On Mon, 2025-03-10 at 14:43 +0000, Stuart Henderson wrote:
> IIUC 'skip' is for exclusions for IKEv2 connections, not for which
> packets get sent over the tunnel.
Thanks for the clarification.
With that in mind I've managed to get a mostly working solution
(there are still failover problems) by taking a different approach:
1. Eliminate the use of sec(4)
2. In iked.conf, switch to using transport mode, and restrict it to the
gre protocol. For example, on FW2a/b:
ikev2 'g65' passive transport esp \
        proto gre \
        from d.d.d.114 to c.c.c.c \
        peer c.c.c.c \
        srcid g65.example.com
3. Set up a gre(4) tunnel between FW1 and the carp IP on FW2a/b, with
the default route on the latter two set to 192.168.48.1:
rdomain 2
tunneldomain 0
tunnel d.d.d.114 c.c.c.c
inet 192.168.48.2 255.255.255.255 192.168.48.1
up
!route -T2 -n add default 192.168.48.1
4. Put gre0, vlan5, and carp5 into rdomain 2
5. On FW2a/b, use "rtable 2" on pf rules as necessary in order to
allow hosts on the RFC1918 networks to reach the Net2 in rdomain 2.
I think the only thing still not working (as mentioned above) is failover,
specifically for the SAs. I see that there have been other postings on
this list in the past that also indicated this as a problematic area.
In my case, even the initial failover fails; it's not just a problem with
failing back to the original master.
Two clues so far include the following on both FW2a and FW2b:
sasyncd[98164]: pfkey: msg ADD write() failed on socket 4: Operation not permitted
And also this on the backup FW2b:
iked[49636]: ikev2_child_sa_acquire: flow wasn't found
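As an added illustration (not part of the post above, and not configuration from the OpenBSD project), here is the other end that the five steps imply, next to the FW2a/b pieces the post does show. Everything on the FW1 side is an assumption: the post never shows it, so FW1 being the active (initiating) peer, FW1 living in plain rdomain 0, and the swapped tunnel/inet addresses are inferred from the addresses used above. The pf fragment for step 5 is likewise assumed; "vlan10" and 10.0.0.0/8 are placeholders for the RFC1918 side, and the `rtable 0` rule on gre0 reflects the fact that pf applies a rule's rtable only to the direction that created the state, so replies arriving in rdomain 2 need their own rule to get back to rdomain 0.

```conf
# ---- FW1: /etc/iked.conf (assumed mirror of the FW2a/b policy) ----
# FW1 is assumed to initiate. The peer is the carp address d.d.d.114, so the
# SA and the GRE endpoint follow whichever of FW2a/b is currently master.
# Transport mode + "proto gre" means only the GRE packets between the two
# public addresses are protected; everything else is unaffected by the flow.
ikev2 'g65' active transport esp \
        proto gre \
        from c.c.c.c to d.d.d.114 \
        peer d.d.d.114 \
        dstid g65.example.com

# ---- FW1: /etc/hostname.gre0 (assumed, no rdomain on this side) ----
# Endpoints and the /32 point-to-point pair are the FW2a/b file swapped.
tunnel c.c.c.c d.d.d.114
inet 192.168.48.1 255.255.255.255 192.168.48.2
up
# Assumed RFC1918 prefix behind FW2a/b that should be reachable through the
# tunnel; FW2a/b default-route into the tunnel, FW1 only needs this prefix.
!route -n add 10.0.0.0/8 192.168.48.2

# ---- FW2a/b: /etc/pf.conf fragment for step 5 (assumed interface names) ----
# Hosts on the RFC1918 side sit in rdomain 0; "rtable 2" hands their packets
# to rdomain 2, whose only default route is the gre0 tunnel (192.168.48.1).
pass in on vlan10 inet from 10.0.0.0/8 to any rtable 2
# pf sets the rtable only for the direction that created the state, so the
# replies coming back in through gre0 (rdomain 2) need their own rule to be
# forwarded in rdomain 0, where vlan10 and the 10.0.0.0/8 routes live.
pass in on gre0 inet from any to 10.0.0.0/8 rtable 0
# IKE and ESP between the public addresses stay in rdomain 0.
pass on egress inet proto udp from d.d.d.114 to c.c.c.c port { 500, 4500 }
pass on egress inet proto udp from c.c.c.c to d.d.d.114 port { 500, 4500 }
pass on egress inet proto esp from d.d.d.114 to c.c.c.c
pass on egress inet proto esp from c.c.c.c to d.d.d.114
```

After changing either side, `iked -n` and `pfctl -nf /etc/pf.conf` will at least catch syntax errors before a reload, and `ikectl show sa` on both FW2a and FW2b shows whether the transport SA actually exists on the box that currently holds the carp address.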