OpenVPN Client on Redundant CARP pfSense
-
Hey all:
I've got 2 pfSense instances that otherwise work correctly w/ CARP between them at site A.
At a remote site B, there are also 2 pfSense instances w/ CARP.
I've set up a site-to-site shared-key OpenVPN instance, but am noticing that both of the OpenVPN client instances at site A are simultaneously connecting to site B, and both appear to be sending redundant packets:
Jul 23 12:24:04 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jul 23 12:24:05 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #22 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jul 23 12:24:06 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #23 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Both sites have the OpenVPN client/server bound to the CARP VIP interface.
Is there a way to only have pfSense bring up an OpenVPN client interface if it is currently the master for this instance? At the moment, to get this to work I have to power off one of the pf instances on the client side of the link.
Thanks!
-
You need a devd script hacked in for that instance, to stop/start the client with the CARP status. There is a ticket open on that to address automatically in a future release, hopefully in a generic way so nothing on CARP IPs can initiate traffic unless they have master status.
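One way the devd approach described above can be wired up, as an added illustration (not pfSense's own code and not the poster's): a devd rule hands each CARP state change to a small handler that starts the client only when this node is MASTER for the VIP the client is bound to, and stops it on BACKUP or INIT. The CARP subsystem string, the openvpn binary, and the config and pid paths are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example handler for CARP state changes (not pfSense's own code).
# Assumed devd rule (file path is an assumption, e.g. /usr/local/etc/devd/carp_ovpn.conf):
#   notify 0 {
#       match "system"    "CARP";
#       match "subsystem" "[0-9]+@[0-9a-z]+";
#       match "type"      "(MASTER|BACKUP|INIT)";
#       action "/usr/local/sbin/carp_ovpn.sh $subsystem $type";
#   };
# On FreeBSD 10+ $subsystem is "VHID@parent" (e.g. "1@em0"); on older releases it is the
# carpN pseudo-interface name. Either form is compared literally below.

CARP_ID="${CARP_ID:-1@em0}"                              # CARP VIP the client binds to (assumption)
OVPN_BIN="${OVPN_BIN:-/usr/local/sbin/openvpn}"          # assumption
OVPN_CONF="${OVPN_CONF:-/var/etc/openvpn/client1.conf}"  # pfSense-style path (assumption)
OVPN_PID="${OVPN_PID:-/var/run/openvpn_client1.pid}"     # assumption

# ovpn_action SUBSYSTEM TYPE -> prints start|stop|ignore.
# Only the MASTER of our VIP may run the client; BACKUP and INIT stop it, so a node
# that loses mastership never keeps pushing duplicate packets into the tunnel.
ovpn_action() {
    if [ "$1" != "$CARP_ID" ]; then
        echo ignore; return 0
    fi
    case "$2" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;
        *)           echo ignore ;;
    esac
}

# ovpn_running -> success if the pid file names a live process
ovpn_running() {
    [ -r "$OVPN_PID" ] && kill -0 "$(cat "$OVPN_PID")" 2>/dev/null
}

apply_action() {
    case "$1" in
        start) ovpn_running || "$OVPN_BIN" --config "$OVPN_CONF" --writepid "$OVPN_PID" --daemon ;;
        stop)  ovpn_running && kill "$(cat "$OVPN_PID")" ;;
    esac
}

# devd invokes the script with two arguments; with none it only defines the functions.
if [ "$#" -eq 2 ]; then
    action="$(ovpn_action "$1" "$2")"
    logger -t carp_ovpn "CARP $1 $2: $action OpenVPN client"
    apply_action "$action"
fi
```

Events for other VHIDs are ignored, so a box carrying several CARP VIPs only toggles the client tied to the one it is bound to.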
-
ten-four - thanks for the reply at light speed :)
-t
-
Updating this old thread because it comes up in search results. In 2.0.2 release and newer, you just need to bind the OpenVPN client instance to a CARP IP, and the system automatically handles starting/stopping the client instance with the CARP status.