Hi, I think this is a fairly simple one.

Our firewalls are growing in complexity and in the number of interfaces and IPs as time goes on, and we recently hit an isakmpd limit. When isakmpd starts it tries to bind to *every* single IP on the system. We have a LOT of IPs and isakmpd now fails to initialise:

2014-02-12T10:40:29.386318+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
2014-02-12T10:40:29.386352+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.8.254
2014-02-12T10:40:29.386657+00:00 brfw1 isakmpd[404]: virtual_init: could not bind the ISAKMP port(s) on all interfaces: Too many open files

More log at bottom..

We only want isakmpd to listen on the CARP IP address on the external interface (and probably the physical IPs on the external interface), not *all* IPs.

The workaround for now was to add '-4' to the isakmpd daemon flags to restrict it to our v4 addresses. However, we will very soon have too many v4 addresses for isakmpd to cope with as well, and so need a way to instruct isakmpd to only bind the necessary IPs. This would also provide a security enhancement??

Others have reported this limitation before:
http://www.monkey.org/openbsd/archive2/misc/200502/msg00686.html

Also, if someone else finds these useful (I will commit to source one day..), I have two primitive but *very* effective enhancements I have made to /etc/rc.d/sasyncd and /etc/rc.d/isakmpd to share when running IPsec on a CARP pair (I am absolutely sure these could be more elegant in implementation, but they work and you should get the idea)..

First enhancement: when running isakmpd with CARP and sasyncd, you must use the -S and -K flags on isakmpd. This ensures isakmpd starts in passive mode and does not start negotiating with the other side *unless* it is the CARP master. Makes perfect sense..

On the master, isakmpd starts in passive mode, discovers it is master and so reads and loads ipsec.conf, and starts negotiating with the other side. On the backup, isakmpd starts in passive mode and does nothing more. If a failover occurs, however, the VPNs do not work for a loooong time! (This is because isakmpd on the backup never read the ipsec.conf file, so when it is made active it doesn't know what to do..)

/etc/rc.d/sasyncd:

#!/bin/sh
#
# $OpenBSD: sasyncd,v 1.1 2011/07/06 18:55:36 robert Exp $

daemon="/usr/sbin/sasyncd"

. /etc/rc.d/rc.subr

pexp="sasyncd: \[priv\]"

rc_start() {
	# give isakmpd (started in passive mode with -S -K) time to settle
	sleep 10
	${rcexec} "${daemon} ${daemon_flags} ${_bg}"
	sleep 5
	# load the policies so the CARP backup knows what to do on failover
	ipsecctl -f /etc/ipsec.conf
}

rc_cmd $1

This fix simply ensures that the CARP backup's isakmpd reads the ipsec.conf after starting in passive mode and has settled. VPN failovers now happen in ~2-3 seconds.

Second enhancement: when stopping isakmpd on the master or backup with '/etc/rc.d/isakmpd stop' or 'restart', subsequent starting of the tunnels can take a very long time. This seems to be because stopping isakmpd simply tears the daemon down without deconstructing the trust keys / policies, leaving obsolete expiring policies on the remote side. So restarting isakmpd can take a long time until the other side flushes or times out.

/etc/rc.d/isakmpd:

#!/bin/sh
#
# $OpenBSD: isakmpd,v 1.1 2011/07/06 18:55:36 robert Exp $

daemon="/sbin/isakmpd"

. /etc/rc.d/rc.subr

pexp="isakmpd: monitor \[priv\]"

rc_pre() {
	[ X"${sasyncd_flags}" != X"NO" ] && \
		daemon_flags="-S ${daemon_flags}"
	return 0
}

rc_stop() {
	# only the CARP master tears the flows down; -gt is needed here, a bare
	# '>' inside [ ] is a redirection and makes the test always true
	if [ `ifconfig | grep "status: master" | wc -l` -gt 0 ]; then
		ipsecctl -d -f /etc/ipsec.conf
	fi
	sleep 1
	if [ `ifconfig | grep "status: master" | wc -l` -gt 0 ]; then
		ipsecctl -d -f /etc/ipsec.conf
	fi
	if [ `ifconfig | grep "status: master" | wc -l` -gt 0 ]; then
		ipsecctl -F -f /etc/ipsec.conf
	fi
	pkill -f "^${pexp}"
}

rc_cmd $1

This fix simply gracefully deletes the flows (and informs the other side to do the same), and flushes the SPDs and SADs cleanly before destroying the daemon. Subsequent restarts now allow IPsec tunnels to come up immediately..

Hope this helps someone :)

Cheers, Andy.

isakmpd binding error:

2014-02-12T10:40:29.382031+00:00 brfw1 isakmpd[404]: udp_encap_make: transport 0x20615b500 socket 120 ip fe80:14::200:5eff:fe00:103 port 4500
2014-02-12T10:40:29.382242+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615bd00 socket 121 ip 10.0.1.254 port 500
2014-02-12T10:40:29.382423+00:00 brfw1 isakmpd[404]: udp_encap_make: transport 0x20615ba80 socket 122 ip 10.0.1.254 port 4500
2014-02-12T10:40:29.382655+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615bc80 socket 123 ip 10.2.3.254 port 500
2014-02-12T10:40:29.382873+00:00 brfw1 isakmpd[404]: udp_encap_make: transport 0x20615bf80 socket 124 ip 10.2.3.254 port 4500
2014-02-12T10:40:29.383485+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b880 socket 127 ip fe80:15::200:5eff:fe00:104 port 500
2014-02-12T10:40:29.383524+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (24, 2, 17): Too many open files
2014-02-12T10:40:29.383549+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on fe80:15::200:5eff:fe00:104
2014-02-12T10:40:29.383728+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b300 socket 127 ip 10.0.2.254 port 500
2014-02-12T10:40:29.383742+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
2014-02-12T10:40:29.383772+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.0.2.254
2014-02-12T10:40:29.383977+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b880 socket 127 ip 10.2.5.254 port 500
2014-02-12T10:40:29.383990+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
2014-02-12T10:40:29.384069+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.5.254
2014-02-12T10:40:29.384786+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615bb00 socket 127 ip fe80:16::200:5eff:fe00:105 port 500
2014-02-12T10:40:29.384800+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (24, 2, 17): Too many open files
2014-02-12T10:40:29.384828+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on fe80:16::200:5eff:fe00:105
2014-02-12T10:40:29.385092+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b080 socket 127 ip 10.0.3.254 port 500
2014-02-12T10:40:29.385120+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
2014-02-12T10:40:29.385253+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.0.3.254
2014-02-12T10:40:29.385488+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b080 socket 127 ip 10.2.7.254 port 500
2014-02-12T10:40:29.385506+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
2014-02-12T10:40:29.385526+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.7.254
2014-02-12T10:40:29.385999+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b200 socket 127 ip fe80:17::200:5eff:fe00:108 port 500
2014-02-12T10:40:29.386014+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (24, 2, 17): Too many open files
2014-02-12T10:40:29.386073+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on fe80:17::200:5eff:fe00:108
2014-02-12T10:40:29.386300+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b080 socket 127 ip 10.2.8.254 port 500
2014-02-12T10:40:29.386318+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
2014-02-12T10:40:29.386352+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.8.254
2014-02-12T10:40:29.386657+00:00 brfw1 isakmpd[404]: virtual_init: could not bind the ISAKMP port(s) on all interfaces: Too many open files
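An added example, not from Andy's post and not OpenBSD's own rc.d code: the CARP master check from the stop hook rewritten as shell functions that take ifconfig output as an argument (so they can be exercised on sample text), together with a rough count of the UDP sockets isakmpd will open for the addresses in that output. The log above shows two sockets per address (udp_make on port 500, udp_encap_make on port 4500) and the last descriptor it got was 127, so the count lets you see before a restart whether the -4 workaround still keeps the daemon under its open-files limit. The ifconfig text is constructed sample data; the IPSECCTL hook, the 128-descriptor limit and the 8 spare descriptors are assumptions; and the flush is issued as a plain ipsecctl -F. Note the comparison: inside [ ], a bare > is a redirection, so the post's test compared nothing and was always true (and left a file named 0 behind); -gt does the numeric comparison that was intended.

```shell
#!/bin/sh
# Added example (not from the original post or OpenBSD's rc.d scripts).
# Helpers for a CARP-aware isakmpd stop hook plus a socket-count estimate.
# All functions take ifconfig(8) output as $1 so they can run on sample text.

# Constructed sample ifconfig output: one master CARP interface, one backup,
# four inet and two inet6 addresses in total. Sample data only.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
        inet 10.0.1.254 netmask 0xffffff00 broadcast 10.0.1.255
        inet 10.0.2.254 netmask 0xffffff00 broadcast 10.0.2.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        status: master
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 2 advbase 1 advskew 100
        status: backup
        inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255'

# Number of interfaces reporting "status: master" in the given ifconfig text.
carp_master_count() {
    printf '%s\n' "$1" | awk '$1 == "status:" && $2 == "master" { n++ } END { print n + 0 }'
}

# True (exit 0) when at least one CARP interface is master. This is the test
# the post's rc_stop wanted: inside [ ] a bare ">" is a redirection, which
# made the original always true, so -gt is used for the numeric comparison.
is_carp_master() {
    [ "$(carp_master_count "$1")" -gt 0 ]
}

# Estimate the UDP sockets isakmpd will open: one on port 500 and one on
# port 4500 per address, as the udp_make/udp_encap_make log lines show.
# $2 selects the family like the -4/-6 flags: "inet", "inet6", or "" for both.
isakmpd_socket_estimate() {
    printf '%s\n' "$1" | awk -v fam="$2" '
        ($1 == "inet" || $1 == "inet6") && (fam == "" || $1 == fam) { n++ }
        END { print 2 * n }'
}

# True when the estimate ($1) plus headroom ($3, assumed: PF_KEY socket,
# fifo, config and log files) fits under the open-files limit ($2).
fits_open_files_limit() {
    [ $(( $1 + $3 )) -le "$2" ]
}

# Restructured stop hook: check master state once, then delete the flows
# (the peer is told) and flush before the daemon is killed. IPSECCTL is an
# assumed hook so a test or dry run can substitute a recorder for the binary.
# Returns 0 when a teardown was issued, 1 when this host is not master.
IPSECCTL=${IPSECCTL:-ipsecctl}
teardown_if_master() {
    if is_carp_master "$1"; then
        "$IPSECCTL" -d -f /etc/ipsec.conf
        sleep 1
        "$IPSECCTL" -F
        return 0
    fi
    return 1
}

# Report for the sample data against an assumed 128-descriptor limit with
# 8 spare descriptors; the post's log stops at descriptor 127.
report() {
    for fam in "" inet inet6; do
        est=$(isakmpd_socket_estimate "$1" "$fam")
        if fits_open_files_limit "$est" 128 8; then verdict=ok; else verdict=over; fi
        printf 'family=%-5s sockets=%-3s %s\n' "${fam:-both}" "$est" "$verdict"
    done
}

report "$SAMPLE_IFCONFIG"
```

To use it on a real box, feed `"$(ifconfig)"` instead of the sample and set IPSECCTL to `echo` for a dry run of the teardown; on the sample data the report gives 12 sockets for both families, 8 with inet only and 4 with inet6 only.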

