Bug #15664
IPsec VTI firewall rules not syncing in HA setup
Status: closed
Description
Seems to be a failure in the way the syncing is done with pfSense in High Availability.
Two systems in HA.
On Master, I can create an IPsec tunnel with phase 2 VTI settings. Static routes are created on the Master. Firewall rules are created under the newly assigned VTI interface.
All changes are synced to Backup except interface creation which is expected. IPsecX interface is assigned with the same name as it is on the secondary.
Firewall rules are not synced across.
Testing failover, the failover works as expected as the Backup does bring up the IPsec tunnel, but because there are no rules under the IPsecX interface no traffic is able to cross.
You can't assign the VTI interface for CARP.
This seems like a limitation in how IPsec VTI tunnels are done within pfSense.