Bug #8359
closed
Packets from phase1 bound to CARP VIP do not have the right source address
0%
Description
Hello,
I have a cluster with one member having a wan IP of 192.168.0.1. I have configured a CARP VIP of 192.168.0.10 on the wan interface.
I have several phase1 configurations, all of them are bound to the VIP Interface and the ipsec logs show:
charon: 05[NET] <con73000|1> sending packet: from 192.168.0.10[500] to xxxxxxxx[500] (360 bytes)
However, running tcpdump on the wan interface shows that the packets are not sent from the VIP but from the interface address:
IP 192.168.0.1.500 > xxxxxxx.500: isakmp: phase 1 I agg
I had to force an outbound NAT in order for my packets to originate from the VIP and not the interface address.
I have a similar setup in a 2.3 cluster and I don't see this behaviour. The mismatch between the logs and the actual packet makes me think that this is a bug.
Updated by Jim Pingle about 6 years ago
- Status changed from New to Not a Bug
It is working fine here sourcing from a CARP VIP, you likely have some other configuration error causing this (like using outbound NAT with a source of 'any' or another too-broad source that NATs WAN itself).
Follow up on the forum, pfSense subreddit, or mailing list for help with your configuration.