Netgate Discussion Forum

IpSec VPN and ProxyARP virtual IP

IPsec
    Speck
    last edited by Mar 13, 2007, 11:05 AM

    Hi!

    I'm trying to configure an IPsec VPN between two pfSense boxes.

    One machine has a WAN with a CARP IP, and activation of IPsec seems OK.

    The other machine has this configuration:

    WAN: 192.168.50.1/255.255.255.0
    LAN: 192.168.10.1/255.255.255.0

    On the WAN side there are four ProxyARP public static IPs configured (85.18.xx.xxx).

    These IPs work flawlessly with NAT, both inbound and outbound.

    The problem is that when enabling IPsec I see this log:

    Mar 12 14:18:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 12 14:18:41 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=19)
    Mar 12 14:18:41 racoon: INFO: fe80::2c0:dfff:fe12:b5e2%rl0[500] used as isakmp port (fd=18)
    Mar 12 14:18:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 12 14:18:41 racoon: INFO: 192.168.10.11[500] used as isakmp port (fd=17)
    Mar 12 14:18:41 racoon: INFO: fe80::201:2ff:fe05:e5c9%xl0[500] used as isakmp port (fd=16)
    Mar 12 14:18:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 12 14:18:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Mar 12 14:18:41 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Mar 12 14:18:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Mar 12 14:18:41 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Mar 12 14:18:41 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

    It seems to listen only on the WAN's IP, 192.168.50.1, but not on the public virtual IP. If I try to connect from the other site I receive no answer.

    If I put one of the VIPs in the FailOver section of IPsec VPN, I get this:

    Mar 13 11:51:09 racoon: ERROR: no address could be bound.
    Mar 13 11:51:09 racoon: ERROR: failed to bind to address 85.18.xx.xx[500] (Can't assign requested address).
    Mar 13 11:51:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Mar 13 11:51:09 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Mar 13 11:50:44 racoon: ERROR: no address could be bound.
    Mar 13 11:50:44 racoon: ERROR: failed to bind to address 85.18.xx.xx[500] (Can't assign requested address).
    Mar 13 11:50:44 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Mar 13 11:50:44 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Mar 13 11:38:16 racoon: ERROR: no address could be bound.
    Mar 13 11:38:16 racoon: ERROR: failed to bind to address 85.18.xx.xx[500] (Can't assign requested address).
    Mar 13 11:38:16 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Mar 13 11:38:16 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Mar 13 11:24:32 racoon: INFO: racoon shutdown

    Any idea? Thanks in advance,
    Speck

      hoba
      last edited by Mar 13, 2007, 9:25 PM

      Only CARP can be used by the firewall itself to run services on. ProxyARP and Other can only be forwarded. Change this IP to CARP and use the CARP IP as the IPsec failover IP. Then it should work.

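The reply above explains the failure in the racoon log: a ProxyARP VIP is not an address of any interface (pfSense only answers ARP for it), so when racoon tries to bind its IKE listener to it the kernel returns "Can't assign requested address", while a CARP VIP is a real interface address and binds normally. The script below, an added example that is not part of the original thread or of pfSense, does two things: it parses the racoon startup lines quoted in the post into "listening on" and "could not bind" sets, and it reproduces racoon's listener setup by trying a UDP bind on candidate addresses so you can test a VIP before turning IPsec on. The log lines are copied from the post (masked address kept); the address 192.0.2.1 is a constructed placeholder for a ProxyARP VIP that is not on any local interface.

```python
import errno
import re
import socket

# Racoon log lines as quoted in the post above (the public address is masked
# exactly as the poster masked it).
RACOON_LOG = """\
Mar 12 14:18:41 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=19)
Mar 12 14:18:41 racoon: INFO: 192.168.10.11[500] used as isakmp port (fd=17)
Mar 12 14:18:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Mar 13 11:51:09 racoon: ERROR: failed to bind to address 85.18.xx.xx[500] (Can't assign requested address).
"""

BOUND_RE = re.compile(r"racoon: INFO: (\S+)\[(\d+)\] used as isakmp port")
FAILED_RE = re.compile(r"racoon: ERROR: failed to bind to address (\S+)\[(\d+)\] \((.*)\)")


def parse_racoon_log(text):
    """Split racoon startup output into the listeners it opened and the binds it lost.

    Returns ({addr: port}, [(addr, port, reason), ...]).
    """
    bound, failed = {}, []
    for line in text.splitlines():
        m = BOUND_RE.search(line)
        if m:
            bound[m.group(1)] = int(m.group(2))
            continue
        m = FAILED_RE.search(line)
        if m:
            failed.append((m.group(1), int(m.group(2)), m.group(3)))
    return bound, failed


def can_bind(addr, port=0):
    """Reproduce racoon's listener setup: bind a UDP socket to addr.

    port=0 asks the kernel for an ephemeral port, so the check runs without
    root (racoon itself wants UDP/500). Returns (ok, reason). EADDRNOTAVAIL is
    exactly the "Can't assign requested address" racoon logged for the
    ProxyARP VIP: the address is not configured on any interface.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, port))
        return True, "bound"
    except OSError as e:
        if e.errno == errno.EADDRNOTAVAIL:
            return False, "Can't assign requested address: not an address of any local interface"
        return False, e.strerror or str(e)
    finally:
        s.close()


def check_ipsec_listeners(candidates):
    """Classify candidate IKE listener addresses the way racoon's startup would."""
    return {addr: can_bind(addr) for addr in candidates}


if __name__ == "__main__":
    bound, failed = parse_racoon_log(RACOON_LOG)
    print("racoon listens on:", sorted(bound))
    for addr, port, reason in failed:
        print(f"racoon could not bind {addr}:{port}: {reason}")
    # 127.0.0.1 is always a local interface address; 192.0.2.1 (TEST-NET-1) is
    # a constructed stand-in for a ProxyARP VIP that no interface carries.
    for addr, (ok, reason) in check_ipsec_listeners(["127.0.0.1", "192.0.2.1"]).items():
        print(f"{addr}: {'OK' if ok else 'FAIL'} ({reason})")
```

Run it on the firewall with the real VIP in place of 192.0.2.1: a CARP VIP reports OK, a ProxyARP or Other VIP reports the same EADDRNOTAVAIL that racoon logs, which is the quick way to confirm which VIP type you have before changing the IPsec failover address.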
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.