    IPSEC failover on CARP partly working

    IPsec
      eskild

      I have two pf boxes running 1.0.1-SNAPSHOT-03-23-2007 with CARP, but this issue has been present for as long as I can remember. Four IPSEC tunnels, two towards m0n0wall, one towards a Cisco router and one towards another pf.

      When the SAs are established on pf1 and I force (disable CARP on pf1) the tunnels to fail over to pf2 (no SAs in SAD), everything seems fine for all of them. Only losing a ping or two.

      If I'm activating pf1 again (enabling CARP on pf1), without deleting the old SAs on pf1 first, the tunnels will never come up again until I delete the SAs on pf1.

      I have tried with "Prefer old IPsec SAs" enabled/disabled but the result is the same.

      These are the only IPSEC logs I get on pf1:

      Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%fxp0[500] used as isakmp port (fd=26)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.123.2[500] used as isakmp port (fd=25)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.50.2[500] used as isakmp port (fd=24)
      Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:5ba6%rl0[500] used as isakmp port (fd=23)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.100.2[500] used as isakmp port (fd=22)
      Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:33d7%rl1[500] used as isakmp port (fd=21)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
      Mar 24 21:17:54 racoon: INFO: ::1[500] used as isakmp port (fd=19)
      Mar 24 21:17:54 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=18)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.125.2[500] used as isakmp port (fd=17)
      Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%vlan0[500] used as isakmp port (fd=16)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=15)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.123.1[500] used as isakmp port (fd=14)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=13)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.125.1[500] used as isakmp port (fd=12)
      Mar 24 21:17:54 racoon: INFO: fe80::250:8bff:fef1:2cc7%fxp0[500] used as isakmp port (fd=26)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.123.2[500] used as isakmp port (fd=25)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.50.2[500] used as isakmp port (fd=24)
      Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:5ba6%rl0[500] used as isakmp port (fd=23)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 192.168.100.2[500] used as isakmp port (fd=22)
      Mar 24 21:17:54 racoon: INFO: fe80::210:a7ff:fe1d:33d7%rl1[500] used as isakmp port (fd=21)
      Mar 24 21:17:54 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Mar 24 21:17:54 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
      Mar 24 21:17:54 racoon: INFO: ::1[500] used as isakmp port (fd=19)

      Cheers
      //Eskild

        eskild
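      An added example, not from any post in this thread and not pfSense's own code, of the check and workaround for the situation described above (old SAs left in the SAD on the node that just lost CARP MASTER, so the tunnels do not come back until those SAs are deleted). It reads the CARP state from `ifconfig` and the SAD from the KAME `setkey(8)` tool that racoon uses on FreeBSD, and on the BACKUP node generates `setkey` delete statements for every SA bound to the CARP VIP, so nothing stale is left when the node becomes MASTER again. The interface name carp0, the VIP 203.0.113.10, the function names and all sample command outputs are assumptions constructed for this example; wiring it to a CARP state-change event is left to the reader.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumes racoon + KAME setkey(8) on FreeBSD; carp0 and 203.0.113.10 are placeholders.

# carp_state: print MASTER/BACKUP/INIT from `ifconfig <carpif>` output read on stdin.
carp_state() {
    awk '/carp:/ { print $2; exit }'
}

# sas_for_ip VIP: read `setkey -D` output on stdin and print "src dst proto spi"
# for every SA whose source or destination address is VIP. In setkey -D output an
# entry starts with an unindented "src dst" line; the indented "esp ... spi=N(0x..)"
# line that follows carries the protocol and SPI.
sas_for_ip() {
    awk -v ip="$1" '
        /^[^[:space:]]/ { src = $1; dst = $2; next }
        /spi=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^spi=/) {
                    spi = $i; sub(/^spi=/, "", spi); sub(/\(.*/, "", spi)
                    if (src == ip || dst == ip) print src, dst, $1, spi
                }
        }'
}

# delete_cmds: turn "src dst proto spi" lines into setkey(8) delete statements.
delete_cmds() {
    awk '{ printf "delete %s %s %s %s;\n", $1, $2, $3, $4 }'
}

# clear_stale_sas CARPIF VIP: on a node whose CARP interface is BACKUP, delete
# every SA bound to VIP. With DRY_RUN=1 the setkey script is printed, not applied.
clear_stale_sas() {
    carpif="$1"; vip="$2"
    state=$(ifconfig "$carpif" | carp_state)
    if [ "$state" != "BACKUP" ]; then
        echo "$carpif is $state; leaving the SAD alone" >&2
        return 0
    fi
    cmds=$(setkey -D | sas_for_ip "$vip" | delete_cmds)
    [ -n "$cmds" ] || { echo "no SAs bound to $vip" >&2; return 0; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | setkey -c
    fi
}

# Constructed sample of `ifconfig carp0` output (not from the thread).
SAMPLE_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 203.0.113.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100'

# Constructed sample of `setkey -D` output: two SAs for the VIP, one unrelated.
SAMPLE_SAD='203.0.113.10 198.51.100.1
        esp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
        E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
        A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 203.0.113.10
        esp mode=tunnel spi=987654321(0x3ade68b1) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.7 198.51.100.9
        esp mode=tunnel spi=1111(0x00000457) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Stand-alone demo on the constructed samples: `sh script.sh demo`.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_IFCONFIG" | carp_state
    printf '%s\n' "$SAMPLE_SAD" | sas_for_ip 203.0.113.10 | delete_cmds
fi
```

      Run `DRY_RUN=1 clear_stale_sas carp0 203.0.113.10` on the box first to see which SAs would go; `setkey -D` after the real run should show nothing for the VIP, and the peers will then negotiate fresh SAs when the node becomes MASTER. Deleting only the VIP's SAs rather than `setkey -F` keeps any SAs on other addresses of the box intact.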

        Has anybody experienced this problem and found a solution for it? Or is it just not working for me due to a wrong configuration?

        Thanks,
        //Eskild

          sullrich

          The failover option has been removed.  Try with a recent snapshot and change the wan interface to your CARP IP under the VPN -> IPSEC entry.

            eskild

            I have already done that for all tunnels on both 1.0.1-SNAPSHOT-03-23-2007 and 1.0.1-SNAPSHOT-03-27-2007. All the tunnels are on the WAN interface, and the behaviour during failover with the new config setting with CARP is the same as previously.

              z00te

              Hi,

              I've the same problem, but using the 03-15-2007 Snapshot.
              It seems like it works well only the first time (or after a reboot) when there is no SA…
              I'll do some more test...
              bye
              Z

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.