OPNsense Forum

English Forums => High availability => Topic started by: iislas18 on August 23, 2021, 10:03:27 pm

Title: IPsec with HA and Carp failover issue
Post by: iislas18 on August 23, 2021, 10:03:27 pm
Running into an issue with IPsec: I have a pair of firewalls with HA and a single OPNsense firewall. The IPsec tunnel is able to establish on the primary firewall with the WAN1 VIP, but when I enter CARP maintenance mode the IPsec tunnel does not establish on the standby firewall when it's active. The only way I can get this to work is utilizing DPD with a time of 1 second and an action of restart on the standalone firewall. I do have MOBIKE disabled on the HA pair and the standalone firewall.

Firewall version: 21.7.1

Any help is appreciated.
Title: Re: IPsec with HA and Carp failover issue
Post by: skydiablo on December 21, 2022, 12:23:59 pm
Old topic, but same problem! So you mentioned some workarounds in your question; is this the way to go?

Regards, Volker.
Title: Re: IPsec with HA and Carp failover issue
Post by: groiser_sm on February 02, 2023, 02:48:50 pm
Hello All,

I have a slightly different question, but in the same area (HA and IPsec VPN).

Could you guys help me with the idea to pick a method to disable IPsec on the standby node?

The only idea I have is to configure FRR and run OSPF with the upstream router. After that it will be possible to advertise 0.0.0.0/0 to both the active and standby OPNsenses and to disable FRR on the standby, so the VPN establishment process could be started only from the active node with the default route.

Kind regards,
Serg GR
Title: Re: IPsec with HA and Carp failover issue
Post by: renow on February 09, 2023, 09:04:45 pm
Hi,

You just have to attach the IPsec tunnel to the VIP interface, so it won't be able to go up if it doesn't own the VIP.

Regards,
Renaud.
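To show what "attach the tunnel to the VIP" looks like in the strongSwan backend, here is an added swanctl.conf fragment (not from this thread or the OPNsense project); it assumes strongSwan's swanctl format, a placeholder WAN1 VIP of 203.0.113.10, a placeholder standalone peer of 198.51.100.20, and placeholder subnets and PSK.

```conf
# Added example: strongSwan swanctl.conf fragment binding IKE to the CARP VIP.
# Assumptions: swanctl format, placeholder VIP 203.0.113.10, placeholder
# peer 198.51.100.20, placeholder subnets and pre-shared key.
connections {
    ha-to-standalone {
        # Source IKE only from the CARP VIP, not the node's own WAN address.
        # The standby node does not hold the VIP, so its IKE daemon cannot
        # send from it and the tunnel stays down until it becomes CARP master.
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        version = 2
        # MOBIKE off, as in the thread, so the peer never switches to a
        # node's real (non-VIP) address.
        mobike = no
        # DPD lets the side that survives a failover notice the dead SA
        # and re-initiate against the VIP.
        dpd_delay = 10s
        local  { auth = psk; id = 203.0.113.10 }
        remote { auth = psk; id = 198.51.100.20 }
        children {
            net {
                local_ts  = 10.0.1.0/24   # placeholder HA-side subnet
                remote_ts = 10.0.2.0/24   # placeholder standalone-side subnet
                dpd_action   = restart
                start_action = start
            }
        }
    }
}

secrets {
    ike-ha {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        secret = "CHANGE-ME-placeholder-psk"
    }
}
```

The same `dpd_delay` / `dpd_action = restart` pair on the standalone peer is what the first post used as a workaround; with the VIP binding in place the DPD interval can be relaxed from 1 second, since the standby no longer competes for the SA.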