On Wed 04 Dec 2013 00:18:40 GMT, Stuart Henderson wrote:
On 2013-12-02, C. L. Martinez <carlopm...@gmail.com> wrote:
Hi all,

  I need to deploy IPSec tunnels (lan-to-lan and roadwarriors clients
like linux and windows) under two openbsd carp firewalls.

..

  What option can be best to deploy in these firewalls: ipsec
(ipsec.conf and isakmpd) or iked?

This depends which protocols your clients support and whether you
want to pay attention to the warning at the bottom of the iked manual.

  Searching in google and reading some docs, I have several doubts
about which one to choose. If I am not wrong, iked doesn't support
sasyncd, is it correct??

I am *much* happier with my use of isakmpd since I got rid of sasyncd
and just rely on dead peer detection (DPD), I use ifstated to kill
isakmpd and flush ipsec if the state of the carp interface changes to
backup, or start isakmpd and load ipsec rules when the state changes
to master. When I used sasyncd I got into various situations where
things wouldn't work until I disabled it and rebooted both vpn
gateways. Obviously this only works if your clients support DPD.


Hi Stuart,

Yea, I had the same problem with sasyncd but I found a simple solution that allows for faster failover than DPD.

The issue I found was that when isakmpd starts on the carp 'backup', the -S stops it from chatting, which is great, but I also found it seems to stop it from reading the ipsec.conf file! So when you switch over, isakmpd doesn't know about the policies even though it has the phase 1 and phase 2 policies from the master.

The solution I found was to edit /etc/rc.d/sasyncd adding;

rc_start() {
   # give carp and isakmpd time to settle before sasyncd comes up
   sleep 10
   ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
   sleep 5
   # load the policies isakmpd -S skipped, so the backup knows them on failover
   ipsecctl -f /etc/ipsec.conf
}

It is still not perfect as a VPN failover as it still seems to take a few seconds as the trust relationship cannot be fully replicated by sasyncd, so some sort of renegotiation is still needed, but not a full rebuild.

I've been meaning to look at testing this more and maybe adding this to the code if I can prove it (along with many other things I want to contribute, but I'm so busy and the learning curve of a new code base means all the things I want to contribute will take me an age).

Andy
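The ifstated-driven failover Stuart describes (no sasyncd: kill isakmpd and flush the SPD/SAD when the carp interface drops to backup, start isakmpd and load ipsec.conf when it becomes master) can be expressed as an /etc/ifstated.conf like the following. This is an added illustration, not a config from either poster; it assumes the carp interface is carp0, that isakmpd's flags are set in rc.conf.local, and that the rc.d scripts are used for start/stop.

```conf
# /etc/ifstated.conf (example, not from the thread): isakmpd follows carp0 state
# assumption: carp0 is the carp interface carrying the VPN endpoint address

init-state backup

# for carp(4) interfaces, "link up" means this host is MASTER
carp_master = "carp0.link.up"

state backup {
	init {
		# backup must not negotiate: stop the daemon and flush policies/SAs
		run "/etc/rc.d/isakmpd stop"
		run "ipsecctl -F"
	}
	if $carp_master
		set-state master
}

state master {
	init {
		# master owns the VPN address: start isakmpd and load the policies
		run "/etc/rc.d/isakmpd start"
		run "ipsecctl -f /etc/ipsec.conf"
	}
	if ! $carp_master
		set-state backup
}
```

Peers only see the new master once their DPD detects the dead old master, which is the failover delay Stuart mentions; the flush on the backup side avoids stale SAs attempting traffic from the wrong host.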
