On Tue  2.Aug'16 at  7:54:08 +0000, C. L. Martinez wrote:
> On Mon  1.Aug'16 at  7:54:57 +0000, C. L. Martinez wrote:
> > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > Hi all,
> > > > 
> > > >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > > (fully patched). According to ifconfig(8) man page:
> > > > 
> > > > carppeer peer_address
> > > > Send the carp advertisements to a specified point-to-point peer or
> > > > multicast group instead of sending the messages to the default carp
> > > > multicast group. The peer_address is the IP address of the other host
> > > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > > be protected using ipsec(4) and it may be desired in networks that do
> > > > not allow or have problems with IPv4 multicast traffic.
> > > > 
> > > >  And the last sentence describes the type of problem that I want to
> > > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > > desired in networks that do not allow or have problems with IPv4
> > > > multicast traffic".
> > > > 
> > > >  But I don't see how to implement this feature. If I am not wrong, I
> > > > need to configure ipsec in transport mode. But how to encrypt carp
> > > > protocol only and keep all others services and protocols out of ipsec
> > > > tunnels??
> > > > 
> > > >  Any tip or sample??
> > > > 
> > > 
> > > 
> > > check proto (from protocol) in ipsec.conf(5)
> > > 
> > > G
> > > 
> > 
> > Ok, after doing several tests these days, I have configured ipsec.conf 
> > instead of iked.conf. But the carp interfaces remain in MASTER mode in both 
> > firewalls:
> > 
> > FwA:
> > 
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:01
> >         priority: 15
> >         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> >                 state MASTER vhid 1 advskew 100
> >                 state MASTER vhid 2 advskew 0
> >         groups: carp
> >         status: master
> >         inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:03
> >         priority: 15
> >         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> >                 state MASTER vhid 3 advskew 100
> >                 state MASTER vhid 4 advskew 0
> >         groups: carp
> >         status: master
> >         inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7
> > 
> > ....
> > 
> > 
> > FwB:
> > 
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:01
> >         priority: 15
> >         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> >                 state MASTER vhid 1 advskew 0
> >                 state MASTER vhid 2 advskew 100
> >         groups: carp
> >         status: master
> >         inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:03
> >         priority: 15
> >         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> >                 state MASTER vhid 3 advskew 0
> >                 state MASTER vhid 4 advskew 100
> >         groups: carp
> >         status: master
> >         inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7
> > 
> > 
> > IPsec flows are established in both firewalls:
> > 
> > FwA:
> > 
> > FLOWS:
> > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 
> > srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
> > flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 
> > srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> > flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 
> > srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
> > flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 
> > srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> > flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 
> > srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
> > flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 
> > srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
> > flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 
> > srcid 172.30.77.2/32 dstid 172.30.77.3/32 type use
> > flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 
> > srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
> > flow esp in proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.3 
> > srcid 172.22.54.2/32 dstid 172.22.54.3/32 type use
> > flow esp out proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.3 
> > srcid 172.22.54.2/32 dstid 172.22.54.3/32 type require
> > flow esp in proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.3 
> > srcid 172.22.56.2/32 dstid 172.22.56.3/32 type use
> > flow esp out proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.3 
> > srcid 172.22.56.2/32 dstid 172.22.56.3/32 type require
> > 
> > SAD:
> > esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.55.13 to 172.22.55.12 spi 0x54d57373 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.57.2 to 172.22.57.3 spi 0x57f09d05 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.56.2 to 172.22.56.3 spi 0x5a171e12 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.30.77.2 to 172.30.77.3 spi 0x5e1cc51a auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.54.2 to 172.22.54.3 spi 0x6a7415a2 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.30.77.3 to 172.30.77.2 spi 0x77435d2a auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.55.12 to 172.22.55.13 spi 0x8a0d95c7 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.56.3 to 172.22.56.2 spi 0x906dd7fd auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.58.2 to 172.22.58.3 spi 0xab88d522 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.57.3 to 172.22.57.2 spi 0xca1ba00f auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.58.3 to 172.22.58.2 spi 0xe66ba82a auth 
> > hmac-sha2-256 enc aes
> > 
> > FwB:
> > 
> > FLOWS:
> > flow esp in proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.2 
> > srcid 172.22.58.3/32 dstid 172.22.58.2/32 type use
> > flow esp out proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.2 
> > srcid 172.22.58.3/32 dstid 172.22.58.2/32 type require
> > flow esp in proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.2 
> > srcid 172.22.57.3/32 dstid 172.22.57.2/32 type use
> > flow esp out proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.2 
> > srcid 172.22.57.3/32 dstid 172.22.57.2/32 type require
> > flow esp in proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.2 
> > srcid 172.22.56.3/32 dstid 172.22.56.2/32 type use
> > flow esp out proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.2 
> > srcid 172.22.56.3/32 dstid 172.22.56.2/32 type require
> > flow esp in proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.2 
> > srcid 172.22.54.3/32 dstid 172.22.54.2/32 type use
> > flow esp out proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.2 
> > srcid 172.22.54.3/32 dstid 172.22.54.2/32 type require
> > flow esp in proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.2 
> > srcid 172.30.77.3/32 dstid 172.30.77.2/32 type use
> > flow esp out proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.2 
> > srcid 172.30.77.3/32 dstid 172.30.77.2/32 type require
> > flow esp in proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.12 
> > srcid 172.22.55.13/32 dstid 172.22.55.12/32 type use
> > flow esp out proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.12 
> > srcid 172.22.55.13/32 dstid 172.22.55.12/32 type require
> > 
> > SAD:
> > esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.55.13 to 172.22.55.12 spi 0x54d57373 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.57.2 to 172.22.57.3 spi 0x57f09d05 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.56.2 to 172.22.56.3 spi 0x5a171e12 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.30.77.2 to 172.30.77.3 spi 0x5e1cc51a auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.54.2 to 172.22.54.3 spi 0x6a7415a2 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.30.77.3 to 172.30.77.2 spi 0x77435d2a auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.55.12 to 172.22.55.13 spi 0x8a0d95c7 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.56.3 to 172.22.56.2 spi 0x906dd7fd auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.58.2 to 172.22.58.3 spi 0xab88d522 auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.57.3 to 172.22.57.2 spi 0xca1ba00f auth 
> > hmac-sha2-256 enc aes
> > esp transport from 172.22.58.3 to 172.22.58.2 spi 0xe66ba82a auth 
> > hmac-sha2-256 enc aes
> > 
> > 
> > ..But I see a lot of "bad ip cksum 0!" messages on both firewalls ... 
> > 
> > root@obsdfw:~# tcpdump -ttt -env -i enc0
> > Aug 01 07:40:58.546678 (authentic,confidential): SPI 0x5e1cc51a: carp 
> > 172.30.77.2 > 172.30.77.3: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 
> > demote=0 (DF) [tos 0x10] (ttl 255, id 64496, len 56, bad ip cksum 0! -> 
> > 8d12)
> > Aug 01 07:40:58.546703 (authentic,confidential): SPI 0x8a0d95c7: carp 
> > 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=2 advbase=1 
> > advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 22255, len 56, bad ip cksum 
> > 0! -> 5e10)
> > Aug 01 07:40:58.556680 (authentic,confidential): SPI 0x5a171e12: carp 
> > 172.22.56.2 > 172.22.56.3: CARPv2-advertise 36: vhid=8 advbase=1 advskew=0 
> > demote=0 (DF) [tos 0x10] (ttl 255, id 56036, len 56, bad ip cksum 0! -> 
> > d82e)
> > Aug 01 07:40:58.556704 (authentic,confidential): SPI 0x6a7415a2: carp 
> > 172.22.54.2 > 172.22.54.3: CARPv2-advertise 36: vhid=6 advbase=1 advskew=0 
> > demote=0 (DF) [tos 0x10] (ttl 255, id 8717, len 56, bad ip cksum 0! -> 9506)
> > Aug 01 07:40:58.566679 (authentic,confidential): SPI 0xab88d522: carp 
> > 172.22.58.2 > 172.22.58.3: CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 
> > demote=0 (DF) [tos 0x10] (ttl 255, id 37779, len 56, bad ip cksum 0! -> 
> > 1b80)
> > Aug 01 07:40:58.566704 (authentic,confidential): SPI 0x57f09d05: carp 
> > 172.22.57.2 > 172.22.57.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 
> > demote=0 (DF) [tos 0x10] (ttl 255, id 53311, len 56, bad ip cksum 0! -> 
> > e0d3)
> > Aug 01 07:40:59.036637 (authentic,confidential): SPI 0x5e1cc51a: carp 
> > 172.30.77.2 > 172.30.77.3: CARPv2-advertise 36: vhid=3 advbase=1 
> > advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 31401, len 56, bad ip 
> > cksum 0! -> e5a)
> > Aug 01 07:40:59.036662 (authentic,confidential): SPI 0x8a0d95c7: carp 
> > 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=1 advbase=1 
> > advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 3795, len 56, bad ip 
> > cksum 0! -> a62c)
> > Aug 01 07:40:59.046674 (authentic,confidential): SPI 0x5a171e12: carp 
> > 172.22.56.2 > 172.22.56.3: CARPv2-advertise 36: vhid=7 advbase=1 
> > advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 11562, len 56, bad ip 
> > cksum 0! -> 85e9)
> > Aug 01 07:40:59.046698 (authentic,confidential): SPI 0x6a7415a2: carp 
> > 172.22.54.2 > 172.22.54.3: CARPv2-advertise 36: vhid=5 advbase=1 
> > advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 15246, len 56, bad ip 
> > cksum 0! -> 7b85)
> > Aug 01 07:40:59.066676 (authentic,confidential): SPI 0xab88d522: carp 
> > 172.22.58.2 > 172.22.58.3: CARPv2-advertise 36: vhid=11 advbase=1 
> > advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 41397, len 56, bad ip 
> > cksum 0! -> d5e)
> > Aug 01 07:40:59.066700 (authentic,confidential): SPI 0x57f09d05: carp 
> > 172.22.57.2 > 172.22.57.3: CARPv2-advertise 36: vhid=9 advbase=1 
> > advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 55275, len 56, bad ip 
> > cksum 0! -> d927)
> > Aug 01 07:40:59.111564 (authentic,confidential): SPI 0x77435d2a: carp 
> > 172.30.77.3 > 172.30.77.2: CARPv2-advertise 36: vhid=4 advbase=1 
> > advskew=100 demote=0 [tos 0x10] (ttl 255, id 687, len 56)
> > Aug 01 07:40:59.111580 (authentic,confidential): SPI 0x54d57373: carp 
> > 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=2 advbase=1 
> > advskew=100 demote=0 [tos 0x10] (ttl 255, id 52601, len 56)
> > Aug 01 07:40:59.121572 (authentic,confidential): SPI 0x906dd7fd: carp 
> > 172.22.56.3 > 172.22.56.2: CARPv2-advertise 36: vhid=8 advbase=1 
> > advskew=100 demote=0 [tos 0x10] (ttl 255, id 49105, len 56)
> > Aug 01 07:40:59.121589 (authentic,confidential): SPI 0x1ee8aacd: carp 
> > 172.22.54.3 > 172.22.54.2: CARPv2-advertise 36: vhid=6 advbase=1 
> > advskew=100 demote=0 [tos 0x10] (ttl 255, id 33217, len 56)
> > Aug 01 07:40:59.131609 (authentic,confidential): SPI 0xe66ba82a: carp 
> > 172.22.58.3 > 172.22.58.2: CARPv2-advertise 36: vhid=12 advbase=1 
> > advskew=100 demote=0 [tos 0x10] (ttl 255, id 61641, len 56)
> > Aug 01 07:40:59.131626 (authentic,confidential): SPI 0xca1ba00f: carp 
> > 172.22.57.3 > 172.22.57.2: CARPv2-advertise 36: vhid=10 advbase=1 
> > advskew=100 demote=0 [tos 0x10] (ttl 255, id 19054, len 56)
> > Aug 01 07:40:59.341642 (authentic,confidential): SPI 0x77435d2a: carp 
> > 172.30.77.3 > 172.30.77.2: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 
> > demote=0 [tos 0x10] (ttl 255, id 3431, len 56)
> > Aug 01 07:40:59.341658 (authentic,confidential): SPI 0x54d57373: carp 
> > 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=1 advbase=1 
> > advskew=0 demote=0 [tos 0x10] (ttl 255, id 31759, len 56)
> > Aug 01 07:40:59.351583 (authentic,confidential): SPI 0x906dd7fd: carp 
> > 172.22.56.3 > 172.22.56.2: CARPv2-advertise 36: vhid=7 advbase=1 advskew=0 
> > demote=0 [tos 0x10] (ttl 255, id 907, len 56)
> > Aug 01 07:40:59.351613 (authentic,confidential): SPI 0x1ee8aacd: carp 
> > 172.22.54.3 > 172.22.54.2: CARPv2-advertise 36: vhid=5 advbase=1 advskew=0 
> > demote=0 [tos 0x10] (ttl 255, id 34989, len 56)
> > 
> > And I think that could be the reason why the carp interfaces are in MASTER mode 
> > in both firewalls ...
> > 
> >  Disabling IPsec, the carp interfaces show the correct state:
> > 
> > FwA:
> > 
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:01
> >         priority: 15
> >         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> >                 state BACKUP vhid 1 advskew 100
> >                 state MASTER vhid 2 advskew 0
> >         groups: carp
> >         status: backup
> >         inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:03
> >         priority: 15
> >         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> >                 state BACKUP vhid 3 advskew 100
> >                 state MASTER vhid 4 advskew 0
> >         groups: carp
> >         status: backup
> >         inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7
> > 
> > FwB:
> > 
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:01
> >         priority: 15
> >         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> >                 state MASTER vhid 1 advskew 0
> >                 state BACKUP vhid 2 advskew 100
> >         groups: carp
> >         status: master
> >         inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:03
> >         priority: 15
> >         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> >                 state MASTER vhid 3 advskew 0
> >                 state BACKUP vhid 4 advskew 100
> >         groups: carp
> >         status: master
> >         inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7
> > 
> > 
> >  Having arrived at this point, what am I doing wrong?? Or maybe it is a bug?
> > 
> > Thanks.
> > 
> 

I have done more tests under an ESXi 6 host (using e1000 NICs) and the results are 
the same. Reading the pfsync(4) man page:

BUGS
     pfsync does not currently work with ipsec(4).

OpenBSD 5.9                      June 25, 2015                     OpenBSD 5.9

 Maybe it is the same problem with carp?? 

Thanks.

-- 
Greetings,
C. L. Martinez
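
The ifconfig(8) text quoted at the top of the thread and Giannis's "check proto in ipsec.conf(5)" reply together describe one setup: unicast the advertisements with carppeer, then match only protocol carp in a transport-mode IPsec flow between the two carpdev addresses. The fragment below is an added illustration of that shape and is not configuration from the thread or from the OpenBSD project; it is simplified to a single vhid (the poster uses balancing mode with two vhids), uses the FwA/FwB vio0 addresses seen in the poster's output, and the carp passphrase and pre-shared key are placeholders. The poster reports that a setup of this kind still leaves both firewalls MASTER, so this shows the intended configuration, not a confirmed working result.

```conf
# --- /etc/hostname.carp0 on FwA (illustration, single vhid) ---
# carppeer sends the advertisements as unicast to FwB's carpdev address.
# That is what lets a host-to-host IPsec flow match them; the default
# multicast destination would never match a from/to host flow.
inet 172.22.55.14 255.255.255.240 NONE vhid 1 carpdev vio0 carppeer 172.22.55.13 advskew 100 pass CARP_PASSPHRASE_PLACEHOLDER

# --- /etc/ipsec.conf on FwA (illustration; isakmpd is the IKEv1 daemon used by ipsec.conf) ---
# Macros for readability; values are the carpdev addresses from the thread.
FwA_vio0 = "172.22.55.12"
FwB_vio0 = "172.22.55.13"

# 'proto carp' restricts the flow to IP protocol 112, so every other service
# on vio0 stays outside IPsec. 'transport' keeps the original IP header,
# which is the mode the SAD entries in the thread show ('esp transport ...').
# With no explicit 'type', the flow is 'require': carp traffic that does not
# match an SA is dropped rather than sent in the clear.
ike esp transport proto carp from $FwA_vio0 to $FwB_vio0 psk "PSK_PLACEHOLDER"

# FwB mirrors this with the from/to addresses swapped.
```

To activate it: `rcctl enable isakmpd`, `rcctl set isakmpd flags -K` (so isakmpd takes policy from ipsec.conf rather than keynote), then `ipsecctl -f /etc/ipsec.conf`. The checks to run afterwards are the ones already visible in the thread: `ipsecctl -sa` should list `flow esp ... proto carp ... type require` plus a pair of `esp transport` SAs, `tcpdump -ni enc0` should show each advertisement tagged `(authentic,confidential)`, and `ifconfig carp0` on the two hosts should disagree on MASTER/BACKUP; if both show `status: master` while the SAs are up, the advertisements are being encrypted but not accepted, which is exactly the symptom the poster is describing.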
