Hello, list!

Using OpenBSD 4.9 GENERIC.MP#819 amd64, if relevant.

I have 3 offices, each of them with a couple of firewalls, running
isakmpd/sasyncd, carp/pfsync, ifstated, and of course pf, for firewalls
handling 10 vlans, and 1 ADSL + 1 SDSL link.
Both ISPs provide us with a single public IP. I configured my public
carps like this:
hostname.emx: up
hostname.carpx: inet...carpdev emx vhid...advbase...advskew...pass...


When I attempt to join a remote backup firewall, the connection times out.
Also, when I ssh from the master firewall to the backup one and try to
join the IPSEC remote networks, tcpdump confirms the traffic goes through enc0.

I still can't join them if, in my ifstated.conf, I add static routes
so the carp backup uses the carp master as gateway for the IPSEC remote networks.


At first I would kill these IPSEC esp/flows on the carp backup, so that
traffic used my static route.
Then I added a pf rule in both firewalls so traffic going to the other
firewall is natted with the master's IP, in the required vlan. This seems
to work just fine, and remains the cleanest way I could think of for now.

Maybe I could try playing with pf anchors? This way, I might also be
able to allow the backup firewall to join remote networks.
Since I managed to configure them as puppet clients, they sometimes try
to update their configuration. Having the backup firewall take
mastership without its updated configuration is quite a shame. I could
add some puppetd -vdt in my ifstated configuration file, however I'm
not sure this is a good idea.

Last observation: we also have, in a data-center, another pair of
OpenBSD firewalls. There, we actually have one public IP per firewall. And
moreover, joining the backup firewall from remote networks is not a
problem.
IPSEC traffic leaves the backup firewall, announcing its carp IP, traffic
comes back to the master, the master re-routes it to the slave, the slave talks
for itself, ... and everything works just fine.


Whatever. My questions are:

- is there a way I missed to configure isakmpd (or sasyncd?) so that
   my slaves do not actually try to use its shared tunnels?

- does anyone here know about some 'good practice' I'm missing,
   regarding carp using a single IP?
   And isn't this use of carp kinda ugly?
   May I add the carp IP as the physical interface's IP (in hostname.emx,
   instead of 'up', actually configuring my IP)? I'm just thinking about
   this one, it looks doable, I'll check on that...


Kind regards.

-- 
Samuel Martín Moro
EPITECH 2011
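An added illustration of the two mechanisms the post describes (static routes toward the master managed from ifstated on the backup, and a pf NAT rule on the master), not the poster's own files: carp10 / vlan addresses 10.0.10.1 (shared) and 10.0.10.3 (backup), the remote network 192.0.2.0/24 and the enc0 placement of the NAT rule are all assumed. As the poster reports, the route alone is not enough while the backup still holds its own flows for that network.

```conf
# --- /etc/ifstated.conf on the BACKUP firewall (assumed names) ---
# carp10.link.up is true only while this host is carp master.
init-state auto

carp_up   = "carp10.link.up"
carp_down = "carp10.link.down"

state auto {
	if $carp_up
		set-state master
	if $carp_down
		set-state backup
}

state backup {
	init {
		# while backup, hand traffic for the remote network to the
		# master via the shared vlan address (assumed 10.0.10.1)
		run "route -n add -net 192.0.2.0/24 10.0.10.1"
	}
	if $carp_up
		set-state master
}

state master {
	init {
		# once master, the tunnel is ours: drop the detour route
		run "route -n delete -net 192.0.2.0/24"
	}
	if $carp_down
		set-state backup
}

# --- /etc/pf.conf on the MASTER firewall (4.7+ nat-to syntax, assumed) ---
# Packets the backup (10.0.10.3) sends toward the remote network enter
# the tunnel with the shared address as source, so the peer sees only
# the master's address.
match out on enc0 from 10.0.10.3 to 192.0.2.0/24 nat-to 10.0.10.1
```

Check with `ifstated -n` and `pfctl -nf /etc/pf.conf` before loading; `route -n show` on the backup should list the detour route only while carp10 is in backup state.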
