Hello,
Intro:
I am using isakmpd+sasyncd+carp+pf+pfsync to have a redundant firewall setup
(OpenBSD 4.0). I have two firewalls that carp-advertise at the same rate and
do not preempt each other. Basically I don't care which firewall is master and
which is backup. This works fine. isakmpd is using x509 certificates to
establish SAs. This is working fine. sasyncd is running on both and they share
the SAs properly. pfsync has been configured and it is working well.
I have the following setup (netmask is /24 everywhere):
Redundant end
FW1:
Ext IP: 172.16.140.2 (static)
Int IP: 172.16.36.2 (static)
FW2:
Ext IP: 172.16.140.3 (static)
Int IP: 172.16.36.3 (static)
FW1 and FW2 shared IP addresses (carp)
Ext IP: 172.16.140.1
Int IP: 172.16.36.1
Non-redundant end:
Ext IP: 172.16.142.1 (static)
Int IP: 172.16.40.1 (static)
Problem:
Assume the gateway that has static IP 172.16.36.2 is the master. I ping from
172.16.40.1 to 172.16.36.1 (or 172.16.36.2) and the ping goes through.
The moment I ping the backup (ping -c 1 -I 172.16.40.1 172.16.36.3) I get a
reply, but I can no longer ping 172.16.36.2. Now I can only ping the second
gateway (goes in through the master, goes out through the backup).
Everything goes back to normal (I can ping 172.16.36.2) the moment a new
quick mode is finished and new SAs are established.
Question:
Why is this happening? I would like to have remote access to the backup
gateway, for instance for live status polling (that's why I have the static IP
addresses), or to sync NTP time on the firewalls (time source over a secure tunnel). I
don't mind that when I ping 172.16.36.3 the packet goes in through the first
gateway and goes out through the second (because the flows are already set). I
just don't want to block the communication on messages to the backup gateway.
Additional info:
1.
FYI... I wanted a faster switchover time and I had to change carp a bit
to allow polling rates of under a second. Also there was a bug where setting
advbase 0 and advskew 100 only set the proper value of advbase the second
time the ifconfig command is typed. The patches have been submitted to [EMAIL
PROTECTED] Marco Pfatschbacher was nice and added the changes. The changes will
be found in OpenBSD 4.2. With advbase 0 and advskew 25 the switchover is half a
second to a second.
2.
I have noted that when sasyncd is copying the SAs to the backup, it does not
set the validity of the SAs to the remaining validity time of that SA (for
instance when the backup is booting later). The validity time is set as if the
SA had just been created. This way the backup will still have in its SADB
Security Associations copied from the master that are expired and removed from
the master.
3.
Another problem (rebooting the master/backup in a given order) can lead to a
pretty bizarre situation where a redundant gateway has 4 unidirectional SAs, and
it is using one SA from the first main mode to send, and one SA from the
latter main mode to receive. A ping message does not go through, although both
ends have the 4 SAs. This is a topic of its own; if you want to know more I can
give you the detailed information on how to reproduce it.
Many thanks,
Catalin