Hello!
I'm trying to build a redundant IPSEC VPN concentrator.
What have I done by now:
* I have a working CARP. Verified from each side. 1-2 pings lost.
Works as expected.
* I have a working iked deployment. Test client can connect, sees
internal network as expected.
* I have a working pfsync. Pf states are replicated between nodes.
* I have a working sasyncd. Flows and SADs are replicated between nodes.
What doesn't work:
When the client is connected to a virtual CARP endpoint and I perform
a switchover, the new master doesn't pick up the communication.
NAT-t packages do come to a valid host, they are just not processed.
Iked compains with "ikev2_child_sa_acquire: flow wasn't found"
The full relevant configuration files follow:
Topology:
2 Identical Qemu's, OpenBSD 7.0, no conflicting MAC addresses
em0-s bridged together -> (WAN) -> strongswan on mobile phone
em1-s bridged together -> (LAN) -> IP to ping from mobile
em2-s bridged together -> (sync)
-------------------------------------------------------------------------
sysctl.conf
net.inet.carp.preempt=1
net.inet.ip.forwarding=1
-------------------------------------------------------------------------
hostname.carp0 (differences with | , hosts A|B)
inet 192.168.1.160 255.255.255.0 192.168.1.255 \
carpdev em0 \
group VPN \
pass passwd \
vhid 1 \
advskew 0|100
-------------------------------------------------------------------------
hostname.carp1
inet 10.0.0.254 255.255.255.0 10.0.0.255 \
carpdev em1 \
group VPN \
pass passwd \
vhid 2 \
advskew 0|100
-------------------------------------------------------------------------
hostname.em0
inet 192.168.1.161|162 255.255.255.0 NONE
-------------------------------------------------------------------------
hostname.em1
inet 10.0.0.161|162 255.255.255.0 NONE
-------------------------------------------------------------------------
hostname.em2
inet 10.0.1.161|162 255.255.255.0
-------------------------------------------------------------------------
hostname.enc0
inet 10.1.0.254 255.255.255.0
-------------------------------------------------------------------------
hostname.pfsync0
up \
syncdev em2 \
syncpeer 10.0.1.162|161
-------------------------------------------------------------------------
iked.conf
user "test" "password123"
set mobike
set enforcesingleikesa
set passive
ikev2 "VPN" esp \
from 10.0.0.0/24 to dynamic \
local 192.168.1.160 \
srcid vpn.my.domain \
eap "mschap-v2" \
config address 10.1.0.0/24 \
tag "$name-$id"
-------------------------------------------------------------------------
sasyncd.conf
peer 10.0.1.162|161
control iked
group VPN
interface carp0
listen on em2
sharedkey TAKEN_FROM_EXAMPLE
-------------------------------------------------------------------------
rc.conf.local
iked_flags=
ipsec=YES
sasyncd_flags=
ntpd_flags=NO
-------------------------------------------------------------------------
pf.conf
set skip on lo
pass quick on { em2 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state (no-sync)
block return # block stateless traffic
pass # establish keep-state
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild
pass in on em0 proto udp from any to (em0) port {isakmp, ipsec-nat-t}
tag IKED keep state
pass in on em0 proto esp from any to (em0) tag IKED keep state
pass in on em0 from (em0:network) to any
pass in on em1 from (em1:network) to any
pass in on em2 from (em2:network) to any
-------------------------------------------------------------------------
What do I miss?
Best regards,
--
Paweł Kraszewski
