IPSec, Outbound NAT and CARP
-
Hi all,
I'm just troubleshooting our in-place CARP installation…it's between a couple of dedicated Dell servers running ESXi 6.0u3 with identical hardware.
I have one issue in that apparently the site-to-site VPN from here to our manufacturing site doesn't appear to work on the backup pfsense despite it being configured against a CARP IP on the WAN interface.
I've been through the hangouts on HA, and read up a bunch, and one thing which might be related (or not, I really don't know!) is the outbound NAT setting for ISAKMP. Currently it's set to the NAT address of the "WAN interface" rather than the CARP address on the WAN whose only use is the VPN (i.e. I've got a CARP on the WAN dedicated for LAN-to-WAN traffic, but another CARP address dedicated for connectivity to the IPSec tunnel from the manufacturing site).
Can anyone shed any light on whether this would be the likely reason the VPN is failing? I'm not sure what purpose the ISAKMP NAT rule would have with relation to the VPN tunnel given that the tunnel works on the primary despite the NAT rule not having been changed from the WAN address?
I don't have a maintenance window yet to make any changes, so I'm trying to discuss it before I get there (so don't expect me scrambling around to test things!)
Thanks,
Mike.
-
It will only work when that unit is Master. The other side should be configured to connect to the CARP VIP. They will get whichever unit is Master at the time.
Outbound NAT rules should be source-address limited to the addresses you actually want to NAT. If those are `any`, that is almost never right.
Outbound NAT should almost always be set to have a NAT address of the CARP VIP, too. But those rules are for IPsec passthrough from clients behind the firewall, not for Site-to-site connections from the firewall itself.
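The reply above boils down to two things to audit in the outbound NAT rule set: no rule should have a source of `any`, and the translation address should be the CARP VIP rather than the interface address. The script below is an added example (not code from the thread or from pfSense) that runs those two checks over outbound NAT lines written in pf syntax, the form pfSense's generated rules take in `/tmp/rules.debug`. It goes one step beyond the reply by also flagging an ISAKMP (UDP/500) rule that lacks `static-port`, since pfSense's automatic ISAKMP rule preserves the source port and IKE generally expects it kept. The rule lines, the interface name `em0`, the addresses and the set of CARP VIPs are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in pf syntax, shaped like the outbound NAT lines pfSense
# generates (including the automatic static-port rule for ISAKMP, UDP/500).
# Documentation addresses only: 203.0.113.5 stands for the WAN interface
# address, 203.0.113.10 for the CARP VIP dedicated to the site-to-site tunnel.
SAMPLE_RULES = """\
nat on em0 inet from 10.10.0.0/24 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 10.10.0.0/24 to any -> 203.0.113.5
nat on em0 inet from any to any port = isakmp -> 203.0.113.10 static-port
nat on em0 inet from 10.10.0.0/24 to any port = isakmp -> 203.0.113.10
"""

# CARP virtual IPs configured on the WAN (constructed values).
CARP_VIPS = frozenset({"203.0.113.10", "203.0.113.11"})

# One pf "nat on" rule: interface, optional address family, source, destination,
# optional destination port, translation target, optional static-port keyword.
RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+)(?:\s+inet6?)?\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\S+))?\s+->\s+(?P<target>\S+)(?P<static>\s+static-port)?\s*$"
)


@dataclass(frozen=True)
class Finding:
    rule_no: int   # 1-based position among non-blank rule lines
    code: str      # SOURCE_ANY, NOT_CARP_VIP, NO_STATIC_PORT or UNPARSED
    detail: str


def audit_outbound_nat(rules_text, carp_vips):
    """Return a list of Findings for outbound NAT rules that break the
    CARP/IPsec guidance: unrestricted source, non-VIP translation address,
    or an ISAKMP rule that does not keep the source port."""
    findings = []
    rules = [ln.strip() for ln in rules_text.splitlines() if ln.strip()]
    for n, line in enumerate(rules, start=1):
        m = RULE_RE.match(line)
        if not m:
            findings.append(Finding(n, "UNPARSED", line))
            continue
        if m["src"] == "any":
            findings.append(Finding(n, "SOURCE_ANY",
                                    "source is 'any'; limit it to the networks you actually NAT"))
        if m["target"] not in carp_vips:
            findings.append(Finding(n, "NOT_CARP_VIP",
                                    f"translation address {m['target']} is not a CARP VIP"))
        # 'isakmp' is the service name pf uses for UDP/500; accept the number too.
        if m["port"] in ("isakmp", "500") and not m["static"]:
            findings.append(Finding(n, "NO_STATIC_PORT",
                                    "ISAKMP rule without static-port; source port 500 will be rewritten"))
    return findings


if __name__ == "__main__":
    for f in audit_outbound_nat(SAMPLE_RULES, CARP_VIPS):
        print(f"rule {f.rule_no}: {f.code}: {f.detail}")
```

On the constructed sample the script reports rules 1 and 2 for translating to the interface address instead of the VIP, rule 3 for the `any` source, and rule 4 for the missing `static-port`. To run it against a real box, feed it the `nat on` lines from `/tmp/rules.debug` and the VIPs from Firewall > Virtual IPs.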