Scott,

Let me explain the chain of events...
I set up two pfsense boxes as a high-availability pair. They have a number of CARP addresses configured; the ones on the WAN are mostly passed through to the LAN via 1:1 NAT. One single address is used for the logical firewall itself, CARP-FW. I tried to set up an IPsec tunnel from a remote box to the LAN network using the CARP-FW address as the tunnel end-point address. I then set this in the Failover IPsec dialog (along with the LAN address of the peer). I saved this config, but the tunnel failed to come up - Phase 1 not completed.

I then decided to just set up a tunnel to the real WAN address of one of the firewalls and test that this worked OK, then try the CARP approach again. To do this I disabled the Failover IPsec settings via the tickbox and reconfigured the tunnel endpoint address on both systems. No luck with this config, so I checked the firewall logs, and sure enough incoming UDP/500 packets are being rejected between the tunnel endpoints. I then used status.php to look at the firewall config 'in the raw' and saw that the rules are like this...

    pass out quick on em3 proto udp from x.x.x.235 to y.y.y.153 port = 500 keep state label "IPSEC: Close Consultants - outbound isakmp"
    pass in quick on em3 proto udp from y.y.y.153 to x.x.x.235 port = 500 keep state label "IPSEC: Close Consultants - inbound isakmp"
    pass out quick on em3 proto esp from x.x.x.235 to y.y.y.153 keep state label "IPSEC: Close Consultants - outbound esp proto"
    pass in quick on em3 proto esp from y.y.y.153 to x.x.x.235 keep state label "IPSEC: Close Consultants - inbound esp proto"
    pass out quick on em3 proto ah from x.x.x.235 to y.y.y.153 keep state label "IPSEC: Close Consultants - outbound ah proto"
    pass in quick on em3 proto ah from y.y.y.153 to x.x.x.235 keep state label "IPSEC: Close Consultants - inbound ah proto"

The x.x.x.235 address is the CARP-FW address (supposedly disabled), not the real FW address.
I zeroed all the Failover IPsec boxes and saved the config; the tunnel came up immediately and the firewall rules are just fine. This is BETA-2.

Incidentally, this is only one of a small plague of problems with CARP - I am trying to reproduce some of the problems now so I can document them correctly.

Cheers

/Peter

On Saturday 18 March 2006 18:02, Scott Ullrich wrote:
> Not sure what you mean. Can you show me an example of the rule?
>
> On 3/18/06, Peter Curran <[EMAIL PROTECTED]> wrote:
> > The firewall rules to manage IPsec are being based on the (CARP) address
> > entered in the Failover IPsec dialog irrespective of the setting of the
> > Enable checkbox in the Failover IPsec dialog.
> >
> > The only way to stop it doing this has been to remove all the entries.
> >
> > /Peter
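The check Peter did by hand (reading the generated pf rules and spotting that the local endpoint is the CARP VIP rather than the interface address) can be scripted. The following is an added example, not code from pfsense or from anyone on this thread. It parses rule lines in the exact shape shown above, takes the local endpoint to be the source of "pass out" rules and the destination of "pass in" rules, and flags every IPsec rule whose local endpoint differs from the address the tunnel was actually configured with; it also reports which of the six expected rules (isakmp UDP/500, ESP and AH, each in and out) are missing. The addresses in the sample rules (192.0.2.235 as the CARP VIP, 192.0.2.10 as the assumed real interface address, 198.51.100.153 as the peer) are constructed documentation-range values standing in for the x.x.x.235 / y.y.y.153 of the report.

```python
"""Flag pfSense-generated IPsec pf rules that use the wrong local endpoint.

Added example, not pfsense code. Input is the textual rule form seen in
the report:
  pass out quick on em3 proto udp from A to B port = 500 keep state label "IPSEC: ..."
"""
import re

RULE_RE = re.compile(
    r'^pass\s+(?P<dir>in|out)\s+quick\s+on\s+(?P<ifname>\S+)\s+proto\s+(?P<proto>\S+)'
    r'\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'(?:\s+port\s*=\s*(?P<port>\d+))?'
    r'.*?label\s+"(?P<label>[^"]*)"'
)

# The rule set pfsense emitted for one tunnel: ISAKMP (UDP/500), ESP and AH, both directions.
EXPECTED_RULES = {
    ("out", "udp", 500), ("in", "udp", 500),
    ("out", "esp", None), ("in", "esp", None),
    ("out", "ah", None), ("in", "ah", None),
}


def parse_rule(line):
    """Parse one rule line into a dict, or return None if it is not a pass rule we understand."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    r["port"] = int(r["port"]) if r["port"] else None
    # For traffic on the WAN interface, "our" address is the source of outbound
    # rules and the destination of inbound rules; the peer is the other side.
    r["local"] = r["src"] if r["dir"] == "out" else r["dst"]
    r["remote"] = r["dst"] if r["dir"] == "out" else r["src"]
    return r


def ipsec_rules(rules_text, label_prefix="IPSEC:"):
    """Return the parsed rules whose label marks them as IPsec rules."""
    parsed = (parse_rule(line) for line in rules_text.splitlines())
    return [r for r in parsed if r is not None and r["label"].startswith(label_prefix)]


def wrong_endpoint(rules_text, expected_local):
    """Return IPsec rules whose local endpoint is not the address the tunnel was configured with."""
    return [r for r in ipsec_rules(rules_text) if r["local"] != expected_local]


def missing_rules(rules_text, local, remote):
    """Return the (dir, proto, port) triples that should exist for local<->remote but do not."""
    present = {
        (r["dir"], r["proto"], r["port"])
        for r in ipsec_rules(rules_text)
        if r["local"] == local and r["remote"] == remote
    }
    return EXPECTED_RULES - present


# Constructed sample modelled on the report: rules were generated with the CARP VIP
# (192.0.2.235 here) although the tunnel had been reconfigured to use the real
# interface address (assumed 192.0.2.10). Peer is 198.51.100.153.
SAMPLE_RULES = """\
pass out quick on em3 proto udp from 192.0.2.235 to 198.51.100.153 port = 500 keep state label "IPSEC: Close Consultants - outbound isakmp"
pass in quick on em3 proto udp from 198.51.100.153 to 192.0.2.235 port = 500 keep state label "IPSEC: Close Consultants - inbound isakmp"
pass out quick on em3 proto esp from 192.0.2.235 to 198.51.100.153 keep state label "IPSEC: Close Consultants - outbound esp proto"
pass in quick on em3 proto esp from 198.51.100.153 to 192.0.2.235 keep state label "IPSEC: Close Consultants - inbound esp proto"
pass out quick on em3 proto ah from 192.0.2.235 to 198.51.100.153 keep state label "IPSEC: Close Consultants - outbound ah proto"
pass in quick on em3 proto ah from 198.51.100.153 to 192.0.2.235 keep state label "IPSEC: Close Consultants - inbound ah proto"
pass in quick on em3 proto tcp from any to 192.0.2.10 port = 22 keep state label "USER_RULE: ssh to firewall"
"""

if __name__ == "__main__":
    real_if_addr, peer = "192.0.2.10", "198.51.100.153"
    for r in wrong_endpoint(SAMPLE_RULES, real_if_addr):
        print(f"wrong local endpoint {r['local']} (wanted {real_if_addr}): {r['label']}")
    for triple in sorted(missing_rules(SAMPLE_RULES, real_if_addr, peer), key=str):
        print("missing rule for real interface address:", triple)
```

On a live box the same check can be run against `pfctl -sr` output instead of the status.php dump; the point is that "Phase 1 not completed" plus a reject of UDP/500 in the firewall log is exactly what a local-endpoint mismatch in these rules produces, so comparing the rules' local address with the configured tunnel endpoint is the first thing to verify.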
