Netgate Discussion Forum

    IPSEC / CARP - Re-Keys on failover

    HA/CARP/VIPs
    3 Posts 2 Posters 630 Views
    • RusG3G

      Hi,

      We recently configured pfSense in an HA (Active/Passive) setup, where IPsec is done to a CARP interface. When the firewall is failed over to the secondary node, the VPNs all re-key.

      My question is;

      Is there a way to avoid this?
      Is this a limitation of the pfSense IPsec / CARP implementation?

      Thanks

      • blex

        Hi,

        I have the same setup and didn't find a way to make it work so that this is not needed. I think this is because the IPsec crypto generates a new key set for each connection and each time. And if you enable pf then there are even more keys.

        So I think you have to live with this behavior.

        • blex

          What you possibly can do:

          Make 2 VPN tunnels: one from the first pfSense and one from the second pfSense. Then you can still use CARP, but you configure it to NOT sync the IPsec config.
          When the failover takes place, the vpn tunnel will already be up.

          Depending on your setup you may run OSPF or another routing protocol over the two VPN tunnels to make the changes that are necessary due to the topology change.

          Best Regards,
          blex

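An added readiness check for the two-tunnel design described in the post above (this is example code, not from the thread and not part of pfSense). The reason a plain CARP/pfsync pair re-keys on failover is that pfsync replicates pf firewall states, not strongSwan's IKE and CHILD SAs, so the node that just became master has no SA and must negotiate a fresh one. With one tunnel terminated on each node instead, the thing worth verifying before you rely on it is that the standby node's own tunnel is actually established right now. The script below parses `swanctl --list-sas` output (the text layout is assumed from strongSwan's usual format; the node names, connection name `site2site`, identities and addresses are constructed sample data) and reports, per node, whether an ESTABLISHED IKE_SA with at least one INSTALLED CHILD_SA exists:

```python
import re
from dataclasses import dataclass, field

# Regexes written for the swanctl --list-sas layout in the constructed
# samples below: IKE_SA line at column 0, CHILD_SA line indented two
# spaces (recognisable by "reqid"), traffic selectors indented four
# spaces. Assumption: if your strongSwan build prints it differently,
# adjust these patterns.
IKE_RE = re.compile(r"^(?P<name>[^:\s]+): #(?P<id>\d+), (?P<state>[A-Z_]+), (?P<ver>IKEv[12])")
CHILD_RE = re.compile(
    r"^  (?P<name>[^:\s]+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+), (?P<mode>[A-Z]+)"
)
TS_RE = re.compile(r"^    (?P<side>local|remote)\s+(?P<ts>\S.*)$")


@dataclass
class ChildSA:
    name: str
    state: str
    mode: str
    local_ts: list = field(default_factory=list)
    remote_ts: list = field(default_factory=list)


@dataclass
class IkeSA:
    name: str
    state: str
    version: str
    children: list = field(default_factory=list)


def parse_swanctl_sas(text):
    """Return {conn_name: [IkeSA, ...]} parsed from swanctl --list-sas output."""
    sas = {}
    ike = child = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike = IkeSA(m["name"], m["state"], m["ver"])
            child = None
            sas.setdefault(ike.name, []).append(ike)
            continue
        m = CHILD_RE.match(line)
        if m and ike is not None:
            child = ChildSA(m["name"], m["state"], m["mode"])
            ike.children.append(child)
            continue
        m = TS_RE.match(line)
        if m and child is not None:
            target = child.local_ts if m["side"] == "local" else child.remote_ts
            target.append(m["ts"])
    return sas


def tunnel_up(sas, conn):
    """True if conn has an ESTABLISHED IKE_SA carrying an INSTALLED CHILD_SA.

    An IKE_SA alone (state CONNECTING, or ESTABLISHED with no child) is not
    enough: traffic only flows once a CHILD_SA is INSTALLED in the kernel.
    """
    return any(
        ike.state == "ESTABLISHED" and any(c.state == "INSTALLED" for c in ike.children)
        for ike in sas.get(conn, [])
    )


def failover_readiness(node_outputs, conn):
    """Map node name -> whether that node's own copy of `conn` is up now."""
    return {node: tunnel_up(parse_swanctl_sas(out), conn) for node, out in node_outputs.items()}


# Constructed sample: the active node's tunnel is fully up.
NODE_A_SAS = """\
site2site: #1, ESTABLISHED, IKEv2, 2a24a5b2efa2b0fe_i 8ef58b4a5f42b33f_r*
  local  'fw-a.example.net' @ 198.51.100.10[500]
  remote 'hq.example.net' @ 203.0.113.5[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_384
  established 412s ago, rekeying in 27988s
  net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 412s ago, rekeying in 2960s, expires in 3188s
    in  c29a8e6d,  51200 bytes,   400 packets,     1s ago
    out cc7eb6b0,  48640 bytes,   380 packets,     1s ago
    local  10.1.0.0/16
    remote 10.2.0.0/16
"""

# Constructed sample: the second node is still negotiating, so a failover
# right now would not find a ready tunnel.
NODE_B_SAS = """\
site2site: #3, CONNECTING, IKEv2, 9f0c11d2ab3e4c01_i 0000000000000000_r
  local  'fw-b.example.net' @ 198.51.100.11[500]
  remote 'hq.example.net' @ 203.0.113.5[500]
"""

if __name__ == "__main__":
    for node, ready in failover_readiness({"fw-a": NODE_A_SAS, "fw-b": NODE_B_SAS}, "site2site").items():
        print(f"{node}: {'tunnel up' if ready else 'NOT ready'}")
```

In practice you would feed this the output of `swanctl --list-sas` collected from each node (for example over SSH) and alert when the standby's tunnel is not up, since that is exactly the state in which a CARP failover would still cost you a full IKE negotiation even with separate tunnels.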
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.