IPsec over CARP on pfSense 2.2.4: unable to set up a tunnel



  • I installed two pfSense boxes, both running pfSense 2.2.4.
    Both are configured as VMs on a VMware ESX server.
    Each machine runs with 3 em interfaces, a 16 GB HD and 8 GB RAM.

    All three interfaces are configured for CARP, so the WAN and LAN interfaces both have a CARP address assigned.
    I'm using the LAN as the sync interface. Later on I would like to add traffic from the third interface to the tunnel.
    As soon as I configure IPsec for a site-to-site tunnel and choose the WAN CARP address as the external address and
    the CARP IP address as the identifier, I assumed that the tunnel would be built from the master pfSense node to the
    other endpoint of the VPN.

    setkey -DP shows a configured VPN, and the config can also be displayed with ipsec configall at the shell prompt.

    I added a few general filter rules to the following tabs:

    IPsec tab:

    allow ipv4 local LAN -> remote LAN
    allow ipv4 remote LAN -> local LAN

    LAN tab:

    allow ipv4 local LAN -> remote LAN
    allow ipv4 remote LAN -> local LAN

    WAN tab:

    allow ipv4 esp local external CARP-address -> remote external IP
    allow ipv4 esp remote external IP -> local external CARP-address

    allow ipv4 udp remote external IP -> local external CARP-address port 500
    allow ipv4 udp local external CARP-address -> remote external port 500
    allow ipv4 udp remote external IP -> local external CARP-address port 4500
    allow ipv4 udp local external CARP-address -> remote external port 4500

    allow ipv4 local LAN -> remote LAN    // probably unneeded
    allow ipv4 remote LAN -> local LAN    // this one as well

    I didn't configure any NAT rules; it's a site-to-site connection, routing network to network through the IPsec tunnel.

    The CARP addresses look like aliases on the WAN and LAN interfaces; I tried CARP addresses with netmask /32 but
    also with the same netmask as the standard external IP.

    ping -S LAN-ip remote-LAN-ip generates some traffic on the external interface but no tunnel is built,
    so setkey -DD stays empty.

    As soon as I remove the external CARP IP from the external interface, disable pf filtering temporarily and add
    exactly the same external IP address on the outside interface again, the tunnel is built to the remote site
    and IPsec is working.

    Commands:
    setkey -DP                         # SPD shows the configured policy
    ifconfig em0 -alias ext-CARP-IP    # remove the CARP VIP from the WAN interface
    pfctl -d                           # disable pf temporarily
    ifconfig em0 alias ext-CARP-IP     # re-add exactly the same IP as a plain alias
    ping -S 192.168.1.1 192.168.2.254  # local LAN -> remote LAN, tunnel comes up
    setkey -DD                         # SAD is now populated
    pfctl -e                           # re-enable pf
    ping is still functioning...

    The tunnel I'd like to configure should run between a Checkpoint FW and two pfSense boxes (running in CARP).
    The tunnel configuration works when I use the external IP as a real alias configured on the outside interface.
    The tunnel doesn't come up when using the same IP address on the outside interface as a CARP address.

    Has anyone seen this problem on FreeBSD 10.1/pfSense 2.2.4?
    When IPsec is working with the external IP address as an alias, what's the real difference compared to
    the CARP external IP address? It's visible: no (vhid 0) at the end of the line.

    Maybe it's something small or stupid that I forgot, but currently it looks like I'm unable to use two VMs
    as a virtual firewall to set up a failover IPsec endpoint.

    I'm open to suggestions. I started with 2.2-release and, to be sure it's running the latest version, I
    updated the boxes to 2.2.4 and started all over... same results :-(



  • Changed the interfaces under ESX to promiscuous mode.
    I left NAT disabled and made no changes to the firewall rules.
    After a reboot the tunnel came up from the CARP address.
    Now syncing the tunnel configuration to the second node; thanks for the hint wikidd :)

    I can continue testing and see how stable it will be.
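The question in the first post ("what's the real difference compared to the CARP external IP address?") and the fix in the second (promiscuous mode on the ESX vSwitch) come down to one thing that a plain alias and a CARP VIP do not share: the VIP is answered for and carried with the CARP virtual MAC 00:00:5e:00:01:<vhid>, not the vNIC's own MAC, and a vSwitch that only delivers frames to the MAC it assigned to the vNIC will silently drop the peer's IKE/ESP traffic for that address (VMware's port-group security policy names the relevant knobs Promiscuous Mode, MAC Address Changes and Forged Transmits). The POSIX sh diagnostic below is an added example, not code from the thread or from pfSense: it parses FreeBSD 10.x style ifconfig(8) output for an address and reports whether it is an alias or a VIP, its vhid and CARP state, and the virtual MAC the vSwitch must accept. The ifconfig text, the 203.0.113.0/24 addresses, the vhid and the MACs are all constructed for the example.

```shell
#!/bin/sh
# carp_vip_check.sh (added example, not from the thread or from pfSense):
# given ifconfig(8) output and an IPv4 address, tell whether the address is a
# plain alias or a CARP VIP, which vhid it belongs to, the CARP state, and the
# CARP virtual MAC 00:00:5e:00:01:<vhid> that neighbours resolve the VIP to.
# A hypervisor vSwitch that only delivers frames to the vNIC's own MAC needs
# promiscuous mode (and, on VMware, forged transmits) for that virtual MAC.

# Constructed sample in the FreeBSD 10.x ifconfig(8) format; not captured from
# the poster's boxes. 203.0.113.0/24 is a documentation range; .11 is the
# interface's own address and .10 is the shared CARP VIP (vhid 1).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:aa:bb:cc
        inet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10 vhid 1
        inet6 fe80::20c:29ff:feaa:bbcc%em0 prefixlen 64 scopeid 0x1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: MASTER vhid 1 advbase 1 advskew 0'

# iface_mac TEXT: the vNIC's own MAC (the "ether" line).
iface_mac() {
    printf '%s\n' "$1" | awk '$1 == "ether" { print $2; exit }'
}

# carp_vhid_for_ip TEXT IP: "none" for a plain alias, the vhid for a CARP VIP,
# "absent" if the address is not configured on the interface at all.
carp_vhid_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "inet" && $2 == ip {
            vhid = "none"
            for (i = 3; i < NF; i++) if ($i == "vhid") vhid = $(i + 1)
            print vhid; found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# carp_state TEXT VHID: MASTER, BACKUP or INIT from the "carp:" status line.
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; exit }'
}

# carp_virtual_mac VHID: the VRRP/CARP virtual MAC, last octet is the vhid.
carp_virtual_mac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# vip_report TEXT IP: one-line summary; returns 0 only if the address can be
# an IKE/ESP source right now (plain alias, or CARP VIP in MASTER state).
vip_report() {
    _vhid=$(carp_vhid_for_ip "$1" "$2")
    case "$_vhid" in
        absent) echo "$2: not configured on this interface"; return 2 ;;
        none)   echo "$2: plain alias; frames carry the vNIC MAC $(iface_mac "$1")"; return 0 ;;
    esac
    _state=$(carp_state "$1" "$_vhid")
    _vmac=$(carp_virtual_mac "$_vhid")
    echo "$2: CARP vhid $_vhid, state ${_state:-unknown}; frames carry virtual MAC $_vmac," \
         "not vNIC MAC $(iface_mac "$1"); the vSwitch must accept it (promiscuous/forged transmits)"
    [ "$_state" = "MASTER" ]
}

# Stand-alone demo; on a live box replace the sample with "$(ifconfig em0)".
vip_report "$SAMPLE_IFCONFIG" 203.0.113.11
vip_report "$SAMPLE_IFCONFIG" 203.0.113.10
```

On a real node run it as `vip_report "$(ifconfig em0)" <WAN CARP IP>`: the exit status tells a script whether this node currently owns the VIP (MASTER), and the printed virtual MAC is what to look for in a packet capture on the peer side when the tunnel refuses to come up.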