Ipsec started using the wrong IP after WAN switch rebooted
  • 2.1.3-RELEASE (amd64)
    built on Thu May 01 15:52:13 EDT 2014
    FreeBSD 8.3-RELEASE-p16

    I have IPsec set to use the primary CARP IP of the WAN for each of the IPsec tunnels (2 sites), but the racoon.conf is getting generated with one of the IP aliases that are assigned to the CARP IP.

    This was working just fine until a couple of hours ago, when the switch on the WAN was rebooted. Ever since then IPsec has stopped working and has been using the wrong IP for IPsec. Stopping and starting IPsec did not fix it.

    x.x.x.165 is the physical IP address
    x.x.x.164 is the CARP IP
    x.x.x.169 is an IP alias assigned to the CARP 164 interface

    I have the IPsec VPN tunnels configured to use the CARP IP (164), but the racoon.conf is getting generated with the 169 address. Looking at the IPsec logs, I can see that racoon is using the wrong source IP too.

    May 6 17:12:21 racoon: [VPN SITE 1]: INFO: initiate new phase 1 negotiation: x.x.x.169[500]<=>y.y.y.36[500]

    It should be sending from x.x.x.164

    Note: The site had been working fine for a few weeks on 2.1.2 and was upgraded to 2.1.3 yesterday morning.

    UPDATE: I noticed that some of the IP aliases assigned to the CARP IP on the primary firewall were missing, so I disabled CARP and re-enabled it. IPsec didn't change its config, so I stopped and restarted IPsec, and now it is using the correct IP again.

    It appears IP aliases assigned to a CARP IP do not always come up under some circumstances (maybe a timing issue). In this case it seems to confuse the code that generates the racoon.conf, and it uses the wrong interface IP to send packets from, even though the correct IP is specified in the IPsec GUI configuration. Definitely a bug or timing issue in there somewhere.
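    A quick check for the failure mode described in this thread, added here as an example and not part of the original post or of pfSense itself. It takes three inputs a practitioner would pull off the box (the racoon log, the generated racoon.conf, and `ifconfig` output) and reports any phase 1 negotiation or listen/identifier directive not using the expected CARP VIP, plus any expected address that is not actually configured on an interface. The sample inputs are constructed: RFC 5737 documentation addresses stand in for the post's x.x.x.164/165/169 and y.y.y.36, and the `listen { isakmp ... }` / `my_identifier address ...` layout is an assumption about how racoon.conf is written, so adjust the regexes if your generated file differs.

```python
import re

# Constructed stand-ins for the post's addresses (RFC 5737 documentation ranges):
#   203.0.113.164 = CARP VIP (what IPsec should use)
#   203.0.113.165 = physical WAN address
#   203.0.113.169 = IP alias on the CARP VIP (what racoon wrongly picked)
#   198.51.100.36 = remote peer
CARP_VIP = "203.0.113.164"
EXPECTED_WAN_ADDRS = ["203.0.113.165", "203.0.113.164", "203.0.113.169"]

# Constructed racoon log lines in the shape shown in the post: first the bad
# negotiation from the alias, then a good one after the restart.
SAMPLE_LOG = """\
May 6 17:12:21 racoon: [VPN SITE 1]: INFO: initiate new phase 1 negotiation: 203.0.113.169[500]<=>198.51.100.36[500]
May 6 17:40:02 racoon: [VPN SITE 1]: INFO: initiate new phase 1 negotiation: 203.0.113.164[500]<=>198.51.100.36[500]
"""

# Constructed racoon.conf fragment. Assumption: a "listen" block with isakmp /
# isakmp_natt directives and a "remote <peer> {" block carrying
# "my_identifier address <ip>;", which is the layout this check looks for.
SAMPLE_RACOON_CONF = """\
listen
{
	isakmp 203.0.113.169 [500];
	isakmp_natt 203.0.113.169 [4500];
}
remote 198.51.100.36 {
	exchange_mode main;
	my_identifier address 203.0.113.169;
	peers_identifier address 198.51.100.36;
}
"""

# Constructed ifconfig output: the alias (.169) is missing, as in the UPDATE.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 203.0.113.165 netmask 0xffffff00 broadcast 203.0.113.255
	inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 203.0.113.164 netmask 0xffffffff
	carp: MASTER vhid 1 advbase 1 advskew 0
"""

PHASE1_RE = re.compile(
    r"racoon: \[(?P<tunnel>[^\]]+)\]: INFO: initiate new phase 1 negotiation: "
    r"(?P<local>[^\[\s]+)\[\d+\]<=>(?P<remote>[^\[\s]+)\[\d+\]"
)
REMOTE_RE = re.compile(r"^remote\s+(\S+)\s*\{")
MYID_RE = re.compile(r"my_identifier\s+address\s+(\S+)\s*;")
ISAKMP_RE = re.compile(r"^\s*isakmp(?:_natt)?\s+(\S+)\s*\[\d+\]\s*;")
INET_RE = re.compile(r"^\s*inet\s+(\S+)", re.M)


def check_log(log_text, expected_local):
    """Return (tunnel, local, remote) for each phase 1 attempt not sourced from expected_local."""
    bad = []
    for line in log_text.splitlines():
        m = PHASE1_RE.search(line)
        if m and m.group("local") != expected_local:
            bad.append((m.group("tunnel"), m.group("local"), m.group("remote")))
    return bad


def check_racoon_conf(conf_text, expected_local):
    """Return (context, address) for listen/identifier directives not using expected_local.

    context is "listen" for isakmp/isakmp_natt lines, or the peer address of the
    enclosing "remote" block for my_identifier lines.
    """
    bad = []
    current_remote = None
    for line in conf_text.splitlines():
        m = REMOTE_RE.match(line.strip())
        if m:
            current_remote = m.group(1)
            continue
        m = ISAKMP_RE.match(line)
        if m and m.group(1) != expected_local:
            bad.append(("listen", m.group(1)))
            continue
        m = MYID_RE.search(line)
        if m and m.group(1) != expected_local:
            bad.append((current_remote, m.group(1)))
    return bad


def missing_addresses(ifconfig_text, expected_addrs):
    """Return the expected IPv4 addresses that do not appear on any interface."""
    present = set(INET_RE.findall(ifconfig_text))
    return sorted(set(expected_addrs) - present)


if __name__ == "__main__":
    for item in check_log(SAMPLE_LOG, CARP_VIP):
        print("phase 1 from wrong source:", item)
    for item in check_racoon_conf(SAMPLE_RACOON_CONF, CARP_VIP):
        print("racoon.conf not bound to CARP VIP:", item)
    for addr in missing_addresses(SAMPLE_IFCONFIG, EXPECTED_WAN_ADDRS):
        print("address missing from ifconfig:", addr)
```

    On a live box the three sample strings would be replaced by the contents of the IPsec log, /var/etc/racoon.conf (or wherever your version writes it) and `ifconfig` output; a non-empty result from any of the three functions is the signal to re-check CARP/alias state and restart IPsec, which is what resolved it in the UPDATE above.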