
Topic: Packets from phase1 bound to CARP VIP do not have the right source address

slatt (Newbie, 11 posts) wrote:

I reported an issue which apparently isn't a bug:
I have a cluster with one member having a wan IP of I have configured a CARP VIP of on the wan interface.
I have several phase1 configurations, all of them are bound to the VIP Interface and the ipsec logs show:
    charon: 05[NET] <con73000|1> sending packet: from[500] to xxxxxxxx[500] (360 bytes)

However, running tcpdump on the wan interface shows that the packets are not sent from the VIP but from the interface address:
    IP > xxxxxxx.500: isakmp: phase 1 I agg

I had to force an outbound NAT in order for my packets to originate from the VIP and not the interface address. Before I added this rule, I had no outbound NATs defined.

I have a similar setup in a 2.3 cluster and I don't see this behaviour.
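An added check, not part of slatt's post or of pfSense/strongSwan, that correlates a charon "sending packet" log line with tcpdump output for the same IKE peer and reports when the address actually on the wire differs from the CARP VIP charon believes it is sending from; the addresses are constructed RFC 5737 documentation values standing in for the ones redacted in the post.

```python
import re

# Constructed sample data (the post redacts the real addresses).
VIP = "192.0.2.20"          # CARP VIP the phase 1 entries are bound to
CHARON_LINE = (
    "charon: 05[NET] <con73000|1> sending packet: "
    "from 192.0.2.20[500] to 198.51.100.7[500] (360 bytes)"
)
TCPDUMP_LINES = [
    "IP 203.0.113.9.500 > 192.0.2.20.500: isakmp: phase 1 R agg",  # unrelated peer
    "IP 192.0.2.10.500 > 198.51.100.7.500: isakmp: phase 1 I agg",  # interface addr!
]

# charon: "sending packet: from A[port] to B[port]"
CHARON_RE = re.compile(r"sending packet: from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")
# tcpdump: "IP A.port > B.port: isakmp"
TCPDUMP_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): isakmp")


def correlate_ike_source(charon_line, tcpdump_lines, vip):
    """Compare what charon claims as the IKE source with what tcpdump saw.

    Returns (verdict, claimed_source, wire_source):
      "ok"          - wire source equals the VIP
      "mismatch"    - wire source for the same peer is a different address
      "no-capture"  - no tcpdump line towards that peer
      "unparsed"    - charon line did not match the expected format
    """
    m = CHARON_RE.search(charon_line)
    if not m:
        return ("unparsed", None, None)
    claimed_src, peer = m.group(1), m.group(3)
    for line in tcpdump_lines:
        t = TCPDUMP_RE.search(line)
        if t and t.group(3) == peer:          # same destination peer as charon
            wire_src = t.group(1)
            verdict = "ok" if wire_src == vip else "mismatch"
            return (verdict, claimed_src, wire_src)
    return ("no-capture", claimed_src, None)


if __name__ == "__main__":
    print(correlate_ike_source(CHARON_LINE, TCPDUMP_LINES, VIP))
```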