• VPN clients can't access Internet

    0 Votes, 9 Posts, 992 Views
    cemyl95
    I did the packet capture like you suggested, and I saw DNS requests coming over the VPN tunnel but nothing that was destined for the Internet. That got me thinking, so I checked my default route while connected to the VPN. Sure enough, the default route was to the local network gateway (instead of the VPN connection). I dug through my VPN settings a little and found that "Use default gateway on remote network" wasn't checked. Checked that box, reconnected, and now it works! @Derelict thank you for your help! ^_^ I was banging my head against a wall trying to figure this out lol
    Documenting my solution:
    1. Go to the interface settings for the VPN interface.
    2. Go to the Networking tab and open IPv4 properties.
    3. Open the Advanced window and check "Use default gateway on remote network".
  • HA Sync - Lab Testing Ideas.

    0 Votes, 4 Posts, 604 Views
    Hi Derelict. Was able to get this setup. Worked a treat, easy as! Thanks for your help. Cheers, Mitch.
  • CARP with UPnP & NAT-PNP

    0 Votes, 1 Posts, 300 Views
    No one has replied
  • Failed master node

    0 Votes, 4 Posts, 706 Views
    Derelict
    Well it is going to need at least a sync cable to sync over. You might also want to disable XMLRPC sync on the restored primary until you are ready to do that too. Or ignore that error. If it is supposed to be syncing and cannot, you'll have to work out why there is no connectivity between the two.
  • Can't reach backup firewall when connected by VPN

    0 Votes, 5 Posts, 692 Views
    Well that was it! Thanks a lot for the help!
  • PfSense HA on OVH dedicated servers

    0 Votes, 5 Posts, 3k Views
    @capitanblack Would you be able to share the python script? Would be super helpful. I am encountering the same issue with OVH IP failover.
  • HA Sync 2x pfsense 1x WAN with MAC Bind

    0 Votes, 1 Posts, 214 Views
    No one has replied
  • Using VIP subnet for routed VPN

    0 Votes, 1 Posts, 301 Views
    No one has replied
  • HA CARP with one PUBLIC IP, WORKS but no internet on backup pfSense

    0 Votes, 3 Posts, 517 Views
    Understood. Thanks for taking time to respond.
  • CARP/HA Port Forwarding does not work

    0 Votes, 5 Posts, 1k Views
    @derelict nope, the only warning which I got was one of the pfblockerng package. There was a faulty URL in one ASN rule I have installed for another purpose...
  • Any way of getting around the VHID limit of 256

    0 Votes, 11 Posts, 1k Views
    Derelict
    The number of CARP VIPs and the number of interfaces are completely unrelated problems, but thanks for the note.
  • Carp interface master

    0 Votes, 4 Posts, 634 Views
    Derelict
    Sounds like whatever is between those two nodes on those interfaces is not passing the CARP advertisements properly.
  • CARP Setup with Multiple WAN IPs

    0 Votes, 9 Posts, 2k Views
    Apologies for that. I have seen so many examples of setting up CARP with VMs it didn't cross my mind about promiscuous mode.
  • HA settings do not sync until you hit 'save' on the webUI

    0 Votes, 3 Posts, 508 Views
    Hey @jimp, thanks for your answer! In the secondary I'm injecting what I believe are the only required (counterpart/secondary) HA settings: [image: 1549965184784-screenshot-2019-02-12-at-10.51.54.png] Are these sufficient?
    The only changes I can see after hitting sync on the webUI are:
    - Replacing the bcrypt hashes with those in the master. This might be important?
    - Removing ipsec, aliases, wol and openvpn empty fields.
    - Adding all the VIPs as they're defined in the master.
    Also tried rebooting them both (it's actually one of the steps I defined for the deploy process to catch up with the synthetic config) but no luck. However, as you point out, running rc.filter_synchronize did work for me. I can just include it as an additional action over SSH for the master node. Nice! Was looking for something just like that.
  • pfSync Nodes list mostly empty?

    0 Votes, 9 Posts, 3k Views
    Derelict
    All that matters is that they are syncing and are mostly identical.
  • CARP/HA Issues

    0 Votes, 9 Posts, 1k Views
    Derelict
    Well if the identifier doesn't match the address used it will fail to match in IPsec. It needs to be built with everything referencing the CARP VIP (or some other common identifier, like an FQDN that resolves to the CARP VIP). If this is IKEv2 with a server certificate then the CN and SAN there need to match whatever the client thinks it is connecting to, or server certificate validation will fail.
  • Load balancing between 2 Pfsense boxes

    0 Votes, 1 Posts, 288 Views
    No one has replied
  • Slow IPsec / internet when using CARP

    0 Votes, 5 Posts, 998 Views
    @viragomann said in Slow IPsec / internet when using CARP: "Have you configured the Outbound NAT to use the WAN CARP VIP?"
    YEP
  • 100% Packet loss on primary firewall with HA Enabled (PFSync/CARP/NAT)

    0 Votes, 17 Posts, 2k Views
    Derelict
    Why would sync interface traffic ever have to go out the WAN? Yes, outbound NAT with source any is almost never right, especially to a CARP VIP.
    Traffic from Localhost should NAT to the interface address.
    Traffic from inside hosts should:
    - Use the local interface CARP VIP as their default gateway
    - Have outbound NAT to the WAN CARP VIP set.
    Traffic from the sync interface should never need internet access.
  • Configure L2 redundancy

    0 Votes, 3 Posts, 622 Views
    I will try the setup in that page. In addition, I have no idea whether my original setup is possible or not; may I have a suggestion on it? Thank you for your assistance.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.