Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Problem of CARP with IPSEC

    HA/CARP/VIPs
    3
    13
    725
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      anass131 last edited by anass131

      Hello everybody!
      i'm a new user of this website, i just wanna post a problem about CARP And IPSEC Tunnel, i have a topology with 2 PfSense Ha Cluster (with 4 interfaces WAN LAN DMZ SYNC) i created i tunnel between pfsense and a remote site having FortiGate HA Cluster, when i connect the 2 sites, my LAN VIP CARP on the Master PfSence pass to Backup and still BACKUP on the Slave and the communication is broking :/
      what should i did
      thank you ?!
      The First Picture : SLAVE
      Second Picture : MASTER
      Third Picture : MASTER
      SLAVE.PNG MASTER.PNG Bypass.PNGDebug.PNG

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by johnpoz

        So you want to report a problem with an EOL version of pfsense 2.2.6 that is no longer supported and has been dead for years..

        2.2.6 was released in 2015..
        The version of freebsd it was using 10.1 was EOL, December 31, 2016

        Really???

        I would suggest you update to current 2.4.4p2, and then if you are still having issues feel free to come back.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        1 Reply Last reply Reply Quote 0
        • A
          anass131 last edited by anass131

          hi @johnpoz thank you for you reply
          the problem is that i have just only trial version of FortiGate and it just give me the right to chose only DES encryption, Pfsense 2.4.4 doesn't have DES encryption that's why i moved to an older version of pfsense that have DES encryption
          hope you understand

          1 Reply Last reply Reply Quote 0
          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            DES encryption is not secure.. Was retired back in 2005?

            So no I don't understand at all..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

            1 Reply Last reply Reply Quote 0
            • A
              anass131 last edited by

              I know that AES it's the secure one but Fortigate VMware Version it's just give the right to chose only DES because it's trial version for my case i want just create a VPN tunnel between 2 sites even if the encryption it's too old for me doesn't matter just i want create it
              thank you

              1 Reply Last reply Reply Quote 0
              • johnpoz
                johnpoz LAYER 8 Global Moderator last edited by johnpoz

                That is just moronic.. That they would only allow DES in their trail - WTF you suppose t connect too... Just fire up pfsense on this location... No trial needed.

                That being said - NOBODY is going to give or care to help about anything to do with 2.2.6 of pfsense - its DEAD!!

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                1 Reply Last reply Reply Quote 0
                • A
                  anass131 last edited by anass131

                  i wan't to use a different Firewall in the remote site so can you suggest me another good one like pfsense ?

                  1 Reply Last reply Reply Quote 0
                  • A
                    anass131 last edited by

                    5f40711f-2a40-4154-b95e-0914c9e5009a-image.png

                    1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by johnpoz

                      Well there isn't much that comes close to pfsense ;)

                      Why can you not just use pfsense on both ends? But there are multiple other firewall distros you could use that are free without a trial, that support ipsec with current modes of operation.. Vyos comes to mind right off the top of my head..

                      For that matter ANY linux or BSD distro could be used as firewall/router with a bit of setup.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                      1 Reply Last reply Reply Quote 0
                      • A
                        anass131 last edited by

                        @johnpoz thank you very much for your help i will do some research about Vyos.
                        for the second site i want to use another Firewall it's about my Study to show to the jury that we can use a different technology in the same time that's why ๐Ÿ˜„

                        1 Reply Last reply Reply Quote 0
                        • A
                          anass131 last edited by anass131

                          @johnpoz hi, i just created an ipsec tunnel between 2 Clusters of PfSense 2.4.4 (2 sites- Ha cluster in the two ends), and when i shutdown the master the Slave change VIP CARP of WAN and DMZ to Master but VIP LAN still always buckup what is wrong please ?

                          Configuration of IPSEC:
                          1834ff6f-f8b7-4b32-aca6-8eaa9f6a5a51-image.png

                          Configuration of NAT :
                          9bebd0b8-fc1a-4d18-97d0-ba438e626e5e-image.png

                          Configuration of VIP :
                          2f564d66-d157-4aa4-826e-7711063cc019-image.png

                          The Slave :
                          d86ec6e6-3cdc-4b06-ac5a-1bc33ffcffb4-image.png

                          1 Reply Last reply Reply Quote 0
                          • JeGr
                            JeGr LAYER 8 Moderator last edited by

                            Huh, perhaps one should check on those 63 error/warning indicators the UI shows?

                            Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                            1 Reply Last reply Reply Quote 1
                            • A
                              anass131 last edited by

                              @JeGr thank you for your reply
                              finally i found the problem it was related with GNS3 because my 2 sites are connected with it. the cloud's i used to represent my LAN block the VIP of the LAN when i shutdown the Master.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post