I'd start by looking at sasyncd and whether it actually works.
If it works, 'netstat -rn' should show flows at the end of its output on the
backup node.
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
<flows should be printed here>
Next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do the
initial handshake and check their IP addresses. Are you sure your carp0 IP is
talking and NOT the em0 IP?
I'd also force isakmpd to bind to a specific IP (/etc/isakmpd/isakmpd.conf):
[General]
Listen-on= <your carp0 IP goes here>
DPD-check-interval= 60
Default-phase-1-lifetime= 3600,360:86400
Default-phase-2-lifetime= 1200,160:86400
If you do the above you might need to specify srcid in your ipsec.conf:
local_gw="<your carp0 IP goes here>"
ike active esp……
main ……
quick …..
srcid $local_gw
//mxb
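The two checks suggested above (flows present on the backup node; IKE sourced from the carp0 address rather than the em0 address) as an added, offline example. This is not code from the thread or from OpenBSD: the `netstat -rn` and `tcpdump -n` samples are constructed to resemble OpenBSD output and reuse the addresses from the thread, and 10.10.20.30 is an assumed em0 address that does not appear in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Offline versions of two diagnostic
# checks: (1) does the Encap table hold any flows, (2) which address is
# isakmpd talking from during the IKE handshake. All sample output below is
# constructed; 10.10.20.30 is an assumed em0 address (not in the thread).

CARP_IP="10.10.20.29"   # carp0 address used as "local" in ipsec.conf
PEER_IP="10.15.1.33"    # the non-HA peer

# Constructed tail of `netstat -rn` on a node that has flows installed.
NETSTAT_WITH_FLOWS='Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.50.60/24        0     192.168.12/24      0     0     10.15.1.33/esp/require/out
192.168.12/24      0     10.50.60/24        0     0     10.15.1.33/esp/require/in'

# Constructed tail of `netstat -rn` on a node that got the SAs but no flows.
NETSTAT_NO_FLOWS='Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)'

# Constructed `tcpdump -n -i em0 port 500` lines, handshake sourced from carp0.
TCPDUMP_OK='20:33:05.113421 10.10.20.29.500 > 10.15.1.33.500: isakmp v1.0 exchange ID_PROT
20:33:05.118740 10.15.1.33.500 > 10.10.20.29.500: isakmp v1.0 exchange ID_PROT
20:33:05.240011 10.10.20.29.500 > 10.15.1.33.500: isakmp v1.0 exchange QUICK_MODE'

# Same exchange, but the master is talking from its (assumed) em0 address.
TCPDUMP_BAD='20:33:05.113421 10.10.20.30.500 > 10.15.1.33.500: isakmp v1.0 exchange ID_PROT
20:33:05.118740 10.15.1.33.500 > 10.10.20.30.500: isakmp v1.0 exchange ID_PROT'

# count_flows NETSTAT_TEXT
# Prints the number of flow entries listed under the "Encap:" header.
count_flows() {
    printf '%s\n' "$1" | awk '
        /^Encap:/          { inenc = 1; next }   # start of the encap table
        inenc && /^Source/ { next }              # column header, not a flow
        inenc && NF >= 6   { n++ }               # one flow per remaining line
        END                { print n + 0 }'
}

# ike_src_check TCPDUMP_TEXT LOCAL_IP
# Prints every IKE source address that is neither LOCAL_IP nor the peer;
# returns 1 if any such address was seen, 0 otherwise.
ike_src_check() {
    printf '%s\n' "$1" | awk -v want="$2" -v peer="$PEER_IP" '
        $3 != ">" { next }                     # not a "src > dst:" packet line
        {
            src = $2
            sub(/\.500$/, "", src)             # strip the UDP port from a.b.c.d.500
            if (src != want && src != peer) { print src; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Stand-alone demo on the constructed samples.
if [ "$(count_flows "$NETSTAT_WITH_FLOWS")" -gt 0 ]; then
    echo "backup node: flows present"
else
    echo "backup node: no flows, look at sasyncd"
fi
if ike_src_check "$TCPDUMP_BAD" "$CARP_IP" >/dev/null; then
    echo "IKE is sourced from carp0 ($CARP_IP)"
else
    echo "IKE is sourced from another address; bind isakmpd to $CARP_IP (Listen-on)"
fi
```

On a real box you would feed `netstat -rn` and `tcpdump -n -i em0 port 500` into the two functions instead of the constructed strings; a non-zero flow count on the backup and only the carp0 and peer addresses in the IKE capture are the expected healthy results.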
On 24 apr 2013, at 20:33, R0me0 *** <[email protected]> wrote:
> Hello misc,
>
> For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd.
> I have searched Google and misc, read the man pages and reviewed the
> configurations many times to make something work that apparently is very,
> very simple.
>
> My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with
> OpenBSD -current too):
>
> match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
> pass log
>
> ipsec.conf (both firewalls in HA; local 10.10.20.29 is the address of carp0):
>
> ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
> peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
> quick auth hmac-sha2-256 enc blowfish psk 'sapeca'
>
>
> sasyncd.conf (firewall master); network 10.20.30.0/30 is on an interface
> dedicated to communication between the firewalls:
>
> interface carp0
> group carp
> listen on 10.20.30.1 inet
> peer 10.20.30.2
> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
>
>
> sasyncd.conf (firewall slave):
>
> interface carp0
> group carp
> listen on 10.20.30.2 inet
> peer 10.20.30.1
> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
>
>
> IP forwarding and carp preempt are enabled on both firewalls.
>
>
> Steps to start it on both firewalls:
>
> isakmpd -K -S
> ipsecctl -f /etc/ipsec.conf
> sasyncd
>
>
> Other OpenBSD peer, without HA (OpenBSD 5.2):
>
> ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 \
> peer 10.10.20.29 \
> main auth hmac-sha2-256 enc blowfish \
> quick auth hmac-sha2-256 enc blowfish \
> psk 'sapeca'
>
>
> Alright,
>
> Let me explain what is occurring:
>
>
> The VPN works perfectly, I can access resources behind the 10.15.1.33 peer,
> and on the OpenBSD slave I see the SAs synchronized from the master (ipsecctl -sa).
>
> If I force a failover (on the OpenBSD master) with:
> ifconfig -g carp carpdemote 10
>
> the other node takes over and connections continue working perfectly (for
> example, a download of an OpenBSD ISO continues beautifully :) ), but:
>
> the IPsec VPN does not; it freezes and takes between 25 and 30 seconds for
> the VPN to re-establish the connection.
>
> And if I move the service back to the old OpenBSD master (ifconfig -g carp
> -carpdemote 10),
>
> the VPN freezes completely and does not come back; I need to kill isakmpd
> and start it again.
>
>
> I expected it to be transparent, like the beautiful failover, and without
> IPsec disruption.
>
> In my configuration, am I doing something wrong? Am I forgetting something?
>
> Please, can someone put me on the right track?
>
> Regards,