Hi all, I will try to encrypt all carp traffic between two OpenBSD 5.9 fws (fully patched). According to the ifconfig(8) man page:

    carppeer peer_address
        Send the carp advertisements to a specified point-to-point peer
        or multicast group instead of sending the messages to the default
        carp multicast group. The peer_address is the IP address of the
        other host taking part in the carp cluster. With this option,
        carp(4) traffic can be protected using ipsec(4) and it may be
        desired in networks that do not allow or have problems with IPv4
        multicast traffic.

And the last sentence describes the type of problem that I want to avoid: "carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic".

But I don't see how to implement this feature. If I am not wrong, I need to configure ipsec in transport mode. But how do I encrypt the carp protocol only and keep all other services and protocols out of ipsec tunnels? Any tip or sample?
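An added sample of the pieces such a setup needs (not from the original post or from the OpenBSD project): carppeer switches the advertisements to unicast between the two physical addresses, and an ipsec.conf rule keyed on `proto carp` (protocol 112 in /etc/protocols) in transport mode matches only that traffic, so everything else between the firewalls stays outside IPsec. Addresses, interface name and the pre-shared key are constructed placeholders.

```conf
# --- /etc/hostname.carp0 on fwA ---------------------------------------
# fwB mirrors this with advskew 100 and "carppeer 192.0.2.1".
# 192.0.2.1 / 192.0.2.2 are the physical addresses on em0 (constructed,
# RFC 5737 documentation range); 192.0.2.10 is the shared virtual IP.
inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 \
    pass <carp-password> advskew 0 carppeer 192.0.2.2

# --- /etc/ipsec.conf on fwA (swap fwA/fwB values on fwB) ----------------
fwA = "192.0.2.1"
fwB = "192.0.2.2"

# Transport mode (no tunnel, hosts talk directly), ESP only, and the
# "proto carp" selector restricts the flow to protocol 112. IKE (udp/500)
# and ESP themselves are not matched, so the negotiation is not caught
# by its own policy, and no other service is pulled into IPsec.
ike esp transport proto carp from $fwA to $fwB \
    psk "<replace-with-a-long-random-preshared-key>"

# --- /etc/rc.conf.local (both hosts) ------------------------------------
# -K: isakmpd takes its policy from the kernel flows loaded by ipsecctl.
isakmpd_flags=-K
ipsec=YES

# --- Checks before trusting the cluster to it ---------------------------
# ipsecctl -n -f /etc/ipsec.conf   # parse the policy without loading it
# ipsecctl -f /etc/ipsec.conf      # load flows; then "ipsecctl -sa" shows
#                                  # the proto carp flow and the ESP SAs
# tcpdump -ni em0 proto carp       # must stay silent: no cleartext CARP
# tcpdump -ni em0 esp              # ESP between 192.0.2.1 and 192.0.2.2
# ifconfig carp0                   # exactly one MASTER, the other BACKUP
```

pf(4) on both hosts must still pass esp and udp/500 between the physical addresses, or the SAs never come up and CARP falls back to both hosts claiming MASTER.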