On Thu, Jan 18 2007 at 14:16, Kai Mosebach wrote:
> we are using 3 Soekris firewall pairs in our company's setup to provide
> failover IPSec connections between 3 sites using OpenBSD 4.0 RELEASE.
> The big picture looks like this:
>
> A -> B (passive)
> A -> C (passive)
> B -> C (passive)
>
> By now it's basically working fine, but with the IPSec failover we have
> several problems which I cannot come by after several days of testing.
>
> The main problem is that if MASTER is rebooted, the SLAVE takes over,
> fine.
> Once the MASTER comes up again, it takes over the SAs of the SLAVE but
> as soon as its carp interfaces get demoted (and he becomes an isakmpd
> master) he acquires new SAs which leads to a failure in the IPSec
> tunnel, as there are twice as many SAs in the SA-DB than before and
> (supposedly) the newly created SAs of the MASTER are used which leads to
> an "invalid cookie" on the remote site. I tweaked the /etc/rc script to
> do the demotion later (or I do it manually) and it's directly related to
> the point where the isakmpd is becoming master again.
I have a smaller setup (1 carp cluster and a single box at the other end) and also noted the duplicate SAs. I updated to -current in order to see a resolution of this problem with no luck. I didn't see the "invalid Cookie" message in log files.

Claer
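The symptom both posters describe is a flow that ends up with more than one SA per direction in the SAD after the MASTER returns. The following is an added example (not from the thread or from OpenBSD) that parses `ipsecctl -s sa` style output and reports every direction carrying more than one SA; the sample listing, its addresses and SPIs are constructed.

```shell
#!/bin/sh
# Constructed sample in the format of `ipsecctl -s sa` (addresses and SPIs
# are made up). Flow 192.0.2.1 -> 198.51.100.1 has two SAs (the stale one
# taken over from the SLAVE and the one the MASTER renegotiated); the
# other directions have exactly one.
SAMPLE_SA='esp tunnel from 192.0.2.1 to 198.51.100.1 spi 0x0a1b2c3d auth hmac-sha1 enc aes
esp tunnel from 198.51.100.1 to 192.0.2.1 spi 0x1e2f3a4b auth hmac-sha1 enc aes
esp tunnel from 192.0.2.1 to 198.51.100.1 spi 0x5c6d7e8f auth hmac-sha1 enc aes
esp tunnel from 192.0.2.1 to 203.0.113.1 spi 0x99aabbcc auth hmac-sha1 enc aes
esp tunnel from 203.0.113.1 to 192.0.2.1 spi 0xddeeff00 auth hmac-sha1 enc aes'

# Read an SA listing on stdin and print "<proto> <from> <to> <count>" for
# every direction that carries more than one SA. Output is sorted so it is
# stable enough to diff between runs or between the MASTER and the SLAVE.
dup_sas() {
    awk '
        ($1 == "esp" || $1 == "ah") && $3 == "from" && $5 == "to" {
            key = $1 " " $4 " " $6
            n[key]++
        }
        END {
            for (k in n) if (n[k] > 1) print k, n[k]
        }
    ' | sort
}

# Exit status 0 when every direction has exactly one SA, 1 otherwise
# (the offending directions are printed), so it can drive a cron alert.
check_sas() {
    out=$(dup_sas)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Demonstration on the constructed listing; on a live box the input would be
#   ipsecctl -s sa | check_sas
printf '%s\n' "$SAMPLE_SA" | check_sas || echo "duplicate SAs present"
```

A single extra SA per direction is expected briefly while isakmpd rekeys, so treat a duplicate as a problem only when it persists across two consecutive checks.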