Hi

On Thu 06 Mar 2014 23:03:58 GMT, Zach Leslie wrote:
On Thu, Mar 06, 2014 at 08:16:34PM +0000, Andy Lemin wrote:
Hi, haven't read your original email but if my assumptions about your setup are 
correct is the VPN tunnel dropping every now and then?

That's correct.  Daemons start up quick, negotiations happen, and then
periodically the tunnel is just not available, despite the SAs being
available on the masters and the slaves.  Disabling -S on isakmpd and
turning off sasyncd makes the tunnel stay up for much longer, 7 hours
and counting.

You need the static route to point to the internal interface to make sure that 
packets generated by the firewall itself have a source IP set to the internal 
net thus allowing the IPSec policy route to be used (as it defines both the 
source and dest net, not just the dest net like a normal route).

This I have, and packets flow.  Still unclear about which route takes
precedence, encap or inet.


encap (I tried to add a route for the remote net on the firewall pointing to the internal switch, which would bounce the packet back to the CARP IP, thus getting packets from the backup to the master and over the VPN. But it doesn't work, the encap route is used first and so the tunnel drops).

We had to modify all our monitoring scripts to not 'phone home' if the box is a 
backup. Only the master firewall can use the VPN.

I've ended up monitoring the host using internal interface, which in
turn tells me the tunnel is available.

I had to disable monitoring of the internal interfaces of both remote firewalls, as it killed the VPN when you pinged the backup firewall. The packets get there, but the reply is sent back directly from the backup and not via the master.

To fix that I added a NAT rule, and could then monitor and connect to the internal interfaces of both remote firewalls again. (These pf.conf examples and files below are from our remote office firewalls. carp0 = external, carp1 = internal):

match out on $if_lan from { $hq_lan } to ($if_lan:network) nat-to (carp1)

pass in quick on enc0 proto ipencap from { $ext_ip_hqfw } to { (carp0) } keep state (if-bound)
pass in quick on enc0 from { $hq_lan } to { $if_lan:network } keep state (if-bound)

pass quick on $if_lan from { $hq_lan, (carp1) } to { $if_lan:network } queue (_wan_vpn,_wan_pri) set prio (2,5)


PS: Also don't forget to restrict the MTU of VPN traffic so it doesn't fragment (needed on both sides naturally):

match in on $if_lan proto { tcp, udp, icmp } from { $if_lan:network } to { $hq_lan } scrub (no-df max-mss 1400)
set skip on $if_pfsync


I also submitted some suggested modifications to /etc/rc.d/sasyncd and 
/etc/rc.d/isakmpd here in the past which makes the setup and failover of VPNs 
much faster and more stable.

I did see those scripts, though they seem to be more solving the startup
time of the daemons.  My issue is more keeping the service up than start
time.

Yea, they sort the startup, shutdown and also ensure a prompt failover. I wrote them during 5.2 so they may not be so important now, but they add a level of failsafe otherwise. Keeping the tunnel up should simply be a case of making sure the backup *never* sends encapsulated packets itself.


It sounds like your setup is similar to my own.  You don't see these
kinds of instability using sasyncd?  If you have a look at my OP, the
sasyncd.conf is in there.  It's possible I have a configuration error,
but just reading over the manpage again, I don't know what it would be.

This is really troubling me.


No, none at all. Our tunnels are *really* stable. I can reboot a firewall and the tunnel only stops for a few seconds before switching over gracefully.

/etc/sasyncd.conf
peer 192.168.30.253 <- The other IP on the PFSYNC interface (cable directly connected between firewalls)
interface carp0
group carp
listen on 192.168.30.252 inet port 500 <- This PFSYNC IP etc..
sharedkey 0x<long-hash>
flushmode startup
control isakmpd

/etc/isakmpd.conf
[general]
listen-on=<physical IP>,<The CARP0 IP>

/etc/ipsec.conf
# Macros
local_gw="<local-carp0-ip>"
local_net="<local-LAN-network>"
remote_gw="<remote-carp0-ip>"
remote_net="<remote-LAN-network>"

ike dynamic esp from $local_net to $remote_net \
local $local_gw peer $remote_gw \
main auth hmac-sha2-256 enc aes group modp1024 \
quick auth hmac-sha2-256 enc aes group modp1024 \
srcid $local_gw dstid $remote_gw \
psk <a loooonnng PSK>

/etc/rc.d/isakmpd
#!/bin/sh
#
# $OpenBSD: isakmpd,v 1.1 2011/07/06 18:55:36 robert Exp $

daemon="/sbin/isakmpd"

. /etc/rc.d/rc.subr

pexp="isakmpd: monitor \[priv\]"

rc_pre() {
   [ X"${sasyncd_flags}" != X"NO" ] && \
       daemon_flags="-S ${daemon_flags}"
   return 0
}

rc_stop() {
   # only the CARP master owns the flows and SAs; a backup must leave them alone
   # (test with -gt: a bare '>' inside [ ] is a redirection, not a comparison)
   if [ "$(ifconfig | grep -c "status: master")" -gt 0 ]; then
       ipsecctl -d -f /etc/ipsec.conf
   fi
   sleep 1
   if [ "$(ifconfig | grep -c "status: master")" -gt 0 ]; then
       ipsecctl -F -f /etc/ipsec.conf
   fi
   pkill -f "^${pexp}"
}

rc_cmd $1

/etc/rc.d/sasyncd
#!/bin/sh
#
# $OpenBSD: sasyncd,v 1.1 2011/07/06 18:55:36 robert Exp $

daemon="/usr/sbin/sasyncd"

. /etc/rc.d/rc.subr

pexp="sasyncd: \[priv\]"

rc_start() {
   sleep 10
   ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
   sleep 5
   ipsecctl -f /etc/ipsec.conf
}

rc_cmd $1


Hope this helps,
Andy
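As an added example, not part of Andy's post or of the OpenBSD rc.d scripts above, here is the CARP-role check that rc_stop() relies on, written as a POSIX sh script that classifies the host from ifconfig output and also flags the mixed case (one carp interface master, another backup) in which the box could still emit encapsulated packets itself. The ifconfig sample text is constructed and the function names are mine.

```shell
# Added example (not from the thread): classify this firewall's CARP role from
# ifconfig(8) output before deciding whether it may hold IPsec flows/SAs, the
# same test the posted rc_stop() makes with `ifconfig | grep "status: master"`.
# Input is read from stdin so the functions can be run against constructed text.

# carp_states: print "<ifname> <state>" for every carpN interface in the input.
carp_states() {
    awk '
        /^[a-z]+[0-9]+: / { ifname = ($1 ~ /^carp/) ? substr($1, 1, length($1) - 1) : ""; next }
        ifname != "" && $1 == "status:" { print ifname, $2 }
    '
}

# carp_role: returns 0 if every carp interface is master, 1 if every one is
# backup, 2 if the states are mixed or no carp interface was found. A mixed
# result is the dangerous case from the thread: with one side still master the
# box may send its own encapsulated packets instead of leaving that to the peer.
carp_role() {
    states=$(carp_states)
    [ -n "$states" ] || return 2
    masters=$(printf '%s\n' "$states" | awk '$2 == "master" { n++ } END { print n + 0 }')
    total=$(printf '%s\n' "$states" | awk 'END { print NR }')
    if [ "$masters" -eq "$total" ]; then return 0; fi
    if [ "$masters" -eq 0 ]; then return 1; fi
    return 2
}

# role_of: run carp_role over a string and print its return code (safe under set -e).
role_of() {
    rc=0
    printf '%s\n' "$1" | carp_role || rc=$?
    echo "$rc"
}

# Constructed samples shaped like OpenBSD ifconfig output (carp0 = external, carp1 = internal).
SAMPLE_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        status: master
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        status: master'
SAMPLE_BACKUP=$(printf '%s\n' "$SAMPLE_MASTER" | sed 's/status: master/status: backup/; s/MASTER/BACKUP/')
SAMPLE_SPLIT=$(printf '%s\n' "$SAMPLE_MASTER" | sed '/^carp1:/,$ s/status: master/status: backup/')
SAMPLE_NOCARP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: active'

echo "all master: $(role_of "$SAMPLE_MASTER")   all backup: $(role_of "$SAMPLE_BACKUP")"
echo "split: $(role_of "$SAMPLE_SPLIT")   no carp: $(role_of "$SAMPLE_NOCARP")"
```

On a live box replace the constructed samples with `ifconfig | carp_role` and act only on return code 0, treating 2 as a reason to investigate rather than to flush anything.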
