I think that this is not needed :)
2013/4/25 mxb <[email protected]>

> According to carp(4):
>
> "Assume that host A is the preferred master and 192.168.1.x/24 is
> configured on one physical interface and 192.168.2.y/24 on another. This
> is the setup for host A:"
>
> E.g., this means that you have to configure em0 with an IP, if em0 is the
> physical NIC used for carp0.
>
>
> On 25 apr 2013, at 13:16, R0me0 *** <[email protected]> wrote:
>
> > mxb - my em's do not have any IP, only "up" inside hostname.emX
> >
> > my advskew is 100 on the backup node
> >
> >
> > 2013/4/24 mxb <[email protected]>
> >
> >> Then there is also a question regarding how quickly your CARP will fail
> >> over, e.g. what is your advskew on the backup node?
> >>
> >> On 24 apr 2013, at 22:30, mxb <[email protected]> wrote:
> >>
> >> > I'd start by looking at sasyncd and whether it actually works.
> >> > If it works, 'netstat -rn' should show flows at the end of its output on
> >> > the backup node.
> >> >
> >> > Encap:
> >> > Source  Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
> >> > <flows should be printed here>
> >> >
> >> > Next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do
> >> > the initial handshake and check their IP addresses. Are you sure your
> >> > carp0 IP is talking and NOT the em0 IP?
> >> >
> >> > I'd also force isakmpd to bind to a specific IP
> >> > (/etc/isakmpd/isakmpd.conf):
> >> >
> >> > [General]
> >> > Listen-on= <your carp0 IP goes here>
> >> > DPD-check-interval= 60
> >> > Default-phase-1-lifetime= 3600,360:86400
> >> > Default-phase-2-lifetime= 1200,160:86400
> >> >
> >> > If you do the above you might need to specify srcid in your ipsec.conf:
> >> >
> >> > local_gw="<your carp0 IP goes here>"
> >> >
> >> > ike active esp
> >> >     main
> >> >     quick ..
> >> >     srcid $local_gw
> >> >
> >> >
> >> > //mxb
> >> >
> >> > On 24 apr 2013, at 20:33, R0me0 *** <[email protected]> wrote:
> >> >
> >> >> Hello misc,
> >> >>
> >> >> For a couple of days I have been fighting with OpenBSD+IPsec+sasyncd.
> >> >> I searched Google and misc, read the man pages and reviewed the
> >> >> configurations many times to make something work that is apparently
> >> >> very, very simple.
> >> >>
> >> >> My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with
> >> >> OpenBSD -current too):
> >> >>
> >> >> match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
> >> >> pass log
> >> >>
> >> >> ipsec.conf (both firewalls in HA; local 10.10.20.29 is the address of
> >> >> carp0):
> >> >>
> >> >> ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
> >> >>     peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
> >> >>     quick auth hmac-sha2-256 enc blowfish psk 'sapeca'
> >> >>
> >> >> sasyncd.conf (firewall master); network 10.20.30.0/30 is on an
> >> >> interface dedicated to communication between the firewalls:
> >> >>
> >> >> interface carp0
> >> >> group carp
> >> >> listen on 10.20.30.1 inet
> >> >> peer 10.20.30.2
> >> >> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
> >> >>
> >> >> sasyncd.conf (firewall slave):
> >> >>
> >> >> interface carp0
> >> >> group carp
> >> >> listen on 10.20.30.2 inet
> >> >> peer 10.20.30.1
> >> >> sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
> >> >>
> >> >> IP forwarding and carp preempt are enabled on both firewalls.
> >> >>
> >> >> Steps to start on both firewalls:
> >> >>
> >> >> isakmpd -K -S
> >> >> ipsecctl -f /etc/ipsec.conf
> >> >> sasyncd
> >> >>
> >> >> Other OpenBSD peer without HA (OpenBSD 5.2):
> >> >>
> >> >> ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer 10.10.20.29 \
> >> >>     main auth hmac-sha2-256 enc blowfish \
> >> >>     quick auth hmac-sha2-256 enc blowfish \
> >> >>     psk 'sapeca'
> >> >>
> >> >> Alright,
> >> >>
> >> >> Let me explain what is occurring:
> >> >>
> >> >> The VPN works perfectly, I can access resources behind the 10.15.1.33
> >> >> peer, and on the OpenBSD slave I see the SAs synchronized from the
> >> >> master (ipsecctl -sa).
> >> >>
> >> >> If I force a failover (on the OpenBSD master) with:
> >> >>
> >> >> ifconfig -g carp carpdemote 10
> >> >>
> >> >> the other node takes over and connections continue working perfectly
> >> >> (for example, a download of the OpenBSD ISO continues beautifully :)),
> >> >> but the IPsec VPN does not: it freezes and takes between 25s and 30s for
> >> >> the VPN to re-establish the connection.
> >> >>
> >> >> And if I move the service back to the old OpenBSD master (ifconfig -g
> >> >> carp -carpdemote 10), the VPN freezes completely and does not come
> >> >> back; I need to kill isakmpd and start it again.
> >> >>
> >> >> I expected it to be transparent, like the beautiful failover, and
> >> >> without IPsec disruption.
> >> >>
> >> >> Am I doing something wrong in my configuration? Am I forgetting
> >> >> something?
> >> >>
> >> >> Please, can someone put me on the correct way?
> >> >>
> >> >> Regards,
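The checks mxb asks for in the thread (flows present in the Encap section of netstat -rn on the backup, isakmpd pinned to the carp0 address rather than answering on em0, and which node currently holds MASTER) can be scripted so they are run the same way on both firewalls after every failover test. The script below is an added example and is not code from the thread or from OpenBSD; the SAMPLE_* strings are constructed to resemble OpenBSD command output and config (the addresses are the ones the poster gave), and the function names and the CARP_ADDR variable are this example's own. On a real host, pipe the live command output into the same functions instead of the samples.

```shell
#!/bin/sh
# Added example, not code from the thread: offline checks for the things mxb
# asked the poster to verify on a sasyncd/CARP pair. The SAMPLE_* strings are
# constructed to look like OpenBSD output and config; the real commands to feed
# in are noted next to each function. Addresses are the ones from the thread.

CARP_ADDR=10.10.20.29   # the address carried by carp0 in the poster's setup

# Count the flow lines in the "Encap:" section of `netstat -rn` (read on stdin).
# On the backup node this should be non-zero, and match the master, once
# sasyncd is actually syncing; zero flows there means failover cannot be clean.
count_encap_flows() {
    awk '
        /^Encap:/             { in_encap = 1; next }   # section header
        in_encap && /^Source/ { next }                 # column titles
        in_encap && NF == 0   { in_encap = 0; next }   # blank line ends the section
        in_encap              { n++ }
        END                   { print n + 0 }
    '
}

# The address isakmpd is told to bind to, from the [General] section of
# isakmpd.conf (read on stdin). Empty output means no Listen-on= line, so
# isakmpd may answer IKE on every address, including the em0 one.
isakmpd_listen_on() {
    awk -F= '
        /^\[/ { sect = $0 }
        sect == "[General]" && $1 ~ /^[[:space:]]*Listen-on[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print $2; exit
        }
    '
}

# CARP state word (MASTER/BACKUP/INIT) from `ifconfig carp0` (read on stdin).
carp_state() {
    awk '$1 == "carp:" { print $2; exit }'
}

# Verdict for one node: returns 0 when the node looks ready for a transparent
# failover, 1 otherwise, printing each problem found.
check_node() {
    state=$1 flows=$2 listen=$3 rc=0
    if [ "$listen" != "$CARP_ADDR" ]; then
        echo "isakmpd Listen-on is '$listen', expected $CARP_ADDR (IKE may use the em0 address)"
        rc=1
    fi
    if [ "$flows" -eq 0 ]; then
        echo "no flows in the netstat -rn Encap section on the $state node (sasyncd not syncing?)"
        rc=1
    fi
    return $rc
}

# Constructed sample of the tail of `netstat -rn` on a node where sasyncd works.
SAMPLE_NETSTAT='Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.12/24      0     10.50.60/24        0     0     10.15.1.33/esp/use/in
10.50.60/24        0     192.168.12/24      0     0     10.15.1.33/esp/require/out
'

# Constructed isakmpd.conf pinned to carp0 as mxb suggested, and one left unpinned.
SAMPLE_ISAKMPD_PINNED='[General]
Listen-on= 10.10.20.29
DPD-check-interval= 60
'
SAMPLE_ISAKMPD_UNPINNED='[General]
DPD-check-interval= 60
'

# Constructed `ifconfig carp0` output for the backup node (advskew 100).
SAMPLE_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
        inet 10.10.20.29 netmask 0xffffff00 broadcast 10.10.20.255
'

main() {
    flows=$(printf '%s' "$SAMPLE_NETSTAT" | count_encap_flows)
    state=$(printf '%s' "$SAMPLE_IFCONFIG" | carp_state)
    for conf in "$SAMPLE_ISAKMPD_PINNED" "$SAMPLE_ISAKMPD_UNPINNED"; do
        listen=$(printf '%s' "$conf" | isakmpd_listen_on)
        if check_node "$state" "$flows" "$listen"; then
            echo "ok: $state node, $flows flows, isakmpd bound to $listen"
        fi
    done
}
main
```

On the firewalls themselves the same functions take the live output: `netstat -rn | count_encap_flows`, `isakmpd_listen_on < /etc/isakmpd/isakmpd.conf` and `ifconfig carp0 | carp_state`. Running it on both nodes before and after `ifconfig -g carp carpdemote 10` tells you whether the backup ever held the flows, which is the first thing to rule out before looking at the rekey behaviour the poster describes.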

