Hello misc,

For a couple of days I have been fighting with OpenBSD+IPsec+sasyncd.
I have searched Google and misc, read the man pages and reviewed the
configuration many times to get working something that apparently is very,
very simple.

My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tested with
OpenBSD -current too):

match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
pass log

ipsec.conf (both firewalls in HA; local 10.10.20.29 is the address of carp0):

ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
        peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
        quick auth hmac-sha2-256 enc blowfish psk 'sapeca'


sasyncd.conf (firewall master); network 10.20.30.0/30 is on an interface
dedicated to communication between the firewalls:

interface carp0
group carp
listen on 10.20.30.1 inet
peer 10.20.30.2
sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5


sasyncd.conf (firewall slave):

interface carp0
group carp
listen on 10.20.30.2 inet
peer 10.20.30.1
sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5


IP forwarding and carp preempt are enabled on both firewalls.


Steps to start on both firewalls:

isakmpd -K -S
ipsecctl -f /etc/ipsec.conf
sasyncd


The other OpenBSD peer, without HA (OpenBSD 5.2):

ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer 10.10.20.29 \
        main auth hmac-sha2-256 enc blowfish \
        quick auth hmac-sha2-256 enc blowfish \
        psk 'sapeca'


Alright, let me explain what is occurring:


The VPN works perfectly: I can access resources behind the 10.15.1.33 peer, and
on the OpenBSD slave I see the SAs synchronized from the master (ipsecctl -sa).

If I force a failover (on the OpenBSD master) with:
ifconfig -g carp carpdemote 10

the other node takes over and connections continue working perfectly (for
example a download of an OpenBSD ISO continues beautifully :) ), but the
IPsec VPN does not: it freezes and takes between 25s and 30s for the VPN to
re-establish the connection.

And if I move the service back to the old OpenBSD master (ifconfig -g carp
-carpdemote 10), the VPN freezes completely and does not come back; I need to
kill isakmpd and start it again.


I expected it to be transparent, like the beautiful failover, and without
IPsec disruption.

In my configuration, am I doing something wrong? Am I forgetting something?

Please, can someone put me on the right way?

Regards,
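One check worth running before and after a failover is a side-by-side comparison of the SA tables on the sasyncd master and slave, so that a "VPN freezes after failover" symptom can be separated into "the SAs never reached the slave" versus "the SAs are there but isakmpd on the new master does not use them". The script below is an added example and is not part of the original post; the two sample tables are constructed to resemble `ipsecctl -sa` output (the exact field layout of real output may differ slightly; only the `esp`/`ah` lines with `from`, `to` and `spi` fields are parsed), and the addresses and SPIs are made up.

```shell
#!/bin/sh
# Added example (not from the original post): compare the SA tables of the
# sasyncd master and slave. In practice, capture `ipsecctl -sa > master.sa`
# on one node and `ipsecctl -sa > slave.sa` on the other, then run
# sa_report master.sa slave.sa on either host.
LC_ALL=C
export LC_ALL

# Extract one "proto src dst spi" key per SA line; flow lines are ignored.
sa_keys() {
    awk '($1 == "esp" || $1 == "ah") {
            src = dst = spi = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                else if ($i == "to") dst = $(i + 1)
                else if ($i == "spi") spi = $(i + 1)
            }
            print $1, src, dst, spi
        }' "$1" | sort
}

# Print the SAs present in table $1 but missing from table $2.
sa_missing() {
    a=$(mktemp) ; b=$(mktemp)
    sa_keys "$1" > "$a"
    sa_keys "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Number of SAs in table $1 that are missing from table $2.
sa_missing_count() {
    sa_missing "$1" "$2" | wc -l | tr -d ' '
}

# Human-readable report; returns 0 when both tables match, 1 otherwise.
sa_report() {
    n1=$(sa_missing_count "$1" "$2")
    n2=$(sa_missing_count "$2" "$1")
    if [ "$n1" -eq 0 ] && [ "$n2" -eq 0 ]; then
        echo "SA tables match"
        return 0
    fi
    [ "$n1" -gt 0 ] && { echo "$n1 SA(s) on master missing on slave:"; sa_missing "$1" "$2"; }
    [ "$n2" -gt 0 ] && { echo "$n2 SA(s) on slave missing on master:"; sa_missing "$2" "$1"; }
    return 1
}

# Constructed sample tables (not real captures): the slave has received only
# one direction of the tunnel, which is the kind of gap this check surfaces.
MASTER_SA=$(mktemp) ; SLAVE_SA=$(mktemp)
cat > "$MASTER_SA" <<'EOF'
FLOWS:
flow esp in from 192.168.12.0/24 to 10.50.60.0/24 peer 10.15.1.33 type use
flow esp out from 10.50.60.0/24 to 192.168.12.0/24 peer 10.15.1.33 type require
SAD:
esp tunnel from 10.10.20.29 to 10.15.1.33 spi 0x0a1b2c3d auth hmac-sha2-256 enc blowfish
esp tunnel from 10.15.1.33 to 10.10.20.29 spi 0x4e5f6a7b auth hmac-sha2-256 enc blowfish
EOF
cat > "$SLAVE_SA" <<'EOF'
FLOWS:
flow esp in from 192.168.12.0/24 to 10.50.60.0/24 peer 10.15.1.33 type use
flow esp out from 10.50.60.0/24 to 192.168.12.0/24 peer 10.15.1.33 type require
SAD:
esp tunnel from 10.10.20.29 to 10.15.1.33 spi 0x0a1b2c3d auth hmac-sha2-256 enc blowfish
EOF

sa_report "$MASTER_SA" "$SLAVE_SA" || :
```

Both directions of every tunnel (the inbound and the outbound SPI) should be present on both nodes while the master is active; run the comparison once in steady state, once right after `carpdemote`, and once after moving the service back. If the tables match at every step but traffic still stalls until isakmpd is restarted, the synchronized kernel SAs are not the problem and attention moves to isakmpd's own state on the node that became master.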
