    Netgate Discussion Forum

    IpSec VPN and ProxyARP virtual IP

    IPsec
      Speck last edited by

      Hi!

      I'm trying to configure an IPsec VPN between two pfSense boxes.

      One machine has a WAN with a CARP IP, and activation of IPsec seems OK.

      The other machine has this configuration:

      WAN: 192.168.50.1/255.255.255.0
      LAN: 192.168.10.1/255.255.255.0

      On the WAN side there are four Proxy ARP public static IPs configured (85.18.xx.xxx).

      These IPs work flawlessly in NAT, both inbound and outbound.

      The problem is that when enabling IPsec I see this log:

      Mar 12 14:18:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 12 14:18:41 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=19)
      Mar 12 14:18:41 racoon: INFO: fe80::2c0:dfff:fe12:b5e2%rl0[500] used as isakmp port (fd=18)
      Mar 12 14:18:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 12 14:18:41 racoon: INFO: 192.168.10.11[500] used as isakmp port (fd=17)
      Mar 12 14:18:41 racoon: INFO: fe80::201:2ff:fe05:e5c9%xl0[500] used as isakmp port (fd=16)
      Mar 12 14:18:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 12 14:18:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
      Mar 12 14:18:41 racoon: INFO: ::1[500] used as isakmp port (fd=14)
      Mar 12 14:18:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
      Mar 12 14:18:41 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Mar 12 14:18:41 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

      It seems to listen only on 192.168.50.1, the WAN IP, but not on the public virtual IP. If I try to connect from the other site I receive no answer.

      If I put one of the VIPs in the Failover section of IPsec VPN I get this:

      Mar 13 11:51:09 racoon: ERROR: no address could be bound.
      Mar 13 11:51:09 racoon: ERROR: failed to bind to address 85.18.xx.xx[500] (Can't assign requested address).
      Mar 13 11:51:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Mar 13 11:51:09 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
      Mar 13 11:50:44 racoon: ERROR: no address could be bound.
      Mar 13 11:50:44 racoon: ERROR: failed to bind to address 85.18.xx.xx[500] (Can't assign requested address).
      Mar 13 11:50:44 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Mar 13 11:50:44 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
      Mar 13 11:38:16 racoon: ERROR: no address could be bound.
      Mar 13 11:38:16 racoon: ERROR: failed to bind to address 85.18.xx.xx[500] (Can't assign requested address).
      Mar 13 11:38:16 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Mar 13 11:38:16 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
      Mar 13 11:24:32 racoon: INFO: racoon shutdown

      Any idea? Thanks in advance,
      Speck

        hoba last edited by

        Only CARP can be used by the firewall itself to run services on. Proxy ARP and Other can only be forwarded. Change this IP to CARP and use the CARP IP as the IPsec failover IP. Then it should work.

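The answer above comes down to one syscall: racoon calls bind(2) on each listener address, and that only succeeds for an address the kernel actually owns. The following check is an added example, not code from the thread or from pfSense; it assumes a POSIX host (the pfSense box itself, or any FreeBSD/Linux machine) and takes the VIP to test as its first argument, so a Proxy ARP VIP such as the 85.18.xx.xx address in the log fails with EADDRNOTAVAIL while a CARP VIP or interface address binds.

```c
/* bindcheck.c: can a local daemon bind a UDP socket to this address?
 * Added diagnostic example; it mirrors what racoon does for each
 * isakmp listener, so a failure here reproduces
 * "failed to bind to address X[500] (Can't assign requested address)". */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 when bind() succeeds, otherwise the errno it failed with.
 * EADDRNOTAVAIL means the address is not configured on any interface:
 * a Proxy ARP VIP is answered on the wire by the ARP responder only,
 * whereas a CARP VIP is a real interface address and binds normally. */
int try_bind_udp(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd, err = 0;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return EINVAL; /* not a valid dotted-quad address */

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    /* Usage: ./bindcheck <vip-address> [port]; port 500 (IKE) needs root,
     * port 0 lets the kernel pick one and still tests the address itself. */
    const char *addr = argc > 1 ? argv[1] : "127.0.0.1";
    unsigned short port = argc > 2 ? (unsigned short)atoi(argv[2]) : 0;
    int err = try_bind_udp(addr, port);

    if (err == 0)
        printf("%s[%u]: bindable; a service such as racoon can listen here\n", addr, port);
    else
        printf("%s[%u]: bind failed: %s%s\n", addr, port, strerror(err),
               err == EADDRNOTAVAIL ? " (not a local address, e.g. a Proxy ARP VIP)" : "");
    return err ? 1 : 0;
}
```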