Netgate Discussion Forum

IPSEC failover on CARP partly working

IPsec
5 Posts 3 Posters 2.8k Views
  eskild
  last edited by Mar 24, 2007, 8:37 PM

    I have two pf boxes running 1.0.1-SNAPSHOT-03-23-2007 with CARP, but this issue has been present for as long as I can remember. Four IPsec tunnels: two towards m0n0wall, one towards a Cisco router and one towards another pf.

    When the SAs are established on pf1 and I force the tunnels to fail over to pf2 (disable CARP on pf1; pf2 has no SAs in its SAD), everything seems fine for all of them, only losing a ping or two.

    If I activate pf1 again (enable CARP on pf1) without deleting the old SAs on pf1 first, the tunnels will never come up again until I delete the SAs on pf1.

    I have tried with "Prefer old IPsec SAs" enabled/disabled but the result is the same.

    This is the only IPsec log I get on pf1:

    Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%fxp0[500] used as isakmp port (fd=26)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.123.2[500] used as isakmp port (fd=25)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.50.2[500] used as isakmp port (fd=24)
    Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:5ba6%rl0[500] used as isakmp port (fd=23)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.100.2[500] used as isakmp port (fd=22)
    Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:33d7%rl1[500] used as isakmp port (fd=21)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
    Mar 24 21:17:54 racoon: INFO: ::1[500] used as isakmp port (fd=19)
    Mar 24 21:17:54 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=18)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.125.2[500] used as isakmp port (fd=17)
    Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%vlan0[500] used as isakmp port (fd=16)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=15)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.123.1[500] used as isakmp port (fd=14)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=13)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.125.1[500] used as isakmp port (fd=12)
    Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%fxp0[500] used as isakmp port (fd=26)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.123.2[500] used as isakmp port (fd=25)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.50.2[500] used as isakmp port (fd=24)
    Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:5ba6%rl0[500] used as isakmp port (fd=23)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.100.2[500] used as isakmp port (fd=22)
    Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:33d7%rl1[500] used as isakmp port (fd=21)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
    Mar 24 21:17:54 racoon: INFO: ::1[500] used as isakmp port (fd=19)

    Cheers
    //Eskild

      eskild
      last edited by Mar 31, 2007, 1:05 AM

      Has anybody experienced this problem and found a solution for it? Or is it just not working for me due to a wrong configuration?

      Thanks,
      //Eskild

        sullrich
        last edited by Mar 31, 2007, 5:05 AM

        The failover option has been removed.  Try with a recent snapshot and change the wan interface to your CARP IP under the VPN -> IPSEC entry.

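Both points raised so far can be checked directly against the kernel SAD on the CARP nodes: eskild's failure mode is the set of SAs that survive on pf1 after failover and shadow the peer's fresh SAs once pf1 is master again, and sullrich's fix implies that every SA's local endpoint should be the CARP VIP rather than an interface address. The Python below is an added example written for this thread, not code from pfSense, m0n0wall or racoon. It parses the text that `setkey -D` prints, lists the SAs whose endpoint is the VIP, flags SAs bound to a node-local interface address instead, and generates a `setkey -c` script that deletes only the stale ones. The sample dump, the CARP VIP 203.0.113.10, the node's own address 203.0.113.11 and the peer addresses are constructed for illustration and do not come from the thread.

```python
"""Audit the IPsec SAD of a pfSense/FreeBSD CARP node.

Added example for this forum thread; not pfSense, m0n0wall or racoon code.
Input is the text printed by `setkey -D` (the kernel SAD). The SAMPLE_SAD
dump and every address in it are constructed for illustration.
"""
import re
from dataclasses import dataclass

VIP = "203.0.113.10"                    # assumed CARP VIP shared by pf1/pf2
LOCAL_ADDRS = ["203.0.113.10", "203.0.113.11"]  # assumed: VIP + pf1's own WAN IP


@dataclass(frozen=True)
class SA:
    src: str      # as printed by setkey, may carry a NAT-T "[port]" suffix
    dst: str
    proto: str    # "esp" or "ah"
    spi: int
    state: str    # larval / mature / dying / dead


# First line of each SAD entry: "<src> <dst>"
_HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")
# Second line: "\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)"
_PROTO = re.compile(r"^\s+(esp|ah)\b.*\bspi=(\d+)\(")
# Later line: "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature"
_STATE = re.compile(r"\bstate=(\w+)")


def _addr(a: str) -> str:
    """Strip a NAT-T port suffix: '203.0.113.10[4500]' -> '203.0.113.10'."""
    return a.split("[", 1)[0]


def parse_sad(dump: str) -> list[SA]:
    """Parse `setkey -D` output into one SA record per SPI."""
    sas: list[SA] = []
    src = dst = proto = None
    spi = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # unindented line = entry header
            m = _HDR.match(line)
            src, dst = (m.group(1), m.group(2)) if m else (None, None)
            proto = spi = None
            continue
        m = _PROTO.match(line)
        if m and src is not None:
            proto, spi = m.group(1), int(m.group(2))
            continue
        m = _STATE.search(line)
        if m and proto is not None:          # the state line closes the SA
            sas.append(SA(src, dst, proto, spi, m.group(1)))
            proto = spi = None
    return sas


def sas_on_vip(sas: list[SA], vip: str) -> list[SA]:
    """SAs whose local endpoint is the CARP VIP, in either direction.
    On the node that just lost master these are exactly the stale entries
    that must go before CARP is re-enabled on it."""
    return [sa for sa in sas if vip in (_addr(sa.src), _addr(sa.dst))]


def sas_bound_to_interface(sas: list[SA], vip: str, local_addrs) -> list[SA]:
    """SAs anchored on a node-local address other than the VIP. The peer
    negotiated them with this box's own IP, so they can never fail over."""
    wrong = set(local_addrs) - {vip}
    return [sa for sa in sas if _addr(sa.src) in wrong or _addr(sa.dst) in wrong]


def setkey_delete_script(sas: list[SA]) -> str:
    """Script for `setkey -c` deleting exactly the given SAs by
    (src, dst, proto, spi); unlike `setkey -F` it leaves healthy SAs alone."""
    return "".join(
        f"delete {_addr(sa.src)} {_addr(sa.dst)} {sa.proto} 0x{sa.spi:08x};\n"
        for sa in sas
    )


# Constructed `setkey -D` dump: two mature SAs on the VIP (one per direction)
# and one dying SA that was negotiated from pf1's interface address.
SAMPLE_SAD = """\
203.0.113.10 198.51.100.5
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: 3des-cbc  00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617
\tA: hmac-sha1  00010203 04050607 08090a0b 0c0d0e0f 10111213
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Mar 24 21:17:54 2007\tcurrent: Mar 24 21:40:11 2007
\tdiff: 1337(s)\thard: 3600(s)\tsoft: 2880(s)
\tsadb_seq=2 pid=4711 refcnt=1
198.51.100.5 203.0.113.10
\tesp mode=tunnel spi=2882400001(0xabcdef01) reqid=0(0x00000000)
\tE: 3des-cbc  17161514 13121110 0f0e0d0c 0b0a0908 07060504 03020100
\tA: hmac-sha1  13121110 0f0e0d0c 0b0a0908 07060504 03020100
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=1 pid=4711 refcnt=1
203.0.113.11 198.51.100.6
\tesp mode=tunnel spi=4660(0x00001234) reqid=0(0x00000000)
\tE: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
\tA: hmac-sha1  00000000 00000000 00000000 00000000 00000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
\tsadb_seq=0 pid=4711 refcnt=1
"""

if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD)
    print("stale on VIP:", [(sa.src, sa.dst, hex(sa.spi), sa.state) for sa in sas_on_vip(sas, VIP)])
    print("bound to interface:", [(sa.src, sa.dst) for sa in sas_bound_to_interface(sas, VIP, LOCAL_ADDRS)])
    print(setkey_delete_script(sas_on_vip(sas, VIP)), end="")
```

On a real node you would feed it `setkey -D` output and pipe the generated script into `setkey -c` on the former master before re-enabling CARP there; anything reported by `sas_bound_to_interface` is a tunnel still configured on the interface address rather than the CARP IP. The script deletes by SPI deliberately, because `setkey -F` flushes every SA on the box.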
          eskild
          last edited by Mar 31, 2007, 7:55 AM

          I have already done that for all tunnels on both 1.0.1-SNAPSHOT-03-23-2007 and 1.0.1-SNAPSHOT-03-27-2007. All the tunnels are on the WAN interface, and the behaviour during failover with the new config setting with CARP is the same as previously.

            z00te
            last edited by Mar 31, 2007, 6:16 PM

            Hi,

            I have the same problem, but using the 03-15-2007 snapshot.
            It seems like it works well only the first time (or after a reboot) when there is no SA…
            I'll do some more tests...
            bye
            Z

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.