Re: Carp, isakmpd & sasyncd
Hi,

On Thu, 16.03.2006 at 00:41:16 -0700, Theo de Raadt <[EMAIL PROTECTED]> wrote:

> There are serious bugs in sasyncd. Please do not use it yet. Instead
> perhaps (like me) you can encourage the developers who wrote it to...
> finish it.

thanks for the heads-up. Can "we" please all have some release notes of sorts that explain which stuff is for the more adventurous user, like there were for ospfd when it was first rolled out?

I have no trouble seeing, and in parts also using, unfinished software, but I have trouble when it's talked about as if it were finished already, because then I don't know when to keep my big mouth shut.

Thank you!

Best,
--Toni++
Re: Carp, isakmpd & sasyncd
> Theo's e-mail wasn't too encouraging, but I have VPNs with both a Cisco PIX
> and another OpenBSD 3.8 box. The OpenBSD box is the one I'm getting the
> most logs for.
>
> -Steve S.

Odd, I rechecked my HA pair connecting to the GNAT / OBSD boxes, defo no entries in the logs.

Yes, Theo's note gave me pause for thought; however, for me at least SASYNCD is doing what I need and appears 'stable enough'. I'm eagerly waiting to see how the devs move this forward; elegant failover back to a recovered primary would be nirvana.
Re: Carp, isakmpd & sasyncd
Simon Slaytor wrote:
>
> I have two logical external firewalls, each configured as 3.8-stable HA
> pairs using PFSync, CARP, SASync etc.
> ...
> I have used the traditional isakmpd.conf method of configuring the
> VPNs. In both cases the OBSD boxes replaced Checkpoint R55 boxes;
> during my extensive testing with a R55 box at one end, non HA, and OBSD
> at the other I again saw no such entries. I therefore wonder if it could
> be a R60 thing or a CP HA thing?
>
> What IPSec device(s) are at the other end of your VPN(s)?

...

Theo's e-mail wasn't too encouraging, but I have VPNs with both a Cisco PIX and another OpenBSD 3.8 box. The OpenBSD box is the one I'm getting the most logs for.

-Steve S.
Re: Carp, isakmpd & sasyncd
On 3/16/06, Steven S <[EMAIL PROTECTED]> wrote:
> Are these messages "normal" for a carped pair of firewalls running isakmpd
> with sasyncd (3.8-stable)?

This happened to me until I changed the default lifetimes in isakmpd.conf. I have a road-runner setup, so exchanges are always initiated by the remote peer. What happened after a fail-over was that the Main Mode exchange was still valid, but isakmpd on the new master didn't have a clue (sasyncd has nothing to do with isakmpd). Setting Default-phase-1-lifetime < Default-phase-2-lifetime forces a new main mode exchange in case of a fail-over.

/martin

> FW1/master - /var/log/message:
> Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
> Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
> Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
> Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
>
> FW2/backup - /var/log/message:
> Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
> Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
>
> -Steve S.
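The lifetime ordering martin describes, written out as an isakmpd.conf(5) [General] fragment. This is an added illustration, not configuration posted in the thread; the numeric values (seconds, in isakmpd's "default,min:max" form) are assumed, and the commented-out pair is only there to show the ordering being changed. The point is the relation between the two keys: with the phase 1 (ISAKMP SA) lifetime shorter than the phase 2 (IPsec SA) lifetime, the phase 1 SA expires first, so a remote peer that always initiates has to run a fresh Main Mode exchange, which the node that is currently CARP master can answer, instead of reusing cookies that only the old master ever saw.

```ini
# isakmpd.conf(5) [General] fragment, added example (not from the thread).
# Lifetimes are seconds in isakmpd's "default,min:max" form; values assumed.
[General]

# Before: phase 1 SA outlives the phase 2 SAs. After a CARP failover the
# remote initiator keeps using its existing phase 1 cookies; the new master
# never saw that exchange and logs "invalid cookie(s)" / INVALID_COOKIE.
#Default-phase-1-lifetime=  3600,60:86400
#Default-phase-2-lifetime=  1200,60:86400

# After (the ordering from the reply above): phase 1 expires before phase 2,
# so the remote peer must start a new Main Mode exchange after the switch.
Default-phase-1-lifetime=   600,60:3600
Default-phase-2-lifetime=   1200,60:86400
```

Only one [General] section belongs in the file; restart isakmpd on both CARP nodes after the change so both read the same lifetimes.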
Re: Carp, isakmpd & sasyncd
Hey Steve,

I have two logical external firewalls, each configured as 3.8-stable HA pairs using PFSync, CARP, SASync etc.

On my first firewall I see exactly this with 1 VPN terminating to a Checkpoint R60 (NGX) HA Cluster. However the VPN is 100% stable and VPN failover works 9 out of 10 times; on the 10th occasion failover appears to work but no traffic flows.

On my second firewall I see no such entries: 3 x VPNs, 2 terminating on GNAT1000 boxes (FreeSwan?), the other a single 3.8-stable box. 100% stable, VPN failover works every time.

I have used the traditional isakmpd.conf method of configuring the VPNs. In both cases the OBSD boxes replaced Checkpoint R55 boxes; during my extensive testing with a R55 box at one end, non HA, and OBSD at the other I again saw no such entries. I therefore wonder if it could be a R60 thing or a CP HA thing?

What IPSec device(s) are at the other end of your VPN(s)?

Steven S wrote:
> Are these messages "normal" for a carped pair of firewalls running isakmpd with sasyncd (3.8-stable)?
>
> FW1/master - /var/log/message:
> Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
> Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
> Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
> Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
>
> FW2/backup - /var/log/message:
> Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
> Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
>
> -Steve S.
Re: Carp, isakmpd & sasyncd
There are serious bugs in sasyncd. Please do not use it yet. Instead perhaps (like me) you can encourage the developers who wrote it to... finish it.

> Are these messages "normal" for a carped pair of firewalls running isakmpd
> with sasyncd (3.8-stable)?
>
> FW1/master - /var/log/message:
> Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
> Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
> Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
> Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
>
> FW2/backup - /var/log/message:
> Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
> Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
>
> -Steve S.
Carp, isakmpd & sasyncd
Are these messages "normal" for a carped pair of firewalls running isakmpd with sasyncd (3.8-stable)?

FW1/master - /var/log/message:
Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE

FW2/backup - /var/log/message:
Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500

-Steve S.
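A quick triage script for the symptom in this post, added here as an example and not something posted in the thread. It reads the master's and the backup's isakmpd log text, counts per peer the INVALID_COOKIE drops on the master, the distinct cookie pairs they carry, and the "giving up on exchange" messages on the backup, and prints one line per peer. A peer with both counts non-zero is the pattern the thread is about: the node that is master is rejecting ISAKMP traffic for a phase 1 state it never saw, while the other node's isakmpd is still trying to talk to that same peer. The function name `isakmpd_failover_report` is made up for this example, and the embedded log text is constructed from the lines quoted above; on a real pair you would feed it `/var/log/messages` from each node.

```shell
#!/bin/sh
# Added example (not from the thread): correlate isakmpd log lines from a CARP
# master and backup per remote peer. POSIX sh + awk only.

# Constructed sample input, taken from the log lines quoted in this post.
MASTER_LOG='Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE'

BACKUP_LOG='Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500'

# isakmpd_failover_report MASTER_TEXT BACKUP_TEXT
# Prints, sorted by peer:
#   <peer> invalid_cookie=<drops on master> giving_up=<timeouts on backup> cookie_pairs=<distinct>
isakmpd_failover_report() {
    {
        # Tag every line with its origin so one awk pass can tell them apart.
        printf '%s\n' "$1" | sed 's/^/M /'
        printf '%s\n' "$2" | sed 's/^/B /'
    } | awk '
        # Master: isakmpd logs the offending cookie pair first, then the drop
        # that names the peer. Remember the pair until the drop line arrives.
        $1 == "M" && /invalid cookie/ { cookies = $(NF-1) " " $NF; next }
        $1 == "M" && /INVALID_COOKIE/ {
            for (i = 1; i <= NF; i++) if ($i == "from") peer = $(i + 1)
            drops[peer]++; seen[peer] = 1
            if (cookies != "" && !((peer, cookies) in pair)) {
                pair[peer, cookies] = 1; npairs[peer]++
            }
            cookies = ""
            next
        }
        # Backup: the peer is the last field, as addr:port; strip the port.
        $1 == "B" && /giving up on exchange/ {
            peer = $NF; sub(/:[0-9]+$/, "", peer)
            giveups[peer]++; seen[peer] = 1
        }
        END {
            for (p in seen)
                printf "%s invalid_cookie=%d giving_up=%d cookie_pairs=%d\n",
                       p, drops[p] + 0, giveups[p] + 0, npairs[p] + 0
        }' | sort
}

isakmpd_failover_report "$MASTER_LOG" "$BACKUP_LOG"
```

With the sample above the report is a single line for x1.x2.x3.178 showing two drops, two timeouts and one cookie pair, which says the same thing Simon worked out by eye: the same peer is being refused by one node and timed out by the other. Run it against real logs with `isakmpd_failover_report "$(cat fw1-messages)" "$(cat fw2-messages)"`.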
ISAKMPD / SASYNCD
Hi Folks,

Sorry, but I need to ask what some will see as an obvious and stupid question, so feel free to shoot me down in flames, but please answer the question :-)

I have a pair of 3.8 boxes, each with 3 interfaces, xl0, xl1 and rl0, configured as a redundant firewall using CARP, PFSYNC and SASYNCD (for my IPsec VPNs, configured with isakmpd.conf & .policy). carp0 (Internet) is bound to xl0 on both firewalls, carp1 (Internal) is bound to xl1, with rl0 being used for PFSYNC and SASYNCD traffic. With me so far?

Ok, the pair work like a charm: failover and recovery work, SAs & SPDs are synced on both boxes, I couldn't be happier.

Now for the silly question: I know SASYNCD doesn't do any failover, so by default I have ISAKMPD started on both machines. Now, looking at the message log on the 'secondary' box, I see ISAKMPD logging lots of messages about no response from the remote peer, which sounds right, as the VPNs are established with the ISAKMPD daemon running on the primary box. Looking at the primary box I get a lot of 'bad cookie' errors which seem to correspond to the secondary's attempts to connect to the remote peer, although the VPN is running sweetly.

Is this right, or should I instead use ifstated to monitor the carp0 interface and start ISAKMPD on the secondary box only when the primary fails?

During my testing phase using only OBSD boxes for local and remote peers IPsec failover worked; now in the 'live' config, where the remote peer is a Checkpoint R56 HA pair, the primary VPN works but failover doesn't appear to.

Many thanks, asbestos undies at the ready ;-)

Simon