4. Packets from phase1 bound to CARP VIP do not have the right source address

Packets from phase1 bound to CARP VIP do not have the right source address

  • S

    Hi,
    I reported an issue which apparently isn't a bug: https://redmine.pfsense.org/issues/8359.
    I have a cluster with one member having a wan IP of 192.168.0.1. I have configured a CARP VIP of 192.168.0.10 on the wan interface.
    I have several phase1 configurations, all of them are bound to the VIP Interface and the ipsec logs show:

    
charon: 05[NET] <con73000|1>sending packet: from 192.168.0.10[500] to xxxxxxxx[500] (360 bytes)</con73000|1>

    However, running tcpdump on the wan interface shows that the packets are not sent from the VIP but from the interface address:

    
IP 192.168.0.1.500 > xxxxxxx.500: isakmp: phase 1 I agg

    I had to force an outbound NAT in order for my packets to originate from the VIP and not the interface address. Before I added this rule, I had no outbound NATs defined.

    I have a similar setup in a 2.3 cluster and I don't see this behaviour.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy