Packets from phase1 bound to CARP VIP do not have the right source address
-
Hi,
I reported an issue which apparently isn't a bug: https://redmine.pfsense.org/issues/8359.
I have a cluster with one member having a wan IP of 192.168.0.1. I have configured a CARP VIP of 192.168.0.10 on the wan interface.
I have several phase1 configurations, all of them are bound to the VIP Interface and the ipsec logs show:charon: 05[NET] <con73000|1>sending packet: from 192.168.0.10[500] to xxxxxxxx[500] (360 bytes)</con73000|1>However, running tcpdump on the wan interface shows that the packets are not sent from the VIP but from the interface address:
IP 192.168.0.1.500 > xxxxxxx.500: isakmp: phase 1 I aggI had to force an outbound NAT in order for my packets to originate from the VIP and not the interface address. Before I added this rule, I had no outbound NATs defined.
I have a similar setup in a 2.3 cluster and I don't see this behaviour.