IPSec mobile client traffic to primary firewall passes, but blocked to secondary
thejohnny last edited by
I'm trying to resolve an issue with a mostly working HA setup running IPSec for mobile clients. When I'm connected to the VPN, I can communicate with all hosts on the LAN segment except the secondary firewall. What I'm seeing on the secondary firewall is that the traffic is being filtered by the default deny rule. For instance, if I'm connected to the VPN and fw-1 is primary, I can ping fw-1 and access the web configurator without issue. The same requests to fw-2 are blocked on fw-2 by the default deny all rule. If I disable carp on fw-1 and let fw-2 take over as master, the inverse becomes true (can ping fw-2, but not fw-1).
While debugging I setup a rule for the LAN interface to pass any from the IPsec subnet and logged the requests. Doing another ping, I saw the rule logged as a pass but still wasn't getting a reply (ping/http/https). This behavior only happens for mobile clients. If I ssh into a host on the LAN segment, I can ping the LAN interface on both firewalls without a problem.
Anyone have any insight on this? Anything else I can provide to help resolve this?
That is normal for any VPN type. The secondary will always believe it has a more direct route back to the client and eat the traffic since it has no connected tunnel.
You can work around it by adding an outbound NAT rule on the LAN that will NAT traffic leaving from the IPsec mobile subnet going to the secondary to the primary's LAN IP
You may also want to add a similar rule to the secondary (nat out from the IPsec mobile subnet going to the primary's LAN IP, translated to the secondary's lan IP), so you can get to the primary if it's not master.