Netgate Discussion Forum

    IPSec over CARP at pfsense 2.2.4 unable to setup a tunnel

    Category: HA/CARP/VIPs
    2 Posts, 1 Poster, 1.3k Views
    chilbrink

      I installed two pfSense boxes, both running pfSense 2.2.4.
      Both are configured as VMs on an ESX VMware server.
      Each machine is running with 3 em interfaces, 16 GB HD and 8 GB RAM.

      All three interfaces are configured for CARP, so the WAN and LAN interfaces both have a CARP address assigned.
      I'm using the LAN as sync interface. Later on I would like to add traffic from the third interface to the tunnel.
      As soon as I configure IPsec for a site-to-site tunnel, and choose the WAN CARP address as external address and
      the CARP IP address as identifier, I assumed that the tunnel should be built from the master pfSense node to the other
      endpoint of the VPN.

      setkey -DP shows a configured VPN, and the config could also be displayed with ipsec configall at the shell prompt.

      I added a few general filter rules to the following tabs:

      IPsec tab:

      allow ipv4 local LAN -> remote LAN
      allow ipv4 remote LAN -> local LAN

      LAN tab:

      allow ipv4 local LAN -> remote LAN
      allow ipv4 remote LAN -> local LAN

      WAN tab:

      allow ipv4 esp local external CARP-address -> remote external IP
      allow ipv4 esp remote external IP -> local external CARP-address

      allow ipv4 udp remote external IP -> local external CARP-address port 500
      allow ipv4 udp local external CARP-address -> remote external port 500
      allow ipv4 udp remote external IP -> local external CARP-address port 4500
      allow ipv4 udp local external CARP-address -> remote external port 4500

      allow ipv4 local LAN -> remote LAN    // probably unneeded
      allow ipv4 remote LAN -> local LAN    // this one as well

      I didn't configure any NAT rules; it's a site-to-site connection, routing network to network through the IPsec tunnel.

      The CARP addresses look like aliases on the WAN and LAN interfaces. I tried CARP addresses with netmask /32 but
      also with the same netmask as the standard external IP.

      ping -S LAN-ip remote-LAN-ip generates some traffic at the external interface, but no tunnel will be built up,
      so setkey -DD stays empty.

      As soon as I remove the external CARP IP from the external interface, disable pf filtering temporarily and add
      exactly the same external IP address to the outside interface again, the tunnel will be built to the remote site
      and IPsec is working.

      cmds:
      setkey -DP
      ifconfig em0 -alias ext-CARP-IP
      pfctl -d
      ifconfig em0 alias ext-CARP-IP
      ping -S 192.168.1.1 192.168.2.254
      setkey -DD
      pfctl -e
      ping is still functioning…

      The tunnel I'd like to configure should act between a Checkpoint FW and two pfSense boxes (running in CARP).
      The tunnel configuration is working when I use the ext IP as a real alias configured on the outside interface.
      The tunnel isn't coming up when using the same IP address on the outside interface as a CARP address.

      Has anyone seen this problem on FreeBSD 10.1/pfSense 2.2.4?
      When IPsec is working with the external IP address as an alias, what's the real difference compared to
      the CARP external IP address? It's visible: no "(vhid 0)" at the end of the line.

      It's maybe something small or stupid that I forgot, but currently it looks like I'm unable to use two VMs
      as a virtual firewall to set up a failover IPsec endpoint.

      I'm open to suggestions. I started with 2.2-release and, to be sure it's running the latest version, I
      updated the boxes to 2.2.4 and started all over... same results :-(

      chilbrink

        Changed the interfaces under ESX into promiscuous mode.
        I left NAT still disabled and made no changes to the firewall rules.
        After a reboot the tunnel came up from the CARP address.
        Now syncing the tunnel configuration to the second node, thanks for the hint wikidd :)

        I can continue testing and see how stable it will be.

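The thread turns on two observations: the only visible difference between the working alias and the failing CARP address in ifconfig is the "vhid" marker, and setkey shows no SAs while the CARP VIP is in use until the ESX vSwitch was put into promiscuous mode. The script below is an added example, not code from the thread, from Netgate or from pfSense; it parses the output of `ifconfig <if>` and `setkey -D` and reports whether the IPsec endpoint address is a plain alias or a CARP VIP, which CARP state the node is in, and whether any SAs exist. The interface name em0, the 203.0.113.x/198.51.100.x addresses and the sample command outputs are all constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the forum thread): check whether the IPsec endpoint
# address on a pfSense/FreeBSD node is a CARP VIP, which CARP state the node
# is in, and whether `setkey -D` shows any SAs. On a live node run:
#   check_endpoint 203.0.113.10 "$(ifconfig em0)" "$(setkey -D)"
# (em0 and all addresses below are assumptions; the samples are constructed.)

# Print the CARP state of VIP $1 according to ifconfig text $2:
#   absent - address not present on the interface
#   alias  - address present without a vhid (plain IP alias, the working case)
#   MASTER / BACKUP / INIT - CARP state taken from the "carp:" line
carp_vip_state() {
    printf '%s\n' "$2" | awk -v vip="$1" '
        $1 == "inet" && $2 == vip {
            found = 1
            for (i = 3; i <= NF; i++) if ($i == "vhid") vhid = $(i + 1)
        }
        $1 == "carp:" && $3 == "vhid" { state[$4] = $2 }
        END {
            if (!found)        { print "absent"; exit }
            if (vhid == "")    { print "alias";  exit }
            if (vhid in state) { print state[vhid] } else { print "unknown" }
        }'
}

# Count SAs in `setkey -D` text $1: every SA starts with an unindented
# "src dst" line, and "No SAD entries." yields 0.
ipsec_sa_count() {
    printf '%s\n' "$1" | grep -c '^[0-9][0-9.]* [0-9][0-9.]*' || true
}

# One-word verdict for VIP $1, ifconfig text $2 and setkey text $3.
check_endpoint() {
    state=$(carp_vip_state "$1" "$2")
    sas=$(ipsec_sa_count "$3")
    case "$state" in
        absent) echo "vip-missing" ;;
        alias)  [ "$sas" -gt 0 ] && echo "alias-ok" || echo "alias-no-sa" ;;
        MASTER) [ "$sas" -gt 0 ] && echo "carp-master-ok" || echo "carp-master-no-sa" ;;
        BACKUP) echo "carp-backup" ;;   # the tunnel is only expected on the master
        *)      echo "carp-$state" ;;
    esac
}

# Constructed sample: 203.0.113.10 carried as CARP VIP (vhid 1), node is
# MASTER, no SAs: the symptom from the first post.
SAMPLE_IFCONFIG_CARP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'
SAMPLE_SETKEY_EMPTY='No SAD entries.'

# Constructed sample: same address as a plain alias, one ESP SA per
# direction: the working case from the first post.
SAMPLE_IFCONFIG_ALIAS='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10'
SAMPLE_SETKEY_UP='203.0.113.10 198.51.100.1
    esp mode=tunnel spi=12345678(0x00bc614e) reqid=16385(0x00004001)
    E: aes-cbc  0123456789abcdef 0123456789abcdef
    A: hmac-sha1  0123456789abcdef 0123456789abcdef 01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 203.0.113.10
    esp mode=tunnel spi=87654321(0x05397fb1) reqid=16385(0x00004001)
    E: aes-cbc  fedcba9876543210 fedcba9876543210
    A: hmac-sha1  fedcba9876543210 fedcba9876543210 76543210
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Offline demonstration on the constructed samples.
check_endpoint 203.0.113.10 "$SAMPLE_IFCONFIG_CARP"  "$SAMPLE_SETKEY_EMPTY"   # carp-master-no-sa
check_endpoint 203.0.113.10 "$SAMPLE_IFCONFIG_ALIAS" "$SAMPLE_SETKEY_UP"      # alias-ok
```

A verdict of carp-master-no-sa is the situation the first post describes: the node owns the VIP, so the failure is not a CARP election problem but something between the VIP and the peer, which in this thread turned out to be the ESX vSwitch not passing traffic for the VIP until promiscuous mode was enabled. A carp-backup verdict is expected to show no SAs, so it is not a fault on its own.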