CARP + IPsec pfSense v2.1.2
-
My Google-fu is failing me terribly.
I've noticed that when setting up an IPsec tunnel on the CARP IP, when I test failover and the backup FW comes online as MASTER, the IPsec tunnel drops and doesn't come back online even with DPD enabled and "Force IPsec Reload on Failover" enabled.
Is there a trick to this or does this flat out not work?
Looking at the ipsec log, all I get on the CLIENT pfSense FW when I fail over the opposite end's pfSense FW (the peer) to its backup pfSense FW is:
Jun 13 12:02:20 anet-pfsense-dev1 racoon: [69.28.69.142] INFO: DPD: remote (ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c) seems to be dead.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purging ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged IPsec-SA spi=230041294.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged IPsec-SA spi=244248399.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: purged ISAKMP-SA spi=605cac5385b70384:fe03c7f652e9632c.
Jun 13 12:02:20 pfsense-dev1 racoon: INFO: ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:605cac5385b70384:fe03c7f652e9632c
On the other side, now on the backup pfSense server which is now MASTER, the logs show nothing. No additional attempts from the client or the server itself that indicate that the tunnel is trying to come back up/reloading.
Make sense? Or is that confusing?
And then nothing happens, it just stays down and doesn't attemp
-
Also, on the backup pfSense server that's now the MASTER, if I manually UP the tunnel, it will come online, so it's partially working, but ideally I'd want it to auto come up without manual intervention.
-
It should work, though with CARP you will want to make sure that none of your Phase 2's have an "automatically ping" address in them. Otherwise the secondary will constantly try to bring up a tunnel even when it's in a backup state, so it may get confused about its P1 status…
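As an added example (not code from the thread or from pfSense itself), a small audit of a pfSense config.xml backup that lists every Phase 2 with an "automatically ping host" value set, so the entries the reply above says to clear on a CARP pair can be found quickly. It assumes the config layout where `<phase1>` and `<phase2>` are linked by `<ikeid>` and the ping address lives in `<pinghost>`; the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <ipsec> section of a pfSense config.xml.
# Assumed layout: phase1/phase2 linked by <ikeid>, ping address in <pinghost>.
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <interface>wan</interface>
      <remote-gateway>203.0.113.10</remote-gateway>
      <descr>Tunnel to DC</descr>
    </phase1>
    <phase2>
      <ikeid>1</ikeid>
      <descr>LAN to DC LAN</descr>
      <pinghost>10.20.0.1</pinghost>
    </phase2>
    <phase2>
      <ikeid>1</ikeid>
      <descr>DMZ to DC LAN</descr>
      <pinghost></pinghost>
    </phase2>
  </ipsec>
</pfsense>"""


def find_phase2_ping_hosts(config_xml: str) -> list:
    """Return (phase1 descr, remote gateway, phase2 descr, pinghost) for every
    Phase 2 whose ping-host field is non-empty. On a CARP pair these should be
    empty, otherwise the BACKUP node keeps trying to raise the tunnel and can
    confuse its Phase 1 state after a failover."""
    root = ET.fromstring(config_xml)
    phase1_by_id = {}
    for p1 in root.iterfind("./ipsec/phase1"):
        phase1_by_id[(p1.findtext("ikeid") or "").strip()] = p1
    findings = []
    for p2 in root.iterfind("./ipsec/phase2"):
        pinghost = (p2.findtext("pinghost") or "").strip()
        if not pinghost:
            continue  # nothing to flag for this Phase 2
        p1 = phase1_by_id.get((p2.findtext("ikeid") or "").strip())
        p1_descr = p1.findtext("descr", "") if p1 is not None else "<no phase1>"
        gateway = p1.findtext("remote-gateway", "") if p1 is not None else ""
        findings.append((p1_descr, gateway, p2.findtext("descr", ""), pinghost))
    return findings


if __name__ == "__main__":
    for p1_descr, gw, p2_descr, host in find_phase2_ping_hosts(SAMPLE_CONFIG):
        print(f"P1 '{p1_descr}' ({gw}) / P2 '{p2_descr}': pinghost={host}")
```

Run it against a downloaded config.xml (Diagnostics > Backup/Restore) instead of the sample to audit a live pair.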