IPsec and CARP
-
There is a bug in the way the IPsec config is written when using a CARP address.
If I use the machine's real IP, IPsec works fine and the config is written as:
# cat /var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
listen {
    adminsock "/var/run/racoon.sock" "root" "wheel" 0660;
    isakmp a.b.c.118 [500];
    isakmp_natt a.b.c.118 [4500];
}
remote w.x.y.z {
    ph1id 1;
    exchange_mode aggressive;
    my_identifier address a.b.c.118;
    peers_identifier address w.x.y.z;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = off;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 1200 secs;
    }
}
sainfo subnet 192.168.2.0/24 any subnet 192.168.1.0/24 any {
    remoteid 1;
    encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128, 3des, cast128;
    authentication_algorithm hmac_sha1,hmac_md5;
    lifetime time 1200 secs;
    compression_algorithm deflate;
}
However, if I select the CARP IP a.d.c.120, this is the config produced:
# cat /var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
sainfo subnet 192.168.2.0/24 any subnet 192.168.1.0/24 any {
    remoteid 1;
    encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128, 3des, cast128;
    authentication_algorithm hmac_sha1,hmac_md5;
    lifetime time 1200 secs;
    compression_algorithm deflate;
}
As you can see, most of the config has not been written for the CARP address IPsec.
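A sanity check for the failure mode described in this post, written here as an added example (it is not pfSense's or racoon's own code): it splits a racoon.conf into its top-level statements and flags a generated file whose listen or remote blocks are absent, or whose sainfo remoteid has no matching remote ph1id. The two embedded configs are constructed from the dumps above with the cipher lists shortened; the placeholder addresses a.b.c.118 and w.x.y.z are kept from the post.

```python
import re

# Constructed sample: the working config from the post (cipher list shortened).
GOOD_CONF = """\
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
listen {
    adminsock "/var/run/racoon.sock" "root" "wheel" 0660;
    isakmp a.b.c.118 [500];
    isakmp_natt a.b.c.118 [4500];
}
remote w.x.y.z {
    ph1id 1;
    exchange_mode aggressive;
    my_identifier address a.b.c.118;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
    }
}
sainfo subnet 192.168.2.0/24 any subnet 192.168.1.0/24 any {
    remoteid 1;
    encryption_algorithm aes 256, 3des;
    authentication_algorithm hmac_sha1,hmac_md5;
}
"""

# Constructed sample: the truncated config produced when the CARP VIP is chosen.
BAD_CONF = """\
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
sainfo subnet 192.168.2.0/24 any subnet 192.168.1.0/24 any {
    remoteid 1;
    encryption_algorithm aes 256, 3des;
    authentication_algorithm hmac_sha1,hmac_md5;
}
"""


def parse_racoon_sections(text):
    """Split racoon.conf text into top-level statements.

    Returns a list of (keyword, header, body): body is None for a
    'keyword args;' statement and the raw brace content for a block.
    Nested braces (e.g. proposal inside remote) stay inside the body.
    """
    sections = []
    i, n = 0, len(text)
    while i < n:
        if text[i].isspace():            # skip whitespace between statements
            i += 1
            continue
        if text[i] == "#":               # skip a comment line
            j = text.find("\n", i)
            i = n if j == -1 else j + 1
            continue
        j = i                            # read the header up to ';' or '{'
        while j < n and text[j] not in ";{":
            j += 1
        if j >= n:
            break
        header = text[i:j].strip()
        if text[j] == ";":
            sections.append((header.split()[0], header, None))
            i = j + 1
        else:                            # brace-balanced block
            depth, k = 1, j + 1
            while k < n and depth:
                if text[k] == "{":
                    depth += 1
                elif text[k] == "}":
                    depth -= 1
                k += 1
            sections.append((header.split()[0], header, text[j + 1:k - 1]))
            i = k
    return sections


def check_racoon_conf(text):
    """Return a list of problems that would leave the tunnel unusable."""
    problems = []
    kinds = {}
    for kw, header, body in parse_racoon_sections(text):
        kinds.setdefault(kw, []).append((header, body or ""))
    listen = kinds.get("listen", [])
    if not listen:
        problems.append("no listen block: racoon will not bind isakmp/isakmp_natt")
    elif not re.search(r"\bisakmp\s+\S+", listen[0][1]):
        problems.append("listen block has no isakmp address")
    remotes = kinds.get("remote", [])
    if not remotes:
        problems.append("no remote block: no phase 1 can be negotiated")
    ph1ids = {m.group(1) for _, body in remotes
              for m in [re.search(r"\bph1id\s+(\d+)\s*;", body)] if m}
    for header, body in kinds.get("sainfo", []):
        m = re.search(r"\bremoteid\s+(\d+)\s*;", body)
        if m and m.group(1) not in ph1ids:
            problems.append(f"{header}: remoteid {m.group(1)} has no matching remote ph1id")
    return problems


if __name__ == "__main__":
    for name, conf in (("real IP", GOOD_CONF), ("CARP VIP", BAD_CONF)):
        print(name, "->", check_racoon_conf(conf) or "OK")
```

Run against a live /var/etc/racoon.conf after saving the IPsec settings; an empty result means the listen, remote and sainfo pieces all made it into the file, while the truncated CARP output above produces three findings.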
-
After a bit more trawling through the PHP, it looks like this is because
convert_friendly_interface_to_real_interface_name($if);
is not converting carp1 into xl?, hence no IP is returned. This is because the real interface is called opt1, not carp1; get_configured_interface_with_descr in util.inc only returns the real interfaces and not the carpX ones.
-
Ok, that is on me, so I will check this.
-
Should be fixed.
-
Thanks Ermal, that has fixed it.