Restriction on the number of IPsec VPNs to a CARP address on secondary routed IPs



  • Current setup

    Primary Range
    n.n.2.109/28 CISCO BOX (Fibre Optic)
    n.n.2.110/28 PFSense BOX
    n.n.2.111/28 CARP
    n.n.2.112/28 CARP
    n.n.2.113/28 CARP
    n.n.2.114/28 CARP
    n.n.2.115/28 CARP
    n.n.2.116/28 CARP
    n.n.2.117/28 CARP
    n.n.2.118/28 CARP 1 IPsec VPN with this as Its endpoint
    n.n.2.119/28 CARP
    n.n.2.120/28 CARP
    n.n.2.121/28 CARP
    n.n.2.122/28 CARP 5 IPsec VPNs with this as their endpoint

    Secondary Range

    n.n.4.33/27 IF ALIAS
    n.n.4.34/27 CARP
    n.n.4.35/27 CARP
    n.n.4.36/27 CARP
    n.n.4.37/27 CARP
    n.n.4.38/27 CARP 52 IPsec VPNs with this as their endpoint cant add anymore
    n.n.4.39/27 CARP 2 IPsec VPNs 1 of which doesnt work
    n.n.4.40/27 CARP
    n.n.4.41/27 CARP
    n.n.4.42/27 CARP
    etc.

    I am having problems with the secondary routed address range, specifically that one of the external addresses (n.n.4.38/27) won't let me create another tunnel without bringing down the stability of the existing ones, i.e. random dropouts etc. On the next external address (n.n.4.39/27) I can only seem to create 1 working tunnel; the other refuses to connect, with nothing in the racoon logs to indicate why. It's as if it is ignoring the connection entirely and not reporting anything related to it!
    The reason for this setup is that we have hosted clients on various external IP addresses, and they have A records associated with their IPs that are used by remote routers to connect to the PFSense box, apart from anything else. According to the Dashboard the memory usage is at a constant 26% of 4GB and the CPU usage on the quad-core processor is negligible...

    I am wondering if this is a known restriction that I am unaware of, or if I am just doing something wrong....



  • I unfortunately cannot answer your question and I know this won't help your specific issue, but I am curious if you know that you can use a single CARP IP and then put an IP Alias attached to that CARP IP. This reduces the amount of CARP network traffic on an interface. During a firewall failover, when the main CARP IP gets brought down, the IP Aliases attached to that CARP IP will also be brought down and up along with the CARP IP on the primary and secondary firewall. It is also done much faster that way from what I read. I just recently discovered this so I just wanted to spread the info for those that haven't searched on it. I don't know if you are already doing that or not.
