Problem of CARP with IPSEC



  • Hello everybody!
    i'm a new user of this website, i just wanna post a problem about CARP And IPSEC Tunnel, i have a topology with 2 PfSense Ha Cluster (with 4 interfaces WAN LAN DMZ SYNC) i created i tunnel between pfsense and a remote site having FortiGate HA Cluster, when i connect the 2 sites, my LAN VIP CARP on the Master PfSence pass to Backup and still BACKUP on the Slave and the communication is broking :/
    what should i did
    thank you ?!
    The First Picture : SLAVE
    Second Picture : MASTER
    Third Picture : MASTER
    SLAVE.PNG MASTER.PNG Bypass.PNGDebug.PNG


  • LAYER 8 Global Moderator

    So you want to report a problem with an EOL version of pfsense 2.2.6 that is no longer supported and has been dead for years..

    2.2.6 was released in 2015..
    The version of freebsd it was using 10.1 was EOL, December 31, 2016

    Really???

    I would suggest you update to current 2.4.4p2, and then if you are still having issues feel free to come back.



  • hi @johnpoz thank you for you reply
    the problem is that i have just only trial version of FortiGate and it just give me the right to chose only DES encryption, Pfsense 2.4.4 doesn't have DES encryption that's why i moved to an older version of pfsense that have DES encryption
    hope you understand


  • LAYER 8 Global Moderator

    DES encryption is not secure.. Was retired back in 2005?

    So no I don't understand at all..



  • I know that AES it's the secure one but Fortigate VMware Version it's just give the right to chose only DES because it's trial version for my case i want just create a VPN tunnel between 2 sites even if the encryption it's too old for me doesn't matter just i want create it
    thank you


  • LAYER 8 Global Moderator

    That is just moronic.. That they would only allow DES in their trail - WTF you suppose t connect too... Just fire up pfsense on this location... No trial needed.

    That being said - NOBODY is going to give or care to help about anything to do with 2.2.6 of pfsense - its DEAD!!



  • i wan't to use a different Firewall in the remote site so can you suggest me another good one like pfsense ?



  • 5f40711f-2a40-4154-b95e-0914c9e5009a-image.png


  • LAYER 8 Global Moderator

    Well there isn't much that comes close to pfsense ;)

    Why can you not just use pfsense on both ends? But there are multiple other firewall distros you could use that are free without a trial, that support ipsec with current modes of operation.. Vyos comes to mind right off the top of my head..

    For that matter ANY linux or BSD distro could be used as firewall/router with a bit of setup.



  • @johnpoz thank you very much for your help i will do some research about Vyos.
    for the second site i want to use another Firewall it's about my Study to show to the jury that we can use a different technology in the same time that's why 😄



  • @johnpoz hi, i just created an ipsec tunnel between 2 Clusters of PfSense 2.4.4 (2 sites- Ha cluster in the two ends), and when i shutdown the master the Slave change VIP CARP of WAN and DMZ to Master but VIP LAN still always buckup what is wrong please ?

    Configuration of IPSEC:
    1834ff6f-f8b7-4b32-aca6-8eaa9f6a5a51-image.png

    Configuration of NAT :
    9bebd0b8-fc1a-4d18-97d0-ba438e626e5e-image.png

    Configuration of VIP :
    2f564d66-d157-4aa4-826e-7711063cc019-image.png

    The Slave :
    d86ec6e6-3cdc-4b06-ac5a-1bc33ffcffb4-image.png


  • LAYER 8 Moderator

    Huh, perhaps one should check on those 63 error/warning indicators the UI shows?



  • @JeGr thank you for your reply
    finally i found the problem it was related with GNS3 because my 2 sites are connected with it. the cloud's i used to represent my LAN block the VIP of the LAN when i shutdown the Master.


Log in to reply