You should be able to easily restrict the binding of the UDP/500 isakmp port in isakmpd(8) to the CARP HA ipaddr.
Even if it has to bind as wildcard, you should be able to specify the source address to bind to transmit from. I just had this issue with mountd(8) on FreeBSD. Check the man pages for both isakmpd.conf(5) and isakmpd(8).

~BAS

On Mon, 2007-10-01 at 19:40 +0200, Patrick Hemmen wrote:
> Ok.
>
> Before using carp/sasyncd the IPSEC tunnel had worked.
> The isakmpd daemon listens on all interfaces/ip addresses.
>
> I am illustrating my set up
>
> vpngw01: 10.10.10.101
> carp: 10.10.10.1 <-- INTERNET --> remote gateway: 192.168.1.1
> vpngw02: 10.10.10.102
>
> My machines are vpngw01 and 02.
> The IPSEC tunnel is negotiated between the addresses
> 10.10.10.1 and 192.168.1.1. But my master (vpngw01) tries to establish
> the IPSEC connection with the non-carp address 10.10.10.101. The other
> side is in passive mode.
>
> Thanks for the replies.
> Patrick
>
> Brian A. Seklecki schrieb:
> > Also:
> >
> > 1) Does the documentation in ipsec(4) / isakmpd.conf(5) /
> > sasyncd.conf(5) imply that all policies / security associations should
> > be between the CARP HA L3 address?
> >
> > 2) Is your isakmpd(8) binding to wildcard address?
> >
> > 3) Did this problem evolve with the implementation of sasyncd(8) or did
> > your IPSEC never work?
> >
> > ~BAS
> >
> >
> > On Mon, 2007-10-01 at 08:16 -0700, Dag Richards wrote:
> >> Patrick Hemmen wrote:
> >>> Hello all,
> >>>
> >>> I have two OpenBSD machines for a redundancy VPN-Gateway. They use
> >>> carp to share one IP-Address and sasyncd to synchronize SAs and SPDs.
> >>> I set up an ipsec-tunnel in /etc/ipsec.conf. The tunnel isn't
> >>> established and the error "PAYLOAD_MALFORMED" appears in the logs.
> >>> With tcpdump I can see that the initial packet (isakmp v1.0 exchange
> >>> ID_PROT) to establish the tunnel comes from the host IP-Address and not
> >>> from the carp address.
> >>>
> >>> Thanks in advance.
> >>> Patrick
> >>>
> >> Maybe it's the humidity.
> >> Maybe it's something in your ipsec.conf file.
> >> Based on the info you have provided so far, both seem to be about as
> >> likely as each other .... ;)
> >>
> >> ipsec.conf
> >> ifconfig -A
> >>
> >> maybe a quote from your dumps
> >> and perhaps a bit of logging info ....
> >
> >
>
>
-- 
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.
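The restriction Brian points at in isakmpd.conf(5) is the Listen-on directive in the [General] section. The following is an added example, not configuration posted by anyone in this thread; it assumes the addresses from Patrick's diagram (10.10.10.1 as the shared CARP address) and that the same file is deployed on both vpngw01 and vpngw02.

```ini
# /etc/isakmpd.conf (added example; addresses are those from the diagram in the thread)
#
# Listen-on filters the set of local addresses isakmpd(8) will bind its
# UDP/500 IKE socket to. Without it, isakmpd binds every address on every
# interface, and the initiator picks the host's own address (10.10.10.101)
# for the ID_PROT exchange instead of the CARP address the peer expects,
# which is what the remote gateway then rejects.
[General]
Listen-on=		10.10.10.1
```

After restarting isakmpd, `netstat -an -f inet` should show the UDP/500 socket bound to 10.10.10.1 rather than to `*`, and a tcpdump of the first ID_PROT packet should show 10.10.10.1 as its source. The matching `ike` rule in ipsec.conf(5) can also pin the address explicitly with the `local` keyword (`local 10.10.10.1` before `peer 192.168.1.1`), which is the per-rule equivalent of the daemon-wide filter above. Because the CARP address is configured on both nodes, the identical file works on the backup as well; only the current master actually sends from it.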

