Netgate Discussion Forum
    Upgrade 2.01 to 2.1 | IPSEC ISAKMP bind to wrong IP

    2 Posts 2 Posters 1.1k Views
      mkoninkx

      Dear All,

      I've just upgraded my pfSense cluster (master/slave) from v2.01 to v2.1.

      IPSEC VPNs (I have 16 IPSEC VPNs configured) did not come up automatically. When I was investigating the problem I noticed that Racoon is not using the correct IP as ISAKMP.
      Somehow it changed from x.x.x.253 (CARP IP) to x.x.x.5 (virtual IP on the WAN interface).

      I've got the following questions:

      • Where does the Racoon.conf get its ISAKMP IP from?
      • Is this a known bug with 2.1?

      Strange behaviour:

      • Tunnels configured before the upgrade that use the static CARP IP (Phase 1 -> "Use this IP" option) work correctly
      • Tunnels added after the upgrade with the static CARP IP do not use the CARP IP, but use the x.x.x.5 address
      • The IPSEC status view also displays the x.x.x.5 address for all tunnels, including the one with the static IP configured.

      If you need any more info, please let me know!

      BR
      Martijn

        jimp Rebel Alliance Developer Netgate

        We have seen a similar thing happen on upgrade before, but we could never reproduce it, even with the same customer configuration. The IP is taken from the 'interface' selection on the IPsec Phase 1 settings. On 2.0.x, the VIP "interface" names were different (vip1, vip2, etc., where the number is the VHID), and on 2.1 the names changed to intX_vipY, where the VIP interface (e.g. em0, fxp1, vr2, etc.) is a part of the name. The code to rename the interfaces in the config.xml data during the upgrade must not have properly translated the old names to the new names.

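An added example, not code from the thread or from pfSense: a small audit script that reads a config.xml export, finds IPsec Phase 1 entries that still carry a 2.0.x-style "vipN" interface name, and proposes the 2.1-style name built from the CARP VIP with that VHID. The config fragment is constructed, and the new-name convention used here (parent interface name plus "_vipN", e.g. wan_vip1) is an assumption based on jimp's description.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense-style config.xml fragment (not a real
# customer config): one CARP VIP on WAN with VHID 1, and three IPsec
# Phase 1 entries. The first still carries the pre-2.1 style interface
# name "vip1"; the second already uses the assumed 2.1 style "wan_vip1".
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid>
         <subnet>203.0.113.253</subnet></vip>
  </virtualip>
  <ipsec>
    <phase1><ikeid>1</ikeid><interface>vip1</interface><descr>site-a</descr></phase1>
    <phase1><ikeid>2</ikeid><interface>wan_vip1</interface><descr>site-b</descr></phase1>
    <phase1><ikeid>3</ikeid><interface>wan</interface><descr>site-c</descr></phase1>
  </ipsec>
</pfsense>"""


def carp_vips(root):
    """Map VHID -> (parent interface, address) for every CARP VIP in the config."""
    vips = {}
    for vip in root.findall("./virtualip/vip"):
        if vip.findtext("mode") == "carp":
            vips[int(vip.findtext("vhid"))] = (vip.findtext("interface"), vip.findtext("subnet"))
    return vips


def audit_phase1_interfaces(config_xml):
    """Return (ikeid, old_name, new_name) for each Phase 1 whose interface is a
    2.0.x style 'vipN' name; new_name is None when no CARP VIP has VHID N."""
    root = ET.fromstring(config_xml)
    vips = carp_vips(root)
    findings = []
    for p1 in root.findall("./ipsec/phase1"):
        iface = p1.findtext("interface", "")
        if iface.startswith("vip") and iface[3:].isdigit():
            vhid = int(iface[3:])
            new_name = f"{vips[vhid][0]}_vip{vhid}" if vhid in vips else None
            findings.append((p1.findtext("ikeid"), iface, new_name))
    return findings


if __name__ == "__main__":
    for ikeid, old, new in audit_phase1_interfaces(SAMPLE_CONFIG):
        print(f"phase1 ikeid={ikeid}: interface '{old}' should be '{new}'")
```

Running it against a real export (after replacing SAMPLE_CONFIG with the file contents) lists only the Phase 1 entries whose interface name was not translated, so they can be re-saved in the GUI or corrected before the cluster syncs the config to the secondary.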