to reboot and that changed my public IP, but because I have Dynamic DNS set up I was able to VPN into the pfSense box no problem. When I put the Untangle box back and the IP changed again, I had to manually go in and change it to the new public IP to make it work.

    So there is no technical issue in supporting this, but it's of course a matter of "this is how we do things around here" vs a more open mindset.
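
The difference described in the post above (a listen address pinned to one IP versus an endpoint that follows the interface), shown as an added example that is not part of the original thread and is not Untangle's or pfSense's generated configuration. It assumes a strongSwan-style ipsec.conf; the connection names and the address 203.0.113.10 are constructed.

```conf
# Constructed example, assuming a strongSwan-style ipsec.conf.

# Pinned: the local endpoint is a literal address. After a DHCP renewal
# gives the WAN a new address, IKE requests arrive at an address this
# definition no longer matches, and clients fail until it is edited.
conn l2tp-pinned
    keyexchange=ikev1
    type=transport
    authby=secret
    left=203.0.113.10        # constructed WAN address at configuration time
    leftprotoport=17/1701    # L2TP over UDP
    right=%any               # roaming clients (e.g. the built-in Apple client)
    rightprotoport=17/%any
    auto=add

# Following: %any lets the daemon answer on whichever local address the
# client's request arrived at, so a WAN address change needs no edit.
conn l2tp-following
    keyexchange=ikev1
    type=transport
    authby=secret
    left=%any
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
```

With an unpinned local endpoint, which interface accepts IKE (UDP 500 and 4500) is decided by the firewall rules rather than by the tunnel definition, so those rules should admit it on the WAN interface only.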

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Let me clarify, dynamic IPs will work with Untangle IPsec but if the IP changes you will have to manually update the IPsec configuration. I use IPsec at home with a dynamic IP address. Even though it's dynamic, I have not seen a change in 8 months so it's fine.

  7. #7
    Master Untangler
    Join Date
    May 2016
    Location
    Singapore
    Posts
    101

    Having to manually update the IPSec VPN every time my IP changes is not realistic because most of the time I don't even know when this happens. The reason for the IPSec server is so I can VPN in when I am away. So if the IP changes while I am away I am locked out until I am back home and can "manually" update the IP.

    Untangle released a "Home subscription license" and you'll find that many homes are using dynamic IPs. So just to say our IPSec VPN doesn't work automatically with dynamic IPs is a bit counterproductive if you really want to offer a home solution.

  8. #8
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Homes rarely use IPsec.

  9. #9
    Master Untangler
    Join Date
    May 2016
    Location
    Singapore
    Posts
    101

    Quote: Originally Posted by jcoffin
    Homes rarely use IPsec.

    I am a home user, I want to use IPSec VPN and probably so does every other person who buys Untangle for home use. Also Harry, who started this thread, is probably not a home user yet has the same problem.

    Also I wonder, if home users rarely use VPN, why would every consumer router manufacturer from D-Link, Netgear and Asus put a VPN server in their high-end products. They are just providing users with features that rarely anybody uses for fun?
    Last edited by anschmid; 05-28-2016 at 12:52 AM.

  10. #10
    Master Untangler TirsoJRP's Avatar
    Join Date
    Oct 2010
    Posts
    468

    Those features are ignored by most users. I bet less than 10% of the buyers of high end consumer products use those features.
    They just want good WiFi, some might use storage, torrent client, access control... the eye catching stuff. The rest is for the advanced users who will also recommend those routers to the less tech savvy.
