Bug #15685
closed
Mobile IPsec does not automatically switch to failover gateway
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.11
Release Notes: Default
Affected Version: 2.7.2
Affected Architecture:
Description
After failing over to a backup WAN interface, the clients were unable to connect using the backup WAN's IP address. Upon inspection of the swanctl.conf file, it was discovered that the local_addrs parameter still contained the IP address of the Primary WAN.
After failing over to the backup WAN interface, the following logs document the clients' attempted connections.
Aug 15 15:42:14 charon 39479 14[NET] <23> received packet: from 172.21.10.11[500] to 172.21.10.103[500] (370 bytes)
Aug 15 15:42:14 charon 39479 14[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Aug 15 15:42:14 charon 39479 14[CFG] <23> looking for an IKEv2 config for 172.21.10.103...172.21.10.11
Aug 15 15:42:14 charon 39479 14[IKE] <23> no IKE config found for 172.21.10.103...172.21.10.11, sending NO_PROPOSAL_CHOSEN
Aug 15 15:42:14 charon 39479 14[ENC] <23> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 15 15:42:14 charon 39479 14[NET] <23> sending packet: from 172.21.10.103[500] to 172.21.10.11[500] (36 bytes)
Aug 15 15:42:14 charon 39479 14[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => DESTROYING
After restarting the IPsec service under VPN/IPsec/Tunnels, the issue was resolved. Following the service restart, the swanctl.conf file contained the correct local_addrs entry.
The config file used for testing is attached.
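A check for the condition described in this report, as an added example that is not part of the original ticket or of the project's code: it compares the local address in charon's "no IKE config found" messages with the local_addrs values in swanctl.conf and reports addresses that clients reach but no connection lists. The log lines are copied from the report; the address 192.0.2.10 and the connection name con-mobile are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# charon message logged when no connection matches the packet's local address
NO_CFG = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?),")
LOCAL_ADDRS = re.compile(r"^[ \t]*local_addrs[ \t]*=[ \t]*(.+)$", re.M)

# Log lines copied from the report above
SAMPLE_LOG = """\
Aug 15 15:42:14 charon 39479 14[CFG] <23> looking for an IKEv2 config for 172.21.10.103...172.21.10.11
Aug 15 15:42:14 charon 39479 14[IKE] <23> no IKE config found for 172.21.10.103...172.21.10.11, sending NO_PROPOSAL_CHOSEN
"""
# Constructed config: 192.0.2.10 stands in for the primary WAN address
STALE_CONF = "connections {\n  con-mobile {\n    local_addrs = 192.0.2.10\n  }\n}\n"


def configured_local_nets(swanctl_text):
    """Networks named by every local_addrs line; a single IP becomes a /32 or /128."""
    nets = []
    for value in LOCAL_ADDRS.findall(swanctl_text):
        for item in value.split("#")[0].split(","):
            try:
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
            except ValueError:
                pass  # hostnames and a-b ranges are not evaluated here
    return nets


def unmatched_local_addrs(log_text, swanctl_text):
    """Count rejected IKE_SA_INIT requests per local address that no local_addrs entry covers."""
    nets = configured_local_nets(swanctl_text)
    if not nets:
        return {}  # no local_addrs set: connections accept any local address
    hits = Counter()
    for local, _remote in NO_CFG.findall(log_text):
        try:
            addr = ipaddress.ip_address(local)
        except ValueError:
            continue
        if not any(addr in net for net in nets):
            hits[local] += 1
    return dict(hits)


if __name__ == "__main__":
    for addr, count in unmatched_local_addrs(SAMPLE_LOG, STALE_CONF).items():
        print(f"{count} request(s) to {addr} rejected; address not in local_addrs")
```

A non-empty result after a gateway failover indicates that swanctl.conf was not regenerated with the new interface address.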