
    IPsec tunnels not connecting during CARP HA failover

      TO2020

      I run a pair of pfSense 2.5.2 devices in CARP HA. The setup has 5x IPsec VPN tunnels.
      During a CARP failover where I shut down/halt the MASTER and the BACKUP becomes the MASTER, none of the IPsec VPN tunnels come online automatically. I have to hit Connect under Status > IPsec for the tunnels to be established.

      Has anyone experienced this, and/or is this a known issue?

      Regards,
      Thomas

        TO2020 @TO2020

        I did some reading and I see the following options under IKEv2 Phase 1, Advanced Options:
        Child SA Start Action: I have this as Default. I do see an option to "Initiate at start (VTI or Tunnel Mode)".
        Child SA Close Action: I have this as Default. I do see an option to "Restart/Reconnect".

        Does anyone know if this change might fix my issue? I am unable to make the change or test this at the moment.

        Also, in 2.6.0, I see a Keep Alive option under Phase 2. Maybe I need to upgrade to this version to solve my issue?

          TO2020

          Wanted to add a bit more info here as this issue remains even after upgrading to 2.6.0 today.

          My tunnels are IKEv2 in VTI mode.

          Under Phase 1 Advanced Options, I set "Child SA Start Action" to "Initiate at start (VTI or Tunnel Mode)" and "Child SA Close Action" to "Restart/Reconnect".

          Under Phase 2 > Keep Alive, I use a host on the other side of the tunnel with Keep Alive "Enable periodic keep alive check".

          The tunnels do not establish if I shut down the MASTER CARP node or "Enter Persistent CARP Maintenance Mode" on the MASTER CARP node. I have to click Connect to manually establish the tunnels.

          Seeing these messages in the IPsec System Log:
          charon[43289]: 04[CFG] trap not found, unable to acquire reqid 5002

          Has anyone else seen this issue?

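The log message quoted in the post above ("trap not found, unable to acquire reqid") is the one artefact an operator can watch for when checking whether tunnels came back after a CARP failover. The following is an added example, not code from the thread, from pfSense or from strongSwan: a small Python check that reads an IPsec log excerpt, counts the acquire failures per reqid, records which CHILD_SAs did establish, and raises an alert when more reqids failed than tunnels came up. The sample lines are constructed in pfSense/strongSwan syslog style (the hostname, timestamps, reqid 5003 and the CHILD_SA line are assumptions); only the "trap not found" text comes from the post.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed pfSense/strongSwan syslog format). The
# "trap not found, unable to acquire reqid" message is the one reported in the
# thread; the hostname, timestamps, reqid 5003 and the CHILD_SA line are constructed.
SAMPLE_LOG = """\
Jan  1 10:00:01 fw2 charon[43289]: 04[CFG] trap not found, unable to acquire reqid 5002
Jan  1 10:00:01 fw2 charon[43289]: 04[CFG] trap not found, unable to acquire reqid 5003
Jan  1 10:00:02 fw2 charon[43289]: 04[CFG] trap not found, unable to acquire reqid 5002
Jan  1 10:00:05 fw2 charon[43289]: 07[IKE] CHILD_SA con1{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 0.0.0.0/0 === 0.0.0.0/0
"""

# The two charon messages this check cares about: a failed acquire on a reqid
# (no trap policy installed, so nothing will trigger the tunnel) and a CHILD_SA
# that actually came up.
TRAP_RE = re.compile(r"charon\[\d+\]: \d+\[CFG\] trap not found, unable to acquire reqid (\d+)")
CHILD_RE = re.compile(r"charon\[\d+\]: \d+\[IKE\] CHILD_SA (\S+?)\{\d+\} established")


def analyze(log_text):
    """Summarise an IPsec log excerpt that covers a CARP failover.

    Returns a dict with:
      failed_reqids      sorted reqids charon tried to acquire without a trap policy
      failure_counts     how many times each of those reqids failed
      established_conns  connection names whose CHILD_SA established in the excerpt
      alert              True when more reqids failed than CHILD_SAs came up, i.e.
                         at least one tunnel most likely still needs a manual Connect
    """
    counts = Counter()
    established = []
    for line in log_text.splitlines():
        m = TRAP_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
            continue
        m = CHILD_RE.search(line)
        if m and m.group(1) not in established:
            established.append(m.group(1))
    failed = sorted(counts)
    return {
        "failed_reqids": failed,
        "failure_counts": dict(counts),
        "established_conns": established,
        # Heuristic: charon's log does not tie a reqid to a connection name, so the
        # alert compares counts rather than matching individual tunnels.
        "alert": len(failed) > len(established),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for reqid in report["failed_reqids"]:
        print(f"reqid {reqid}: {report['failure_counts'][reqid]} acquire failure(s)")
    print("CHILD_SAs established:", ", ".join(report["established_conns"]) or "none")
    if report["alert"]:
        print("ALERT: not all tunnels re-established after failover; manual Connect likely needed")
```

On the constructed input the check reports two failing reqids (5002 twice, 5003 once) against a single established CHILD_SA and raises the alert. Because the "trap not found" lines carry only a reqid, the alert is a count-based heuristic; to name the stuck tunnel you would still need to look up which Phase 2 entry owns that reqid on the firewall itself.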
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.