IPSec tunnel occasionally establishes using wrong IP
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
IPSec tunnels on a HA-setup are randomly using the wrong interface IP to establish the connection.
I have a /29 public IPv4 subnet on a WAN interface. One IP is set up as a virtual CARP IP between two firewalls in a HA-setup.
- FW01 - x.y.z.171
- FW02 - x.y.z.172
- CARP - x.y.z.170 (allow service binding checked)
To Reproduce
Steps to reproduce the behavior:
- Configure an IPsec tunnel with a virtual CARP IP
- After a while it randomly switches to the non-CARP IP of the interface, which is wrong
Expected behavior
It should keep using the virtual CARP IP (in my case x.y.z.170).
Describe alternatives you considered
I had to add additional firewall rules to allow incoming connections to these non-CARP IPs of the individual firewalls as workaround.
Screenshots
All IPsec tunnels are using IKEv2 with the x.y.z.170 virtual IP, however some are connected after a while with the x.y.z.171, as seen below:

Relevant log files
IPsec logs show the 171 (wrong) for incoming and outgoing packets as well.
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 22.1.10 (amd64, OpenSSL).
I had the same problem. Tick "Disable MOBIKE" and you'll be fine ;-)
@Ketanest Thank you for this tip. It seems to be working so far.
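A way to spot the behaviour described in this report from the IPsec logs, as an added example that is not part of the issue or of OPNsense itself: the script scans charon-style "IKE_SA ... established between" lines and flags every IKE_SA whose local address is not the CARP VIP. The sample log lines and the documentation-range addresses standing in for x.y.z are constructed for the example, and the line format is modelled on charon's message rather than copied from the reporter's logs.

```python
import re
from typing import Dict, List

# Expected local address for every tunnel on the HA pair (assumption: the
# CARP VIP from the report, with a documentation prefix standing in for x.y.z).
CARP_VIP = "192.0.2.170"

# Constructed sample lines modelled on charon's "established between" message.
# The third line shows the reported symptom: con2 re-established from the
# firewall's own interface address instead of the CARP VIP.
SAMPLE_LOG = """\
Aug 10 09:00:01 fw01 charon[1234]: 05[IKE] <con1|3> IKE_SA con1[3] established between 192.0.2.170[192.0.2.170]...198.51.100.5[198.51.100.5]
Aug 10 09:00:02 fw01 charon[1234]: 07[IKE] <con2|4> IKE_SA con2[4] established between 192.0.2.170[192.0.2.170]...203.0.113.9[203.0.113.9]
Aug 10 11:42:17 fw01 charon[1234]: 12[IKE] <con2|9> IKE_SA con2[9] established between 192.0.2.171[192.0.2.171]...203.0.113.9[203.0.113.9]
"""

# Captures connection name, SA id, local and remote addresses (IPv4 or IPv6).
ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>[^\s\[]+)\[(?P<id>\d+)\] established between "
    r"(?P<local>[0-9a-fA-F.:]+)\[[^\]]*\]\.\.\.(?P<remote>[0-9a-fA-F.:]+)\["
)


def find_misbound_sas(log_text: str, expected_local: str = CARP_VIP) -> List[Dict[str, str]]:
    """Return every IKE_SA establishment whose local address is not the CARP VIP.

    Such an SA is bound to an address that does not follow a CARP failover,
    so the tunnel would not survive a switch to the other firewall.
    """
    findings = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m and m.group("local") != expected_local:
            findings.append({k: m.group(k) for k in ("conn", "id", "local", "remote")})
    return findings


def latest_local_per_connection(log_text: str) -> Dict[str, str]:
    """Most recent local address each connection was established from."""
    latest: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            latest[m.group("conn")] = m.group("local")
    return latest


if __name__ == "__main__":
    for f in find_misbound_sas(SAMPLE_LOG):
        print(f"{f['conn']}[{f['id']}] bound to {f['local']} (expected {CARP_VIP}), peer {f['remote']}")
```

Running it over the live IPsec log on both HA members gives a quick check that the MOBIKE change suggested in the thread actually stopped tunnels drifting to the interface IP.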