Then there is also a question regarding how quick your CARP will fail over, e.g. what is your advskew on the backup node?

On 24 apr 2013, at 22:30, mxb <m...@alumni.chalmers.se> wrote:

> I'd start by looking at sasyncd and if it actually works.
> If it works 'netstat -rn' should show flows at the end of its output on the
> backup node.
>
> Encap:
> Source Port Destination Port Proto
> SA(Address/Proto/Type/Direction)
> <flows should be printed here>
>
> Next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do
> initial handshake and check their IP addresses. Are you sure your carp0 IP
> is talking and NOT em0 IP?
>
> I'd also force isakmpd to bind to specific IP (/etc/isakmpd/isakmpd.conf):
>
> [General]
> Listen-on= <your carp0 IP goes here>
> DPD-check-interval= 60
> Default-phase-1-lifetime= 3600,360:86400
> Default-phase-2-lifetime= 1200,160:86400
>
> If you do above you might need to specify srcid in your ipsec.conf:
>
> local_gw="<your carp0 IP goes here>"
>
> ike active esp……
> main ……
> quick …..
> srcid $local_gw
>
> //mxb
>
> On 24 apr 2013, at 20:33, R0me0 *** <knight....@gmail.com> wrote:
>
>> Hello misc,
>>
>> For a couple of days I have been fighting with OpenBSD+IPsec+sasyncd.
>> I have searched Google and misc, read the man pages and reviewed the
>> configurations many times to get something working that apparently is very
>> very simple.
>>
>> My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with
>> OpenBSD -current too):
>>
>> match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
>> pass log
>>
>> ipsec.conf (both firewalls in HA) (local 10.10.20.29 is the address of carp0):
>>
>> ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
>> peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
>> quick auth hmac-sha2-256 enc blowfish psk 'sapeca'
>>
>> sasyncd.conf (firewall master); network 10.20.30.0/30 is on an interface
>> dedicated to communication between the firewalls:
>>
>> interface carp0
>> group carp
>> listen on 10.20.30.1 inet
>> peer 10.20.30.2
>> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
>>
>> sasyncd.conf (firewall slave):
>>
>> interface carp0
>> group carp
>> listen on 10.20.30.2 inet
>> peer 10.20.30.1
>> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
>>
>> IP forwarding and carp preempt are enabled on both firewalls.
>>
>> Steps to initiate on both firewalls:
>>
>> isakmpd -K -S
>> ipsecctl -f /etc/ipsec.conf
>> sasyncd
>>
>> Other OpenBSD peer without HA (OpenBSD 5.2):
>>
>> ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer 10.10.20.29 \
>> main auth hmac-sha2-256 enc blowfish \
>> quick auth hmac-sha2-256 enc blowfish \
>> psk 'sapeca'
>>
>> Alright,
>>
>> Let me explain what is occurring:
>>
>> The VPN works perfectly, I can access the resources behind the 10.15.1.33 peer,
>> and on the OpenBSD slave I see the SAs synchronized from the master (ipsecctl -sa).
>>
>> If I force a failover (OpenBSD master) with:
>> ifconfig -g carp carpdemote 10
>>
>> the other node takes over and connections continue working perfectly (for
>> example a download of the OpenBSD ISO continues beautifully :) ) but:
>>
>> the IPsec VPN does not; it freezes and takes between 25s and 30s for the VPN
>> to reestablish the connection,
>>
>> and if I move the service back to the old OpenBSD master (ifconfig -g carp
>> -carpdemote 10)
>>
>> the VPN freezes completely and does not come back; I need to kill isakmpd and
>> start it again.
>>
>> I expected it to be transparent, like the beautiful failover, and without
>> IPsec disruption.
>>
>> In my configuration, am I doing something wrong? Am I forgetting something?
>>
>> Please, can someone put me on the correct way?
>>
>> Regards,
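The first thing mxb suggests checking is whether sasyncd actually replicates state to the backup. The script below is an added example, not code from the thread or from OpenBSD: it compares `ipsecctl -sa` dumps captured on the master and on the backup and lists every flow or SA the backup lacks. The two dumps are constructed to mirror the thread's addresses (carp0 10.10.20.29, peer 10.15.1.33), and the parser assumes the FLOWS:/SAD: line layout that ipsecctl prints.

```shell
# Added example, not from the thread: compare 'ipsecctl -sa' dumps taken on
# the CARP master and on the backup, and list what the backup is missing.
# Dumps are constructed (thread's carp0 10.10.20.29, peer 10.15.1.33).

MASTER_DUMP='FLOWS:
flow esp out from 10.50.60.0/24 to 192.168.12.0/24 peer 10.15.1.33 srcid 10.10.20.29/32 dstid 10.15.1.33/32 type require
SAD:
esp tunnel from 10.10.20.29 to 10.15.1.33 spi 0x0a1b2c3d auth hmac-sha2-256 enc blowfish
esp tunnel from 10.15.1.33 to 10.10.20.29 spi 0x4e5f6a7b auth hmac-sha2-256 enc blowfish'

# Backup: the flow arrived, but only one of the two SAs did (constructed fault).
BACKUP_DUMP='FLOWS:
flow esp out from 10.50.60.0/24 to 192.168.12.0/24 peer 10.15.1.33 srcid 10.10.20.29/32 dstid 10.15.1.33/32 type require
SAD:
esp tunnel from 10.10.20.29 to 10.15.1.33 spi 0x0a1b2c3d auth hmac-sha2-256 enc blowfish'

# One sorted key per entry: "flow DIR FROM TO" or "sa FROM TO SPI".
ipsec_keys() {
    awk '$1 == "flow" { print "flow", $3, $5, $7 }
         $1 == "esp" && $2 == "tunnel" {
             for (i = 1; i <= NF; i++) { if ($i == "from") f = $(i+1); if ($i == "to") t = $(i+1); if ($i == "spi") s = $(i+1) }
             print "sa", f, t, s
         }' "$1" | sort -u
}

# Print entries the master has and the backup lacks.
# Returns 0 when the backup has everything, 1 when something is missing.
missing_on_backup() {
    m=$(mktemp) && b=$(mktemp) || return 2
    ipsec_keys "$1" > "$m"
    ipsec_keys "$2" > "$b"
    diff=$(comm -23 "$m" "$b")
    rm -f "$m" "$b"
    [ -z "$diff" ] && return 0
    printf '%s\n' "$diff"
    return 1
}
# Write the constructed dumps into a temp dir and print its path.
make_demo_files() {
    d=$(mktemp -d) || return 2
    printf '%s\n' "$MASTER_DUMP" > "$d/master.sa"
    printf '%s\n' "$BACKUP_DUMP" > "$d/backup.sa"
    printf '%s\n' "$d"
}

# Demo run; on real nodes save 'ipsecctl -sa' output from each node instead.
d=$(make_demo_files)
missing_on_backup "$d/master.sa" "$d/backup.sa" || echo "backup is out of sync"
rm -rf "$d"
```

An SA present on the master but absent on the backup is exactly the state that makes the tunnel stall after a CARP failover until isakmpd renegotiates, so this check is worth running before and after a forced demotion.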