IPsec over CARP on pfSense 2.2.4: unable to set up a tunnel
-
I installed two pfSense boxes, both running pfSense 2.2.4.
Both are configured as VMs on an ESX VMware server.
Each machine is running with 3 em interfaces, 16 GB HD and 8 GB RAM. All three interfaces are configured for CARP, so the WAN and LAN interfaces both have a CARP address assigned.
I'm using the LAN as sync interface. Later on I would like to add traffic from the third interface to the tunnel.
As soon as I configure IPsec for a site-to-site tunnel, and choose the WAN CARP address as external address and the CARP IP address as identifier, I assumed that the tunnel should be built from the master pfSense node to the other endpoint of the VPN. setkey -DP shows a configured VPN, and the config could even be displayed with ipsec configall at the shell prompt.
I added a few general filter rules to the following tabs:

IPsec tab:
allow ipv4 local LAN -> remote LAN
allow ipv4 remote LAN -> local LAN

LAN tab:
allow ipv4 local LAN -> remote LAN
allow ipv4 remote LAN -> local LAN

WAN tab:
allow ipv4 esp local external CARP-address -> remote external IP
allow ipv4 esp remote external IP -> local external CARP-address
allow ipv4 udp remote external IP -> local external CARP-address port 500
allow ipv4 udp local external CARP-address -> remote external port 500
allow ipv4 udp remote external IP -> local external CARP-address port 4500
allow ipv4 udp local external CARP-address -> remote external port 4500
allow ipv4 local LAN -> remote LAN // probably unneeded
allow ipv4 remote LAN -> local LAN // this one as well

I didn't configure any NAT rules; it's a site-to-site connection, routing network to network through the IPsec tunnel.
The CARP addresses look like aliases on the WAN and LAN interfaces. I tried CARP addresses with netmask /32 but also with the same netmask as the standard external IP. ping -S LAN-ip remote-LAN-ip is generating some traffic at the external interface, but no tunnel will be built up, so setkey -DD stays empty.
As soon as I remove the external CARP IP from the external interface, disable pf filtering temporarily and add exactly the same external IP address on the outside interface again, the tunnel will be built to the remote site and IPsec is working. Commands:
setkey -DP
ifconfig em0 -alias ext-CARP-IP
pfctl -d
ifconfig em0 alias ext-CARP-IP
ping -S 192.168.1.1 192.168.2.254
setkey -DD
pfctl -e
ping is still functioning... The tunnel I'd like to configure should act between a Checkpoint FW and two pfSense boxes (running in CARP).
The tunnel configuration is working when I use the ext IP as a real alias configured on the outside interface.
The tunnel isn't coming up when using the same IP address on the outside interface as a CARP address. Has anyone seen this problem on FreeBSD 10.1/pfSense 2.2.4?
When IPsec is working with the external IP address as an alias, what's the real difference compared to the CARP external IP address? It's visible: no (vhid 0) at the end of the line.
It's maybe something small or stupid that I forgot, but currently it looks like I'm unable to use two VMs as a virtual firewall to set up a failover IPsec endpoint.
I'm open to suggestions. I started with 2.2-release and, to be sure it's running the latest version, I updated the boxes to 2.2.4 and started all over... same results :-(
-
Changed the interfaces under ESX into promiscuous mode.
I left NAT still disabled and made no changes to the firewall rules.
After a reboot the tunnel came up from the CARP address.
Now syncing the tunnel configuration to the second node. Thanks for the hint wikidd :) I can continue testing and look at how stable it will be.
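As an added example (not from the poster or the pfSense project), a small sh script that makes the difference asked about in the thread concrete: it parses FreeBSD 10-style ifconfig output, tells a plain alias from a CARP VIP by the trailing vhid, derives the CARP virtual MAC 00:00:5e:00:01:<vhid> that the ESX vSwitch has to deliver (which is why promiscuous mode made the tunnel come up), and checks that the node is MASTER for that vhid before it should be expected to build the tunnel. The ifconfig text, addresses and MAC are constructed placeholders.

```shell
#!/bin/sh
# Constructed ifconfig(8) output in the FreeBSD 10.x style that pfSense 2.2.x
# prints for a WAN interface: 203.0.113.11 is the node's own address (a plain
# alias), 203.0.113.10 is the shared failover address (CARP VIP, vhid 1).
# Addresses and MAC are placeholders, not the poster's values.
IFCONFIG_SAMPLE='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:50:56:aa:bb:cc
    inet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'

# addr_kind ADDR [TEXT]: "alias" if ADDR is a plain alias (it answers from the
# vNIC's own MAC, which the vSwitch always delivers), "carp:VHID:VMAC" if it is
# a CARP VIP (it answers from the virtual MAC 00:00:5e:00:01:VHID, which an ESX
# vSwitch only delivers with promiscuous mode allowed), "absent" if not configured.
addr_kind() {
    text=${2:-$IFCONFIG_SAMPLE}
    line=$(printf '%s\n' "$text" | awk -v a="$1" '$1 == "inet" && $2 == a { print; exit }')
    [ -n "$line" ] || { echo absent; return; }
    case "$line" in
        *" vhid "*)
            vhid=${line##* vhid }; vhid=${vhid%% *}
            printf 'carp:%s:00:00:5e:00:01:%02x\n' "$vhid" "$vhid" ;;
        *) echo alias ;;
    esac
}

# carp_state VHID [TEXT]: MASTER, BACKUP or INIT for that vhid, "none" if the
# interface has no carp line for it.
carp_state() {
    text=${2:-$IFCONFIG_SAMPLE}
    printf '%s\n' "$text" | awk -v v="$1" '
        $1 == "carp:" && $4 == v { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# vip_ready ADDR [TEXT]: "yes" only when ADDR is a CARP VIP and this node is
# MASTER for it, i.e. this is the node that should be building the IPsec
# tunnel from that address; the BACKUP node must not.
vip_ready() {
    text=${2:-$IFCONFIG_SAMPLE}
    kind=$(addr_kind "$1" "$text")
    case "$kind" in
        carp:*) v=${kind#carp:}; v=${v%%:*}
                [ "$(carp_state "$v" "$text")" = MASTER ] && echo yes || echo no ;;
        *) echo no ;;
    esac
}
```

On a real box, feed it live output with `addr_kind 203.0.113.10 "$(ifconfig em0)"`; the reported virtual MAC is the one to check against the vSwitch security policy.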