How to IPSec Route 0.0.0.0 without breaking the CARP

Started by mliebherr, April 18, 2024, 12:31:02 PM

Hello,

a customer's remote site wants to have 0.0.0.0 as remote net in IPsec.
However, if we set this, the CARP traffic will follow that route, too.

Therefore my HA setup breaks because the HA nodes do not reach each other any more.

How do you set up IPsec with a remote net of 0.0.0.0 without breaking the local CARP address?

Thanks,
Michael

A policy-based VPN with 0.0.0.0? It installs policies with kernel routes.

What you need is probably a VTI-based IPsec tunnel; with that you can manually control the routes.

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html
Hardware:
DEC740
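To make the difference between the two approaches concrete, here is a small routing model I added to this thread; it is not code from the thread, from OPNsense or from the linked how-to, and the addresses, interface names and the table layout are constructed assumptions. It contrasts a policy-based tunnel, where a single "0.0.0.0/0" traffic selector swallows every destination including the HA peer, with a route-based (VTI) setup, where the kernel routing table picks the longest matching prefix, so the connected LAN route for the CARP/pfsync peer wins over the default route pointed at the tunnel.

```python
import ipaddress

# Constructed sample addresses (assumptions, not taken from the thread).
CARP_PEER = "192.168.1.2"        # the other HA node on the shared LAN
INTERNET_HOST = "203.0.113.10"   # traffic that really should use the tunnel

# Simplified model of a policy-based tunnel: one traffic selector.
# Every destination inside the selector is encapsulated, with no
# regard for whether a more specific, directly connected path exists.
def policy_based_next_hop(dst, remote_net="0.0.0.0/0"):
    if ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net):
        return "ipsec-tunnel"
    return "local"

# Simplified model of a route-based (VTI) setup: an ordinary routing
# table that the kernel resolves by longest-prefix match.
# Interface names are hypothetical.
ROUTE_TABLE = [
    ("0.0.0.0/0", "ipsec0"),       # default route via the VTI interface
    ("192.168.1.0/24", "vtnet0"),  # connected LAN holding the CARP/pfsync peer
]

def route_based_next_hop(dst, table=ROUTE_TABLE):
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        # Longest prefix wins: a /24 beats the /0 default route.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def compare(dst):
    """Show where each model sends a given destination."""
    return {
        "policy_based": policy_based_next_hop(dst),
        "route_based": route_based_next_hop(dst),
    }

if __name__ == "__main__":
    for host in (CARP_PEER, INTERNET_HOST):
        print(host, compare(host))
```

Running it shows the CARP peer going into the tunnel under the policy model but staying on the LAN interface under the route model, while the Internet host uses the VTI in both cases; that is the behaviour the reply above is pointing at when it says a VTI tunnel lets you control the routes yourself.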