Problem of CARP with IPSEC

anass131

Hello everybody!
i'm a new user of this website, i just wanna post a problem about CARP And IPSEC Tunnel, i have a topology with 2 PfSense Ha Cluster (with 4 interfaces WAN LAN DMZ SYNC) i created i tunnel between pfsense and a remote site having FortiGate HA Cluster, when i connect the 2 sites, my LAN VIP CARP on the Master PfSence pass to Backup and still BACKUP on the Slave and the communication is broking :/
what should i did
thank you ?!
The First Picture : SLAVE
Second Picture : MASTER
Third Picture : MASTER

johnpoz

So you want to report a problem with an EOL version of pfsense 2.2.6 that is no longer supported and has been dead for years..

2.2.6 was released in 2015..
The version of freebsd it was using 10.1 was EOL, December 31, 2016

Really???

I would suggest you update to current 2.4.4p2, and then if you are still having issues feel free to come back.

anass131

hi @johnpoz thank you for you reply
the problem is that i have just only trial version of FortiGate and it just give me the right to chose only DES encryption, Pfsense 2.4.4 doesn't have DES encryption that's why i moved to an older version of pfsense that have DES encryption
hope you understand

johnpoz

DES encryption is not secure.. Was retired back in 2005?

So no I don't understand at all..

anass131

I know that AES it's the secure one but Fortigate VMware Version it's just give the right to chose only DES because it's trial version for my case i want just create a VPN tunnel between 2 sites even if the encryption it's too old for me doesn't matter just i want create it
thank you

johnpoz

That is just moronic.. That they would only allow DES in their trail - WTF you suppose t connect too... Just fire up pfsense on this location... No trial needed.

That being said - NOBODY is going to give or care to help about anything to do with 2.2.6 of pfsense - its DEAD!!

anass131

i wan't to use a different Firewall in the remote site so can you suggest me another good one like pfsense ?

anass131

johnpoz

Well there isn't much that comes close to pfsense ;)

Why can you not just use pfsense on both ends? But there are multiple other firewall distros you could use that are free without a trial, that support ipsec with current modes of operation.. Vyos comes to mind right off the top of my head..

For that matter ANY linux or BSD distro could be used as firewall/router with a bit of setup.

anass131

@johnpoz thank you very much for your help i will do some research about Vyos.
for the second site i want to use another Firewall it's about my Study to show to the jury that we can use a different technology in the same time that's why

anass131

@johnpoz hi, i just created an ipsec tunnel between 2 Clusters of PfSense 2.4.4 (2 sites- Ha cluster in the two ends), and when i shutdown the master the Slave change VIP CARP of WAN and DMZ to Master but VIP LAN still always buckup what is wrong please ?

Configuration of IPSEC:

Configuration of NAT :

Configuration of VIP :

The Slave :

JeGr

Huh, perhaps one should check on those 63 error/warning indicators the UI shows?

anass131

@JeGr thank you for your reply
finally i found the problem it was related with GNS3 because my 2 sites are connected with it. the cloud's i used to represent my LAN block the VIP of the LAN when i shutdown the Master.