I am running failover ipsec at home and work with no issues.  I am
using a public IP as one of the carp ips but I am not running a 1:1.
I almost wonder if the 1:1 is stepping on the IPSEC connection.

On 3/19/06, Peter Curran <[EMAIL PROTECTED]> wrote:
> Scott
>
> Let me explain the chain of events...
>
> I set up two pfsense boxes as a high-availability pair.  They have a number of
> CARP addresses configured, the ones on the WAN are mostly passed through to
> the LAN via 1:1 NAT.  One single address is used for the logical firewall
> itself CARP-FW.
>
> I tried to setup an IPsec tunnel from a remote box to the LAN network using
> the CARP-FW address as the tunnel end-point address.  I then set this in the
> Failover IPsec dialog (along with the LAN address of the peer).  I saved this
> config, but the tunnel failed to come up - Phase 1 not completed.
>
> I then decided to just setup a tunnel to the real WAN address of one of the
> firewalls and test this worked OK, then try the CARP approach again.  To do
> this I disabled the Failover IPsec settings via the tickbox and reconfigured
> the tunnel endpoint address on both systems.  No luck with this config so I
> checked the firewall logs, and sure enough incoming UDP/500 packets are being
> rejected between the tunnel endpoints.  I then used status.php to look at the
> firewall config 'in the raw' and saw that the rules are like this...
>
> pass out quick on em3 proto udp from x.x.x.235 to y.y.y.153 port = 500 keep state label "IPSEC: Close Consultants - outbound isakmp"
> pass in quick on em3 proto udp from y.y.y.153 to x.x.x.235 port = 500 keep state label "IPSEC: Close Consultants - inbound isakmp"
> pass out quick on em3 proto esp from x.x.x.235 to y.y.y.153 keep state label "IPSEC: Close Consultants - outbound esp proto"
> pass in quick on em3 proto esp from y.y.y.153 to x.x.x.235 keep state label "IPSEC: Close Consultants - inbound esp proto"
> pass out quick on em3 proto ah from x.x.x.235 to y.y.y.153 keep state label "IPSEC: Close Consultants - outbound ah proto"
> pass in quick on em3 proto ah from y.y.y.153 to x.x.x.235 keep state label "IPSEC: Close Consultants - inbound ah proto"
>
> The x.x.x.235 address is the CARP-FW address (supposedly disabled) not the
> real FW address.
>
> I zeroed all the Failover IPsec boxes and saved the config, the tunnel came up
> immediately and the firewall rules are just fine.
>
> This is BETA-2.
>
> Incidentally, this is only one of a small plague of problems with CARP - I am
> trying to reproduce some of the problems now so I can document them
> correctly.
>
> Cheers
>
> /Peter
>
> On Saturday 18 March 2006 18:02, Scott Ullrich wrote:
> > Not sure what you mean.  Can you show me an example of the rule?
> >
> > On 3/18/06, Peter Curran <[EMAIL PROTECTED]> wrote:
> > > The firewall rules to manage IPsec are being based on the (CARP) address
> > > entered in the Failover IPsec dialog irrespective of the setting of the
> > > Enable checkbox in the Failover IPsec dialog.
> > >
> > > The only way to stop it doing this has been to remove all the entries.
> > >
> > > /Peter
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content by MailScanner, and is
> > > believed to be clean.
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> >
>
>
>


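As an added illustration of the behaviour Peter describes (this is example code written for this page, not pfSense's own filter-generation code), the script below models how the per-tunnel pf pass rules should pick their local endpoint: the Failover IPsec CARP address only when the Failover IPsec "Enable" box is ticked, and the box's real WAN address otherwise. It then emits the same six rules (isakmp, esp, ah; in and out) in the shape pasted from status.php above, and checks that a disabled CARP address no longer appears in them. The interface name em3, the tunnel label and all addresses (RFC 5737 test ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example, not pfSense code. Models the endpoint choice for the IPsec
# pass rules: Failover IPsec CARP address only when the "Enable" box is on,
# otherwise the real WAN address. The bug reported in the thread is that the
# CARP address was used even with the box unticked.
#
# Interface (em3), label and addresses are constructed for this example.

# ipsec_endpoint <failover_enabled yes|no> <carp_ip> <wan_ip>
# Prints the local address the tunnel rules must be generated from.
ipsec_endpoint() {
    case "$1" in
        yes) printf '%s\n' "$2" ;;   # failover on: CARP-FW address
        *)   printf '%s\n' "$3" ;;   # failover off or unset: real WAN address
    esac
}

# ipsec_rules <iface> <local_ip> <remote_ip> <label>
# Emits the six pass rules written per tunnel (isakmp, esp, ah; in and out),
# in the same shape as the ones shown by status.php in the thread.
ipsec_rules() {
    iface=$1; lip=$2; rip=$3; label=$4
    printf 'pass out quick on %s proto udp from %s to %s port = 500 keep state label "IPSEC: %s - outbound isakmp"\n' \
        "$iface" "$lip" "$rip" "$label"
    printf 'pass in quick on %s proto udp from %s to %s port = 500 keep state label "IPSEC: %s - inbound isakmp"\n' \
        "$iface" "$rip" "$lip" "$label"
    for proto in esp ah; do
        printf 'pass out quick on %s proto %s from %s to %s keep state label "IPSEC: %s - outbound %s proto"\n' \
            "$iface" "$proto" "$lip" "$rip" "$label" "$proto"
        printf 'pass in quick on %s proto %s from %s to %s keep state label "IPSEC: %s - inbound %s proto"\n' \
            "$iface" "$proto" "$rip" "$lip" "$label" "$proto"
    done
}

# rules_mention <addr>: reads rules on stdin, exit 0 if any rule uses <addr>.
# Catches the symptom from the thread: a supposedly disabled CARP address
# still present in the generated ruleset.
rules_mention() {
    grep -q -F "$1"
}

# Constructed scenario: CARP-FW address, real WAN address, remote peer.
CARP_FW=203.0.113.235
WAN_REAL=192.0.2.10
PEER=198.51.100.153
LABEL="Close Consultants"

# generate_for <failover_enabled yes|no>: the rules for this scenario.
generate_for() {
    ipsec_rules em3 "$(ipsec_endpoint "$1" "$CARP_FW" "$WAN_REAL")" "$PEER" "$LABEL"
}

# Demo: with failover off, the CARP address must not appear anywhere.
echo "== Failover IPsec enabled =="
generate_for yes
echo "== Failover IPsec disabled =="
generate_for no
if generate_for no | rules_mention "$CARP_FW"; then
    echo "BUG: CARP address $CARP_FW still used with Failover IPsec disabled" >&2
else
    echo "OK: rules use the real WAN address $WAN_REAL"
fi
```

On a live box the same check can be run against the loaded ruleset rather than a model of it: `pfctl -sr | grep IPSEC` lists the IPsec pass rules pf actually has, and the address in the `from`/`to` fields should match whichever endpoint the Failover IPsec setting currently selects.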