Pfsense 2.2.1 - CARP Address as IPsec VPN endpoint does not work

IPsec
Log in to reply
  • U

    VPN connections using the WAN CARP Address as VPN endpoint can not be established.

    –-----------------
    I've got two pfSense 2.2.1 virtual machines (GW_A, GW_B) running as an HA IPSec VPN Cluster (GW_AB).
    On WAN Interface a virtual IP (CARP IP) is bound. This IP should work as VPN endpoint address.
    GW_A:    WAN_IP=1.0.1.2/24
    GW_B:    WAN_IP=1.0.1.3/24
    GW_AB: CARP_IP=1.0.1.1/24  - VPN Endpoint

    When configuring IPSec Connection "IPsec: Edit Phase 1", it's not possible to set or select the Local Gateway. The Local gateway IP Address will be automatically assigned and it's always the dedicated WAN Address, for example 1.0.1.2.

    In /var/etc/ipsec/ipsec.conf the local IP looks like this:
    conn con1
    ...
    left = 1.0.1.2
    right = gwremote.example.com
            …

    The assigned address is wrong.
    Incoming IKE traffic from remote gateway directed to 1.0.1.1 does not match the IKE config. The requests are rejected.
    Here are the corresponding log events.
    charon: 15[NET] received packet: from 1.0.5.5[500] to 1.0.1.1[500] (440 bytes)

    charon: 15[IKE] no IKE config found for 1.0.1.1…1.0.5.5, sending NO_PROPOSAL_CHOSE
    charon: 15[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

    –----------------

    If it would be possible to set (or select) the entry of Local Gateway, a specific configuration for each connection could be configured. Here's the correct connection description in /var/etc/ipsec/ipsec.conf.

    conn con1
    ...
    left = 1.0.1.1
    right = gwremote.example.com
            …

    How can I set the WAN CARP Address as an Local Gateway Address in one or all IPSec connetions?
    Is there an workaround to add CARP IP Address into ipsec.conf?
    If this has already been addressed, please provide info or link to the fix.

    0
  • M

    It works for me…...

    In the Phase 1, under "Interface", select the CARP IP that you want to use. Then under "My Identifier", select "IP Address" and enter the IP address for the CARP IP address you've selected above.

    0
  • U

    Thank You. That's the advice I needed. It works fine now.
    I've never looked up the list of local interfaces after setting the CARP Addresses.
    What a bad mistake…

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy