On 01/20/12 19:50, Samuel Martin Moro wrote:
>
> Hello, list!
>
> Using OpenBSD 4.9 GENERIC.MP#819 amd64 - if at all relevant.
>
> I have 3 offices, each of them with a couple of firewalls, running
> isakmpd/sasyncd, carp/pfsync, ifstated, and of course pf, for firewalls
> handling 10 vlans, and 1 ADSL + 1 SDSL link.
> Both ISPs provide us with a single public IP. I configured my public
> carps like this:
> hostname.emx: up
> hostname.carpx: inet...carpdev emx vhid...advbase...advskew...pass...
>
> When I attempt to join a remote backup firewall, the connection times out.
> Also, using the master firewall to ssh to the backup one, when I try to
> join IPSEC remote networks, tcpdump confirms traffic goes through enc0.
>
> I still can't join them if, in my ifstated.conf, I add static routes
> so the carp backup uses the carp master as gateway for IPSEC remote networks.
>
> I first used to kill these IPSEC esp/flows on the carp backup, so
> traffic uses my static route.
> Then I added a pf rule in both firewalls so traffic going to the other
> firewall is natted with the master's IP, in the required vlan. This seems
> to work just fine, and remains the cleanest way I could think of for now.
>
> Maybe I could try playing with pf anchors? This way, I might also be
> able to allow the backup firewall to join remote networks.
> Since I managed to configure them as puppet clients, they sometimes try
> to update their configuration. Having the backup firewall take
> mastership without its updated configuration is quite a shame. I could
> add some puppetd -vdt in my ifstated configuration file, however I'm
> not sure this is a good idea.
>
> Last observation: we also have, in a data-center, another pair of
> OpenBSD boxes. There, we actually have one public IP per firewall. And
> moreover, joining the backup firewall from remote networks is not a
> problem.
> IPSEC traffic leaves the backup firewall, announcing its carp IP, traffic
> comes back to the master, the master re-routes it to the slave, the slave
> talks for itself, ... and everything works just fine.
>
> Whatever. My questions are:
>
> - is there a way I missed, to configure isakmpd (or sasyncd?) so that
> my slaves do not try to actually use its shared tunnels?
>
> - does anyone here know about some 'good practice' I'm missing,
> regarding carp using a single IP?
> and, isn't this use of carp kinda ugly?
> may I add the carp IP as the physical interface's IP (in hostname.emx,
> instead of 'up', actually configuring my IP)? I'm just thinking about
> this one, this looks doable, I'll check on that...
>
> Kind regards.

Hi again,

I tried configuring my carp IP both in my carp and my physical
interfaces. From now on, I'm able to reach the remote IPSEC end with
the backup firewalls.

Sorry for the noise.

Regards.

--
Samuel Martin Moro
EPITECH 2011
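The two layouts the thread contrasts, written out as hostname.if(5) fragments; this is an added illustration, not configuration from the original poster. The interface names em0/carp0, vhid 10, the 192.0.2.0/24 addresses and the CHANGEME pass are assumed placeholders, and the single public address is the one shared IP the ISP hands out.

```conf
# --- Layout from the first message: the physical interface only comes up,
# --- and the public IP lives solely on the carp interface.

# /etc/hostname.em0
up

# /etc/hostname.carp0   (master; the backup uses the same line with advskew 100)
inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 10 carpdev em0 advbase 1 advskew 0 pass CHANGEME

# --- Layout from the follow-up: the same public IP is also configured on the
# --- physical interface, which is what let the backup reach the remote IPSEC end.

# /etc/hostname.em0
inet 192.0.2.10 255.255.255.0 NONE

# /etc/hostname.carp0   (unchanged; backup again differs only in advskew)
inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 10 carpdev em0 advbase 1 advskew 0 pass CHANGEME
```

The backup's advskew must stay higher than the master's so that mastership is not contested once both carp interfaces are up; `sh /etc/netstart em0 carp0` applies the files without a reboot.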

