Pre-trial question on IPfire's IPsec implementation - Dynamic IP remote firewalls

Hey all,

I was trying out OPNsense and ran into a major stumbling block…

Apparently the IPsec implementation requires an IP address (either static of DNS resolved for dynamic) to create a gateway entry.

I have a bunch of VPN tunnels where the remote end is defined merely by the HostID and the mode for the tunnel is “aggressive”.

Setting up Dynamic DNS is not an option for most of those other firewalls.

Currently, I’m on a Netscreen-25 (don’t laugh) using ScreenOS and looking to upgrade … and this is one of those important features I need.


Well, you will need to have a way how both peers and contact each other. Otherwise there is no chance to establish the VPN tunnel. For IPFire, one side is enough. Lets assume you have an IPFire box in a data center with a static IP address, the other one can be behind some router with a changing IP address. However, the box in the data center won’t be able to establish the VPN connection.

We do not support aggressive mode at all. With that, you do not really need the VPN. Your PSK will be transmitted in plain text and everyone who can capture all communication will be able to decrypt all your communication. I recommend using certificates, but PSKs are supported, too.

We don’t judge here, but assuming this is EOL for a decade now, you should consider removing this thing as quickly as possible.

1 Like

Im “Main Mode” (opposite from “Aggressive Mode”) without a static IP or a Dynamic DNS that matches to the HostID IPSec tunnels cannot established becasue IPSec always compare the HostID with the DNS Names to make sure that it talk with the correct peer.

So IPFire not support “Aggressive Mode” because we not set such stupid options.

Yes - one end (my end) is on Static IPs, so remotes can always find the hub end by DNS or static entered IP.

The remote ends are typically stuffed behind a NAT router/fw (common ISP router setup) where both the ISP router WAN is DHCP and most of the time the WAN for the appliance calling in to my FW for connection is also DHCP. (because it’s on the LAN of the ISP box.)

So my equipment will never really be able to initiate any tunnels.

So it sounds like IPfire will do what I need (provided I can work around aggressive mode - which you need not point out the pitfalls – some of these tunnels were configured long long ago (like 10yrs)

So definitely time for an upgrade.

Thanks for the answer. I have a test box to load IPfire to give it a try.

Yes, but depending on your use-case that might not be a problem at all.

Yes, it will be absolutely necessary to upgrade the router on the other end if it only supports aggressive mode. The reason why Arne and I are emphasising this so strongly is because it really really really is a bad idea. IPFire supports loads of modern cryptography option which make a tunnel fast and reliable, even on small hardware. So you won’t have to spend a fortune to keep your data secure.

Well, understand, I don’t have a choice to be going and changing the remote equipment.

Most of them are brand new Juniper SRX300 series units. EVERY Juniper/Netscreen unit I’ve used supports Main-Mode and Aggressive – but my understanding was/is that aggressive most is what’s used when one end is dynamic. Main-mode only works when both ends are static. (feel free to correct me if I’m wrong – I’m going to be researching it now anyway)

While I understand that aggressive mode allows for plain-text auth transmission, Juniper had a tech article rating that vulnerability as “low” as long as quality PSKs and IDs are used.

In any case, from what you describe though, it’s probably worth loading up IPfire and checking to see if it will work.

I have a Juniper SSG140 as a backup plan (actually, it was my original plan, but I use that as a test router on my network for configuring client equipment before shipping it to them so the device is ready to plug into the network) – and the PC based firewalls have a lot of nice features.

Also, I could get an SRX300 series if I wanted… but honestly I kinda hate the interface and the limited set of features.

I was really disappointed to see OPNsense couldn’t handle remote VPNs without needing their IP address.

No, I have heard people saying this before, but it is wrong. Main mode always works.

As far as I understand it, this is referring to the risk of enumeration. Aggressive mode is absolutely broken.

Since these all cost a lot of money, buy a nice IPFire appliance, donate some bucks and go on holiday with what you have left. And it will of course work a lot better. :slight_smile:

Once upon a time, (and we’re going back 20yrs) – main mode didn’t work in the same scenario and that’s how aggressive mode came into play.

Agreed on it’s weaknesses.

I already have the SSG140 – and and SRX300 kicking around (but again, the webGUI makes my eyes bleed and Juniper likes to add features but not fix webUI bugs)

Also, I have lots of rack PC’s around - so if I get it working and it’s good – reusing available hardware will let me donate more to IPfire should it work out. :stuck_out_tongue:

This has all improved a lot with IKEv2. We have adopted that quite early and I think IPsec is therefore one of the best features in IPFire.

Sounds good.

But again, I don’t have say so in changing all the remote ends that may or may not support IKEv2.

On another note having installed IPfire on my test system, is it just a WebUI limitation or does IPfire not easily (or at all) support Ethernet LAG interfaces?

I did the prelim setup and it wasn’t really obvious anywhere.

Did I miss something?



IKEv2 was specified in 2005. That is 15 years now. I do not want to be the bad again, but if your equipment is that old you should probably consider upgrading it.

Is 10G not enough for you?

I didn’t say the remote ends didn’t support IKEv2 – and that’s the problem it’s not my equipment.

The only thing that’s mine is my firewall.

Anyway - as for the 10G, the problem there is

A) My intended equipment doesn’t have 10G – and my switch fabric at home doesn’t have 10G. And really, 2-3G would be fine in a collection fo 1G ports.

Anyway - thanks again for all your info.