Today I wanted to write about how I fixed my IPsec tunnel between my home and my office, but my ISP decided to throw yet another curveball.
The start
I wanted to have a secure connection between my home and my office. Initially, I had a more or less working setup using two DrayTek routers. After running into a long list of issues with those (which I’ve written about before), I decided to switch to two OPNsense installations and set up an IPsec tunnel between them.
That worked fine… until about fourteen days ago.
That is… until my provider, Odido, decided to do some maintenance on the network, which resulted in an outage of my home connection. After the connection was restored, I noticed that my home IP address had changed. Yes, I know, those are the perks of having a dynamic IP.
But my IP wasn’t that dynamic.
I had been using the same address for years, and it had never changed before.
But yes, it changed, and that’s when the IPsec mayhem started.
Mayhem
Mayhem? Yes, mayhem. How difficult could it be to fix this issue? Update the IPsec configuration, replace the old IP address with the new one, restart IPsec, and everything should be fine.
Yeah…
But no.
I replaced the IP address, restarted the connection from my office (which turns out to be important), and the tunnel came back up.
Yay! Victory!
Yeah. No.
After about fifty minutes, the connection dropped. To get it working again, I had to manually reinstate the tunnel. And then, fifty minutes later… click. No connection. Again.
Diagnosis
Maybe I had overlooked a setting? I checked the configuration at home first. I couldn’t find anything obviously wrong, but when I tried to restart the tunnel from home, it failed.
Great. Now I had to go to the office to check it there as well.
The next day, at the office, I double-checked the configuration. There weren’t many places to look anyway. Everything still seemed correct, so I restarted the tunnel.
It worked.
For fifty minutes.
Testing
Maybe adding Automatically Ping Host would fix the issue. A constant stream of traffic to keep the tunnel alive sounded reasonable enough.
Yeah… that didn’t work.
I tried the same thing from home as well.
Yeah… still didn’t work.
At this point my best guess was that, after the IP change, the old address was still referenced somewhere deep inside the OPNsense configuration. Buried in a setting I had overlooked, quietly throwing a wrench into the whole setup.
Fixed!
Or is it?!
IPsec is quite cumbersome when setting up a site-to-site VPN connection. There is the Phase 1 configuration, which handles authentication, identities, and timeouts, and a Phase 2 configuration, which defines the actual tunnel and has its own set of lifetimes and parameters.
I updated the Phase 1 authentication on both sides, switching from IP-based identities to two fixed, distinguished names.
I also explicitly configured the Phase 1 timers, which had been left empty and therefore relied on defaults. I set them to fixed values and made sure they were identical on both sides.
I applied the same approach to the Phase 2 configuration: explicitly defined lifetimes and ensured they matched on both ends.
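To make the "both sides must agree" point concrete, here is an added example (not code from the post, and nothing that reads an actual OPNsense or strongSwan configuration) that models each end of a site-to-site tunnel as a small dict and audits the pair for the three things fixed above: Phase 1 identities that are bare IP addresses, Phase 1 or Phase 2 lifetimes left empty, and explicit lifetimes that differ between the two ends. All addresses, names and lifetime values are constructed for the illustration.

```python
# Added example (not from the post): audit the two ends of a site-to-site
# IPsec tunnel for the problems described above. Each side is modelled as a
# plain dict; the values below are constructed, not anyone's real config.
from copy import deepcopy
from ipaddress import ip_address


def is_ip_identity(identity: str) -> bool:
    """True if an IKE identity is a bare IP address (fragile under dynamic IP)."""
    try:
        ip_address(identity)
    except ValueError:
        return False
    return True


def audit_pair(home: dict, office: dict) -> list[str]:
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    sides = (("home", home), ("office", office))

    for name, side in sides:
        # Phase 1 identities: an IP address stops matching after an address change.
        for role in ("local_id", "remote_id"):
            ident = side["phase1"][role]
            if is_ip_identity(ident):
                findings.append(
                    f"{name}: phase1 {role} {ident!r} is an IP address; "
                    "an address change breaks peer identification"
                )
        # Lifetimes left empty rely on implementation defaults, which the
        # other end may not share.
        for phase in ("phase1", "phase2"):
            if side[phase].get("lifetime") is None:
                findings.append(f"{name}: {phase} lifetime unset, relies on defaults")

    # Identities must be mirrored: my local id is the peer's remote id.
    if home["phase1"]["local_id"] != office["phase1"]["remote_id"]:
        findings.append("phase1 identity mismatch: home local_id != office remote_id")
    if office["phase1"]["local_id"] != home["phase1"]["remote_id"]:
        findings.append("phase1 identity mismatch: office local_id != home remote_id")

    # Explicit lifetimes must be identical on both ends.
    for phase in ("phase1", "phase2"):
        a, b = home[phase].get("lifetime"), office[phase].get("lifetime")
        if a is not None and b is not None and a != b:
            findings.append(f"{phase} lifetime mismatch: home={a}s office={b}s")
    return findings


# Constructed "before" state: IP-based identities, timers left at defaults.
BEFORE_HOME = {
    "phase1": {"local_id": "203.0.113.10", "remote_id": "198.51.100.20", "lifetime": None},
    "phase2": {"lifetime": None},
}
BEFORE_OFFICE = {
    "phase1": {"local_id": "198.51.100.20", "remote_id": "203.0.113.10", "lifetime": None},
    "phase2": {"lifetime": None},
}

# Constructed "after" state: distinguished-name identities and explicit,
# identical lifetimes (the numbers are illustrative, not OPNsense defaults).
AFTER_HOME = {
    "phase1": {"local_id": "CN=home.example", "remote_id": "CN=office.example", "lifetime": 28800},
    "phase2": {"lifetime": 3600},
}
AFTER_OFFICE = {
    "phase1": {"local_id": "CN=office.example", "remote_id": "CN=home.example", "lifetime": 28800},
    "phase2": {"lifetime": 3600},
}


def drifted_office() -> dict:
    """Copy of AFTER_OFFICE with the Phase 2 lifetime changed on one side only."""
    cfg = deepcopy(AFTER_OFFICE)
    cfg["phase2"]["lifetime"] = 3000
    return cfg


if __name__ == "__main__":
    for label, pair in (("before", (BEFORE_HOME, BEFORE_OFFICE)),
                        ("after", (AFTER_HOME, AFTER_OFFICE)),
                        ("drifted", (AFTER_HOME, drifted_office()))):
        result = audit_pair(*pair)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The "before" pair produces a finding for every IP-based identity and every unset lifetime, the "after" pair produces none, and the "drifted" pair shows what a single lifetime edited on only one router looks like: exactly the kind of one-sided change that is easy to miss when the two boxes live in different buildings.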
And yes.
It worked.
I was sceptical at first.
Would this just work for another fifty minutes, or would it finally stay up? But after an entire day of uninterrupted connectivity, I decided it was safe to declare victory—and write about it here.
That is… up until this morning.
Dynamic IP
Curveball!
After God-knows-how-many years of having a more or less fixed dynamic IP address, it switched again?
Yes.
I received two warnings from my NAS indicating that a backup to my other NAS at the office had failed. 3-2-1 backup strategy, remember!
I then tried connecting to my router at work, which didn’t work either.
After checking https://www.whatismyip.com/, it became clear why: my home IP address had changed again.
Great.
That meant another trip to the office to update the IP address.
Again.
DynDNS
Hey Brain, there’s a thing called Dynamic DNS that would solve this permanently!
Yes, I know.
But I’m in the process of shutting down my office. By the end of March, it’s done. So why set up Dynamic DNS now?
Ah well.
I’ll update the IP again on Tuesday, and then it will work again—hopefully for at least a week.
Brain out!