IPSEC / CARP - Re-Keys on failover

  • Hi,

    We recently configured PFSense is a HA (Active/Passive) setup, where IPSEC is done to a CARP interface. When the firewall is failed-over to the secondary node the VPN's all re-key.

    My question is;

    Is there a way to avoid this?
    Is this a limitation of the PFSense IPSEC / CARP implimentation?


  • Hi,

    I have the same setup and didn't find a way to make it work that this is not needed. I think this is due to the reason that the insects crypto generate each connection and time a new key set. And if you enable pf then there are even more keys.

    So I think you have to live with this behavior.

  • What you possibly can do:

    Make 2 VPN tunnel. On from the first pfsense and one from the second pfsense. Then you can still make CARP but you configure to NOT sync the IPSec conig.
    When the failover takes place, the vpn tunnel will already be up.

    depending on your setup you may run ospf or another routing protocoll with the two vpn tunnel to make changes that are nessessary due to topology change.

    Best Regars,

Log in to reply