According to the carp(4):

" … Assume that host A is the preferred master and 192.168.1.x/24 is
     configured on one physical interface and 192.168.2.y/24 on another.
This
     is the setup for host A: …"

E.g., this means that you have to configure em0 with an IP, if em0 is the physical NIC
used for carp0.


On 25 apr 2013, at 13:16, R0me0 *** <knight....@gmail.com> wrote:

> mxb - my em's do not have any IP, only "up" inside hostname.emX
>
> my advskew is 100 on backup node
>
>
>
>
> 2013/4/24 mxb <m...@alumni.chalmers.se>
>
> Then there is also a question regarding how quickly your CARP will fail over,
> eg. what is your advskew on the backup node?
>
> On 24 apr 2013, at 22:30, mxb <m...@alumni.chalmers.se> wrote:
>
> >
> > I'd start by looking at sasyncd and if it actually works.
> > If it works 'netstat -rn' should show flows at the end of its output on
> > the backup node.
> >
> > Encap:
> > Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
> > <flows should be printed here>
> >
> > Next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do the
> > initial handshake and check their IP addresses. Are you sure your carp0 IP is
> > talking and NOT the em0 IP?
> >
> > I'd also force isakmpd to bind to a specific IP (/etc/isakmpd/isakmpd.conf):
> >
> > [General]
> > Listen-on=     <your carp0 IP goes here>
> > DPD-check-interval=     60
> > Default-phase-1-lifetime=       3600,360:86400
> > Default-phase-2-lifetime=       1200,160:86400
> >
> > If you do the above you might need to specify srcid in your ipsec.conf:
> >
> > local_gw="<your carp0 IP goes here>"
> >
> > ike active esp……
> >       main ……
> >       quick …..
> >       srcid $local_gw
> >
> >
> > //mxb
> >
> > On 24 apr 2013, at 20:33, R0me0 *** <knight....@gmail.com> wrote:
> >
> >> Hello misc,
> >>
> >> For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd.
> >> I searched Google and misc, read the man pages and reviewed the
> >> configurations many times to get working something that apparently is very,
> >> very simple.
> >>
> >> my simple pf.conf on both firewalls in HA ( OpenBSD 5.2 and tests with
> >> OpenBSD current too )
> >>
> >> match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
> >> pass log
> >>
> >> ipsec.conf ( both firewalls in HA ) ( local 10.10.20.29 is the address of
> >> carp0 )
> >>
> >> ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
> >>       peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
> >>       quick auth hmac-sha2-256 enc blowfish psk 'sapeca'
> >>
> >>
> >> sasyncd.conf ( firewall Master ) network 10.20.30.0/30 on an interface
> >> dedicated to communication between the firewalls
> >>
> >> interface carp0
> >> group carp
> >> listen on 10.20.30.1 inet
> >> peer 10.20.30.2
> >> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
> >>
> >>
> >> sasyncd.conf ( firewall slave )
> >>
> >> interface carp0
> >> group carp
> >> listen on 10.20.30.2 inet
> >> peer 10.20.30.1
> >> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
> >>
> >>
> >> ip forwarding and carp preempt enabled on both firewalls
> >>
> >>
> >> steps to initiate on both firewalls
> >>
> >> isakmpd -K -S
> >> ipsecctl -f /etc/ipsec.conf
> >> sasyncd
> >>
> >>
> >> other openbsd peer without HA ( OpenBSD 5.2 )
> >>
> >> ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer
> >> 10.10.20.29 \
> >>       main auth hmac-sha2-256 enc blowfish \
> >>       quick auth hmac-sha2-256 enc blowfish \
> >>       psk 'sapeca'
> >>
> >>
> >> Alright,
> >>
> >> Let me explain what is occurring:
> >>
> >>
> >> The VPN works perfectly, I access other resources behind the 10.15.1.33 peer, and
> >> in the OpenBSD slave I see SAs synchronized from the Master ( ipsecctl -sa )
> >>
> >> if I force a FailOver ( OpenBSD Master ) with:
> >> ifconfig -g carp carpdemote 10
> >>
> >> The other node takes over, connections continue working perfectly ( example:
> >> download of an OpenBSD ISO continues beautifully :) ) but:
> >>
> >> the IPsec VPN does not, it freezes and takes between 25s and 30s for the VPN to
> >> reestablish the connection
> >>
> >> and if I move the service again to the old OpenBSD master ( ifconfig -g carp
> >> -carpdemote 10 )
> >>
> >> the VPN freezes completely and does not come back, I need to kill isakmpd and start it again
> >>
> >>
> >> I expected it to be transparent, a beautiful failover without
> >> IPsec disruption.
> >>
> >> In my configuration, am I doing something wrong? Am I forgetting
> >> something?
> >>
> >> Please, can someone put me on the correct way?
> >>
> >> Regards,
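
The two checks mxb proposes above (flows present in the Encap section of 'netstat -rn' on the backup, and isakmpd bound to the carp0 address rather than em0), as an added shell script that is not part of the thread; the netstat column layout and the sample config are constructed assumptions, and the addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the two checks mxb proposes, written as
# shell functions and run here against constructed sample text, so they can
# be tried offline. Column layout and addresses are assumptions.

# Count IPsec flow entries in the "Encap:" section of 'netstat -rn' output
# (read on stdin). On the backup node, 0 means sasyncd has synced nothing.
count_encap_flows() {
    awk '
        /^Encap:/             { in_encap = 1; next }  # section starts here
        in_encap && /^Source/ { next }                # skip the column header
        in_encap && NF == 0   { in_encap = 0 }        # blank line ends section
        in_encap && NF > 0    { n++ }
        END                   { print n + 0 }
    '
}

# Return 0 if the Listen-on= key in the [General] section of an isakmpd.conf
# (read on stdin) equals the given address, i.e. isakmpd is bound to carp0
# rather than to the physical em0 address.
listen_on_is() {
    _want="$1"
    _got=$(awk -F= '
        /^\[/ { sect = $0 }
        sect == "[General]" && $1 ~ /^Listen-on[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }
    ')
    [ "$_got" = "$_want" ]
}

# Constructed sample: tail of 'netstat -rn' on the backup after a successful
# sasyncd sync of the flows from the thread's ipsec.conf.
SAMPLE_NETSTAT='Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.50.60.0/24      0     192.168.12.0/24    0     0     10.15.1.33/esp/use/in
192.168.12.0/24    0     10.50.60.0/24      0     0     10.15.1.33/esp/require/out
'

# Constructed sample: isakmpd.conf bound to the carp0 address from the thread.
SAMPLE_ISAKMPD='[General]
Listen-on=      10.10.20.29
DPD-check-interval=     60
'

# Stand-alone run: both checks against the samples.
printf '%s' "$SAMPLE_NETSTAT" | count_encap_flows
printf '%s' "$SAMPLE_ISAKMPD" | listen_on_is 10.10.20.29 && echo "isakmpd bound to carp0"
```

On a real pair, feed the functions the live output ('netstat -rn | count_encap_flows' on the backup, 'listen_on_is <carp0 IP> < /etc/isakmpd/isakmpd.conf' on both) and a count of 0 or a non-zero exit points at the sasyncd or isakmpd binding problem respectively.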
