• There is a bug in the way ipsec config is written when using a CARP address.

    If I use the machines real IP ipsec works fine and the config is written as

    # cat /var/etc/racoon.conf
    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
            adminsock "/var/run/racoon.sock" "root" "wheel" 0660;
            isakmp a.b.c.118 [500];
            isakmp_natt a.b.c.118 [4500];
    }
    
    remote w.x.y.z
    {
            ph1id 1;
            exchange_mode aggressive;
            my_identifier address a.b.c.118;
            peers_identifier address w.x.y.z;
            ike_frag on;
            generate_policy = off;
            initial_contact = on;
            nat_traversal = off;
    
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;
    
            proposal
            {
                    authentication_method pre_shared_key;
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 1200 secs;
            }
    }
    
    sainfo subnet 192.168.2.0/24 any subnet 192.168.1.0/24 any
    {
            remoteid 1;
            encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128, 3des, cast128;
            authentication_algorithm hmac_sha1,hmac_md5;
    
            lifetime time 1200 secs;
            compression_algorithm deflate;
    }
    
    

    However if I select the CARP ip a.d.c.120 this is the config produced

    # cat /var/etc/racoon.conf
    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    sainfo subnet 192.168.2.0/24 any subnet 192.168.1.0/24 any
    {
            remoteid 1;
            encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128, 3des, cast128;
            authentication_algorithm hmac_sha1,hmac_md5;
    
            lifetime time 1200 secs;
            compression_algorithm deflate;
    }
    
    

    As you can see most of the config has not been written for the CARP address ipsec


  • After a bit more trawling through the php it looks like this is because

    convert_friendly_interface_to_real_interface_name($if);

    Is not converting carp1 into xl? hence no ip is returned. This is because the real interface is called opt1 not carp1, get_configured_interface_with_descr in util.inc only returns the real interfaces and not the carpX ones


  • Ok that is on me so i will check this.


  • Should fixed.


  • Thanks Ermal, that has fixed it.