Netgate Discussion Forum

    IPsec over VIP CARP IP

    Firewalling

    • T2M5

      I'm trying to establish a site-to-site IPsec VPN between a normal pfSense and a CARP VIP. I tried configuring IPsec to use a VIP, but it doesn't connect. I've seen some posts and read the docs about it, but couldn't replicate it.

      I did the IPsec tunnel configuration on the master CARP firewall; for the peer identifier I chose "IP address" and added the VIP as the peer identifier of the tunnel, but nothing worked. The two points can communicate, there are no firewall rules, just a NAT on the CARP to translate the LAN to the VIP, but I don't think that is the problem. I don't know if I understood correctly how to do it; if someone can help me, thanks.

      Thanks in advance.

      Networks:

      pfSense:

       LAN - 10.128.24.0/24
       WAN - 192.168.23.130/25

      pfSense100:

       (NAT - LAN > VIPWAN)
       LAN - 172.16.20.1/24
       WAN - 192.168.23.1/25
       VIP(WAN) - 192.168.23.10/25
       VIP(LAN) - 172.16.20.1/24

      pfSense200:

       (NAT - LAN > VIPWAN)
       LAN - 172.16.20.2/24
       WAN - 192.168.23.2/25
       VIP(WAN) - 192.168.23.10/25
       VIP(LAN) - 172.16.20.1/24

      The diagram:

      [attached image: network diagram]

      pfSense200(Master) configuration:

      [attached image: pfSense200 IPsec configuration screenshot]

      • mcury @T2M5

        @T2M5 You can't use those IPs in the Internet, those are RFC1918 IPs.
        Also, click Generate new Pre-Shared Key, don't set it by yourself.

        dead on arrival, nowhere to be found.

        • T2M5 @mcury

          @mcury said in IPsec over VIP CARP IP:

          RFC1918

          Hi mcury, thanks for replying.

          I turned off the "Block private networks" and "Block bogon networks" rules, so I don't think that is the problem, unless IPsec doesn't permit private IPs, but I have done other IPsec configurations with private IPs in labs. And about the PSK, it's only a simple test lab environment.

          • mcury @T2M5

            @T2M5
            [attached image: annotated screenshot of the IPsec configuration]

            you can't use e0's IP address there, you need to use the router's e0/1 IP address.
            If it goes through the Internet, you must use the public IP for the IPsec.


            • T2M5 @mcury

              @mcury interesting, but the router is serving just routing; it doesn't have NAT or anything. My intention is to seal a connection between the pfSenses; the router is technically invisible, I placed it there just so the two firewalls aren't connected directly. Maybe I misunderstood what you said, I'm sorry if that was the case.

              • mcury @T2M5

                @T2M5 ok, I thought that this was going through the Internet and you were using invalid IPs for that purpose.

                [attached image: screenshot of the IPsec phase 1 "Interface" selector]

                There, select the VIP.

                You mentioned NAT, check if you followed the instructions correctly:

                https://docs.netgate.com/pfsense/en/latest/solutions/reference/highavailability/clusterconfiguration.html

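The two settings mcury points at (phase 1 bound to the CARP VIP rather than the physical WAN, and outbound NAT translating LAN to that VIP) can be checked offline against a config.xml backup. This is an added example, not Netgate code or anything from the thread; the XML layout and the `_vip<uniqid>` interface reference are simplified assumptions about pfSense's config format, and the sample config below is constructed to mirror the pfSense100/200 cluster described above.

```python
"""Audit a pfSense config.xml for the two CARP/IPsec mistakes from this thread.
Added example; XML layout is an assumed, simplified pfSense format."""
import xml.etree.ElementTree as ET

# Constructed sample: WAN 192.168.23.1/25, CARP VIP 192.168.23.10 on WAN,
# LAN NAT'd to the VIP, but phase 1 still bound to the physical "wan".
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><uniqid>abc123</uniqid>
         <subnet>192.168.23.10</subnet><subnet_bits>25</subnet_bits><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>lan</interface><uniqid>def456</uniqid>
         <subnet>172.16.20.1</subnet><subnet_bits>24</subnet_bits><vhid>2</vhid></vip>
  </virtualip>
  <nat><outbound><mode>hybrid</mode>
    <rule><interface>wan</interface><source><network>lan</network></source>
          <target>192.168.23.10</target></rule>
  </outbound></nat>
  <ipsec>
    <phase1><ikeid>1</ikeid><interface>wan</interface>
            <remote-gateway>192.168.23.130</remote-gateway></phase1>
  </ipsec>
</pfsense>"""


def carp_vips(root):
    """Map each CARP VIP's uniqid to its address, e.g. {'abc123': '192.168.23.10'}."""
    return {v.findtext("uniqid"): v.findtext("subnet")
            for v in root.iter("vip") if v.findtext("mode") == "carp"}


def audit(xml_text):
    """Return a list of findings; an empty list means the config follows the advice."""
    root = ET.fromstring(xml_text)
    vips = carp_vips(root)
    findings = []
    for p1 in root.iter("phase1"):
        iface = p1.findtext("interface", "")
        # A phase 1 bound to a VIP is assumed to be stored as "_vip<uniqid>".
        if not (iface.startswith("_vip") and iface[4:] in vips):
            findings.append(f"phase1 ikeid={p1.findtext('ikeid')} bound to '{iface}', "
                            "not a CARP VIP; the tunnel will not follow failover")
    outbound = root.find("nat/outbound")
    rules = outbound.iter("rule") if outbound is not None else []
    if not any(r.findtext("target") in vips.values() for r in rules):
        findings.append("no outbound NAT rule translates to a CARP VIP")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["config matches the CARP/IPsec advice"]:
        print(line)
```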

                • T2M5 @mcury

                  @mcury yeah man, it worked. I didn't know that I should change the interface too. In the documentation and posts this looks a bit confusing. Maybe later I will do a detailed post about this.

                  Thanks a lot for the help, have a great day bro.

                  • mcury @T2M5

                    @T2M5 said in IPsec over VIP CARP IP:

                    Thanks a lot for the help, have a great day bro.

                    glad that it worked, good day for you too bro

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.