Scott

Let me explain the chain of events...

I set up two pfsense boxes as a high-availability pair.  They have a number of 
CARP addresses configured, the ones on the WAN are mostly passed through to 
the LAN via 1:1 NAT.  One single address is used for the logical firewall 
itself CARP-FW.

I tried to set up an IPsec tunnel from a remote box to the LAN network using 
the CARP-FW address as the tunnel end-point address.  I then set this in the 
Failover IPsec dialog (along with the LAN address of the peer).  I saved this 
config, but the tunnel failed to come up - Phase 1 not completed.

I then decided to just set up a tunnel to the real WAN address of one of the 
firewalls and test this worked OK, then try the CARP approach again.  To do 
this I disabled the Failover IPsec settings via the tickbox and reconfigured 
the tunnel endpoint address on both systems.  No luck with this config so I 
checked the firewall logs, and sure enough incoming UDP/500 packets are being 
rejected between the tunnel endpoints.  I then used status.php to look at the 
firewall config 'in the raw' and saw that the rules are like this...

pass out quick on em3 proto udp from x.x.x.235 to y.y.y.153 port = 500 keep state label "IPSEC: Close Consultants - outbound isakmp"
pass in quick on em3 proto udp from y.y.y.153 to x.x.x.235 port = 500 keep state label "IPSEC: Close Consultants - inbound isakmp"
pass out quick on em3 proto esp from x.x.x.235 to y.y.y.153 keep state label "IPSEC: Close Consultants - outbound esp proto"
pass in quick on em3 proto esp from y.y.y.153 to x.x.x.235 keep state label "IPSEC: Close Consultants - inbound esp proto"
pass out quick on em3 proto ah from x.x.x.235 to y.y.y.153 keep state label "IPSEC: Close Consultants - outbound ah proto"
pass in quick on em3 proto ah from y.y.y.153 to x.x.x.235 keep state label "IPSEC: Close Consultants - inbound ah proto"

The x.x.x.235 address is the CARP-FW address (supposedly disabled) not the 
real FW address.

I zeroed all the Failover IPsec boxes and saved the config, the tunnel came up 
immediately and the firewall rules are just fine.

This is BETA-2.

Incidentally, this is only one of a small plague of problems with CARP - I am 
trying to reproduce some of the problems now so I can document them 
correctly.

Cheers

/Peter

On Saturday 18 March 2006 18:02, Scott Ullrich wrote:
> Not sure what you mean.  Can you show me an example of the rule?
>
> On 3/18/06, Peter Curran <[EMAIL PROTECTED]> wrote:
> > The firewall rules to manage IPsec are being based on the (CARP) address
> > entered in the Failover IPsec dialog irrespective of the setting of the
> > Enable checkbox in the Failover IPsec dialog.
> >
> > The only way to stop it doing this has been to remove all the entries.
> >
> > /Peter
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>

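The report above boils down to two things a defender can model: which local address the rule generator binds the IPsec pass rules to (the CARP address from the Failover IPsec dialog even when its Enable box is unticked, per the report), and a quick way to spot that in a pf ruleset before the tunnel mysteriously fails Phase 1. The following is an added example written for this thread; it is not pfSense code. The address-selection functions, the rule emitter, the documentation addresses standing in for x.x.x.235 / y.y.y.153, and the checker are all assumptions shaped after the six rules quoted in the message.

```python
"""Model the CARP-vs-real-WAN endpoint mix-up from the report and check
a pf ruleset for it.  Added example; not pfSense's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values (RFC 5737 documentation addresses standing in
# for the x.x.x.235 / y.y.y.153 placeholders in the report).
CARP_FW = "192.0.2.235"       # CARP address typed into the Failover IPsec dialog
REAL_WAN = "198.51.100.235"   # the firewall's own WAN interface address
PEER = "203.0.113.153"        # remote tunnel endpoint


@dataclass(frozen=True)
class Tunnel:
    peer: str
    wan_addr: str
    carp_addr: str          # Failover IPsec field, "" when zeroed
    failover_enabled: bool  # the Enable checkbox in that dialog


def local_endpoint_buggy(t: Tunnel) -> str:
    """Behaviour the report describes (assumed logic): any address present
    in the Failover IPsec fields wins, Enable checkbox or not."""
    return t.carp_addr or t.wan_addr


def local_endpoint_fixed(t: Tunnel) -> str:
    """Corrected selection: the CARP address is used only while failover
    is enabled; otherwise the interface's own WAN address is used."""
    if t.failover_enabled and t.carp_addr:
        return t.carp_addr
    return t.wan_addr


def ipsec_rules(t: Tunnel, local: str, iface: str = "em3",
                label: str = "IPSEC: peer") -> List[str]:
    """Emit the six pf rules (isakmp, esp, ah; out and in) for one tunnel,
    in the same shape as the rules shown by status.php in the report."""
    rules = []
    for proto, port, name in (("udp", " port = 500", "isakmp"),
                              ("esp", "", "esp proto"),
                              ("ah", "", "ah proto")):
        rules.append(f'pass out quick on {iface} proto {proto} from {local} '
                     f'to {t.peer}{port} keep state label "{label} - outbound {name}"')
        rules.append(f'pass in quick on {iface} proto {proto} from {t.peer} '
                     f'to {local}{port} keep state label "{label} - inbound {name}"')
    return rules


# Matches the start of a pf pass rule; addresses are taken as opaque tokens
# so redacted forms like x.x.x.235 parse too.
RULE_RE = re.compile(
    r'^pass (?P<dir>in|out) quick on (?P<iface>\S+) proto (?P<proto>\S+) '
    r'from (?P<src>\S+) to (?P<dst>\S+)')


def local_address(rule: str) -> Optional[str]:
    """The address a rule treats as the local end: src for 'out', dst for 'in'.
    Returns None for lines that are not pass rules of this shape."""
    m = RULE_RE.match(rule)
    if not m:
        return None
    return m["src"] if m["dir"] == "out" else m["dst"]


def check_rules(rules: List[str], expected_local: str) -> List[str]:
    """Return the rules bound to a local address other than the one the
    tunnel is actually negotiating from; non-matching lines are skipped."""
    return [r for r in rules
            if local_address(r) not in (None, expected_local)]


if __name__ == "__main__":
    # Failover IPsec fields filled in, Enable box unticked: the situation
    # in the report, where the tunnel really runs from the WAN address.
    t = Tunnel(PEER, REAL_WAN, CARP_FW, failover_enabled=False)
    for picker in (local_endpoint_buggy, local_endpoint_fixed):
        rules = ipsec_rules(t, picker(t), label="IPSEC: Close Consultants")
        bad = check_rules(rules, REAL_WAN)
        print(f"{picker.__name__}: {len(bad)} rule(s) bound to the wrong address")
        for r in bad:
            print("  ", r)
```

Run against the ruleset dumped by status.php, `check_rules` lists every IPsec pass rule whose local end is not the address the tunnel is negotiating from; with the reported behaviour all six rules are flagged, and with the corrected selection none are. The same check is a useful sanity test after any change to the Failover IPsec dialog, since the symptom (UDP/500 rejected in the firewall log) looks like an ordinary Phase 1 failure.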
