OPNsense Forum » English Forums » High availability » IPsec with HA and Carp failover issue
Topic: IPsec with HA and Carp failover issue (Read 4687 times)
iislas18 (Newbie, Posts: 19, Karma: 0)
IPsec with HA and Carp failover issue
« on: August 23, 2021, 10:03:27 pm »
Running into an issue with IPsec: I have a pair of firewalls with HA and a single OPNsense firewall. The IPsec tunnel is able to establish on the primary firewall with the WAN1 VIP, but when I enter CARP maintenance mode the IPsec tunnel does not establish on the standby firewall when it's active. The only way I can get this to work is utilizing DPD with a time of 1 second and an action of restart on the standalone firewall. I do have MOBIKE disabled on the HA pair and the standalone firewall.
Firewall version: 21.7.1
Any help is appreciated.
« Last Edit: August 23, 2021, 10:14:48 pm by iislas18 »

skydiablo (Newbie, Posts: 45, Karma: 1)
Re: IPsec with HA and Carp failover issue
« Reply #1 on: December 21, 2022, 12:23:59 pm »
Old topic, but same problem! So you mentioned some workarounds in your question; is this the way to go?
Regards, volker.

groiser_sm (Newbie, Posts: 1, Karma: 0)
Re: IPsec with HA and Carp failover issue
« Reply #2 on: February 02, 2023, 02:48:50 pm »
Hello All,
I have a slightly different question, but in the same area (HA and IPsec VPN).
Could you guys help me with the idea to pick a method to disable IPsec on the standby node?
The only idea I have is to configure FRR and run OSPF with the upstream router. After that it will be possible to advertise 0.0.0.0/0 to both the active and standby OPNsenses and to disable FRR on the standby, so the VPN establishment process could be started only from the active node with the default route.
Kind regards,
Serg GR

renow (Newbie, Posts: 12, Karma: 1)
Re: IPsec with HA and Carp failover issue
« Reply #3 on: February 09, 2023, 09:04:45 pm »
Hi,
You just have to attach the IPsec tunnel to the VIP interface, so it won't be able to go up if it doesn't own the VIP.
Regards,
Renaud.
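
Added example, not taken from the thread or from OPNsense's generated configuration: a sketch in strongSwan `ipsec.conf` syntax (strongSwan is the IKE daemon OPNsense uses) of the two settings discussed above, the HA pair's tunnel bound to the CARP VIP and the standalone peer's DPD restart workaround. The addresses (documentation ranges), connection names, subnets, PSK authentication and `auto=` choices are assumptions.

```conf
# Constructed example; every address, name and subnet is a placeholder.
# 203.0.113.10  = CARP VIP on WAN1 of the HA pair (assumed)
# 198.51.100.20 = WAN address of the standalone firewall (assumed)

# --- HA pair: the same connection exists on both nodes ---
conn ha-to-standalone
    keyexchange=ikev2
    mobike=no                  # disabled, as stated in the original post
    left=203.0.113.10          # local endpoint is the CARP VIP, not a node's own WAN address
    leftsubnet=10.10.0.0/24
    right=198.51.100.20
    rightsubnet=10.20.0.0/24
    authby=secret              # assumption: PSK, kept in ipsec.secrets (not shown)
    auto=add                   # assumption: HA side only responds; the peer initiates

# --- Standalone firewall ---
conn standalone-to-ha
    keyexchange=ikev2
    mobike=no                  # disabled, as stated in the original post
    left=198.51.100.20
    leftsubnet=10.20.0.0/24
    right=203.0.113.10         # peer is the VIP, so whichever HA node holds it answers
    rightsubnet=10.10.0.0/24
    authby=secret
    dpdaction=restart          # workaround from the original post: renegotiate when the peer goes silent
    dpddelay=1s                # the 1-second DPD time from the original post
    auto=start                 # assumption: this side initiates the tunnel
```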