My failover isakmpd setup doesn't fail over transparently when the
master goes down. SAs and flows are properly synced using sasyncd, but
when the backup node becomes master (and isakmpd is set to active
mode), it fails to find any SAs and continues to renegotiate both
phase 1 and 2, resulting in ~25 seconds of downtime.
Is this a known issue with sasyncd/isakmpd? There are some mentions
of:
"There are serious bugs in sasyncd. Please do not use it yet."
http://readlist.com/lists/openbsd.org/misc/7/37596.html (2006)
"since phase 1 SAs are not synchronized between fail-over peers, if a
phase 1 SA has been negotiated between the peers prior to fail-over,
future IKE exchanges will fail until a new phase 1 SA is
negotiated."
http://members.iinet.net.au/~nathanael/OpenBSD/sasyncd.html (2006)
(No mention of phase 2, though. Renegotiating ph1 is no problem.)
To reproduce: Use a simple ipsec.conf[1,2] setup together with
sasyncd[3,4] and carp[5,6] to establish the VPN. Verify that SAs and flows
are synced to the slave node[7]. Run 'halt' on the master. The slave takes over
the carp IP, sasyncd triggers master/active mode in isakmpd, but isakmpd
fails to find the existing SAs and continues to create new ones[8]. See
the debug log[9] below.
[0] Details:
uname: OpenBSD vpn1 4.3 GENERIC#1368 amd64
isakmpd rc.conf args: -S -L -K -f /var/run/isakmpd.fifo
sasyncd rc.conf args: -vvv
Network setup:
host1 <-> left peer <===> redundant right peer <-> host2
(20.0.0.11 <===> 10.0.0.11 [failover IP])
[1] Left peer ipsec.conf:
ike esp from 20.0.0.11 to 10.0.0.11 \
local 20.0.0.11 peer 10.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] \
psk hulahoop
ike esp from 20.0.1.5/32 to 10.0.0.5/32 peer 10.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
[2] Right master *and* slave peer ipsec.conf:
ike esp from 10.0.0.11 to 20.0.0.11 \
local 10.0.0.11 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] \
psk hulahoop
ike esp from 10.0.0.5/32 to 20.0.1.5/32 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
[3] Right master sasyncd.conf:
interface carp0
group carp
flushmode startup
listen on 172.16.0.1 #on dedicated interface
peer 172.16.0.2
sharedkey XAue7iaeutia4Apu
[4] Right slave sasyncd.conf:
interface carp0
group carp
flushmode startup
listen on 172.16.0.2 #on dedicated interface
peer 172.16.0.1
sharedkey XAue7iaeutia4Apu
[5] Right master hostname.carp0:
inet 10.0.0.11 255.255.255.0 10.0.0.255 vhid 8 pass lalaloop
[6] Right slave hostname.carp0:
inet 10.0.0.11 255.255.255.0 10.0.0.255 vhid 8 advskew 100 pass lalaloop
[7] Right master *and* slave 'ipsecctl -s all' before failover:
FLOWS:
flow esp in from 20.0.0.11 to 10.0.0.11 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] type use
flow esp out from 10.0.0.11 to 20.0.0.11 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] type require
flow esp in from 20.0.1.5 to 10.0.0.5 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] type use
flow esp out from 10.0.0.5 to 20.0.1.5 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] type require
SAD:
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0x26087514 \
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xd9c07e5c \
auth hmac-sha2-256 enc aes
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0xe34e079c \
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xf8bbcd63 \
auth hmac-sha2-256 enc aes
[8] Right slave 'ipsecctl -s all' after failover:
FLOWS:
flow esp in from 20.0.0.11 to 10.0.0.11 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] type use
flow esp out from 10.0.0.11 to 20.0.0.11 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] type require
flow esp in from 20.0.1.5 to 10.0.0.5 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] type use
flow esp out from 10.0.0.5 to 20.0.1.5 peer 20.0.0.11 \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] type require
SAD:
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0x25cc7145 \
auth hmac-sha2-256 enc aes
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0x26087514 \
auth hmac-sha2-256 enc aes
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0x58130b71 \
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0x8282bbed \
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xd9c07e5c \
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xdbcc67a0 \
auth hmac-sha2-256 enc aes
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0xe34e079c \
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xf8bbcd63 \
auth hmac-sha2-256 enc aes
[9] Right slave /var/log/daemon with isakmpd high debug level, during
failover:
51:11 sasyncd: carp_update_state: switching state to MASTER
51:11 sasyncd: net_ctl: peer "172.16.0.1" state change to INIT
51:11 isakmpd: pf_key_v2_read:bad version (2) or PID (3722, mine is 22549),
ignored
51:11 sasyncd: net_disconnect_peer: peer "172.16.0.1" removed
51:11 isakmpd: ui_setmode: switching to active mode
51:20 isakmpd: timer_handle_expirations: event
connection_checker(0x40a683e0)
51:20 isakmpd: conf_get_str: configuration value not found
[General]:check-interval
51:20 isakmpd: timer_add_event: event connection_checker(0x40a683e0) added
last, expiration in 60s
51:20 isakmpd: sa_find: no SA matched query
51:20 isakmpd: pf_key_v2_connection_check: SA for IPsec-10.0.0.11-20.0.0.11
missing
51:20 isakmpd: conf_get_str: [IPsec-10.0.0.11-20.0.0.11]:Phase->2
51:20 isakmpd: conf_get_str: [IPsec-10.0.0.11-20.0.0.11]:ISAKMP-peer->
peer-20.0.0.11
51:20 isakmpd: sa_find: no SA matched query
51:20 isakmpd: conf_get_str: [peer-20.0.0.11]:Phase->1
51:20 isakmpd: conf_get_str: [peer-20.0.0.11]:Phase->1
51:20 isakmpd: conf_get_str: configuration value not found
[peer-20.0.0.11]:Transport
51:20 isakmpd: conf_get_str: configuration value not found
[peer-20.0.0.11]:Port
51:20 isakmpd: conf_get_str: [peer-20.0.0.11]:Address->20.0.0.11
51:20 isakmpd: conf_get_str: [peer-20.0.0.11]:Local-address->10.0.0.11
51:20 isakmpd: transport_setup: added 0x4e359200 to transport list
51:20 isakmpd: conf_get_str: configuration value not found
[peer-20.0.0.11]:Port
51:20 isakmpd: conf_get_str: [peer-20.0.0.11]:Address->20.0.0.11
51:20 isakmpd: conf_get_str: [peer-20.0.0.11]:Local-address->10.0.0.11
51:20 isakmpd: transport_setup: added 0x4e359280 to transport list
51:20 isakmpd: transport_setup: virtual transport 0x4e359300
51:20 isakmpd: conf_get_str: [peer-20.0.0.11]:Configuration->mm-20.0.0.11
51:20 isakmpd: conf_get_str: configuration value not found
[mm-20.0.0.11]:DOI
51:20 isakmpd: conf_get_str: [mm-20.0.0.11]:EXCHANGE_TYPE->ID_PROT
51:20 isakmpd: conf_get_str: [General]:Exchange-max-time->120
51:20 isakmpd: timer_add_event: event exchange_free_aux(0x44e52c00) added
last, expiration in 120s
51:20 isakmpd: conf_get_str: [peer-20.0.0.11]:Configuration->mm-20.0.0.11
51:20 isakmpd: conf_get_str: configuration value not found
[peer-20.0.0.11]:Flags
51:20 isakmpd: hash_get: requested algorithm 1
51:20 isakmpd: exchange_establish_p1: 0x44e52c00 peer-20.0.0.11 mm-20.0.0.11
policy initiator phase 1 doi 1 exchange 2 step 0
51:20 isakmpd: exchange_establish_p1: icookie 866778fcabdc8cc8
rcookie 0000000000000000
[.. set up phase 1 and then new phase 2 ..]
sven
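The before/after SAD listings in [7] and [8] are the evidence for the symptom: the four SPIs that sasyncd replicated are still present on the slave after failover, yet isakmpd negotiated four more. The following script is an added example for this thread (not part of the original post and not an OpenBSD tool): it parses the SAD section of `ipsecctl -s all` output in the line format shown above, diffs the SPI sets of two dumps, and flags the "synced SAs retained but new ones negotiated anyway" condition. The sample dumps are abridged from [7] and [8] (srcid/dstid fields dropped); the function names are this example's own.

```python
"""Diff the IPsec SAD of a sasyncd/CARP peer before and after failover.

Added example for this thread, not OpenBSD code. Input is the text that
`ipsecctl -s all` (or `ipsecctl -s sad`) prints; continuation lines ending
in a backslash are joined as ipsecctl prints them.
"""
import re
from collections import namedtuple

SA = namedtuple("SA", "src dst spi auth enc")

# "esp tunnel from A to B spi 0x... auth X enc Y" after joining continuations.
_SA_RE = re.compile(
    r"^esp\s+(?:tunnel|transport)\s+from\s+(\S+)\s+to\s+(\S+)\s+spi\s+(0x[0-9a-fA-F]+)"
    r"(?:\s+auth\s+(\S+))?(?:\s+enc\s+(\S+))?"
)


def _join_continuations(text):
    """Join lines that end in a backslash into one logical line."""
    out, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def parse_sad(text):
    """Return the SAs listed under 'SAD:'; a FLOWS section, if present, is skipped."""
    sas = []
    in_sad = "SAD:" not in text  # plain `ipsecctl -s sad` output has no header
    for line in _join_continuations(text):
        if line == "SAD:":
            in_sad = True
            continue
        if line == "FLOWS:":
            in_sad = False
            continue
        m = _SA_RE.match(line) if in_sad else None
        if m:
            src, dst, spi, auth, enc = m.groups()
            sas.append(SA(src, dst, int(spi, 16), auth, enc))
    return sas


def failover_report(before, after):
    """Classify SAs by (src, dst, spi) across the failover.

    retained: in both dumps  -> sasyncd replicated them to the slave.
    new:      only after     -> isakmpd negotiated a fresh phase 2 SA.
    lost:     only before    -> dropped (e.g. flushmode) or expired.
    Transparent failover means retained == before and new is empty.
    """
    key = lambda sa: (sa.src, sa.dst, sa.spi)
    b = {key(sa) for sa in before}
    a = {key(sa) for sa in after}
    return {"retained": sorted(b & a), "new": sorted(a - b), "lost": sorted(b - a)}


def renegotiated_despite_sync(report):
    """True when synced SAs survived but isakmpd still negotiated new ones."""
    return bool(report["retained"]) and bool(report["new"])


# Sample input, abridged from the post's listings [7] (master, before) and [8]
# (slave, after failover).
BEFORE_DUMP = """FLOWS:
flow esp in from 20.0.0.11 to 10.0.0.11 peer 20.0.0.11 type use
flow esp out from 10.0.0.11 to 20.0.0.11 peer 20.0.0.11 type require
SAD:
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0x26087514 \\
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xd9c07e5c \\
auth hmac-sha2-256 enc aes
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0xe34e079c \\
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xf8bbcd63 \\
auth hmac-sha2-256 enc aes
"""

AFTER_DUMP = """SAD:
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0x25cc7145 \\
auth hmac-sha2-256 enc aes
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0x26087514 \\
auth hmac-sha2-256 enc aes
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0x58130b71 \\
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0x8282bbed \\
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xd9c07e5c \\
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xdbcc67a0 \\
auth hmac-sha2-256 enc aes
esp tunnel from 20.0.0.11 to 10.0.0.11 spi 0xe34e079c \\
auth hmac-sha2-256 enc aes
esp tunnel from 10.0.0.11 to 20.0.0.11 spi 0xf8bbcd63 \\
auth hmac-sha2-256 enc aes
"""

if __name__ == "__main__":
    rep = failover_report(parse_sad(BEFORE_DUMP), parse_sad(AFTER_DUMP))
    for kind in ("retained", "new", "lost"):
        print(kind, ["%s->%s %#x" % k for k in rep[kind]])
    print("renegotiated despite sync:", renegotiated_despite_sync(rep))
```

In practice you would capture `ipsecctl -s all` on the master before pulling it and on the slave after it takes over, and feed both files to `parse_sad`. An empty `retained` set points at sasyncd (nothing was replicated); a non-empty `retained` together with a non-empty `new` set is the behaviour described in this post, where the replicated SAs are present in the kernel but isakmpd's `sa_find` does not match them.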