Netgate Discussion Forum
    IPSEC to CARP cluster

    IPsec
morbus:

I have an IPsec VPN running from one site with m0n0wall to another with 2 pfSense walls set up as a CARP pair (also failing over IPsec).

The VPN works and I can ping the master and access its webGUI, but the slave won't reply to ping or webGUI requests over the VPN. I can ping from the master to the slave on their LAN interfaces, just not via the tunnel. I can also ping the CARP VIP via the tunnel.

Have I messed something up, or is this going to happen?

Version is pfSense 1.0.1

PF site runs IP range 192.168.2.x/24
Mono is on 192.168.1.x/24

hoba:

I guess the problem is that the slave node has its own tunnel definition back to the m0n0 and would like to use it, but the tunnel is already established by the master node. I don't think this is easy to work around.

The other option is to set the webGUI to HTTPS and access it at the real WAN IPs of the boxes. Just create a firewall rule only permitting access from the public IP of the m0n0.

morbus:

Yep, that would explain it.

When I was setting it up it was copying the IPsec config across via CARP, so the same tunnel is set up on the slave too.

I am already using HTTPS for the webGUI; I just wanted to test the tunnel and thought it was strange that one replied and not the other.

Thanks

sullrich:

Set your Failover IP address under IPsec settings to the CARP IP that you wish to use for failover.

Now modify all your tunnels to use the CARP IP instead of "my IP address". Change the remote tunnels to also use the CARP IP.

Voilà. You are done. Failover IPsec. I have used it since well before 1.0 came out.

morbus:

@sullrich:

Set your Failover IP address under IPsec settings to the CARP IP that you wish to use for failover.

Did that.

@sullrich:

Now modify all your tunnels to use the CARP IP instead of "my IP address". Change the remote tunnels to also use the CARP IP.

I set the remote end of the tunnel to connect to the CARP public IP.
Setup is like this:
pf1 = master = x.x.x.118
pf2 = slave = x.x.x.118
pfwall = CARP shared = x.x.x.120

and the remote site talks to x.x.x.120

I can't see a "my IP address" setting on the IPsec settings, or have I done what you meant?

The only thing I didn't get was why I can't talk to 192.168.2.2 (slave) via IPsec on 192.168.2.1 (master).

Is hoba right, or should I be able to talk to 192.168.2.2 via IPsec?

morbus:

I tested the failover yesterday and it all worked fine, except that the CARP copying (XML-RPC I guess) didn't copy the 'Failover IPsec IP' to the slave, so the slave was trying to use its own IP and the remote end was using the CARP one. I just had to fill in the 'Failover IPsec IP' on the slave and it worked fine.

sullrich:

@morbus:

I tested the failover yesterday and it all worked fine, except that the CARP copying (XML-RPC I guess) didn't copy the 'Failover IPsec IP' to the slave, so the slave was trying to use its own IP and the remote end was using the CARP one. I just had to fill in the 'Failover IPsec IP' on the slave and it worked fine.

Yep. Sorry, I forgot that step. Glad that it is working now.
