On 2016-04-26 05:36, Olivier Mascia wrote:
Hello,

I now have a HA cluster of 2 pfSense boxes pretty much well set up,
everything working as expected, except one thing.
Connecting to a remote access OpenVPN server on the WAN CARP IP fails here:

Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion ...
Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage
de la connexion.
Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)]
[LZO] [PKCS11] [MH] [IPv6] built on Mar  2 2016
Apr 25 19:29:38: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Apr 25 19:30:00: Control Channel Authentication: using
'/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.5wkLkh/ta.key'
as a OpenVPN static key file
Apr 25 19:30:00: UDPv4 link local (bound): [undef]
Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...
and after a timeout:
Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within
60 seconds (check your network connectivity)
Apr 25 19:31:00: TLS Error: TLS handshake failed
Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting
Apr 25 19:31:01: UDPv4 link local (bound): [undef]
Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...

When connecting to either box's non-CARP WAN address, i.e. w.x.y.z+1 or
z+2 in this example, it works.
Even accepting UDP OpenVPN on destination Any does not fix it. So this
does not look like a filter rule issue.
Is there something particular to take into account regarding UDP
traffic toward the WAN CARP IP or something specific regarding
OpenVPN?

I can live with having to establish VPN to the primary box and change
it should it fail (this is for maintenance only of the resources
behind the firewall), but I find it strange it does not work on the
CARP IP.

What obvious thing did I miss?

Did you change the OpenVPN configured Interface to be the VIP rather than the WAN?
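As an added illustration, not part of this thread, here is what that setting change amounts to in the OpenVPN server configuration pfSense generates. The exact lines are an assumption (pfSense is assumed to emit a `local` directive for the address of the selected Interface); the addresses are the placeholders used in the question.

```conf
# Assumed pfSense-generated server config excerpt, Interface = WAN (the failing case).
# The daemon binds to this node's own WAN address, so handshake replies to a client
# that connected to the CARP VIP w.x.y.z are sourced from w.x.y.z+1 (or z+2 on the
# secondary). A client that was told "remote w.x.y.z" expects answers from that
# address, so the TLS negotiation never completes and times out after 60 seconds.
dev ovpns1
proto udp
port 1194
local w.x.y.z+1

# Same excerpt with Interface = the CARP VIP (the suggested fix).
# The daemon binds to the VIP, replies are sourced from w.x.y.z, and the listener
# moves with the VIP on failover, so the client does not need to pick a node.
dev ovpns1
proto udp
port 1194
local w.x.y.z
```

On the box, `sockstat -4 -l | grep 1194` (FreeBSD) shows which address the OpenVPN process is actually listening on, which is the quickest way to confirm the setting took effect.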
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold