IPSEC to CARP cluster



  • I have an IPSEC vpn running from one site with monowall to another with 2 PFsense walls setup as a CARP pair (also failing over IPSEC).

    The vpn works and I can ping the master and access its webGUI but the slave won't reply to ping or webGUI requests over the VPN. I can ping from the master to the slave on their LAN interfaces just not via the tunnel. I can also ping the CARP VIP via the tunnel.

    Have I messed something up, or is this going to happen?

    Version is PFsense 1.0.1

    PF site runs ip range 192.168.2.x/24
    Mono is on 192.168.1.x/24



  • I guess the problem is that the slave node has its own tunnel definition back to the m0n0 and would like to use it but the tunnel is already established by the master node. I don't think this is easy to work around.

    Other option is to set the webgui to https and access it at the real wan IPs of the boxes. Just create a firewall rule only permitting access from the public IP of the m0n0.



  • yep that would explain it

    when I was setting it up it was copying the IPSEC config across via CARP so the same tunnel is setup on the slave too.

    I am already using https for the webGUI just wanted to test the tunnel and thought it was strange that one replied and not the other.

    Thanks



  • Set your Failover IP address under IPSEC settings to the CARP IP that you wish to use for failover.

    Now modify all your tunnels to use the carp ip instead of "my IP address".  Change the remote tunnels to also use the CARP IP.

    Voilà.  You are done.  Failover IPSEC.  I have used it since well before 1.0 came out.



  • Set your Failover IP address under IPSEC settings to the CARP IP that you wish to use for failover.

    Did that

    Now modify all your tunnels to use the carp ip instead of "my IP address".  Change the remote tunnels to also use the CARP IP.

    I set the remote end of the tunnel to connect to the CARP public ip
    setup is like this
    pf1 = master = x.x.x.118
    pf2 = slave = x.x.x.118
    pfwall = CARP shared = x.x.x.120

    and the remote site talks to x.x.x.120

    I can't see a "my IP address" setting on the IPSec settings or have I done what you meant?

    the only thing I didn't get was why I can't talk to 192.168.2.2 (slave) via IPSec on 192.168.2.1 (master)

    is hoba right or should I be able to talk to 192.168.2.2 via IPSec?



  • I tested the failover yesterday and it all worked fine except that the CARP copying (XML-RPC I guess) didn't copy the 'Failover IPSEC IP' to the slave so the slave was trying to use its own IP and the remote end was using the CARP one. I just had to fill in the 'Failover IPSEC IP' on the slave and it worked fine



  • @morbus:

    I tested the failover yesterday and it all worked fine except that the CARP copying (XML-RPC I guess) didn't copy the 'Failover IPSEC IP' to the slave so the slave was trying to use its own IP and the remote end was using the CARP one. I just had to fill in the 'Failover IPSEC IP' on the slave and it worked fine

    Yep.  Sorry, I forgot that step.  Glad that it is working now.
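The thread boils down to three settings that must agree: the failover IP on each node, the local endpoint of every tunnel, and the address the remote site peers with, all equal to the CARP VIP, with the catch that the slave's field is not synced and must be filled in by hand. The check below is an added example, not pfSense code or its config.xml format; node dicts use hypothetical keys (wan_ip, carp_vip, ipsec_failover_ip, tunnels) and RFC 5737 sample addresses, and it flags exactly the slave-on-its-own-WAN-IP condition described above.

```python
# Added example, not pfSense code: a consistency check for IPsec failover on a
# CARP pair. Nodes are dicts with hypothetical keys (wan_ip, carp_vip,
# ipsec_failover_ip, tunnels); the remote site is just the address it peers with.
import copy
from typing import Dict, List

def check_failover(nodes: Dict[str, dict], remote_peer_ip: str) -> List[str]:
    """Return findings (empty = consistent): failover IP and every tunnel's
    local endpoint must be the shared CARP VIP on both nodes, and the remote
    site must peer with that VIP."""
    vips = {n["carp_vip"] for n in nodes.values()}
    if len(vips) != 1:
        return [f"nodes disagree on the CARP VIP: {sorted(vips)}"]
    vip = vips.pop()
    findings: List[str] = []
    for name, node in nodes.items():
        fo = node.get("ipsec_failover_ip")
        if fo != vip:  # unset: the node negotiates from its own WAN address
            findings.append(f"{name}: ipsec_failover_ip={fo!r}, expected {vip}")
        for t in node["tunnels"]:
            if t["local"] != vip:
                findings.append(f"{name}: tunnel to {t['remote']} binds "
                                f"{t['local']}, expected {vip}")
    if remote_peer_ip != vip:
        findings.append(f"remote site peers with {remote_peer_ip}, expected {vip}")
    return findings

def set_failover_ip(nodes: Dict[str, dict], name: str) -> Dict[str, dict]:
    """Copy of nodes with `name` moved onto the CARP VIP, the manual fix the
    thread applied to the slave after XML-RPC sync left the field empty."""
    fixed = copy.deepcopy(nodes)
    vip = fixed[name]["carp_vip"]
    fixed[name]["ipsec_failover_ip"] = vip
    for t in fixed[name]["tunnels"]:
        t["local"] = vip
    return fixed

# Constructed sample (RFC 5737 addresses) reproducing the thread's symptom:
# the slave's failover IP was not synced, so its tunnel binds its own WAN IP.
REMOTE_SITE = "198.51.100.1"
CLUSTER = {
    "pf1": {"wan_ip": "203.0.113.118", "carp_vip": "203.0.113.120",
            "ipsec_failover_ip": "203.0.113.120",
            "tunnels": [{"local": "203.0.113.120", "remote": REMOTE_SITE}]},
    "pf2": {"wan_ip": "203.0.113.119", "carp_vip": "203.0.113.120",
            "ipsec_failover_ip": None,
            "tunnels": [{"local": "203.0.113.119", "remote": REMOTE_SITE}]},
}
```

Running `check_failover(CLUSTER, "203.0.113.120")` reports two findings, both against pf2; after `set_failover_ip(CLUSTER, "pf2")` the same check returns an empty list.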

