IPSEC with CARP public IP's and Racoon
Scott Ullrich
sullrich at gmail.com
Wed Jul 6 18:34:22 GMT 2005
Greetings list!
I've been playing around with failover VPN and have run into some
interesting results that I cannot honestly explain.
When trying to set up a failover VPN situation we set up 2 public IPs
with racoon listening on the CARP IP, etc. This all works great and
the tunnel gets established when I ping from one firewall to the other
firewall's LAN IP.
But for some reason when pinging from clients behind the IPsec tunnel
the kernel seems to get confused and routes the traffic out even with
the setkey policy in place. Changing the public IPs to non-CARP
IPs fixes the problem and everything works perfectly.
So my question is, has anyone gotten this situation to work? I have
recently ported sasyncd from open and would love to use it
http://www.pfsense.com/downloads/other/sasyncd.tgz ... ;)
Here's some ASCII art of the setup:
http://www.pfsense.com/failover-vpn.txt
Any pointers or questions would be greatly helpful to try and figure out
why IPsec doesn't play well with CARP.
Thanks again in advance!
Scott
More information about the freebsd-pf mailing list