I'm running two CARP-mirrored firewalls, and want to configure an IPSec VPN. Naturally, the virtual WAN address should be used for all traffic, so I configured only the virtual IP as "Local addresses".
When initiating a connection via the IPSec status page, the logfile shows "sending packet: from <virtual IP>[500] to <remote IP>[500]", but this is a blatant lie: checking with "tcpdump -ni <wanif> port 500" on the WAN interface, actual traffic is using the primary WAN IP address, not the VIF.
As a workaround, I added all WAN IPs on the remote FW as well, which seems to work:
- When initiating from the remote FW, phase 1 and phase 2 will use the virtual IP as expected
- When initiating on the CARP master FW(*), phase 1 traffic uses the primary IP, while phase 2 uses the virtual IP
(*) Note: Starting the connection by pressing the connect button in "Status Overview" doesn't work (nothing logged on any loglevel); to initiate the connection, the setting needs to be disabled and re-enabled.
Anything that I might miss?
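The mismatch described above (the daemon logs one source address, the packets on the wire carry another) is easy to miss by eye in a long log. The following script is an added example, not code from the original post or from OPNsense/strongSwan: it cross-checks charon "sending packet: from X[500] to Y[500]" lines against the output of "tcpdump -ni <wanif> port 500" for one peer and flags any IKE source address the log claims but the interface never saw. All log and tcpdump lines are constructed samples using RFC 5737 documentation addresses (198.51.100.10 standing in for the CARP VIP, 198.51.100.2 for the primary WAN IP, 203.0.113.10 for the remote peer); the tcpdump line layout assumed is the default "IP src.port > dst.port: isakmp ..." format.

```python
"""Cross-check the IKE source address charon logs against what tcpdump sees.

Added example, not part of the original forum post. Constructed sample data:
  - CHARON_LOG: lines as charon prints them ("sending packet: from X[500] to Y[500]")
  - TCPDUMP_MASTER: what "tcpdump -ni <wanif> port 500" shows when the primary
    WAN address is used on the wire (the situation described in the post)
  - TCPDUMP_OK: the same capture if the CARP VIP were used as expected
"""
import re
from collections import Counter

VIP = "198.51.100.10"        # constructed: CARP virtual WAN address
PRIMARY = "198.51.100.2"     # constructed: primary WAN address of the master
PEER = "203.0.113.10"        # constructed: remote firewall

CHARON_LOG = f"""\
15[NET] sending packet: from {VIP}[500] to {PEER}[500] (464 bytes)
15[NET] sending packet: from {VIP}[500] to {PEER}[500] (256 bytes)
"""

TCPDUMP_MASTER = f"""\
20:21:05.123456 IP {PRIMARY}.500 > {PEER}.500: isakmp: parent_sa ikev2_init[I]
20:21:05.234567 IP {PEER}.500 > {PRIMARY}.500: isakmp: parent_sa ikev2_init[R]
20:21:05.345678 IP {PRIMARY}.500 > {PEER}.500: isakmp: child_sa  ikev2_auth[I]
"""

TCPDUMP_OK = f"""\
20:21:05.123456 IP {VIP}.500 > {PEER}.500: isakmp: parent_sa ikev2_init[I]
20:21:05.234567 IP {PEER}.500 > {VIP}.500: isakmp: parent_sa ikev2_init[R]
"""

# charon: "sending packet: from <ip>[<port>] to <ip>[<port>]"
LOG_RE = re.compile(r"sending packet: from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")
# tcpdump -n: "IP <src>.<port> > <dst>.<port>: ...isakmp..." (also matches
# NAT-T on 4500, which tcpdump prints as "NONESP-encap: isakmp")
DUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .*isakmp"
)


def logged_sources(log_text, peer):
    """Source addresses charon claims to send from, for packets to `peer`."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(3) == peer:
            counts[m.group(1)] += 1
    return counts


def wire_sources(dump_text, peer):
    """Source addresses actually seen on the interface for IKE sent to `peer`."""
    counts = Counter()
    for line in dump_text.splitlines():
        m = DUMP_RE.search(line)
        if m and m.group(3) == peer:        # only our outbound direction
            counts[m.group(1)] += 1
    return counts


def compare(log_text, dump_text, peer):
    """Return which addresses the log and the wire disagree on."""
    logged = set(logged_sources(log_text, peer))
    on_wire = set(wire_sources(dump_text, peer))
    return {
        "logged": logged,
        "on_wire": on_wire,
        "unexpected_on_wire": on_wire - logged,   # used but never logged
        "mismatch": logged != on_wire,
    }


if __name__ == "__main__":
    for name, dump in (("master", TCPDUMP_MASTER), ("expected", TCPDUMP_OK)):
        r = compare(CHARON_LOG, dump, PEER)
        print(f"{name}: logged={sorted(r['logged'])} on_wire={sorted(r['on_wire'])} "
              f"mismatch={r['mismatch']}")
```

Feed it a real charon log and a real capture (`tcpdump -ni <wanif> -l port 500 or port 4500`) for the peer in question; a non-empty "unexpected_on_wire" set is exactly the symptom in the post, and it is also the address the remote side's firewall and peer definition must accept until the source address is pinned down.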
Quote from: Andreas_ on November 06, 2025, 08:20:35 PM
I'm running two CARP-mirrored firewalls, and want to configure an IPSec VPN. Naturally, the virtual WAN address should be used for all traffic
So you have to translate the outbound traffic with a NAT rule.