IPsec tunnels not connecting during CARP HA failover
-
I run a pair of pfSense 2.5.2 devices in CARP HA. The setup has 5x IPsec VPN tunnels.
During a CARP failover where I shut down/halt the MASTER and the BACKUP becomes the MASTER, none of the IPsec VPN tunnels come online automatically. I have to hit Connect under Status > IPsec for the tunnels to be established.
Has anyone experienced this and/or is this a known issue?
Regards,
Thomas -
I did some reading and I see the following options under IKEv2 Phase 1, Advanced Options:
Child SA Start Action: I have this as Default. I do see an option to "Initiate at start (VTI or Tunnel Mode)"
Child SA Close Action: I have this as Default. I do see an option to "Restart/Reconnect".
Does anyone know if this change might fix my issue? I am unable to make the change or test this at the moment.
Also, in 2.6.0, I see a Keep Alive option under Phase 2. Maybe I need to upgrade to this version to solve my issue?
-
Wanted to add a bit more info here as this issue remains even after upgrading to 2.6.0 today.
My tunnels are IKEv2 in VTI mode.
Under Phase 1 Advanced Options, I set "Child SA Start Action" to "Initiate at start (VTI or Tunnel Mode)" and "Child SA Close Action" to "Restart/Reconnect".
Under Phase 2 > Keep Alive, I use a host on the other side of the tunnel with Keep Alive "Enable periodic keep alive check".
The tunnels do not establish if I shut down the MASTER CARP node or "Enter Persistent CARP Maintenance Mode" on the MASTER CARP node. I have to click Connect to manually establish the tunnels.
Seeing these messages in the IPsec System Log
charon[43289]: 04[CFG] trap not found, unable to acquire reqid 5002
Has anyone else seen this issue?
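A check for the state described in this thread, added here as an example and not part of the original posts: it compares the IKE connections strongSwan has configured with those that currently have an ESTABLISHED IKE_SA, using the line formats of swanctl --list-conns and swanctl --list-sas, so you can see after a failover which tunnels still need a Connect. The embedded sample output, addresses and connection names are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): after a CARP failover, list
# configured IKE connections that have no ESTABLISHED IKE_SA in strongSwan,
# i.e. the tunnels that would still show as disconnected under Status > IPsec.
# On the firewall, run it against live output:
#   missing_ike_sas "$(swanctl --list-conns)" "$(swanctl --list-sas)"
# The sample output below is constructed; con1000/con2000/con3000 are made-up names.

# Configured connections: unindented "name: IKEv2, ..." lines of --list-conns.
configured_conns() {
    printf '%s\n' "$1" | sed -n 's/^\([A-Za-z0-9_-]*\): IKEv[12].*/\1/p'
}

# Established connections: unindented "name: #N, ESTABLISHED, ..." lines of
# --list-sas. A CONNECTING or REKEYING IKE_SA is deliberately not counted.
established_conns() {
    printf '%s\n' "$1" | sed -n 's/^\([A-Za-z0-9_-]*\): #[0-9]*, ESTABLISHED,.*/\1/p'
}

# Print configured connections with no established IKE_SA, one per line, sorted.
missing_ike_sas() {
    {
        configured_conns "$1" | sed 's/^/C /'
        established_conns "$2" | sed 's/^/E /'
    } | awk '$1 == "C" { c[$2] = 1 } $1 == "E" { e[$2] = 1 }
             END { for (n in c) if (!(n in e)) print n }' | sort
}

SAMPLE_CONNS="con1000: IKEv2, no reauthentication, rekeying every 25920s
  local:  203.0.113.10
  remote: 198.51.100.20
  con1000_1: TUNNEL, rekeying every 3240s
con2000: IKEv2, no reauthentication, rekeying every 25920s
  local:  203.0.113.10
  remote: 198.51.100.30
con3000: IKEv2, no reauthentication, rekeying every 25920s
  local:  203.0.113.10
  remote: 198.51.100.40"

SAMPLE_SAS="con1000: #12, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 0f1e2d3c4b5a6978_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  established 42s ago, rekeying in 25410s
  con1000_1: #7, reqid 5000, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 42s ago, rekeying in 3100s, expires in 3600s
con3000: #13, CONNECTING, IKEv2, 9f8e7d6c5b4a3928_i* 0000000000000000_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.40' @ 198.51.100.40[500]"

missing_ike_sas "$SAMPLE_CONNS" "$SAMPLE_SAS"   # prints con2000 and con3000
```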