IPSEC failover on CARP partly working



  • I have two pf boxes running 1.0.1-SNAPSHOT-03-23-2007 with CARP, but this issue has been present for as long as I can remember. Four IPSEC tunnels: two towards m0n0wall, one towards a Cisco router and one towards another pf.

    When the SAs are established on pf1 and I force the tunnels to fail over to pf2 (by disabling CARP on pf1; pf2 has no SAs in its SAD), everything seems fine for all of them, only losing a ping or two.

    If I activate pf1 again (enabling CARP on pf1) without deleting the old SAs on pf1 first, the tunnels will never come up again until I delete the SAs on pf1.

    I have tried with "Prefer old IPsec SAs" enabled/disabled but the result is the same.

    These are the only IPSEC logs I get on pf1:

    Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%fxp0[500] used as isakmp port (fd=26)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.123.2[500] used as isakmp port (fd=25)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.50.2[500] used as isakmp port (fd=24)
    Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:5ba6%rl0[500] used as isakmp port (fd=23)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.100.2[500] used as isakmp port (fd=22)
    Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:33d7%rl1[500] used as isakmp port (fd=21)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
    Mar 24 21:17:54 racoon: INFO: ::1[500] used as isakmp port (fd=19)
    Mar 24 21:17:54 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=18)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.125.2[500] used as isakmp port (fd=17)
    Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%vlan0[500] used as isakmp port (fd=16)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=15)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.123.1[500] used as isakmp port (fd=14)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=13)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.125.1[500] used as isakmp port (fd=12)
    Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%fxp0[500] used as isakmp port (fd=26)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.123.2[500] used as isakmp port (fd=25)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.50.2[500] used as isakmp port (fd=24)
    Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:5ba6%rl0[500] used as isakmp port (fd=23)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 192.168.100.2[500] used as isakmp port (fd=22)
    Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:33d7%rl1[500] used as isakmp port (fd=21)
    Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Mar 24 21:17:54 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
    Mar 24 21:17:54 racoon: INFO: ::1[500] used as isakmp port (fd=19)

    Cheers
    //Eskild



  • Has anybody experienced this problem and found a solution for it? Or is it just not working for me due to a wrong configuration?

    Thanks,
    //Eskild



  • The failover option has been removed.  Try with a recent snapshot and change the wan interface to your CARP IP under the VPN -> IPSEC entry.



  • I have already done that for all tunnels on both 1.0.1-SNAPSHOT-03-23-2007 and 1.0.1-SNAPSHOT-03-27-2007. All the tunnels are on the WAN interface, and the behaviour during failover with the new config setting with CARP is the same as previously.



  • Hi,

    I have the same problem, but using the 03-15-2007 snapshot.
    It seems to work well only the first time (or after a reboot), when there are no SAs…
    I'll do some more tests...
    bye
    Z
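The symptom in the first post (tunnels stay down on the returning master until its stale SAs are removed) can be worked around by clearing the SAD on that box. The blunt tool is `setkey -F`, which flushes every SA; the added example below, which is not from the thread or from pfSense, is more selective: it parses a constructed `setkey -D` style dump (real output is tab-indented and includes the keys, which are elided here) and emits `setkey -c` `delete` directives for the SAs of one peer only, so a single tunnel can be reset without touching the others. The sample dump, the function names and the peer addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Emit `setkey -c` delete directives for the SAs belonging to one peer.
# Reads `setkey -D` output on stdin; prints nothing to the kernel itself.
# Usage:  setkey -D | sad_delete_cmds 192.168.123.2 | setkey -c
# (With no argument, every SA in the dump is listed.)
sad_delete_cmds() {
    peer="${1:-}"
    awk -v peer="$peer" '
        # A line with no leading whitespace is the "src dst" header of one SA.
        /^[^ \t]/ { src = $1; dst = $2; next }
        # The protocol line carries spi=decimal(hex); setkey delete wants the hex.
        /^[ \t]+(esp|ah) / {
            proto = $1
            if (match($0, /spi=[0-9]+\(0x[0-9a-fA-F]+\)/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^spi=[0-9]+\(/, "", s)
                sub(/\)$/, "", s)
                if (peer == "" || src == peer || dst == peer)
                    printf "delete %s %s %s %s ;\n", src, dst, proto, s
            }
        }
    '
}

# Constructed sample in the shape of `setkey -D` output (assumption: two tunnels,
# one SA per direction each; keys elided). Not captured from a real box.
sample_sad() {
    cat <<'EOF'
192.168.123.1 192.168.123.2
    esp mode=tunnel spi=16909060(0x01020304) reqid=0(0x00000000)
    E: 3des-cbc  <key elided>
    A: hmac-sha1  <key elided>
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.123.2 192.168.123.1
    esp mode=tunnel spi=168496141(0x0a0b0c0d) reqid=0(0x00000000)
    E: 3des-cbc  <key elided>
    A: hmac-sha1  <key elided>
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.50.1 192.168.50.2
    esp mode=tunnel spi=287454020(0x11223344) reqid=0(0x00000000)
    E: aes-cbc  <key elided>
    A: hmac-sha1  <key elided>
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.50.2 192.168.50.1
    esp mode=tunnel spi=1432778632(0x55667788) reqid=0(0x00000000)
    E: aes-cbc  <key elided>
    A: hmac-sha1  <key elided>
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
EOF
}

# Demonstration on the constructed dump: only the 192.168.123.x tunnel is selected.
# On a live box replace `sample_sad` with `setkey -D` and pipe into `setkey -c`.
sample_sad | sad_delete_cmds 192.168.123.2
```

Deleting both directions of a tunnel matters: racoon will not negotiate a fresh SA while a mature one for the same selector is still in the SAD, which is what the thread describes. Run the generated directives only on the box that has just become CARP master again, and let the peer renegotiate.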

