Upgrade 2.01 to 2.1 | IPSEC ISAKMP bind to wrong IP

  • Dear All,

    I've just upgraded my PfSense cluster (master/slave) from v2.01 to v2.1.

    IPSEC VPN's (I have 16 IPSEC VPN's configured) did not come up automaticly. When I was investigating the problem I noticed that Racoon is not using the correct IP as ISAKMP.
    Somehow it changed from x.x.x.253 (CARP IP) to x.x.x.5 (virtual IP on the WAN interface).

    I've got the following questions:

    • Where does the Racoon.conf get it's ISAKMP IP from?
    • Is this a known bug with 2.1?

    Strange behaviour:

    • Tunnels configured before the upgrade who use the CARP IP static (Phase 1 -> Use this IP option) work correctly
    • Tunnels added after the upgrade with CARP IP static do not use the CARP IP, but use the x.x.x.5 address
    • Status IPSEC view also displays the x.x.x.5 address at all tunnels, also the one with the static IP configured.

    If you need any more info, please let me know!


  • Rebel Alliance Developer Netgate

    We have seen a similar thing happen on upgrade before but we could never reproduce it even with the same customer configuration. The IP is taken from the 'interface' selection on the IPsec Phase 1 settings. On 2.0.x, the vip "interface" names were different (vip1, vip2, etc where the number is the VHID), and on 2.1 the names changed to intX_vipY where the VIP interface (e.g. em0, fxp1, vr2, etc) is a part of the name. The code to rename the interfaces in the config.xml data during the upgrade must not have properly translated the old names to the new names.

Log in to reply