Did you select the CARP IP as the 'interface' in the OpenVPN server config, or 
do you just have WAN selected?
I have a similar setup that works fine, although if the CARP address changes 
to a new machine I do need to reconnect (there may be a way around this but my 
needs are simple).

Travis Hansen [email protected]
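As an added example (not code from either poster), a small Python triage of OpenVPN client log output in the format quoted below: it groups each connection attempt by the "link remote" address and flags addresses that never get past the TLS key negotiation timeout, which is what a client sees when nothing answers on that address (here the CARP VIP, until the server's interface is set to it). The sample log is constructed from the thread's excerpt; the successful attempt to w.x.y.z+1 is an assumption added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the failing attempts quoted in the thread (VIP w.x.y.z),
# plus one constructed successful attempt to a box's own WAN address (w.x.y.z+1).
SAMPLE_LOG = """\
Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194
Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 25 19:31:00: TLS Error: TLS handshake failed
Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting
Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194
Apr 25 19:32:01: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 25 19:32:01: SIGUSR1[soft,tls-error] received, process restarting
Apr 25 19:40:00: UDPv4 link remote: [AF_INET]w.x.y.z+1:1194
Apr 25 19:40:02: Initialization Sequence Completed
"""

# Each "link remote" line starts a new attempt; the following lines belong to it.
LINK_RE = re.compile(r"link remote: \[AF_INET\](?P<remote>\S+)")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within")
OK_RE = re.compile(r"Initialization Sequence Completed")


def triage(log_text):
    """Return {remote: {"attempts": n, "tls_timeouts": n, "connected": n}}."""
    stats = defaultdict(lambda: {"attempts": 0, "tls_timeouts": 0, "connected": 0})
    current = None
    for line in log_text.splitlines():
        m = LINK_RE.search(line)
        if m:
            current = m.group("remote")
            stats[current]["attempts"] += 1
        elif current and TIMEOUT_RE.search(line):
            stats[current]["tls_timeouts"] += 1
        elif current and OK_RE.search(line):
            stats[current]["connected"] += 1
    return dict(stats)


def silent_remotes(stats):
    """Addresses where every attempt hit the TLS timeout and none completed:
    the server is not answering there (check which address it is bound to)."""
    return sorted(r for r, s in stats.items()
                  if s["connected"] == 0 and s["tls_timeouts"] == s["attempts"])


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for remote, s in summary.items():
        print(remote, s)
    print("no reply from:", silent_remotes(summary))
```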

On Monday, April 25, 2016 11:34 AM, Olivier Mascia <[email protected]> wrote:

Hello,

I now have an HA cluster of 2 pfSense boxes pretty well set up, with everything 
working as expected except one thing.
Connecting to a remote access OpenVPN server on the WAN CARP IP fails here:

Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion ...
Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage de la 
connexion.
Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] 
[PKCS11] [MH] [IPv6] built on Mar  2 2016
Apr 25 19:29:38: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Apr 25 19:30:00: Control Channel Authentication: using 
'/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.5wkLkh/ta.key' as 
a OpenVPN static key file
Apr 25 19:30:00: UDPv4 link local (bound): [undef]
Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...
and after a timeout:
Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within 60 
seconds (check your network connectivity)
Apr 25 19:31:00: TLS Error: TLS handshake failed
Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting
Apr 25 19:31:01: UDPv4 link local (bound): [undef]
Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...

When connecting to either box's non-CARP WAN address, i.e. w.x.y.z+1 or z+2 in 
this example, it works.
Even accepting UDP OpenVPN on destination Any does not fix it, so this does not 
look like a filter rule issue.
Is there something particular to take into account regarding UDP traffic toward 
the WAN CARP IP, or something specific regarding OpenVPN?

I can live with having to establish VPN to the primary box and change it should 
it fail (this is for maintenance only of the resources behind the firewall), 
but I find it strange it does not work on the CARP IP.

What obvious thing did I miss?

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om


_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold