Netgate Discussion Forum

    CARP/HA + Ipsec, failover is not working as expected

    HA/CARP/VIPs
A Former User

      Hi all,

      I'm testing this configuration before the release in production.

I have a remote LAN (192.168.5.x/24) with 2 pfSense firewalls (192.168.5.1 master and 192.168.5.254 slave). The HA is working really well and also pfsync is syncing without problems.

I configured 2 tunnels with the public VIP as interface. One is configured between the pfSense appliances and a Palo Alto, the other one is between the local pfSense and another remote pfSense.

The only problem I have is IPsec not reconnecting automatically when the 2 VIPs (public IP and 192.168.5.253) pass from master to slave.

      I changed also NAT to manual AON and configured the VIP as NAT address. The IPSEC failover is not working at all.

      Can someone please help me fixing this issue?

      Thank you!

A Former User

Sorry for the bump, has someone encountered the same problem? Any solution will be appreciated.

        Thanks!

A Former User

Sorry if I bother you, I would like some help if someone is kindly available to help me troubleshoot this issue. It's driving me crazy and I don't find anything useful to fix the problem on the net.

          Thank you

Dr.Sudoku

            Hey friend. This seems a little late coming, but I thought I'd leave a reply here as I ran into the same "issue" myself just today.

By the nature of an IPsec tunnel, they do not truly get "started" or "stopped"; they only come up when traffic that is being routed through them is detected. So in this case, basically as soon as there is traffic on the IPsec tunnel from the secondary node after your primary fails, it will connect perfectly fine with the new tunnel.

            To test this yourself, you can add an address in your P2 entry at the bottom to automatically ping. This ping will occur every few seconds and as soon as the first ping is sent from the secondary node after the fail, the tunnel will reconnect and allow traffic to pass.

            Hopefully this helps you and any others pursuing this topic in the future!

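The reply above describes the behaviour to expect after a CARP failover: the new master holds the VIP, but the P2 (child SA) is not installed until something sends traffic into it. The script below is an added example for checking exactly that on a pfSense node after a failover test; it is not code from the thread or from Netgate. It assumes pfSense 2.5 or later, where IPsec is driven by strongSwan's swanctl, so `swanctl --list-sas` shows whether the child SA is INSTALLED, and FreeBSD's `ifconfig`, which prints a `carp: MASTER` line on the node that currently owns the VIP. The interface name `em0`, the connection name `con1`, the VIP `203.0.113.10` and the probe host `10.10.0.1` are hypothetical placeholders, and the sample tool output embedded in the script is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the forum thread): decide, on a pfSense HA node,
# whether the IPsec P2 needs to be kicked after a CARP failover.
# Hypothetical settings; override via the environment on a real box.
CARP_IFACE="${CARP_IFACE:-em0}"            # interface carrying the CARP VIP
CONN_NAME="${CONN_NAME:-con1}"             # swanctl connection name of the tunnel
VIP_ADDR="${VIP_ADDR:-203.0.113.10}"       # public VIP used as the IPsec endpoint
REMOTE_PROBE="${REMOTE_PROBE:-10.10.0.1}"  # a host inside the remote P2 network

# carp_is_master <ifconfig output>: succeeds if this node holds the VIP.
# FreeBSD ifconfig prints "carp: MASTER vhid N ..." on the owning node.
carp_is_master() {
    printf '%s\n' "$1" | grep -q 'carp: MASTER'
}

# child_sa_installed <conn> <swanctl --list-sas output>: succeeds if a child SA
# (the P2) for <conn> is INSTALLED. The IKE_SA line ("con1: #1, ESTABLISHED, ...")
# carries no "reqid", so only the indented child SA line can match.
# <conn> is used inside a regex, so keep it to plain alphanumerics.
child_sa_installed() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]+$1: #[0-9]+, reqid [0-9]+, INSTALLED"
}

# decide_action <ifconfig output> <swanctl output>: prints one of
#   backup  - not CARP master, nothing to do on this node
#   ok      - master and the P2 is already installed
#   trigger - master but the P2 is missing: send traffic to bring it up
decide_action() {
    if ! carp_is_master "$1"; then
        echo backup
    elif child_sa_installed "$CONN_NAME" "$2"; then
        echo ok
    else
        echo trigger
    fi
}

# Constructed sample output (shaped like FreeBSD ifconfig and strongSwan
# swanctl --list-sas), so the logic can be exercised offline.
SAMPLE_IFCONFIG_MASTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0'
SAMPLE_IFCONFIG_BACKUP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.12 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100'
SAMPLE_SAS_P2_UP='con1: #1, ESTABLISHED, IKEv2, 0b2a4c6e8f1a3b5c_i 9d8e7f6a5b4c3d2e_r*
  local  '"'"'203.0.113.10'"'"' @ 203.0.113.10[500]
  remote '"'"'198.51.100.20'"'"' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 120s ago, rekeying in 13680s
  con1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 120s ago, rekeying in 3195s, expires in 3840s
    in  c1a2b3c4,      0 bytes,     0 packets
    out d4e5f6a7,      0 bytes,     0 packets
    local  192.168.5.0/24
    remote 10.10.0.0/16'
SAMPLE_SAS_IKE_ONLY='con1: #1, ESTABLISHED, IKEv2, 0b2a4c6e8f1a3b5c_i 9d8e7f6a5b4c3d2e_r*
  local  '"'"'203.0.113.10'"'"' @ 203.0.113.10[500]
  remote '"'"'198.51.100.20'"'"' @ 198.51.100.20[500]
  established 5s ago, rekeying in 13795s'

# live_check: run against the real box. "ping -S" is FreeBSD syntax for the
# source address; sourcing the probe from the VIP is what matches the P2 policy.
live_check() {
    ifc="$(ifconfig "$CARP_IFACE")"
    sas="$(swanctl --list-sas)"
    case "$(decide_action "$ifc" "$sas")" in
        trigger)
            echo "CARP master without P2 for $CONN_NAME; probing $REMOTE_PROBE from $VIP_ADDR"
            ping -c 3 -S "$VIP_ADDR" "$REMOTE_PROBE" >/dev/null 2>&1 || true
            ;;
        ok)     echo "CARP master, $CONN_NAME P2 installed" ;;
        backup) echo "CARP backup, nothing to do" ;;
    esac
}

# Only touch the live system when explicitly asked; otherwise the functions
# above can be exercised on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh ipsec-failover-check.sh --live` on the node that just became master; if it reports `trigger`, the probe it sends is the same thing the "automatically ping host" field in the P2 entry does every few seconds, which is why that setting makes the tunnel come up on its own after the VIPs move.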
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.