On 28/07/16 22:47, C. L. Martinez wrote:
> Hi all,
>
> I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> (fully patched). According to ifconfig(8) man page:
>
> carppeer peer_address
> Send the carp advertisements to a specified point-to-point peer or
> multicast group instead of sending the messages to the default carp
> multicast group. The peer_address is the IP address of the other host
> taking part in the carp cluster. With this option, carp(4) traffic can
> be protected using ipsec(4) and it may be desired in networks that do
> not allow or have problems with IPv4 multicast traffic.
>
> And the last sentence describes the type of problem that I want to
> avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> desired in networks that do not allow or have problems with IPv4
> multicast traffic".
>
> But I don't see how to implement this feature. If I am not wrong, I
> need to configure ipsec in transport mode. But how to encrypt carp
> protocol only and keep all other services and protocols out of ipsec
> tunnels??
>
> Any tip or sample??
>
check proto (from protocol) in ipsec.conf(5)

G
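A configuration sketch of what the reply points at, added here as an example and not written by either poster: the `proto` keyword from ipsec.conf(5) limits a transport-mode ESP flow to CARP, and `carppeer` makes the advertisements unicast so they match that flow. The addresses (192.0.2.1 for fw1, 192.0.2.2 for fw2, 192.0.2.10 shared), the interface `em0`, the vhid and the passphrase placeholder are assumptions, as is an isakmpd(8) setup in which the two hosts already have each other's keys.

```conf
# --- /etc/ipsec.conf on fw1 (assumed 192.0.2.1; peer fw2 assumed 192.0.2.2) ---
# Transport-mode ESP, restricted by "proto" to CARP (name resolved via /etc/protocols).
# Any other traffic between the two hosts does not match this flow and stays outside IPsec.
ike esp transport proto carp from 192.0.2.1 to 192.0.2.2

# --- /etc/ipsec.conf on fw2: the same rule with the addresses swapped ---
# ike esp transport proto carp from 192.0.2.2 to 192.0.2.1

# --- /etc/hostname.carp0 on fw1 ---
# carppeer sends the advertisements to fw2's address instead of the CARP
# multicast group, which is what lets the flow above match them.
# vhid, carpdev, the shared address and the passphrase are placeholders.
inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 1 pass <carp-passphrase> carpdev em0 carppeer 192.0.2.2
```

`ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, and `ipsecctl -s flow` lists the flows the kernel holds once the rules are loaded. pf on both hosts also has to pass ESP and the IKE exchange between the two addresses.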