    CARP + IPsec pfSense v2.1.2

    HA/CARP/VIPs
      Amora:

      My google foo is failing me terribly.

      I've noticed that when setting up an IPsec tunnel on the CARP IP, that when I test failover and the backup FW comes online as MASTER, the IPSec tunnel drops and doesn't come back online even with DPD enabled and "Force IPsec Reload on Failover" enabled.

      Is there a trick to this or does this flat out not work?

      Clogging the IPsec log, all I get on the CLIENT pfSense FW when I fail over the opposite end's pfSense FW (the peer) to its backup pfSense FW:

      Jun 13 12:02:20 anet-pfsense-dev1 racoon: [69.28.69.142] INFO: DPD: remote (ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c) seems to be dead.
      Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purging ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c.
      Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged IPsec-SA spi=230041294.
      Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged IPsec-SA spi=244248399.
      Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c.
      Jun 13 12:02:20 pfsense-dev1 racoon: INFO: ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:605cac5385b70384:fe03c7f652e9632c

      On the other side, now on the backup pfSense server which is now MASTER, the logs show nothing. No additional attempts from the client or the server itself that indicates that the tunnel is trying to come back up/reloading.

      Make sense? Or is that confusing?

      And then nothing happens, it just stays down and doesn't attemp

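To make the symptom above easier to spot in a longer log, here is a small parser for the racoon lines quoted in the post. It is an added example, not part of the original thread: it records every peer that DPD declares dead, attributes the subsequent "purged ... SA" lines to it, and then looks for a later "ISAKMP-SA established" line for the same peer. The sample log embeds the six lines from the post plus a constructed second peer (198.51.100.9, a documentation address) that does recover, so the contrast is visible; the wording of the "established" line is assumed from racoon's usual logging and does not appear in the post.

```python
import re
from typing import Dict, List

# Constructed sample: the racoon lines quoted in the post, followed by a made-up second
# peer (198.51.100.9) whose ISAKMP-SA is re-established 20 seconds after DPD kills it.
SAMPLE_LOG = """\
Jun 13 12:02:20 anet-pfsense-dev1 racoon: [69.28.69.142] INFO: DPD: remote (ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c) seems to be dead.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purging ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged IPsec-SA spi=230041294.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged IPsec-SA spi=244248399.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:605cac5385b70384:fe03c7f652e9632c
Jun 13 12:02:21 pfsense-dev1 racoon: [198.51.100.9] INFO: DPD: remote (ISAKMP-SA spi=1111111111111111:2222222222222222) seems to be dead.
Jun 13 12:02:21 pfsense-dev1 racoon: INFO: purged ISAKMP-SA spi=1111111111111111:2222222222222222.
Jun 13 12:02:21 pfsense-dev1 racoon: INFO: ISAKMP-SA deleted 203.0.113.1[500]-198.51.100.9[500] spi:1111111111111111:2222222222222222
Jun 13 12:02:40 pfsense-dev1 racoon: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.9[500] spi:3333333333333333:4444444444444444
"""

# DPD verdict: the peer address is in brackets, the dying ISAKMP-SA SPI pair follows.
DPD_DEAD = re.compile(
    r"\[(?P<peer>[0-9.]+)\] INFO: DPD: remote \(ISAKMP-SA spi=(?P<spi>[0-9a-f:]+)\) seems to be dead"
)
# SA teardown lines; IPsec-SA SPIs are logged in decimal, ISAKMP-SA SPIs as a hex pair.
PURGED = re.compile(r"INFO: purged (?P<kind>ISAKMP-SA|IPsec-SA) spi=(?P<spi>[0-9a-f:]+)")
# Re-establishment line (assumed racoon wording); the remote peer is after the '-'.
ESTABLISHED = re.compile(
    r"INFO: ISAKMP-SA established \S+-(?P<peer>[0-9.]+)\[\d+\] spi:(?P<spi>[0-9a-f:]+)"
)


def analyze(log_text: str) -> Dict[str, dict]:
    """One record per peer that DPD declared dead: which SAs were purged and
    whether a new ISAKMP-SA to that peer shows up later in the log."""
    peers: Dict[str, dict] = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = DPD_DEAD.search(line)
        if m:
            peers[m["peer"]] = {
                "dead_at_line": lineno,
                "old_spi": m["spi"],
                "purged": [],
                "recovered_at_line": None,
                "new_spi": None,
            }
            continue
        m = PURGED.search(line)
        if m:
            # racoon does not name the peer on purge lines; attribute the purge to the
            # most recently declared-dead peer that has not recovered yet.
            for rec in reversed(list(peers.values())):
                if rec["recovered_at_line"] is None:
                    rec["purged"].append((m["kind"], m["spi"]))
                    break
            continue
        m = ESTABLISHED.search(line)
        if m and m["peer"] in peers and peers[m["peer"]]["recovered_at_line"] is None:
            peers[m["peer"]]["recovered_at_line"] = lineno
            peers[m["peer"]]["new_spi"] = m["spi"]
    return peers


def unrecovered_peers(log_text: str) -> List[str]:
    """Peers whose tunnel was torn down by DPD and never came back in this log."""
    return sorted(p for p, rec in analyze(log_text).items() if rec["recovered_at_line"] is None)


if __name__ == "__main__":
    for peer, rec in analyze(SAMPLE_LOG).items():
        state = "recovered" if rec["recovered_at_line"] else "STILL DOWN"
        print(f"{peer}: dead at line {rec['dead_at_line']}, {len(rec['purged'])} SA(s) purged, {state}")
```

Running it against the sample reports 69.28.69.142 as still down (three SAs purged, no new ISAKMP-SA) and 198.51.100.9 as recovered, which is exactly the difference between the failing and the expected behaviour described in the post.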
        Amora:

        Also, on the backup pfSense server that's now the MASTER, if I manually UP the tunnel, it will come online, so it's partially working, but ideally I'd want it to auto come up without manual intervention.

          jimp (Rebel Alliance Developer, Netgate):

          It should work, though with CARP you will want to make sure that none of your Phase 2s have an "automatically ping" address in them. Otherwise the secondary will constantly try to bring up a tunnel even when it's in a backup state, so it may get confused about its P1 status…

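A quick way to audit the setting jimp points at across a whole config is to read the pfSense configuration backup rather than clicking through every Phase 2. The script below is an added example, not code from the thread or from pfSense: it parses a constructed config.xml fragment, lists every Phase 2 that has an "automatically ping host" value together with the Phase 1 it belongs to, and can emit a copy with those values cleared. The element names (<ipsec>, <phase1>, <phase2> linked by <ikeid>, the ping address stored in <pinghost>) are my assumption about the config.xml layout, so check them against your own backup before relying on the result.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed config.xml fragment (documentation addresses). The layout, in particular
# <pinghost> as the storage for "Automatically ping host", is assumed, not taken from the thread.
SAMPLE_CONFIG = """\
<pfsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <descr>Site B (on CARP VIP)</descr>
      <remote-gateway>203.0.113.10</remote-gateway>
    </phase1>
    <phase2>
      <ikeid>1</ikeid>
      <descr>Site B LAN</descr>
      <pinghost>10.20.0.1</pinghost>
    </phase2>
    <phase2>
      <ikeid>1</ikeid>
      <descr>Site B mgmt</descr>
      <pinghost></pinghost>
    </phase2>
  </ipsec>
</pfsense>
"""


def phase2_pinghosts(config_xml: str) -> List[Tuple[str, str, str]]:
    """Return (phase1 descr, phase2 descr, ping host) for every Phase 2 that still
    has an automatic ping address, which a CARP secondary should not carry."""
    root = ET.fromstring(config_xml)
    # Map each Phase 1's ikeid to its description so the report is readable.
    p1_names = {p1.findtext("ikeid"): p1.findtext("descr", "") for p1 in root.iter("phase1")}
    found = []
    for p2 in root.iter("phase2"):
        host = (p2.findtext("pinghost") or "").strip()
        if host:
            found.append((p1_names.get(p2.findtext("ikeid"), "?"), p2.findtext("descr", ""), host))
    return found


def clear_pinghosts(config_xml: str) -> str:
    """Return a copy of the config with every Phase 2 ping host emptied.
    Write the result to a file and restore it through the GUI; do not edit a live config blindly."""
    root = ET.fromstring(config_xml)
    for p2 in root.iter("phase2"):
        node = p2.find("pinghost")
        if node is not None:
            node.text = None
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for p1, p2, host in phase2_pinghosts(SAMPLE_CONFIG):
        print(f"Phase 1 '{p1}' / Phase 2 '{p2}' pings {host}; clear this on a CARP pair")
    assert phase2_pinghosts(clear_pinghosts(SAMPLE_CONFIG)) == []
```

On the sample it flags only "Site B LAN"; the second Phase 2 has an empty <pinghost> and is left alone. Running the audit on both nodes of the pair matters because, as jimp notes, it is the backup node's pinger that keeps trying to raise a tunnel while it is not MASTER.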