Hi,

On Fri, Oct 19, 2012 at 8:10 PM, Tyler Morgan <tyl...@tradetech.net> wrote:
> On 10/19/2012 1:16 AM, Jim Miller wrote:
>>
>> Two part question:
>>
>> 1. Anyone had any success getting iked and carp working on OpenBSD 5.1
>> (amd64)?   We can get it working with isakmpd.  The issue seems to be
>> that iked wants to send out packets as the physical interface IP instead
>> of the carp IP.   iked documentation alludes to the fact that it should
>> work.
>

thanks for reporting, I can reproduce the problem.

>
> In my experience under 5.1 isakmpd wants to use the IP from the real
> physical interface instead of the virtual carp interface too, so I have to
> use the "local x.x.x.x" command in ipsec.conf, where x.x.x.x = my carp IP --
> this forces it onto the carp IP and all is well.
>
> iked.conf(5) has a similar "local" command. Does it not work?
>

It does not work. You can see that iked is setting the carp address
correctly but the address on the wire is the primary one. Fail. The
code doesn't bind() to the IP used in the "local" command and the
kernel uses the primary address for the related route.

btw. you can also specify "local carp0" instead of the IP address and
it will pick the interface's first address.

> and keep in mind the caveat:
>
> "iked is not yet finished and is missing some important security features.
>   It should not yet be used in production networks." -- iked(8)
>

Yeah, but we're working on it. I actually added this comment before
mikeb@ added support for SA expiration, lifetimes and retransmits. So
iked is still not ready, but the situation is much better now ;-)

reyk
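The bind() point reyk makes above, shown as an added example that is not part of the thread and not iked's code: a UDP socket that is only connect()ed gets its source address from the kernel's route lookup, which picks the interface's primary address, while a socket that is bind()ed to the intended local address first keeps that address on the wire. It assumes a Linux-style host where all of 127.0.0.0/8 is local on lo, and uses 127.0.0.1 as a stand-in for the physical interface address, 127.0.0.2 for the carp address and 127.0.0.3 for the IKE peer; those addresses, the port constant and the function names are the example's own choices.

```c
/*
 * Added example, not from the thread or from iked: demonstrate how the
 * kernel chooses the source address of a UDP socket when the daemon does
 * not bind(), and how bind() to the address given by "local" fixes it.
 *
 * Assumes a Linux-style host where 127.0.0.0/8 is local on lo:
 *   127.0.0.1  stands in for the physical interface's primary address
 *   127.0.0.2  stands in for the carp address ("local" in iked.conf)
 *   127.0.0.3  stands in for the IKE peer
 * On a system without such aliases, configure one first.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IKE_PORT	500	/* UDP port IKE uses; only illustrative here */

/*
 * Connect a UDP socket to 'peer' and report the source address the kernel
 * picked. If 'local' is non-NULL, bind() to it first (what iked should do
 * for the "local" address). Returns 0 on success, -1 on error; the source
 * address is written to 'out', which must hold INET_ADDRSTRLEN bytes.
 */
int
chosen_source(const char *local, const char *peer, char *out)
{
	struct sockaddr_in	 sin, src;
	socklen_t		 len;
	int			 s, rv = -1;

	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		return (-1);

	if (local != NULL) {
		memset(&sin, 0, sizeof(sin));
		sin.sin_family = AF_INET;
		sin.sin_port = 0;	/* any port; the address is the point */
		if (inet_pton(AF_INET, local, &sin.sin_addr) != 1 ||
		    bind(s, (struct sockaddr *)&sin, sizeof(sin)) == -1)
			goto done;
	}

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(IKE_PORT);
	if (inet_pton(AF_INET, peer, &sin.sin_addr) != 1)
		goto done;

	/*
	 * connect() on a UDP socket does the route lookup and fixes the
	 * source address without sending a packet, so getsockname() then
	 * shows exactly what would appear on the wire.
	 */
	if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) == -1)
		goto done;

	len = sizeof(src);
	if (getsockname(s, (struct sockaddr *)&src, &len) == -1)
		goto done;
	if (inet_ntop(AF_INET, &src.sin_addr, out, INET_ADDRSTRLEN) == NULL)
		goto done;
	rv = 0;
 done:
	close(s);
	return (rv);
}

/* 1 if the source address the kernel used equals 'want', else 0. */
int
source_matches(const char *local, const char *peer, const char *want)
{
	char	buf[INET_ADDRSTRLEN];

	if (chosen_source(local, peer, buf) == -1)
		return (0);
	return (strcmp(buf, want) == 0);
}

int
main(void)
{
	char	buf[INET_ADDRSTRLEN];

	/* No bind(): the kernel uses the primary address of the route. */
	if (chosen_source(NULL, "127.0.0.3", buf) == 0)
		printf("without bind(): source %s\n", buf);

	/* bind() to the "local" address: that address is used instead. */
	if (chosen_source("127.0.0.2", "127.0.0.3", buf) == 0)
		printf("with bind(127.0.0.2): source %s\n", buf);

	return (0);
}
```

On a Linux host the first line prints 127.0.0.1 and the second 127.0.0.2, which is the difference between the behaviour Tyler and Jim saw (carp address configured, primary address on the wire) and the intended one. The same applies to sendto() on an unconnected socket: without a prior bind(), each datagram's source comes from the route lookup, not from whatever address the daemon logged as "local".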
