Ok.
Before using carp/sasyncd the IPSEC tunnel had worked.
The isakmpd daemon listens on all interfaces/IP addresses.
Here is an illustration of my setup:
vpngw01: 10.10.10.101
carp: 10.10.10.1 <-- INTERNET --> remote gateway: 192.168.1.1
vpngw02: 10.10.10.102
My machines are vpngw01 and 02.
The IPSEC tunnel is negotiated between the addresses
10.10.10.1 and 192.168.1.1. But my master (vpngw01) tries to establish
the IPSEC connection with the non-carp address 10.10.10.101. The other
side is in passive mode.
Thanks for the replies.
Patrick
Brian A. Seklecki wrote:
> Also:
>
> 1) Does the documentation in ipsec(4) / isakmpd.conf(5) /
> sasyncd.conf(5) imply that all policies / security associations should
> be between the CARP HA L3 address?
>
> 2) Is your isakmpd(8) binding to wildcard address?
>
> 3) Did this problem evolve with the implementation of sasyncd(8) or did
> your IPSEC never work?
>
> ~BAS
>
>
> On Mon, 2007-10-01 at 08:16 -0700, Dag Richards wrote:
>> Patrick Hemmen wrote:
>>> Hello all,
>>>
>>> I have two OpenBSD machines for a redundancy VPN-Gateway. They use
>>> carp to share one IP-Address and sasyncd to synchronize SAs and SPDs.
>>> I set up an IPsec tunnel in /etc/ipsec.conf. The tunnel isn't
>>> established and the error "PAYLOAD_MALFORMED" appears in the logs.
>>> With tcpdump I can see that the initial packet (isakmp v1.0 exchange
>>> ID_PROT) to establish the tunnel comes from the host IP address and not
>>> from the carp address.
>>>
>>> Thanks in advance.
>>> Patrick
>>>
>> Maybe it's the humidity.
>> Maybe it's something in your ipsec.conf file.
>> Based on the info you have provided so far, both seem to be about as
>> likely as each other .... ;)
>>
>> ipsec.conf
>> ifconfig -A
>>
>> maybe a quote from your dumps
>> and perhaps a bit of logging info ....