IPSec with WAN CARP fails on 1.2.3

  • Hi all,

    I have a pfsense cluster running CARP (master/slave) on the WAN interface.

    I successfully set up an IPSec tunnel between pfsense1 and a remote Checkpoint cluster using My Identifier -> My IP address.
    I then configured the tunnel to use the WAN CARP IP (My Identifier -> IP address),
    and on the remote Checkpoint I changed the physical IP of pfsense to the CARP IP.

    Result: the tunnel won't come up.

    I filtered the Checkpoint log for traffic originating from the pfsense WAN CARP IP… no records found.
    I ran a packet capture on the primary pfsense WAN interface filtering on the Checkpoint's remote IP address and got a lot of IKE packets originating from the pfsense local IP address, not the CARP IP.

    I also tried to set up a separate CARP IP for IPSec but nothing changed. The packet capture still shows packets from the local IP address.

    Can someone help me, please?

  • Rebel Alliance Developer Netgate

    Did you change the "interface" to be the CARP VIP? Or did you just change the Identifier?
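The packet capture the original poster ran is the right check: if phase 1 is bound to the physical WAN interface rather than the CARP VIP, IKE leaves from the physical address and the peer, which now expects the VIP, drops it. The script below is an added example (not from this thread and not pfSense's own tooling) that automates that check. It parses tcpdump-style text, such as the output of `tcpdump -n -i em0 'host <peer> and udp port (500 or 4500)'`, counts which local address the IKE packets to the peer are sourced from, and reports whether the tunnel is using the VIP, the physical address, or a mix. All addresses, the interface name and both capture samples are constructed for the example.

```python
"""Check which local address outbound IKE packets are sourced from.

Added example, not from the forum thread and not pfSense code. It reads
tcpdump -n style lines and reports whether IKE (UDP 500 / NAT-T 4500) to
the peer leaves from the CARP VIP or the physical WAN address.
All addresses below are hypothetical; the thread gives none.
"""
import re
from collections import Counter

CARP_VIP = "203.0.113.10"      # WAN CARP VIP the tunnel should use (assumed)
WAN_PHYSICAL = "203.0.113.11"  # pfsense1's own WAN address (assumed)
PEER = "198.51.100.5"          # remote Checkpoint cluster (assumed)

# Constructed capture matching the symptom in the thread: every IKE packet
# to the peer is sourced from the physical WAN address, not the VIP.
BROKEN_CAPTURE = """\
12:00:01.000001 IP 203.0.113.11.500 > 198.51.100.5.500: isakmp: parent_sa ikev2_init[I]
12:00:01.000002 IP 203.0.113.11.500 > 198.51.100.5.500: isakmp: parent_sa ikev2_init[I]
12:00:02.000003 IP 203.0.113.11.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
12:00:05.000004 IP 203.0.113.11.22 > 192.0.2.9.51234: Flags [P.], length 64
"""

# Constructed capture after binding the phase 1 Interface to the CARP VIP:
# the peer answers and the exchange is sourced from the VIP.
FIXED_CAPTURE = """\
12:10:01.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: parent_sa ikev2_init[I]
12:10:01.000002 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
12:10:01.000003 IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
"""

IKE_PORTS = (500, 4500)
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def ike_sources(capture, peer):
    """Count local source addresses of IKE packets sent to `peer`.

    Only packets whose destination is the peer on UDP 500 or 4500 count;
    replies from the peer and unrelated traffic are ignored.
    """
    sources = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if dst == peer and dport in IKE_PORTS:
            sources[src] += 1
    return sources


def diagnose(capture, peer, vip, physical):
    """Classify the capture.

    Returns one of:
      "no_ike"        no IKE packets to the peer were seen at all
      "vip"           every IKE packet is sourced from the CARP VIP (expected)
      "physical"      every IKE packet is sourced from the physical WAN address
                      (phase 1 Interface is not bound to the VIP)
      "mixed"         both addresses appear (e.g. capture spans a config change)
      "other"         IKE is sourced from an address that is neither
    """
    sources = ike_sources(capture, peer)
    if not sources:
        return "no_ike"
    from_vip = sources.get(vip, 0)
    from_phys = sources.get(physical, 0)
    if from_vip + from_phys != sum(sources.values()):
        return "other"
    if from_vip and from_phys:
        return "mixed"
    return "vip" if from_vip else "physical"


if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("fixed", FIXED_CAPTURE)):
        print(name, diagnose(cap, PEER, CARP_VIP, WAN_PHYSICAL),
              dict(ike_sources(cap, PEER)))
```

A "physical" verdict is the signature in the thread: the identifier alone does not change the address strongSwan binds to, so the phase 1 "Interface" setting has to select the CARP VIP, after which the capture should flip to "vip" and the Checkpoint log should start showing the VIP as the source.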
