main mode produces comm losses

2008-03-04 Thread catalin visinescu
Hi, I am running OpenBSD 4.0 with carp+isakmpd+sasyncd+pf on 166MHz Pentium boards. Everything is working well. There are 6 locations, all clustered (2 redundant firewalls). When I fail one cluster the other one takes over with some packet loss. I see the carp is doing its thing. Aft

Security associations and SA_FLAG_REPLACED

2008-01-29 Thread catalin visinescu
Hi, I have GW1 and GW2 redundant firewalls (isakmpd+pf+carp+sasyncd). Is there a way to see which security associations are marked as "replaced" on the backup GW? "ipsecctl -s all -v -v" shows a lot but it does not seem to show that. On the master (let's say GW1) echo "S" > /v

Carp question and security association mismatch

2008-01-23 Thread catalin visinescu
Hi, I have two firewalls using isakmpd+pf+sasyncd+carp (OpenBSD 4.0). preempt is set to 0. At one end (machine names MAED11 and MAED12) carp0 on external has 172.16.140.145 255.255.255.0 advbase 0 advskew 128 pass gijane vhid 1; carp1 on external has 172.16.160.33 255.255.255.224 advbas

Carp creates a wide route if "netmask" is not used when carp is configured

2008-01-22 Thread catalin visinescu
Hi, I am using isakmpd+pf+sasyncd+carp to set up a VPN network (OpenBSD 4.0). Recently I had a problem with carp... Basically ifconfig carp0 inet 172.16.140.1 255.255.255.0 advbase 1 ... versus ifconfig carp0 inet 172.16.140.1 netmask 255.255.255.0 advbase 1 ... The simple

/usr/ports/net/ntp and VPN (improvement idea and solution)

2007-07-05 Thread catalin visinescu
Hello, This is used in a VPN network to bind the internal IP address and allow ntpd running on firewalls to get the time from a time source in a different protected subnet. I've changed two files, ntp_io.c and cmd_args.c, in /usr/ports/net/ntp. See the diffs below. Hope they can

OpenBSD 4.0: isakmpd and immediate use of crls (without isakmpd restart)

2007-06-28 Thread catalin visinescu
Hello, I was wondering what is the best way to immediately use a newly received crl that contains a revoked certificate... Basically, if I have 3 firewalls and one of them is compromised, I will push a new crl on the 2 uncorrupted firewalls. The thing is that (even when I send them a

Re: isakmpd on OpenBSD 3.7 and OpenBSD 4.0

2007-06-26 Thread catalin visinescu
Thanks to Stuart Henderson. On 2007/06/25 11:35, catalin visinescu wrote: > I see that OpenBSD 3.7 isakmpd and OpenBSD 4.0 isakmpd do > not establish security associations. try -T (disable nat-t) on the 4.0 side. If it works, can you post back to misc@ to get it in the ar

isakmpd on OpenBSD 3.7 and OpenBSD 4.0

2007-06-25 Thread catalin visinescu
Hello, I see that OpenBSD 3.7 isakmpd and OpenBSD 4.0 isakmpd do not establish security associations. I get an INVALID-PAYLOAD-TYPE message. isakmpd 3.7 does not seem to understand payload RESERVED. Is there a way I can run isakmpd 4.0 downgraded or any other way to get the two of th

Re: Pinging redundant firewall problem (isakmpd+pf+pfsync+sasyncd+carp)

2007-06-15 Thread catalin visinescu
catalin visinescu <[EMAIL PROTECTED]> wrote: >>Hello, >> >>Intro: >>I am using isakmpd+sasyncd+carp+pf+pfsync to have a redundant >>firewall setup (OpenBSD 4.0). I have two firewalls that carp-advertise at the >>same rate, and do not preempt eac

Pinging redundant firewall problem (isakmpd+pf+pfsync+sasyncd+carp)

2007-06-07 Thread catalin visinescu
Hello, Intro: I am using isakmpd+sasyncd+carp+pf+pfsync to have a redundant firewall setup (OpenBSD 4.0). I have two firewalls that carp-advertise at the same rate, and do not preempt each other. This works fine. isakmpd is using x509 certificates to establish SAs. This is working fine. sasy

Pinging redundant firewall problem (isakmpd+pf+pfsync+sasyncd+carp)

2007-06-04 Thread catalin visinescu
Hello, Intro: I am using isakmpd+sasyncd+carp+pf+pfsync to have a redundant firewall setup (OpenBSD 4.0). I have two firewalls that carp-advertise at the same rate, and do not preempt each other. Basically I don't care which firewall is master and which is backup. This works fine. isak