Hi,
I hope this is helpful to someone else and maybe a dev could add this
solution (or an improvement thereof) into the code as standard.
- I found an issue with IPsec and OpenBSD with CARP during fail-over,
whereby a fail-over with the default recommended set-up results in
broken IPsec tunnels for a while.
isakmpd does all the work of setting up phase 1 and phase 2 for the VPN
and the actual encryption/decryption of packets etc.
isakmpd:
-K is needed to make isakmpd controllable by ipsecctl or bgpd etc.
-S is needed to make isakmpd start up in passive mode, and not initiate
connections or process incoming traffic unless CARP master (if sasyncd
is enabled in rc.conf.local, the rc.d scripts add -S automatically).
All sasyncd does is synchronise the established SAs to the backup
CARP firewall.
The problem I found is that when the secondary firewall is started
up/rebooted, isakmpd starts up and does nothing (it is passive, but does
not even know about the tunnel policies). sasyncd starts and receives
SAs from the master.
The CARP pair now fails over and the tunnels stop working even though the
SAs are all present and correct; the problem is simply that isakmpd on
the secondary was never told to read the policies!
I have simply modified '/etc/rc.d/sasyncd' so after it starts, isakmpd
reads the policies.
/etc/rc.d/sasyncd:

#!/bin/sh
#
# $OpenBSD: sasyncd,v 1.1 2011/07/06 18:55:36 robert Exp $

daemon="/usr/sbin/sasyncd"

. /etc/rc.d/rc.subr

pexp="sasyncd: \[priv\]"

rc_start() {
	${rcexec} "${daemon} ${daemon_flags} ${_bg}"
	# Added line: once sasyncd is running, load the policies from
	# ipsec.conf into the passive (-S) isakmpd on this node, so it
	# knows the tunnel policies before a CARP fail-over makes it master.
	ipsecctl -f /etc/ipsec.conf
}

rc_cmd $1
Now when the firewalls fail-over the tunnels work immediately :)
I'm sure there is a more elegant solution to this, but this works well
enough.
Cheers, Andrew Lemin
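As an added example (not Andrew's code and not part of OpenBSD), here is a small sh script for checking the failure mode described above. Run on the backup, it classifies the node by comparing the flows isakmpd has actually installed (ipsecctl -s flow) against the SAs sasyncd has synchronised (ipsecctl -s sa); SAs present with no flows is exactly the state that breaks the tunnels on fail-over, and with --live the script loads ipsec.conf in that case, the same thing the rc.d change does. The CARP interface name carp0 and the path /etc/ipsec.conf are assumptions, and the sample outputs embedded in the script are constructed in the shape of ifconfig and ipsecctl -s output, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenBSD: check whether
# the passive isakmpd on a CARP backup has the IPsec policies loaded.
#
# sasyncd copies SAs from the master, but isakmpd on the backup only has
# the flows (policies) if ipsec.conf was loaded into it. The parsing
# functions take text as arguments so the logic can be exercised offline;
# the samples at the bottom are constructed, not captured.

CARP_IF="carp0"                  # assumed CARP interface
IPSEC_CONF="/etc/ipsec.conf"     # assumed policy file

# "master" or "backup", taken from the "status:" line of ifconfig output.
carp_status() {
	printf '%s\n' "$1" | awk '$1 == "status:" { print $2; exit }'
}

# Number of installed flows: "flow esp in/out from ... to ..." lines
# in "ipsecctl -s flow" output (one policy gives an in and an out flow).
count_flows() {
	printf '%s\n' "$1" | awk '/^flow / { n++ } END { print n + 0 }'
}

# Number of SAs in the SAD: "esp tunnel from ... to ... spi ..." lines
# in "ipsecctl -s sa" output.
count_sas() {
	printf '%s\n' "$1" | awk '/^esp / { n++ } END { print n + 0 }'
}

# Classify the node from the three outputs. Prints one word:
#   master     CARP master: isakmpd is active here, nothing to check
#   ok         backup with flows and SAs: ready to take over
#   nopolicy   backup with SAs from sasyncd but no flows: isakmpd never
#              read ipsec.conf (the fail-over breakage described above)
#   nosa       backup with flows but no SAs: sasyncd has not synced (yet)
#   empty      backup with neither
diagnose() {
	status=$(carp_status "$1")
	flows=$(count_flows "$2")
	sas=$(count_sas "$3")
	if [ "$status" = master ]; then
		echo master
	elif [ "$flows" -gt 0 ] && [ "$sas" -gt 0 ]; then
		echo ok
	elif [ "$sas" -gt 0 ]; then
		echo nopolicy
	elif [ "$flows" -gt 0 ]; then
		echo nosa
	else
		echo empty
	fi
}

# Live check against the running system; only runs when given --live.
check_live() {
	state=$(diagnose "$(ifconfig "$CARP_IF")" "$(ipsecctl -s flow)" "$(ipsecctl -s sa)")
	echo "$CARP_IF: $state"
	if [ "$state" = nopolicy ]; then
		ipsecctl -f "$IPSEC_CONF" && echo "loaded $IPSEC_CONF into isakmpd"
	fi
}

# Constructed samples in the shape of ifconfig / ipsecctl output.
SAMPLE_BACKUP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
        status: backup
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255'
SAMPLE_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        status: master'
SAMPLE_FLOWS='FLOWS:
flow esp in from 10.0.2.0/24 to 10.0.1.0/24 peer 192.0.2.2 type use
flow esp out from 10.0.1.0/24 to 10.0.2.0/24 peer 192.0.2.2 type require'
SAMPLE_NOFLOWS='FLOWS:
No flows'
SAMPLE_SAS='SAD:
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x1e9de7f7 auth hmac-sha2-256 enc aes
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x6b8ba6e0 auth hmac-sha2-256 enc aes'
SAMPLE_NOSAS='SAD:
No entries'

case "${1-}" in
--live) check_live ;;
esac
```

Without --live the script only defines the functions and samples, so it can be sourced or tested on any box; with --live it queries ifconfig and ipsecctl and reloads the policies only in the nopolicy case, which makes it safe to run from cron or right after sasyncd starts.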