4. Packets from phase1 bound to CARP VIP do not have the right source address

Packets from phase1 bound to CARP VIP do not have the right source address

  • S

    Hi,
    I reported an issue which apparently isn't a bug: https://redmine.pfsense.org/issues/8359.
    I have a cluster with one member having a wan IP of 192.168.0.1. I have configured a CARP VIP of 192.168.0.10 on the wan interface.
    I have several phase1 configurations, all of them are bound to the VIP Interface and the ipsec logs show:

    
charon: 05[NET] <con73000|1>sending packet: from 192.168.0.10[500] to xxxxxxxx[500] (360 bytes)</con73000|1>

    However, running tcpdump on the wan interface shows that the packets are not sent from the VIP but from the interface address:

    
IP 192.168.0.1.500 > xxxxxxx.500: isakmp: phase 1 I agg

    I had to force an outbound NAT in order for my packets to originate from the VIP and not the interface address. Before I added this rule, I had no outbound NATs defined.

    I have a similar setup in a 2.3 cluster and I don't see this behaviour.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy