Project

General

Profile

Bug #8359

Packets from phase1 bound to CARP VIP do not have the right source address

Added by Louis Sautier over 2 years ago. Updated over 2 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
03/05/2018
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.2_1
Affected Architecture:

Description

Hello,
I have a cluster with one member having a wan IP of 192.168.0.1. I have configured a CARP VIP of 192.168.0.10 on the wan interface.
I have several phase1 configurations, all of them are bound to the VIP Interface and the ipsec logs show:

charon: 05[NET] <con73000|1> sending packet: from 192.168.0.10[500] to xxxxxxxx[500] (360 bytes)

However, running tcpdump on the wan interface shows that the packets are not sent from the VIP but from the interface address:
IP 192.168.0.1.500 > xxxxxxx.500: isakmp: phase 1 I agg

I had to force an outbound NAT in order for my packets to originate from the VIP and not the interface address.

I have a similar setup in a 2.3 cluster and I don't see this behaviour. The mismatch between the logs and the actual packet makes me think that this is a bug.

History

#1 Updated by Jim Pingle over 2 years ago

  • Status changed from New to Not a Bug

It is working fine here sourcing from a CARP VIP, you likely have some other configuration error causing this (like using outbound NAT with a source of 'any' or another too-broad source that NATs WAN itself).

Follow up on the forum, pfSense subreddit, or mailing list for help with your configuration.

Also available in: Atom PDF