On 2013-12-02, C. L. Martinez <[email protected]> wrote:
> Hi all,
>
>  I need to deploy IPSec tunnels (lan-to-lan and roadwarriors clients
> like linux and windows) under two openbsd carp firewalls.
>
..
>
>  What option can be best to deploy in these firewalls: ipsec
> (ipsec.conf and isakmpd) or iked?

This depends which protocols your clients support and whether you
want to pay attention to the warning at the bottom of the iked manual.

>  Searching in google and reading some docs, I have several doubts
> about which one to choose. If I am not wrong, iked doesn't support
> sasyncd, is that correct?

I am *much* happier with my use of isakmpd since I got rid of sasyncd
and just rely on dead peer detection (DPD). I use ifstated to kill
isakmpd and flush ipsec if the state of the carp interface changes to
backup, or start isakmpd and load ipsec rules when the state changes
to master. When I used sasyncd I got into various situations where
things wouldn't work until I disabled it and rebooted both vpn
gateways. Obviously this only works if your clients support DPD.
