    Pfsense 2.2.1 - CARP Address as IPsec VPN endpoint does not work

      Uli4920 last edited by

      VPN connections using the WAN CARP Address as VPN endpoint can not be established.

      ------------------
      I've got two pfSense 2.2.1 virtual machines (GW_A, GW_B) running as an HA IPSec VPN Cluster (GW_AB).
      On WAN Interface a virtual IP (CARP IP) is bound. This IP should work as VPN endpoint address.
      GW_A:    WAN_IP=1.0.1.2/24
      GW_B:    WAN_IP=1.0.1.3/24
      GW_AB: CARP_IP=1.0.1.1/24  - VPN Endpoint

      When configuring IPSec Connection "IPsec: Edit Phase 1", it's not possible to set or select the Local Gateway. The Local gateway IP Address will be automatically assigned and it's always the dedicated WAN Address, for example 1.0.1.2.

      In /var/etc/ipsec/ipsec.conf the local IP looks like this:
      conn con1
      ...
      left = 1.0.1.2
      right = gwremote.example.com
              …

      The assigned address is wrong.
      Incoming IKE traffic from remote gateway directed to 1.0.1.1 does not match the IKE config. The requests are rejected.
      Here are the corresponding log events.
      charon: 15[NET] received packet: from 1.0.5.5[500] to 1.0.1.1[500] (440 bytes)
      …
      charon: 15[IKE] no IKE config found for 1.0.1.1...1.0.5.5, sending NO_PROPOSAL_CHOSE
      charon: 15[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

      ------------------

      If it were possible to set (or select) the Local Gateway entry, a specific configuration for each connection could be configured. Here's the correct connection description in /var/etc/ipsec/ipsec.conf.

      conn con1
      ...
      left = 1.0.1.1
      right = gwremote.example.com
              …


      How can I set the WAN CARP Address as a Local Gateway Address in one or all IPSec connections?
      Is there a workaround to add the CARP IP Address into ipsec.conf?
      If this has already been addressed, please provide info or link to the fix.

        MLIT last edited by

        It works for me...

        In the Phase 1, under "Interface", select the CARP IP that you want to use. Then under "My Identifier", select "IP Address" and enter the IP address for the CARP IP address you've selected above.

          Uli4920 last edited by
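The fix above changes what pfSense writes into /var/etc/ipsec/ipsec.conf: once the CARP VIP is selected as the Phase 1 Interface and "My Identifier" is set to that IP, `left` and `leftid` are rendered as the shared address instead of the node's own WAN address. The script below is an added example, not code from this thread or from the pfSense project. It parses a rendered ipsec.conf, flags any conn whose `left`/`leftid` is not the CARP VIP, and scans charon log lines for the "no IKE config found for local...remote" symptom quoted in the first post, so the two can be correlated before and after the change. The config and log samples are constructed here; the conf layout (indented `key = value` lines under a column-0 `conn` header) follows strongSwan's ipsec.conf format, and the CARP VIP 1.0.1.1 is the address from the thread.

```python
import re

# Constructed sample modelled on the thread: before the fix, pfSense renders the
# physical WAN address of the node as the local endpoint of every conn.
IPSEC_CONF_BEFORE = """\
config setup
    uniqueids = yes

conn con1
    left = 1.0.1.2
    leftid = 1.0.1.2
    right = gwremote.example.com
    keyexchange = ikev2
"""

# Constructed sample of the same conn after selecting the CARP VIP as the
# Phase 1 Interface and using its IP as "My Identifier".
IPSEC_CONF_AFTER = IPSEC_CONF_BEFORE.replace("1.0.1.2", "1.0.1.1")

# Constructed charon lines in the shape quoted in the thread.
CHARON_LOG = [
    "charon: 15[NET] received packet: from 1.0.5.5[500] to 1.0.1.1[500] (440 bytes)",
    "charon: 15[IKE] no IKE config found for 1.0.1.1...1.0.5.5, sending NO_PROPOSAL_CHOSEN",
    "charon: 15[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]",
]

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
# Accept both "..." and the single-character ellipsis that forum rendering produces.
NO_CONFIG_RE = re.compile(r"no IKE config found for (\S+?)(?:\.\.\.|\u2026)(\S+?),")


def parse_conns(conf_text):
    """Parse ipsec.conf into {conn_name: {key: value}}.

    Only 'conn' sections are kept; 'config setup' and other column-0 sections are
    skipped. Both 'key=value' and 'key = value' are accepted, '#' comments stripped.
    """
    conns = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header at column 0
            m = CONN_RE.match(line)
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
            continue
        if current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def endpoint_mismatches(conns, carp_vip):
    """Return (conn, key, value) for every left/leftid that is not the CARP VIP.

    On an HA pair every conn that should answer on the shared address must use it
    as both its local address and its IKE identity, or one node fails over cleanly
    while the peer's IKE_SA_INIT is still rejected.
    """
    problems = []
    for name, opts in conns.items():
        for key in ("left", "leftid"):
            val = opts.get(key)
            if val is not None and val != carp_vip:
                problems.append((name, key, val))
    return problems


def rejected_peers(log_lines):
    """Collect (local, remote) pairs for which charon found no matching IKE config."""
    pairs = []
    for line in log_lines:
        m = NO_CONFIG_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def diagnose(conf_text, log_lines, carp_vip):
    """Combine both checks into human-readable findings for the given CARP VIP."""
    conns = parse_conns(conf_text)
    findings = [f"{name}: {key} = {val} (expected CARP VIP {carp_vip})"
                for name, key, val in endpoint_mismatches(conns, carp_vip)]
    for local, remote in rejected_peers(log_lines):
        if local == carp_vip:   # IKE arrived on the VIP but no conn claims it as 'left'
            findings.append(f"IKE from {remote} to {local} rejected: no conn has left = {local}")
    return findings


if __name__ == "__main__":
    print("before fix:", diagnose(IPSEC_CONF_BEFORE, CHARON_LOG, "1.0.1.1"))
    print("after fix: ", diagnose(IPSEC_CONF_AFTER, [], "1.0.1.1"))
```

On a real pair, feed `diagnose()` the live /var/etc/ipsec/ipsec.conf and a tail of the IPsec log with the VIP from the CARP settings; an empty result on both nodes, plus no new "no IKE config found" lines for the VIP after a failover, is the practical confirmation that the Phase 1 change took effect on both members.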

          Thank you. That's the advice I needed. It works fine now.
          I've never looked up the list of local interfaces after setting the CARP Addresses.
          What a bad mistake…
