Bug #1698

closed

IPSec tunnel from CARP backup interface

Added by Michele Di Maria almost 13 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 07/20/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Hello,
This is what happens. When I create an IPSec tunnel I set as interface a CARP IP address in order to let the tunnel work with both machines. If the primary machine fails, the backup machine will initiate the IPSec session using the shared IP. This has undoubted advantages in managing IPSec VPNs, especially when you have to deal with other companies that can't change your endpoint easily or that can't manage a "failover double endpoint".

What happens is that the secondary machine is trying to negotiate the IPSec session all the time, even if the interface chosen as local endpoint is a CARP interface in backup state. Actually the only real problem of this is "annoying" the remote endpoint (in case they have an IDS installed, it can lead to banning the primary IP of the secondary machine or the network); then, just in principle, this is an operation that the secondary machine should not do... this is why I set a low priority on this issue.

Do you think it would be useful for the IPSec service to check if the local endpoint is a "backup state interface" and then just end the attempt to establish an IPSec session?

Thanks,
Michele
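An added example of the check the report asks for, written as POSIX shell over a constructed ifconfig sample; it is not code from the report or from pfSense. It reads the CARP state of the interface holding the local endpoint address and declines to start IKE when that state is BACKUP (or INIT), so a standby node never pokes the remote peer.

```shell
#!/bin/sh
# Added example: decide whether this node may initiate an IPsec tunnel whose
# local endpoint is a CARP VIP, based on the VIP's CARP state in ifconfig output.
# Not pfSense's own code; the sample output and addresses are constructed.

# Constructed sample in the FreeBSD 8 / pfSense 2.0 style (carpN devices).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.11 netmask 0xffffff00 broadcast 192.0.2.255
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 198.51.100.1 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0'

# carp_state_for_ip IFCONFIG_TEXT IP
# Prints MASTER, BACKUP or INIT for the CARP interface carrying IP, or NONE when
# the address is absent or sits on a plain (non-CARP) interface.
carp_state_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[^ \t]/ { if (hit) exit; state = "" }   # new interface block; stop once the VIP block ends
        $1 == "inet" && $2 == ip { hit = 1 }      # the VIP lives in this block
        $1 == "carp:" { state = $2 }              # "carp: BACKUP vhid 1 ..."
        END { out = "NONE"; if (hit && state != "") out = state; print out }
    '
}

# should_initiate_ipsec IFCONFIG_TEXT LOCAL_ENDPOINT_IP
# Returns 0 when this node may start IKE for the tunnel, 1 when the local
# endpoint is a CARP VIP that this node does not currently hold.
should_initiate_ipsec() {
    case "$(carp_state_for_ip "$1" "$2")" in
        BACKUP|INIT) return 1 ;;
        *)           return 0 ;;
    esac
}

# Demonstration on the constructed sample; on a real node pass "$(ifconfig)"
# instead of the sample before starting the tunnel.
for vip in 192.0.2.1 198.51.100.1 192.0.2.11; do
    if should_initiate_ipsec "$SAMPLE_IFCONFIG" "$vip"; then
        echo "$vip: state $(carp_state_for_ip "$SAMPLE_IFCONFIG" "$vip"), start IKE"
    else
        echo "$vip: state $(carp_state_for_ip "$SAMPLE_IFCONFIG" "$vip"), backup node, skip"
    fi
done
```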
