We are running productive already, hence an update to -current is too
good at the moment. Please let me know if it brings some enhancements. I
will set up another test scenario then.
Cheers, Kai
On Thu, Jan 18 2007 at 14:16, Kai Mosebach wrote:
We are using 3 Soekris firewall pairs in our company's setup to provide
failover IPsec connections between 3 sites using OpenBSD 4.0 RELEASE.
The big picture looks like this:
A -> B (passive)
A -> C (passive)
B -> C (passive)
By now it's basically working fine, but with the IPsec failover we have
several problems which I cannot come by after several days of testing.
The main problem is that if MASTER is rebooted, the SLAVE takes over,
fine.
Once the MASTER comes up again, it takes over the SAs of the SLAVE, but
as soon as its carp interfaces get demoted (and it becomes an isakmpd
master) it acquires new SAs, which leads to a failure in the IPsec
tunnel, as there are twice as many SAs in the SA-DB as before and
(supposedly) the newly created SAs of the MASTER are used, which leads to
an "invalid cookie" on the remote site. I tweaked the /etc/rc script to
do the demotion later (or I do it manually) and it's directly related to
the point where the isakmpd is becoming master again.
I have a smaller setup (1 carp cluster and a single box at the other
end) and also noted the duplicate SAs. I updated to current
in order to see a resolution of this problem with no luck.
I didn't see the "invalid Cookie" message in log files.
Claer
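Both posts describe the same symptom: after the MASTER returns, each peer pair ends up with more than one SA per direction in the SA database. A quick way to spot that condition on either node is to count SAs per from/to pair in the SAD section of `ipsecctl -sa` output. The script below is an added example and is not from the thread or from OpenBSD; it assumes the `ipsecctl -sa` line format shown in the constructed sample (proto, mode, `from SRC to DST spi 0x...`), and the addresses are documentation-range placeholders, not the poster's sites.

```shell
#!/bin/sh
# Added example (not from the thread): flag peer pairs that carry more than
# one IPsec SA per direction, the "twice as many SAs" condition described above.
# Input format is assumed from OpenBSD's `ipsecctl -sa`; sample data is constructed.

# Reads ipsecctl -sa style output on stdin and prints, for every
# "proto from SRC to DST" pair with more than one SA, the count and the pair.
# Prints nothing when every pair has exactly one SA.
find_duplicate_sas() {
    awk '
        /^SAD:/   { in_sad = 1; next }   # SA database section starts here
        /^FLOWS:/ { in_sad = 0; next }   # flow section: not SAs, skip it
        in_sad && ($1 == "esp" || $1 == "ah") {
            # fields: proto mode from SRC to DST spi 0x... (rest ignored)
            key = $1 " " $3 " " $4 " " $5 " " $6
            count[key]++
        }
        END {
            for (k in count) if (count[k] > 1) print count[k], k
        }
    ' | sort
}

# Constructed sample: the A<->B pair is healthy (one SA each way), while the
# A<->C pair has two SAs in each direction, i.e. the state after the MASTER
# came back and negotiated a fresh set on top of the ones it took over.
SAMPLE_SAD='FLOWS:
flow esp in from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.2 type use
flow esp out from 198.51.100.0/24 to 192.0.2.0/24 peer 203.0.113.2 type require
SAD:
esp tunnel from 203.0.113.1 to 203.0.113.2 spi 0x0000aaaa auth hmac-sha1 enc aes
esp tunnel from 203.0.113.2 to 203.0.113.1 spi 0x0000bbbb auth hmac-sha1 enc aes
esp tunnel from 203.0.113.1 to 203.0.113.3 spi 0x0000cccc auth hmac-sha1 enc aes
esp tunnel from 203.0.113.3 to 203.0.113.1 spi 0x0000dddd auth hmac-sha1 enc aes
esp tunnel from 203.0.113.1 to 203.0.113.3 spi 0x0000eeee auth hmac-sha1 enc aes
esp tunnel from 203.0.113.3 to 203.0.113.1 spi 0x0000ffff auth hmac-sha1 enc aes'

# Runs the check over the constructed sample; on a real node you would pipe
# `ipsecctl -sa` into find_duplicate_sas instead.
check_sample() {
    printf '%s\n' "$SAMPLE_SAD" | find_duplicate_sas
}

# Gate for a cron or monitoring hook: exit 1 when any pair is duplicated.
alert_if_duplicates() {
    if check_sample | grep -q .; then
        echo "duplicate SAs present:" >&2
        check_sample >&2
        return 1
    fi
    return 0
}
```

Run on a node with `ipsecctl -sa | find_duplicate_sas` (after sourcing the functions); a healthy cluster prints nothing, and the output after a failback is the list of pairs that picked up extra SAs, which is the moment the remote site starts logging the "invalid cookie" errors mentioned above.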