Actions
Bug #8359
closed
Packets from phase1 bound to CARP VIP do not have the right source address
Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
03/05/2018
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.2_1
Affected Architecture:
Description
Hello,
I have a cluster with one member having a wan IP of 192.168.0.1. I have configured a CARP VIP of 192.168.0.10 on the wan interface.
I have several phase1 configurations, all of them are bound to the VIP Interface and the ipsec logs show:
charon: 05[NET] <con73000|1> sending packet: from 192.168.0.10[500] to xxxxxxxx[500] (360 bytes)
However, running tcpdump on the wan interface shows that the packets are not sent from the VIP but from the interface address:
IP 192.168.0.1.500 > xxxxxxx.500: isakmp: phase 1 I agg
I had to force an outbound NAT in order for my packets to originate from the VIP and not the interface address.
I have a similar setup in a 2.3 cluster and I don't see this behaviour. The mismatch between the logs and the actual packet makes me think that this is a bug.
Updated by
Actions