PfSense 2.0, CARP, IPSEC Failover

  • Hi guys!

    I'm a newbie in pfSense. I want to build a ipsec tunnel between two remote sites. On both sites there will be two nodes in cluster and carp interfaces on both sides (lan and wan).  Scheme:

    |–pf1--|                                                |--pf3--|
      carp-lan---            ---carp-wan---IPSEC---carp-wan---            ---carp-lan
                      |--pf2--|                                                |--pf4-

    SITE 1                 SITE 2

    I successfully build a ipsec tunnel between two "remote sites" in virtual environment but not everything worked fine. IPSEC configuration was made between "carp wan" interfaces. The pings from site 1 lan machines goes perfectly to site 2.
    When master node became slave on site 2 (for example) to test failover of ipsec, the tunnel doesn't not start any longer. When i return master role to original node tunnel continues to work.
    I noticed that there is not entries in SAD tabs on Backup node. It seems that there is no replication of SAD to Backups nodes. Is there any sollution or workaround for this. I googled a lot today and i found
    I haven't found the package. Is there a way to make this to work on 2.0 Beta 4?
    And finally i'm not sure is there any way to make ipsec tunnel failover between my 2 clusters.
    Any help and suggestions will be appreciated.

    Thank you in advance!

  • Is there a way to run shell command from /etc/rc.carpbackup script like this one: "exec ('setkey -F');"?

    Why this script seems to not execute when a master node became backup?

    I want to clear old SA in the SAD….but without success with rc.carpbackup and rc.carpmaster scripts...

    Thank you in advance!

  • Check Dead Peer Detection. If you put 30 seconds the failed Remote peer will be deleted and a new Phase 1 negotiation will start.

Log in to reply