According to carp(4): "Assume that host A is the preferred master and 192.168.1.x/24 is configured on one physical interface and 192.168.2.y/24 on another. This is the setup for host A:"

E.g., this means that you have to configure em0 with an IP, if em0 is the physical NIC used for carp0.

On 25 apr 2013, at 13:16, R0me0 *** <knight....@gmail.com> wrote:

> mxb - my em's don't have any IP, only "up" inside hostname.emX
>
> my advskew is 100 on the backup node
>
>
> 2013/4/24 mxb <m...@alumni.chalmers.se>
>
> Then there is also a question regarding how quickly your CARP will fail over, e.g. what is your advskew on the backup node?
>
> On 24 apr 2013, at 22:30, mxb <m...@alumni.chalmers.se> wrote:
>
> > I'd start by looking at sasyncd and whether it actually works.
> > If it works, 'netstat -rn' should show flows at the end of its output on the backup node.
> >
> > Encap:
> > Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
> > <flows should be printed here>
> >
> > Next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do the initial handshake
> > and check their IP addresses. Are you sure your carp0 IP is talking and NOT the em0 IP?
> >
> > I'd also force isakmpd to bind to a specific IP (/etc/isakmpd/isakmpd.conf):
> >
> > [General]
> > Listen-on= <your carp0 IP goes here>
> > DPD-check-interval= 60
> > Default-phase-1-lifetime= 3600,360:86400
> > Default-phase-2-lifetime= 1200,160:86400
> >
> > If you do the above you might need to specify srcid in your ipsec.conf:
> >
> > local_gw="<your carp0 IP goes here>"
> >
> > ike active esp
> > main
> > quick ..
> > srcid $local_gw
> >
> >
> > //mxb
> >
> > On 24 apr 2013, at 20:33, R0me0 *** <knight....@gmail.com> wrote:
> >
> >> Hello misc,
> >>
> >> For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd.
> >> I've searched Google and misc, read the man pages and reviewed the
> >> configurations many times to make work something that is apparently very, very
> >> simple.
> >>
> >> my simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with
> >> OpenBSD -current too)
> >>
> >> match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
> >> pass log
> >>
> >> ipsec.conf (both firewalls in HA) (local 10.10.20.29 is the address of carp0)
> >>
> >> ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
> >> peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
> >> quick auth hmac-sha2-256 enc blowfish psk 'sapeca'
> >>
> >>
> >> sasyncd.conf (firewall master), network 10.20.30.0/30 on an interface
> >> dedicated to communication between the firewalls
> >>
> >> interface carp0
> >> group carp
> >> listen on 10.20.30.1 inet
> >> peer 10.20.30.2
> >> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
> >>
> >>
> >> sasyncd.conf (firewall slave)
> >>
> >> interface carp0
> >> group carp
> >> listen on 10.20.30.2 inet
> >> peer 10.20.30.1
> >> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
> >>
> >>
> >> IP forwarding and carp preempt enabled on both firewalls
> >>
> >>
> >> steps to initiate on both firewalls
> >>
> >> isakmpd -K -S
> >> ipsecctl -f /etc/ipsec.conf
> >> sasyncd
> >>
> >>
> >> other OpenBSD peer without HA (OpenBSD 5.2)
> >>
> >> ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer 10.10.20.29 \
> >> main auth hmac-sha2-256 enc blowfish \
> >> quick auth hmac-sha2-256 enc blowfish \
> >> psk 'sapeca'
> >>
> >>
> >> Alright,
> >>
> >> Let me explain what is occurring:
> >>
> >>
> >> The VPN works perfectly, I can access resources behind the 10.15.1.33 peer, and on the
> >> OpenBSD slave I see the SAs synchronized from the master (ipsecctl -sa)
> >>
> >> if I force a failover (OpenBSD master) with:
> >> ifconfig -g carp carpdemote 10
> >>
> >> the other node takes over, connections continue working perfectly (for example a
> >> download of the OpenBSD ISO continues beautifully :) ) but:
> >>
> >> the IPsec VPN does not; it freezes and takes between 25s and 30s to re-establish the
> >> connection
> >>
> >> and if I move the service back to the old OpenBSD master (ifconfig -g carp
> >> -carpdemote 10)
> >>
> >> the VPN freezes completely and does not come back; I need to kill isakmpd and start it again
> >>
> >>
> >> I expected it to be transparent, a beautiful failover without
> >> IPsec disruption.
> >>
> >> Am I doing something wrong in my configuration? Am I forgetting something?
> >>
> >> Please, can someone put me on the right path?
> >>
> >> Regards,
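The points raised in this thread (the physical NIC under carp0 must carry an address, isakmpd should be bound to the CARP address with Listen-on, ipsec.conf `local` must be that same address, the two sasyncd.conf files must mirror listen/peer and share one key, and the backup needs a higher advskew than the master) can be checked statically before failing over. The following is an added example, not code posted by anyone in the thread and not part of OpenBSD; it reads the five configuration files of both nodes as strings and reports mismatches. The addresses are constructed samples modelled on the thread, the CARP password and sasyncd sharedkey are placeholders, and the sample ipsec.conf uses aes-256 in place of the thread's blowfish (an assumption, not something the thread recommends):

```python
"""Static consistency check for a two-node CARP + sasyncd IPsec gateway pair (added example)."""
import re

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def phys_ip(hostname_if):
    """First IPv4 address in a hostname.if(5) file, or None if the file only says 'up'."""
    for line in hostname_if.splitlines():
        m = re.match(r"\s*inet\s+" + IPV4, line)
        if m:
            return m.group(1)
    return None


def carp_params(hostname_carp):
    """CARP address and advskew (carp(4) default is 0) from hostname.carp0."""
    text = hostname_carp.replace("\\\n", " ")
    m = re.search(r"\badvskew\s+(\d+)", text)
    return {"inet": phys_ip(text), "advskew": int(m.group(1)) if m else 0}


def isakmpd_listen(conf):
    """Addresses listed in the Listen-on key of the [General] section of isakmpd.conf."""
    section, addrs = None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "General" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "Listen-on":
                addrs = [a.strip() for a in value.split(",") if a.strip()]
    return addrs


def ipsec_locals(conf):
    """Set of 'local' gateway addresses used by the ike rules in ipsec.conf."""
    return set(re.findall(r"\blocal\s+" + IPV4, conf.replace("\\\n", " ")))


def sasyncd_params(conf):
    """interface / listen / peer / sharedkey keywords from sasyncd.conf(5)."""
    p = {}
    for raw in conf.splitlines():
        w = raw.split("#", 1)[0].split()
        if not w:
            continue
        if w[0] == "interface":
            p["interface"] = w[1]
        elif w[0] == "listen" and w[1] == "on":
            p["listen"] = w[2]
        elif w[0] in ("peer", "sharedkey"):
            p[w[0]] = w[1]
    return p


def check_node(name, files):
    """Findings for one node; an empty list means the node passes."""
    f = []
    carp = carp_params(files["hostname.carp0"])
    if phys_ip(files["hostname.em0"]) is None:
        f.append(f"{name}: em0 has no address, only 'up'; carp(4) expects the physical interface addressed")
    listen = isakmpd_listen(files["isakmpd.conf"])
    if carp["inet"] not in listen:
        f.append(f"{name}: isakmpd Listen-on {listen} does not bind the CARP address {carp['inet']}")
    locs = ipsec_locals(files["ipsec.conf"])
    if locs != {carp["inet"]}:
        f.append(f"{name}: ipsec.conf local {sorted(locs)} is not the CARP address {carp['inet']}")
    if sasyncd_params(files["sasyncd.conf"]).get("interface") != "carp0":
        f.append(f"{name}: sasyncd does not track carp0")
    return f


def check_pair(master, backup):
    """Findings that need both nodes: same CARP address, advskew order, mirrored sasyncd peers, one key."""
    f = []
    cm, cb = carp_params(master["hostname.carp0"]), carp_params(backup["hostname.carp0"])
    if cm["inet"] != cb["inet"]:
        f.append("CARP address differs between nodes")
    if cb["advskew"] <= cm["advskew"]:
        f.append("backup advskew must be higher than the master's")
    sm, sb = sasyncd_params(master["sasyncd.conf"]), sasyncd_params(backup["sasyncd.conf"])
    if (sm.get("listen"), sm.get("peer")) != (sb.get("peer"), sb.get("listen")):
        f.append("sasyncd listen/peer addresses are not mirrored")
    if sm.get("sharedkey") != sb.get("sharedkey"):
        f.append("sasyncd sharedkey differs between nodes")
    if master["ipsec.conf"] != backup["ipsec.conf"]:
        f.append("ipsec.conf differs between nodes")
    return f


# Constructed sample configs modelled on the thread; password and key are placeholders,
# and aes-256 stands in for the thread's blowfish (an assumption of this example).
_IPSEC = ("ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \\\n"
          "    peer 10.15.1.33 main auth hmac-sha2-256 enc aes-256 \\\n"
          "    quick auth hmac-sha2-256 enc aes-256 psk 'replace-me'\n")
_KEY = "0x" + "a5" * 32  # placeholder 256-bit sasyncd sharedkey
MASTER = {
    "hostname.em0": "inet 10.10.20.27 255.255.255.0\n",
    "hostname.carp0": "inet 10.10.20.29 255.255.255.0 10.10.20.255 vhid 1 pass carp-pw advskew 0\n",
    "isakmpd.conf": "[General]\nListen-on= 10.10.20.29\nDPD-check-interval= 60\n",
    "ipsec.conf": _IPSEC,
    "sasyncd.conf": f"interface carp0\ngroup carp\nlisten on 10.20.30.1 inet\npeer 10.20.30.2\nsharedkey {_KEY}\n",
}
BACKUP = {
    "hostname.em0": "up\n",  # the situation in the thread: no address on the physical NIC
    "hostname.carp0": "inet 10.10.20.29 255.255.255.0 10.10.20.255 vhid 1 pass carp-pw advskew 100\n",
    "isakmpd.conf": "[General]\nDPD-check-interval= 60\n",  # not yet bound to the CARP address
    "ipsec.conf": _IPSEC,
    "sasyncd.conf": f"interface carp0\ngroup carp\nlisten on 10.20.30.2 inet\npeer 10.20.30.1\nsharedkey {_KEY}\n",
}

if __name__ == "__main__":
    for line in check_node("master", MASTER) + check_node("backup", BACKUP) + check_pair(MASTER, BACKUP):
        print(line)
```

On a real pair, build the two dicts by reading /etc/hostname.em0, /etc/hostname.carp0, /etc/isakmpd/isakmpd.conf, /etc/ipsec.conf and /etc/sasyncd.conf from each node. The check is static only: it tells you whether the files agree with what the thread asks for, not whether sasyncd is actually exchanging SAs, so the runtime checks suggested above (flows at the end of `netstat -rn` on the backup, `tcpdump -i em0 port 500` during the handshake) are still the way to confirm behaviour.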