Hi,

I have to prepare an investigation on IPSec High Availability as an assignment at my college. After investigating various possibilities ranging between implementations of VRRP, HSRP and CARP (+ I took a look at Linux-HA too), I set up a test environment using pfSense and CARP. Following is a schematic overview of the net config I'm using (best viewed with fixed size fonts):

----
                            Internet
                               |
                               |   WAN virtual IP: 192.168.201.250
                               |   192.168.201.0/24
                               |
   +- x.x.x.251 ---------------+------------------------ x.x.x.252 -+
   |                                                                |
   |                                                                |
pfSense-1 -- x.x.x.251 ------ 10.250.250.0/24 ----- x.x.x.252 -- pfSense-2
   |                                                                |
   |                                                                |
   +- x.x.x.251 ---------------+------------------------ x.x.x.252 -+
                               |
                               |   192.168.30.0/24
                               |   LAN virtual IP: 192.168.30.250
----

I tested the above configuration both with pfSense v1.2.1 and the Aug 26th alpha snapshot. Of course I unchecked the 'filter out private networks' checkbox on the WAN interface. I'm using the Shrew Soft Windows VPN client for testing on Windows XP SP2.

Following are the findings using pfSense v1.2.1:

- The WAN and IPSec fail over seem to work; pfSense transitions from CARP Backup to CARP Active after pfSense-1 is turned off.
- I'm able to connect to the pfSense* VPN using any of the WAN IPs; however, the traffic passes the VPN tunnel ONLY if I connect using the real IPs (192.168.201.251 and 192.168.201.252), while when connecting to the virtual one (192.168.201.250) all pings to 192.168.30.250, 192.168.30.251 and 192.168.30.252 are failing. The packet tracking at pfSense-1 of a connection to the virtual IP shows ping Echo Requests are coming in, but there is no reply.
- An additional note: I was unable to get the DHCP fail over working, but this isn't critical to my tests.
- BTW: I didn't set any MAC address manually. I realized the virtual IPs are supposed to use a MAC from the 00-00-5e-00-01-XX range; however, I didn't see this. 'arp -a' executed on Windows showed the pfSense interfaces use the MAC address bb-bb-bb-bb-bb-00 (both the real and the virtual one).

Using the last alpha snapshot I first bumped into a bug when trying to configure the WAN interface IPs. I worked around it by modifying the interfaces_wan.php script, which overrides the $if variable after calling an include. I was unable to connect to the VPN using the last pfSense alpha. After a few hours of testing I gave up.

I would appreciate hints on how to get the demo working :)

Additionally, any hint on the following topics will be welcome too:

- I'm wondering if a TCP connection over VPN to an IPSec-HA gateway would survive a fail over? Let's say I have an SSH connection open + I'm copying a file from an intranet server to my Windows machine using CIFS (Windows sharing).
At this point pfSense-1 is turned off (please correct me) - the IPSec connection will be reestablished, meaning the VPN tunnel will be turned off and on again (well ... this is my understanding of data encryption - I guess the current encrypted data isn't synced between the HA nodes and so the encryption can't continue). If the VPN tunnel reestablishment will NOT bring down the Windows network interface, the copying and SSH session will just continue after IPSec Phase-2 is reestablished (I guess Phase-1 doesn't need to be reestablished).
- Don't AH and ESP have any IP payload (their packets) flow control built in like TCP has? << I'm wondering how the IPSec-HA takes care of just continuing the IPSec session if e.g. a sequence number is embedded into the AH / ESP packets?

Thanks,
Damir Dezeljin
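As an added example (not part of the original post or of pfSense), the following Python simulation of the RFC 4303 ESP anti-replay window shows what the VPN client's inbound SA does when a backup node takes over an SA whose outbound sequence counter was never synchronised: packets restarting at 1 fall left of the window and are dropped until Phase 2 is renegotiated, whereas a counter resumed past the last value is accepted. Window size and packet counts are constructed values.

```python
# Added illustration of the receiver-side ESP anti-replay window (RFC 4303, section 3.4.3)
# applied to an IPsec HA failover. Not from the original post; all numbers are constructed.


class ReplayWindow:
    """Anti-replay state for one inbound ESP SA: highest accepted seq plus a bitmap of
    the `size` most recent sequence numbers (RFC 4303 requires size >= 32, default 64)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False   # sequence number 0 is never valid for ESP
        mask = (1 << self.size) - 1
        if seq > self.top:
            # Newer than anything seen: slide the window right and mark seq.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False   # left of the window: too old, silently dropped
        if self.bitmap & (1 << offset):
            return False   # inside the window but already seen: replay
        self.bitmap |= 1 << offset
        return True


def simulate_failover(packets_before, packets_after, resume_seq=1, window=64):
    """Client receives `packets_before` ESP packets from the active node, then the backup
    node continues the same SA starting its counter at `resume_seq`.
    Returns (accepted_before, accepted_after)."""
    win = ReplayWindow(window)
    before = sum(win.check_and_update(s) for s in range(1, packets_before + 1))
    after = sum(win.check_and_update(s)
                for s in range(resume_seq, resume_seq + packets_after))
    return before, after


if __name__ == "__main__":
    # Unsynchronised counter (restarts at 1): every packet is dropped as too old.
    print(simulate_failover(5000, 100))                    # (5000, 0)
    # Counter synced to the last value on the active node: traffic continues.
    print(simulate_failover(5000, 100, resume_seq=5001))   # (5000, 100)
```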