CARP VIP as IPsec Endpoint - SOLVED
Edit3: In the end I realised I hadn't changed the properties of the VPN to use the CARP interface rather than WAN. Works like a dream!
Hi,
I've followed the tutorial and appear to have a working CARP cluster (dedicated CARP interface, XMLRPC sync looks like it works, as does failover). Using 1.2.3 on the pfSense cluster, a DrayTek 2820 as the "remote" router. In reality the WAN side for all three is on my office LAN and I've made a few mini LANs under these routers.
My major issue is that I cannot get the IPsec VPN to work with this. My "remote" DrayTek router claims to be correctly connected and the racoon logs appear to be OK. The pfSense webGUI shows SAs that look correct; if I manually delete them in the pfSense webGUI they are instantly replaced.
The problem is that the pfSense webGUI shows the VPN with a yellow status and I can't access either side through the VPN. I can't see anything alarming in the racoon log; the only thing that looks a little odd is that in the pfSense webGUI, the IPsec overview that shows yellow says the source is the real WAN IP rather than the CARP WAN VIP.
If I try and connect my VPN to the real WAN IP, once I've manually cleared all the old SAs, it works perfectly (I need to set pfSense to prefer old SAs to work with DrayTeks).
I have since changed my IPsec identifier on pfSense from the WAN IP to the CARP IP and still got no joy. (My primary pfSense WAN IP is 192.168.2.221, the CARP VIP is 192.168.2.223, and the remote router is 192.168.2.224.)
Here is some info from racoon in case anyone here can help out I would be very grateful.
Edit: One last thought I've had is that the master has 3c905 NICs while the backup has Intel Pro 1000/GTs - would it be more likely to work with 1000/MTs in both boxes?
Edit2: Someone may have had the wrong subnet mask on the WAN VIP initially. Sorted this and the racoon log now doesn't go on forever, but I still can't spot an error.

2011-05-06 14:44:43: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
2011-05-06 14:44:43: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
2011-05-06 14:44:43: INFO: Reading configuration from "/var/etc/racoon.conf"
2011-05-06 14:44:43: INFO: 192.168.2.223[500] used as isakmp port (fd=7)
2011-05-06 14:44:43: INFO: 192.168.254.3[500] used as isakmp port (fd=8)
2011-05-06 14:44:43: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
2011-05-06 14:44:43: INFO: 192.168.253.1[500] used as isakmp port (fd=10)
2011-05-06 14:44:43: INFO: 192.168.254.1[500] used as isakmp port (fd=11)
2011-05-06 14:44:43: INFO: 192.168.2.221[500] used as isakmp port (fd=12)
2011-05-06 14:45:21: INFO: respond new phase 1 negotiation: 192.168.2.223[500]<=>192.168.2.224[500]
2011-05-06 14:45:21: INFO: begin Identity Protection mode.
2011-05-06 14:45:21: INFO: received Vendor ID: DPD
2011-05-06 14:45:21: INFO: received Vendor ID: RFC 3947
2011-05-06 14:45:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-05-06 14:45:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-05-06 14:45:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2011-05-06 14:45:21: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
2011-05-06 14:45:21: INFO: ISAKMP-SA established 192.168.2.223[500]-192.168.2.224[500] spi:2fa7634232aa6746:4d19ec943eb204b6
2011-05-06 14:45:21: INFO: respond new phase 2 negotiation: 192.168.2.223[0]<=>192.168.2.224[0]
2011-05-06 14:45:21: INFO: IPsec-SA established: ESP 192.168.2.224[0]->192.168.2.223[0] spi=213611411(0xcbb7393)
2011-05-06 14:45:21: INFO: IPsec-SA established: ESP 192.168.2.223[0]->192.168.2.224[0] spi=3138238348(0xbb0db78c)
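The symptom the post describes (the IPsec overview showing the real WAN IP as the source rather than the CARP VIP) can be confirmed directly from racoon's log: every phase 1 negotiation and every IPsec-SA line names the local address the exchange actually terminated on. The following script is an added example, not part of the original post or of pfSense; it parses racoon INFO lines of the kind shown above and flags any exchange that landed on the real WAN address instead of the VIP, which is exactly the SA that will die when CARP fails over. The sample log is constructed from the post's lines plus one extra phase 1 line on the real WAN IP to show a failing case; the VIP and WAN values are the post's, and the function names are my own.

```python
"""Check racoon log lines against the expected CARP VIP.

Added example (not from the original post or from pfSense/ipsec-tools):
parses racoon's "used as isakmp port", "phase 1 negotiation" and
"IPsec-SA established" lines and reports exchanges that terminate on
an address other than the CARP VIP.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Addresses taken from the post. Assumed peer layout: VIP 192.168.2.223,
# real WAN IP 192.168.2.221 on the master, remote DrayTek 192.168.2.224.
VIP = "192.168.2.223"
REAL_WAN = "192.168.2.221"

# Constructed sample log: lines 1-7 are from the post, the final phase 1
# line is added to show a negotiation that wrongly used the real WAN IP.
SAMPLE_LOG = """\
2011-05-06 14:44:43: INFO: 192.168.2.223[500] used as isakmp port (fd=7)
2011-05-06 14:44:43: INFO: 192.168.2.221[500] used as isakmp port (fd=12)
2011-05-06 14:45:21: INFO: respond new phase 1 negotiation: 192.168.2.223[500]<=>192.168.2.224[500]
2011-05-06 14:45:21: INFO: ISAKMP-SA established 192.168.2.223[500]-192.168.2.224[500] spi:2fa7634232aa6746:4d19ec943eb204b6
2011-05-06 14:45:21: INFO: respond new phase 2 negotiation: 192.168.2.223[0]<=>192.168.2.224[0]
2011-05-06 14:45:21: INFO: IPsec-SA established: ESP 192.168.2.224[0]->192.168.2.223[0] spi=213611411(0xcbb7393)
2011-05-06 14:45:21: INFO: IPsec-SA established: ESP 192.168.2.223[0]->192.168.2.224[0] spi=3138238348(0xbb0db78c)
2011-05-06 14:46:02: INFO: respond new phase 1 negotiation: 192.168.2.221[500]<=>192.168.2.224[500]
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
LISTEN_RE = re.compile(rf"INFO: {IP}\[\d+\] used as isakmp port")
PHASE1_RE = re.compile(rf"phase 1 negotiation: {IP}\[\d+\]<=>{IP}\[\d+\]")
PHASE2_RE = re.compile(rf"IPsec-SA established: ESP {IP}\[\d+\]->{IP}\[\d+\] spi=(\d+)")


@dataclass
class RacoonSummary:
    listeners: list[str] = field(default_factory=list)          # addresses racoon bound to
    phase1: list[tuple[str, str]] = field(default_factory=list)  # (local, remote)
    phase2: list[tuple[str, str, int]] = field(default_factory=list)  # (src, dst, spi)


def parse_racoon(text: str) -> RacoonSummary:
    """Extract listeners, phase 1 negotiations and ESP SAs from racoon log text."""
    summary = RacoonSummary()
    for line in text.splitlines():
        if m := LISTEN_RE.search(line):
            summary.listeners.append(m.group(1))
        elif m := PHASE1_RE.search(line):
            summary.phase1.append((m.group(1), m.group(2)))
        elif m := PHASE2_RE.search(line):
            summary.phase2.append((m.group(1), m.group(2), int(m.group(3))))
    return summary


def check_vip_endpoint(summary: RacoonSummary, vip: str, real_wan: str) -> list[str]:
    """Return findings; an empty list means every exchange terminated on the VIP."""
    findings = []
    if vip not in summary.listeners:
        findings.append(f"racoon is not bound to the VIP {vip}")
    for local, remote in summary.phase1:
        if local != vip:
            findings.append(f"phase 1 with {remote} negotiated on {local}, not the VIP {vip}")
    for src, dst, spi in summary.phase2:
        if real_wan in (src, dst):
            # An SA bound to the real WAN IP does not survive CARP failover.
            findings.append(f"IPsec-SA spi={spi} {src}->{dst} terminates on the real WAN IP {real_wan}")
        elif vip not in (src, dst):
            findings.append(f"IPsec-SA spi={spi} {src}->{dst} involves neither the VIP nor the WAN IP")
    return findings


if __name__ == "__main__":
    result = check_vip_endpoint(parse_racoon(SAMPLE_LOG), VIP, REAL_WAN)
    for line in result or ["all exchanges terminate on the CARP VIP"]:
        print(line)
```

On the post's own seven lines the check is clean, because racoon bound the VIP and both phase 1 and the two ESP SAs were negotiated on 192.168.2.223; the constructed eighth line reproduces the mis-bound case and is the one that gets reported. Running it against a live log after failover is a quick way to see whether the backup node picked up the tunnel on the VIP.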