From: Scott Ullrich <sullrich@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 6 Jul 2005 14:34:20 -0400
Subject: IPSEC with CARP public IP's and Racoon
List-Id: Technical discussion and general questions about packet filter (pf)

Greetings list!

I've been playing around with failover VPN and have run into some interesting results that I cannot honestly explain.

When trying to set up a failover VPN situation, we set up two public IPs with racoon listening on the CARP IP, etc. This all works great and the tunnel gets established when I ping from one firewall to the other firewall's LAN IP. But for some reason, when pinging from clients behind the IPsec tunnel, the kernel seems to get confused and routes the traffic out even with the setkey policy in place. Changing the public IPs to non-CARP IPs fixes the problem and everything works perfectly.

So my question is, has anyone gotten this situation to work? I have recently ported sasyncd from open and would love to use it: http://www.pfsense.com/downloads/other/sasyncd.tgz ... ;)

Here's some ASCII art of the setup: http://www.pfsense.com/failover-vpn.txt

Any pointers or questions would be greatly helpful to try and figure out why IPsec doesn't play well with CARP.

Thanks again in advance!

Scott
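As an added example (not code from the post, pfSense or racoon), this is the shape of the KAME setkey SPD policy the message describes, a LAN-to-LAN tunnel whose endpoints are the CARP shared public addresses, together with a check that a captured setkey -DP dump actually carries that tunnel. All addresses are constructed placeholders from documentation ranges, and the dump text is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the setkey(8) SPD
# entries for a LAN-to-LAN tunnel between two CARP shared IPs and checks a
# captured `setkey -DP` dump for that tunnel spec. Addresses are assumptions.

LOCAL_LAN=192.168.1.0/24      # assumption: LAN behind firewall A
REMOTE_LAN=192.168.2.0/24     # assumption: LAN behind firewall B
LOCAL_VIP=203.0.113.10        # assumption: CARP shared public IP of A
REMOTE_VIP=198.51.100.10      # assumption: CARP shared public IP of B

# spd_policy LOCAL_LAN REMOTE_LAN LOCAL_VIP REMOTE_VIP
# Prints the two spdadd lines (outbound and inbound). Using the CARP IPs as
# tunnel endpoints keeps the policy identical on both cluster members, so the
# same file can be loaded on master and backup.
spd_policy() {
  printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
    "$1" "$2" "$3" "$4"
  printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
    "$2" "$1" "$4" "$3"
}

# spd_has_tunnel DUMP LOCAL_VIP REMOTE_VIP
# Returns 0 when the dump contains a tunnel entry between the two VIPs, so
# an operator can confirm the policy that is really installed in the kernel
# names the CARP address rather than a physical interface address.
spd_has_tunnel() {
  printf '%s\n' "$1" | grep -q "esp/tunnel/$2-$3/require"
}

# Constructed sample of what `setkey -DP` prints once the policy is loaded.
SAMPLE_DUMP='192.168.1.0/24[any] 192.168.2.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.10-198.51.100.10/require
	spid=1 seq=1 pid=100
	refcnt=1'

# Stand-alone run: print the policy, then verify the sample dump.
spd_policy "$LOCAL_LAN" "$REMOTE_LAN" "$LOCAL_VIP" "$REMOTE_VIP"
if spd_has_tunnel "$SAMPLE_DUMP" "$LOCAL_VIP" "$REMOTE_VIP"; then
  echo "SPD carries tunnel $LOCAL_VIP-$REMOTE_VIP"
else
  echo "SPD missing tunnel $LOCAL_VIP-$REMOTE_VIP" >&2
fi
```

Load the generated lines with `setkey -c` on each firewall and compare `setkey -DP` output on master and backup; a policy whose endpoints differ between the two members, or that names a physical address instead of the CARP one, is the first thing to rule out.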