Hi Misc.
I have two locations, A and B, in my lab.
In location A there is an isakmpd + carp + pfsync + sasync cluster on
which OpenBSD 5.2 GENERIC.MP#339 i386 is installed.
In location B there is a single OpenBSD 5.2 GENERIC#278 i386 installation.
I have successfully established an IPsec site-to-site connection between
those two locations and everything works fine until failover occurs in
the cluster in location A (I am using the ifconfig -g carp carpdemote 128
command on the MASTER node to force the failover).
When failover occurs, pfsync increases the sequence number on the new MASTER
node by 16384 and the cluster continues sending ESP packets with the new,
increased value (for example, if the last seq number on the old MASTER
was sent with a value equal to 100, the new MASTER will send its first
packet with a seq number equal to 16484).
On the OpenBSD 5.2 in location B, using tcpdump I am able to see ESP
packets, with the new increased seq number, on the physical interface,
but I do not see any transmission on the enc0 interface. The ESP packets are
continuously going out of cluster A and are continuously, silently
dropped on the OpenBSD in location B. All IPsec transmission is broken until
new SAs are established and the seq number is reset to 0.
I noted that starting from OpenBSD 5.2 there is added support
for Extended Sequence Numbers in the IPsec stack, so I went back with the
version of OpenBSD on the server located in B from 5.2 to 5.1
GENERIC#160 i386, copied all configuration files to it, established once
again IPsec between A and B, and from that point everything started to
work perfectly. Now I am able to switch nodes in cluster A (of course the seq
number, every time I switch nodes, is increased by 16384) and OpenBSD 5.1
in location B successfully decrypts and encrypts the connection. I am able to
see packets, going in both directions, on interface enc0, as well as
ESP packets on the physical interface on OpenBSD 5.1.
Is there a bug in the implementation of ESN in the new IPsec stack on OpenBSD 5.2, or
do I need additional configuration to make the above setup start to
work properly?
Please let me know if you need any additional information.
Thanks for advice, regards,
Bartosz Brzozowski
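The post turns on how an ESP receiver treats a sequence number that jumps forward by 16384 after a pfsync failover, and on the difference ESN makes. The following is an added illustration, not code from the post or from OpenBSD's IPsec stack: a receiver-side anti-replay window in the style of RFC 4303 Appendix A, with optional 64-bit ESN inference. It assumes a 64-packet window and models only the sequence-number check, not the ICV, so for ESN it shows which epoch the receiver would try before verifying integrity.

```python
MASK32 = 0xFFFFFFFF

class ReplayWindow:
    """ESP receiver anti-replay window (RFC 4303 Appendix A); esn=True adds 64-bit ESN inference."""
    def __init__(self, esn=False, window=64):
        self.esn = esn
        self.window = window   # 64 packets is an assumed, common default
        self.top = 0           # highest accepted sequence number (64-bit when ESN is on)
        self.bitmap = 1        # bit i set => (top - i) already seen; seq 0 is never valid on the wire

    def _full_seq(self, seq_low):
        """Infer the full sequence number from the 32 bits carried in the ESP header."""
        if not self.esn:
            return seq_low
        seqh, seql = self.top >> 32, self.top & MASK32
        if seql >= self.window - 1:      # window does not straddle a 2^32 boundary
            high = seqh if seq_low >= seql - self.window + 1 else seqh + 1
        else:                            # window wraps: only very high low-order values belong to seqh-1
            high = seqh - 1 if seq_low >= (seql - self.window + 1) & MASK32 else seqh
        # Values below the window are assumed to be the next epoch; RFC 4303 leaves stale ones to the ICV.
        return (high << 32) | seq_low

    def accept(self, seq_low):
        """True (and window updated) if the packet is new; False if replayed or stale."""
        seq = self._full_seq(seq_low)
        if seq < 0:
            return False                 # would predate the SA (epoch -1)
        if seq > self.top:               # ahead of the window: slide it forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1) if shift < self.window else 0
            self.bitmap |= 1
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.window or (self.bitmap >> back) & 1:
            return False                 # behind the window, or already seen
        self.bitmap |= 1 << back
        return True

def failover_scenario(esn):
    """Old MASTER sent seq 1..100; the new MASTER resumes at 100 + 16384, as in the post."""
    w = ReplayWindow(esn=esn)
    for s in range(1, 101):
        w.accept(s)
    # jump accepted, next packet accepted, replay of 16484 rejected, 16486 accepted
    return (w.accept(16484), w.accept(16485), w.accept(16484), w.accept(16486))

def wrap_scenario(esn):
    """Low-order 32 bits wrap around: only an ESN-aware receiver keeps accepting."""
    w = ReplayWindow(esn=esn)
    return (w.accept(0xFFFFFF00), w.accept(0xFFFFFFFE), w.accept(5))
```

With or without ESN, a forward jump of 16384 is simply accepted and the window slides, so a receiver that drops such packets is not doing so because of the replay window itself.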