Face-palm!!! When I tried it before I only created /etc/isakmpd.conf not; /etc/isakmpd/isakmpd.conf

chmod 600 /etc/isakmpd/isakmpd.conf

isakmpd.conf
[general]
listen-on=<pubip1>,<pubip2>,<pubip3>

Dohh, Have to miss the obvious in a man page every now and then I guess..
Hopefully my fail-over stability tweaks help someone in return for the misc@ noise Ha

Cheers, Andy.

Thanks Rogier...

On 17/02/14 17:10, Rogier Krieger wrote:
> It's been a while since I tried, but I seem to recall my setup ran
> happily with a (minimal) isakmpd.conf and ipsec.conf.
>
> I kept my settings limited to the [General] section, but that should
> cover your listen-on test.
>
> Regards,
>
> Rogier
>
>
> On Mon, Feb 17, 2014 at 6:03 PM, Andy <[email protected] <mailto:[email protected]>> wrote:
>
> Hi,
>
> Does anyone have any ideas on this? How can we configure isakmpd to only listen on certain IP addresses to avoid this limitation when it tries to listen on *every* IP address?
>
> I see listen-on in isakmpd.conf, but we are using ipsec.conf and I understand these are mutually-exclusive..
>
> Cheers, Andy.
>
>
>
> On Wed 12 Feb 2014 12:22:57 GMT, andy wrote:
>
> Hi,
>
> I think this is a fairly simple one.
>
> Our firewalls are growing in complexity and the number of interfaces and IPs as time goes on, and we recently hit an isakmpd limit.
>
> When isakmpd starts it tries to bind to *every* single IP on the system. We have a LOT of IPs and isakmpd now fails to initialise;
> 2014-02-12T10:40:29.386318+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
> 2014-02-12T10:40:29.386352+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.8.254
> 2014-02-12T10:40:29.386657+00:00 brfw1 isakmpd[404]: virtual_init: could not bind the ISAKMP port(s) on all interfaces: Too many open files
>
> More log at bottom..
>
> We only want isakmpd to listen on the CARP IP address on the external interface (and probably the physical IPs on the external interface), not *all* IPs.
>
> The work around for now was to add '-4' to the isakmpd daemon to restrict it to our v4 addresses. However we will very soon have even too many v4 addresses for isakmpd to cope and so need a way to instruct isakmpd to only bind the necessary IPs.
>
> This would also provide a security enhancement??
>
> Others have reported this limitation before;
> http://www.monkey.org/openbsd/archive2/misc/200502/msg00686.html
>
>
>
> Also if someone else finds these useful (I will commit to source one day..), I have two primitive but *very* effective enhancements I have made to /etc/rc.d/sasyncd and /etc/rc.d/isakmpd to share when running IPSec on a carp pair (I am absolutely sure these could be more elegant in implementation, but they work and you should get the idea)..
>
> First enhancement, when running isakmpd with carp and sasyncd, you must use the -S and -K flags on isakmpd. This ensures isakmpd starts in passive mode and does not start negotiating with the other side *unless* it is the carp master. Makes perfect sense..
> On the master, isakmpd starts in passive, discovers it is master and so reads and loads ipsec.conf, and starts negotiating with other side
> On the backup, isakmpd starts in passive, does nothing more.
>
> If a failover occurs however, the VPNs do not work for a loooong time! (this is because isakmpd on the backup never read the ipsec.conf file so when it is made active it doesn't know what to do..)
>
> /etc/rc.d/sasyncd;
> #!/bin/sh
> #
> # $OpenBSD: sasyncd,v 1.1 2011/07/06 18:55:36 robert Exp $
>
> daemon="/usr/sbin/sasyncd"
>
> . /etc/rc.d/rc.subr
>
> pexp="sasyncd: \[priv\]"
>
> rc_start() {
>         sleep 10
>         ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
>         sleep 5
>         ipsecctl -f /etc/ipsec.conf
> }
>
> rc_cmd $1
>
> This fix simply ensures that the carp-backup isakmpd reads the ipsec.conf after starting in passive mode and has settled. VPN failovers now happen in ~2-3 seconds.
>
>
>
> Second enhancement, when stopping isakmpd on the master or backup with '/etc/rc.d/isakmpd' stop or restart, subsequent starting of the tunnels can take a very long time. This seems to be because stopping isakmpd simply tears the daemon down without deconstructing the trust keys / policies, leaving obsolete expiring policies on the remote side. So restarting isakmpd can take a long time until the other side flushes or times out.
>
> /etc/rc.d/isakmpd;
> #!/bin/sh
> #
> # $OpenBSD: isakmpd,v 1.1 2011/07/06 18:55:36 robert Exp $
>
> daemon="/sbin/isakmpd"
>
> . /etc/rc.d/rc.subr
>
> pexp="isakmpd: monitor \[priv\]"
>
> rc_pre() {
>         [ X"${sasyncd_flags}" != X"NO" ] && \
>                 daemon_flags="-S ${daemon_flags}"
>         return 0
> }
>
> rc_stop() {
>         # Only tear down flows when this host is carp master. The count
>         # needs the numeric test -gt: an unquoted > inside [ ] is parsed
>         # by sh as a redirection, so the test would always succeed.
>         if [ `ifconfig | grep "status: master" | wc -l` -gt 0 ]; then
>                 ipsecctl -d -f /etc/ipsec.conf
>         fi
>         sleep 1
>         if [ `ifconfig | grep "status: master" | wc -l` -gt 0 ]; then
>                 ipsecctl -d -f /etc/ipsec.conf
>         fi
>         if [ `ifconfig | grep "status: master" | wc -l` -gt 0 ]; then
>                 ipsecctl -F -f /etc/ipsec.conf
>         fi
>         pkill -f "^${pexp}"
> }
>
> rc_cmd $1
>
> This fix simply gracefully deletes the flows (and informs the other side to do the same), and flushes the SPDs and SADs cleanly before destroying the daemon. Subsequent restarts now allow IPSec tunnels to come up immediately..
>
>
> Hope this helps someone :)
> Cheers, Andy.
>
>
>
> isakmpd binding error;
>
> 2014-02-12T10:40:29.382031+00:00 brfw1 isakmpd[404]: udp_encap_make: transport 0x20615b500 socket 120 ip fe80:14::200:5eff:fe00:103 port 4500
> 2014-02-12T10:40:29.382242+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615bd00 socket 121 ip 10.0.1.254 port 500
> 2014-02-12T10:40:29.382423+00:00 brfw1 isakmpd[404]: udp_encap_make: transport 0x20615ba80 socket 122 ip 10.0.1.254 port 4500
> 2014-02-12T10:40:29.382655+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615bc80 socket 123 ip 10.2.3.254 port 500
> 2014-02-12T10:40:29.382873+00:00 brfw1 isakmpd[404]: udp_encap_make: transport 0x20615bf80 socket 124 ip 10.2.3.254 port 4500
> 2014-02-12T10:40:29.383485+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b880 socket 127 ip fe80:15::200:5eff:fe00:104 port 500
> 2014-02-12T10:40:29.383524+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (24, 2, 17): Too many open files
> 2014-02-12T10:40:29.383549+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on fe80:15::200:5eff:fe00:104
> 2014-02-12T10:40:29.383728+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b300 socket 127 ip 10.0.2.254 port 500
> 2014-02-12T10:40:29.383742+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
> 2014-02-12T10:40:29.383772+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.0.2.254
> 2014-02-12T10:40:29.383977+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b880 socket 127 ip 10.2.5.254 port 500
> 2014-02-12T10:40:29.383990+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
> 2014-02-12T10:40:29.384069+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.5.254
> 2014-02-12T10:40:29.384786+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615bb00 socket 127 ip fe80:16::200:5eff:fe00:105 port 500
> 2014-02-12T10:40:29.384800+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (24, 2, 17): Too many open files
> 2014-02-12T10:40:29.384828+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on fe80:16::200:5eff:fe00:105
> 2014-02-12T10:40:29.385092+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b080 socket 127 ip 10.0.3.254 port 500
> 2014-02-12T10:40:29.385120+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
> 2014-02-12T10:40:29.385253+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.0.3.254
> 2014-02-12T10:40:29.385488+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b080 socket 127 ip 10.2.7.254 port 500
> 2014-02-12T10:40:29.385506+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
> 2014-02-12T10:40:29.385526+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.7.254
> 2014-02-12T10:40:29.385999+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b200 socket 127 ip fe80:17::200:5eff:fe00:108 port 500
> 2014-02-12T10:40:29.386014+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (24, 2, 17): Too many open files
> 2014-02-12T10:40:29.386073+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on fe80:17::200:5eff:fe00:108
> 2014-02-12T10:40:29.386300+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b080 socket 127 ip 10.2.8.254 port 500
> 2014-02-12T10:40:29.386318+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
> 2014-02-12T10:40:29.386352+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.8.254
> 2014-02-12T10:40:29.386657+00:00 brfw1 isakmpd[404]: virtual_init: could not bind the ISAKMP port(s) on all interfaces: Too many open files
>
>
>
>
>
> --
> If you don't know where you're going, any road will get you there.
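As an added example (not part of the thread, and not OpenBSD code), here is a small Python parser for the isakmpd bind messages quoted above. It reports which addresses ended up without a complete port 500 / port 4500 listener pair, how many lines carry the EMFILE error, and the descriptor budget a given address list implies, which is the check an operator wants before trusting that the IKE daemon is actually reachable on the CARP address. The sample lines are a subset of the log excerpt in the thread; the function names and the two-sockets-per-address rule are my own, the latter read off the udp_make / udp_encap_make pairs in the log.

```python
"""Summarise isakmpd bind results from syslog lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in the thread above.
SAMPLE_LOG = """\
2014-02-12T10:40:29.382242+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615bd00 socket 121 ip 10.0.1.254 port 500
2014-02-12T10:40:29.382423+00:00 brfw1 isakmpd[404]: udp_encap_make: transport 0x20615ba80 socket 122 ip 10.0.1.254 port 4500
2014-02-12T10:40:29.382655+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615bc80 socket 123 ip 10.2.3.254 port 500
2014-02-12T10:40:29.382873+00:00 brfw1 isakmpd[404]: udp_encap_make: transport 0x20615bf80 socket 124 ip 10.2.3.254 port 4500
2014-02-12T10:40:29.383728+00:00 brfw1 isakmpd[404]: udp_make: transport 0x20615b300 socket 127 ip 10.0.2.254 port 500
2014-02-12T10:40:29.383742+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
2014-02-12T10:40:29.383772+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.0.2.254
2014-02-12T10:40:29.386657+00:00 brfw1 isakmpd[404]: virtual_init: could not bind the ISAKMP port(s) on all interfaces: Too many open files
"""

# One line per successfully created transport: udp_make is the port 500
# socket, udp_encap_make the NAT-T port 4500 socket.
BOUND_RE = re.compile(
    r"isakmpd\[\d+\]: (udp_make|udp_encap_make): transport \S+ "
    r"socket (\d+) ip (\S+) port (\d+)")
# Logged once isakmpd gives up on an address.
FAIL_RE = re.compile(
    r"isakmpd\[\d+\]: virtual_bind_if: failed to create a socket on (\S+)")
EMFILE = "Too many open files"

ISAKMP_PORTS = frozenset({500, 4500})


def parse_bind_log(text):
    """Return (bound, failed, emfile_count) for an isakmpd log excerpt.

    bound        -- {address: set of ports successfully bound}
    failed       -- addresses for which virtual_bind_if reported failure
    emfile_count -- number of lines carrying the EMFILE error text
    """
    bound = defaultdict(set)
    failed = set()
    emfile_count = 0
    for line in text.splitlines():
        if EMFILE in line:
            emfile_count += 1
        m = BOUND_RE.search(line)
        if m:
            bound[m.group(3)].add(int(m.group(4)))
            continue
        m = FAIL_RE.search(line)
        if m:
            failed.add(m.group(1))
    return dict(bound), failed, emfile_count


def listener_gaps(bound, failed):
    """Addresses lacking a usable 500+4500 pair, mapped to the missing ports.

    An address in `failed` is treated as having no listener at all even
    though its port-500 socket was created first: in the thread's log the
    same descriptor number (127) comes back on every later attempt, which
    indicates that socket was closed again after virtual_bind_if failed.
    """
    gaps = {}
    for addr in set(bound) | failed:
        have = set() if addr in failed else bound.get(addr, set())
        missing = ISAKMP_PORTS - have
        if missing:
            gaps[addr] = sorted(missing)
    return gaps


def fds_needed(addresses):
    """Descriptors the bind phase alone consumes: one socket each for port
    500 and port 4500 per distinct address (assumption drawn from the log)."""
    return 2 * len(set(addresses))


if __name__ == "__main__":
    bound, failed, emfile_count = parse_bind_log(SAMPLE_LOG)
    print("EMFILE errors:", emfile_count)
    for addr, ports in sorted(bound.items()):
        print(f"{addr}: bound {sorted(ports)}")
    for addr, missing in sorted(listener_gaps(bound, failed).items()):
        print(f"{addr}: no usable listener (missing {missing})")
    print("fds needed for", len(bound), "addresses:", fds_needed(bound))
```

Run it against a real `/var/log/daemon` excerpt by replacing `SAMPLE_LOG` with the file contents; any address in the gaps map is one where peers cannot reach IKE, so after restricting `listen-on` to the CARP and external addresses the map should be empty and `fds_needed` should sit comfortably below the daemon's open-files limit.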

