CARP with IPsec VPN problem



  • I have three machines (M, A1, A2) and each has pfSense installed. Two of them (A1, A2) are configured as CARP. I have configured CARP without any problem, I mean I can reach the ACTIVE machine via the VIP. What I want is to establish an IPsec VPN between M and A (M <--> A). Before this configuration I tested that the M-A1 and M-A2 IPsec VPN connections can be established individually. But when I give the VIP IP as the Remote IP in the IPsec settings screen on machine M, I get the following error. All machines (A1, A2 and M) can ping each other over their WAN IPs properly.

    Mar 6 15:09:07 racoon: ERROR: phase1 negotiation failed due to time up. c73b3fe96b0b7f0d:0000000000000000
    Mar 6 15:08:57 racoon: DEBUG: resend phase1 packet c73b3fe96b0b7f0d:0000000000000000
    Mar 6 15:08:57 racoon: DEBUG: c73b3fe9 6b0b7f0d 00000000 00000000 01100200 00000000 000000cc 0d000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
    Mar 6 15:08:57 racoon: [Unknown Gateway/Dynamic]: DEBUG: 1 times of 204 bytes message will be sent to 47.168.137.21[500]
    Mar 6 15:08:57 racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet to 47.168.137.21[500]
    Mar 6 15:08:57 racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet from 47.168.96.96[500]
    Mar 6 15:08:57 racoon: [Unknown Gateway/Dynamic]: DEBUG: sockname 47.168.96.96[500]
    Mar 6 15:08:57 racoon: [Unknown Gateway/Dynamic]: DEBUG: 204 bytes from 47.168.96.96[500] to 47.168.137.21[500]

    Here is my Network configuration.
    A1:
    WAN IP: 47.168.96.45
    LAN IP: 192.168.1.4
    SYNCH IP: 10.100.1.4

    A2:
    WAN IP: 47.168.96.38
    LAN IP: 192.168.1.5
    SYNCH IP: 10.100.1.5

    VIP WAN: 47.168.96.96
    VIP LAN: 192.168.1.6

    M:
    WAN IP: 47.168.137.21
    LAN IP: 192.168.4.3

                          _--> A1-Lan1
    LAN-M <------> VIP-WAN
                          \___> A2-Lan2
    IPSEC at A (master machine)

    Interface                 Remote Gateway   Mode   P1 Protocol   P1 Transforms   P1 Description
    47.168.96.96 (WAN CARP)   47.168.137.21    main   3DES          SHA1            IPSEC VPN turksat2

    Mode     Local Subnet   Remote Subnet    P2 Protocol   P2 Transforms   P2 Auth Methods
    tunnel   LAN            192.168.4.0/24   ESP           3DES            SHA1

    IPSEC at M (machine)

    Interface   Remote Gateway   Mode   P1 Protocol   P1 Transforms   P1 Description
    WAN         47.168.96.96     main   3DES          SHA1

    Mode     Local Subnet   Remote Subnet    P2 Protocol   P2 Transforms   P2 Auth Methods
    tunnel   LAN            192.168.1.6/24   ESP           3DES            SHA1

    Thanks in advance.
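A small way to read a racoon log like the one above, added here as an example (my own code, not from the thread or from pfSense): it groups phase 1 messages by ISAKMP cookie pair and flags a negotiation that timed out while the responder cookie was still all zeros, which means the peer never answered the first packet at all (a reachability or NAT problem for UDP 500 on the VIP rather than a proposal mismatch). The embedded log lines are constructed from the ones quoted in the post; the function name and verdict strings are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the racoon lines quoted in the post (newest first, as logged).
SAMPLE_LOG = """\
Mar 6 15:09:07 racoon: ERROR: phase1 negotiation failed due to time up. c73b3fe96b0b7f0d:0000000000000000
Mar 6 15:08:57 racoon: DEBUG: resend phase1 packet c73b3fe96b0b7f0d:0000000000000000
Mar 6 15:08:57 racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet to 47.168.137.21[500]
Mar 6 15:08:57 racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet from 47.168.96.96[500]
"""

# ISAKMP header cookies are logged as <initiator>:<responder>, 16 hex digits each.
COOKIE_RE = re.compile(r"(?P<i>[0-9a-f]{16}):(?P<r>[0-9a-f]{16})")
SEND_TO_RE = re.compile(r"send packet to (?P<ip>[\d.]+)\[(?P<port>\d+)\]")
SEND_FROM_RE = re.compile(r"send packet from (?P<ip>[\d.]+)\[(?P<port>\d+)\]")

def analyze_racoon_log(text):
    """Group phase 1 events by initiator cookie and classify each negotiation."""
    exchanges = defaultdict(lambda: {"resends": 0, "timed_out": False, "responder": None})
    src = dst = None
    for line in text.splitlines():
        m = SEND_TO_RE.search(line)
        if m:
            dst = f"{m['ip']}:{m['port']}"
        m = SEND_FROM_RE.search(line)
        if m:
            src = f"{m['ip']}:{m['port']}"
        m = COOKIE_RE.search(line)
        if not m:
            continue
        ex = exchanges[m["i"]]
        ex["responder"] = m["r"]          # last seen responder cookie for this exchange
        if "resend phase1" in line:
            ex["resends"] += 1
        if "phase1 negotiation failed" in line:
            ex["timed_out"] = True
    results = {}
    for icookie, ex in exchanges.items():
        if ex["timed_out"] and ex["responder"] == "0" * 16:
            # Responder cookie never filled in: no ISAKMP reply ever arrived from the peer.
            verdict = "no reply from peer: check reachability/NAT of UDP 500 for the source address"
        elif ex["timed_out"]:
            verdict = "peer replied but phase 1 never completed: check proposals/PSK"
        else:
            verdict = "phase 1 in progress or completed"
        results[icookie] = {"src": src, "dst": dst, "resends": ex["resends"], "verdict": verdict}
    return results
```

Run it over the full racoon log (Status > System logs > IPsec) rather than the excerpt; if the source address in "send packet from" is the CARP VIP and the verdict is "no reply from peer", the first thing to confirm is that packets sourced from the VIP actually leave and return on the master.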



  • Hi mmc18,

    I have exactly the same problem. Have you fixed it yet? Maybe we need to change outbound NAT rules?

