Netgate Discussion Forum

    HAproxy will not connect to remote server over IPSEC VPN

    • P
      pfsense1921
      last edited by

      IPSec is set up between two pfSense firewalls, both running the latest version.
      Local network 192.168.128.* <--> Remote network 192.168.101.*
      This works beautifully.

      In the diagnostics ping on Local, I can ping (server VM-remote) 192.168.101.50 from LAN(192.168.128.0)

      In HA proxy, in the backend, I have selected health check and advanced I have selected:
      I have selected to: "Use Client-IP to connect to backend servers"
      I have selected LAN subnet (192.168.128.0/24)

      In statistics it still shows that the server VM-remote is down.

      How do I configure HA Proxy to connect to remote server over IPSec?

      • P
        pfsense1921 @pfsense1921
        last edited by pfsense1921

        I can use the external IP for the VM-remote server in HAProxy and everything works fine. I just do not understand why it will not work with the VM-remote local IP.

        (I can ping and ssh, Everything else directly to the VM-Remote local IP via IPSec)

        Having IPSec setup is really useless in this situation. (when you have to bypass it to get HA Proxy to work)

        • V
          viragomann @pfsense1921
          last edited by

          @pfsense1921 said in HAproxy will not connect to remote server over IPSEC VPN:

          > In HA proxy, in the backend, I have selected health check and advanced I have selected:
          > I have selected to: "Use Client-IP to connect to backend servers"

          With policy-based IPSec this setting would only work if you direct all upstream traffic from the remote server over the IPSec to the local site.

          And for the health check to work you might need to configure the Static Route Workaround as described in the docs.

          > Having IPSec setup is really useless in this situation. (when you have to bypass it to get HA Proxy to work)

          I guess it would work with a VTI or an OpenVPN tunnel if the remote endpoint is a pfSense though, or just disable the HAproxy transparent mode.

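The selector matching behind the reply above, as an added example that is not part of the original thread and is not pfSense or HAProxy code. The client and firewall addresses are constructed, and the model assumes firewall-originated traffic leaves with the WAN address unless the Static Route Workaround makes it use the LAN address.

```python
from ipaddress import ip_address, ip_network

# Phase 2 networks and backend address as given in the thread.
LOCAL_NET = ip_network("192.168.128.0/24")
REMOTE_NET = ip_network("192.168.101.0/24")
BACKEND = ip_address("192.168.101.50")           # VM-remote
ANY = ip_network("0.0.0.0/0")                    # "all upstream traffic" selector

# Constructed sample addresses (not from the thread).
CLIENT_IP = ip_address("203.0.113.25")           # internet client of the frontend
FW_WAN_IP = ip_address("198.51.100.10")          # local firewall, WAN side
FW_LAN_IP = ip_address("192.168.128.1")          # local firewall, LAN side


def in_tunnel(src, dst, local=LOCAL_NET, remote=REMOTE_NET):
    """A policy-based tunnel carries a packet only if (src, dst) matches
    the phase 2 selector pair in one direction or the other."""
    return (src in local and dst in remote) or (src in remote and dst in local)


def legs(src, local=LOCAL_NET):
    """Check both directions of a connection from src to the backend."""
    return {"request": in_tunnel(src, BACKEND, local),
            "reply": in_tunnel(BACKEND, src, local)}


def diagnose():
    return {
        # Transparent mode: the backend sees the real client address.
        "transparent, LAN<->LAN selector": legs(CLIENT_IP),
        # Same flow when the remote site sends everything through the tunnel.
        "transparent, 0.0.0.0/0 selector": legs(CLIENT_IP, ANY),
        # Firewall-originated check sourced from the WAN address (assumed default).
        "health check from WAN address": legs(FW_WAN_IP),
        # Check (or non-transparent HAProxy connection) sourced from the LAN address.
        "health check from LAN address": legs(FW_LAN_IP),
    }


if __name__ == "__main__":
    for case, result in diagnose().items():
        print(f"{case:34} request={result['request']!s:5} reply={result['reply']}")
```

Only the flows whose source sits inside a selector network match in both directions, which is why ping from LAN works while the transparent-mode connection and a WAN-sourced health check do not.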
          • P
            pfsense1921 @viragomann
            last edited by

            @viragomann

            Are you saying this works with OpenVPN Tunnel?

            I am using pfsense at both locations.

            • V
              viragomann @pfsense1921
              last edited by

              @pfsense1921 said in HAproxy will not connect to remote server over IPSEC VPN:

              > Are you saying this works with OpenVPN Tunnel?

              Yes, presuming you obey some setup steps.

              At the remote site you will have to assign an interface to the respective OpenVPN instance and move over the firewall rule from the OpenVPN tab to it.

              You have to ensure that there is no pass rule on the OpenVPN tab or even a floating rule applied to the forwarded traffic from the remote site!
              This is necessary for the reply-to to work, so that pfSense can send the response packets back to the other site.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.