Just turn off the CARP on the master during your maintenance. The backup should just take over for it. That's what I do. OpenVPN is pretty robust when this happens and just renegotiates the connection.
On Tue, Feb 25, 2014 at 5:26 PM, Adam Williams <[email protected]> wrote:
> Hello folks,
>
> I have 2 pfSense firewall devices with failover using CARP, and a functioning OpenVPN server working on the master device over the virtual CARP IP address. I want to have another OpenVPN server running on the WAN IP address of the secondary device (after disabling XML RPC sync of VPN configurations), so that we can connect to it directly for a period of time during a maintenance period.
>
> I have the second VPN server configured exactly as the functioning server. However, when I connect, I'm told:
>
> > Incoming packet rejected from [AF_INET]X.X.X.1:1194[2], expected peer address: [AF_INET]X.X.X.2:1195 (allow this incoming source address/port by removing --remote or adding --float)
>
> So I attempted to use the 'float' option on the client, which allowed for getting that to be quiet. However, I then received this:
>
> > TLS Error: local/remote TLS keys are out of sync: [AF_INET]X.X.X.1:1194 [0]
>
> When looking at the OpenVPN configuration documentation, I'm told I can use the 'local X.X.X.2' server setting, which I thought would be effected by choosing that IP address in the pfSense settings for the OpenVPN server. In any case, the packets seem to be getting NAT applied to make them come from the CARP VIP X.X.X.1.
>
> Anyone have any idea what I might be doing wrong?
>
> Thanks!
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
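The two client log lines quoted above are enough to tell a reply-source mismatch apart from a real key problem, and to show why `--float` is the wrong fix (it makes the client accept packets from any source address, leaving only the TLS/HMAC layer to reject strays). This is an added example, not code from the thread or from pfSense/OpenVPN; the log text is constructed from the quoted messages, with documentation addresses 203.0.113.x standing in for X.X.X.x.

```python
"""Diagnose OpenVPN 'expected peer address' mismatches from client log lines."""
import re
from typing import Dict, Optional

# Constructed sample client log, modelled on the two lines quoted in the thread.
SAMPLE_LOG = """\
Incoming packet rejected from [AF_INET]203.0.113.1:1194[2], expected peer address: [AF_INET]203.0.113.2:1195 (allow this incoming source address/port by removing --remote or adding --float)
TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.1:1194 [0]
"""

REJECT_RE = re.compile(
    r"Incoming packet rejected from \[AF_INET\](?P<actual_ip>[\d.]+):(?P<actual_port>\d+)"
    r"\[\d+\], expected peer address: \[AF_INET\](?P<exp_ip>[\d.]+):(?P<exp_port>\d+)"
)
OUT_OF_SYNC_RE = re.compile(
    r"TLS Error: local/remote TLS keys are out of sync: \[AF_INET\](?P<ip>[\d.]+):(?P<port>\d+)"
)


def diagnose(log_text: str) -> Optional[Dict[str, object]]:
    """Return a diagnosis when server replies arrive from a different
    address/port than the one the client dialled (`remote`), else None."""
    mismatch: Optional[Dict[str, object]] = None
    out_of_sync = False
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            mismatch = {
                "expected": (m["exp_ip"], int(m["exp_port"])),
                "actual": (m["actual_ip"], int(m["actual_port"])),
            }
        elif OUT_OF_SYNC_RE.search(line):
            out_of_sync = True
    if mismatch is None:
        return None
    exp, act = mismatch["expected"], mismatch["actual"]
    # A changed IP (not just port) means the server is answering from another
    # interface address, as when outbound NAT rewrites the source to the CARP VIP;
    # the follow-on 'keys out of sync' error is then a symptom, not a key fault.
    mismatch["kind"] = "address" if exp[0] != act[0] else "port"
    mismatch["tls_out_of_sync"] = out_of_sync
    # Hypothetical advice string: bind the server to the dialled address with
    # 'local <ip>' and keep that address out of outbound NAT instead of using --float.
    mismatch["advice"] = "bind server with 'local %s'; exclude it from outbound NAT" % exp[0]
    return mismatch


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```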
