On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> >
> > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > (fully patched). According to ifconfig(8) man page:
> >
> > carppeer peer_address
> > Send the carp advertisements to a specified point-to-point peer or
> > multicast group instead of sending the messages to the default carp
> > multicast group. The peer_address is the IP address of the other host
> > taking part in the carp cluster. With this option, carp(4) traffic can
> > be protected using ipsec(4) and it may be desired in networks that do
> > not allow or have problems with IPv4 multicast traffic.
> >
> > And the last sentence describes the type of problem that I want to
> > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > desired in networks that do not allow or have problems with IPv4
> > multicast traffic".
> >
> > But I don't see how to implement this feature. If I am not wrong, I
> > need to configure ipsec in transport mode. But how to encrypt carp
> > protocol only and keep all others services and protocols out of ipsec
> > tunnels??
> >
> > Any tip or sample??
> >
>
> check proto (from protocol) in ipsec.conf(5)
>
> G
>
Thanks Giannis. I have configured iked.conf in both firewalls.

FirewallA:

ikev2 esp proto carp from 172.22.55.12 to 172.22.55.13 psk "74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

FirewallB:

ikev2 esp proto carp from 172.22.55.13 to 172.22.55.12 psk "74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

Starting iked from shell, all tunnels are established. But when I add iked_flags= to rc.conf.local and reboot both firewalls, the startup process stops in the iked process and never finishes. I need to do a hard reset ...

Any idea why??
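For reference, here is the ipsec.conf(5)/isakmpd form that Giannis pointed at, written in the transport mode the original question asked about so that only CARP (IP protocol 112) between the two peers is wrapped in ESP and every other protocol stays in the clear; this is an added example, not a configuration from the thread, and the macro names and the PSK placeholder are mine.

```conf
# /etc/ipsec.conf on FirewallA (172.22.55.12).
# On FirewallB use the same file with the two macro values swapped.
# Macros are an ipsec.conf(5) feature; the PSK is a placeholder, not a real key.
fwA = "172.22.55.12"
fwB = "172.22.55.13"

# "transport" keeps the original IP header, so the peers see ESP
# packets between their own addresses rather than a tunnel.
# "proto carp" restricts the flow to CARP only: SSH, pfsync, DNS and
# anything else between fwA and fwB, and all traffic to other hosts,
# does not match this rule and is not sent through IPsec.
# isakmpd installs the matching flows in both directions.
ike esp transport proto carp from $fwA to $fwB psk "PLACEHOLDER_PSK"
```

Enable it at boot with `ipsec=YES` and `isakmpd_flags=-K` in rc.conf.local instead of iked_flags. To confirm the scope is really CARP only, check that `ipsecctl -sa` lists flows only for proto carp between the two peers and that `tcpdump -ni enc0` shows the CARP advertisements while `tcpdump -ni <physical interface> esp` shows nothing but ESP between them.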