Patrick Hemmen wrote:
Ok.

Before using carp/sasyncd the IPSEC tunnel had worked.
The isakmpd daemon listens on all interfaces/ip addresses.

I am illustrating my setup

vpngw01: 10.10.10.101
    carp: 10.10.10.1 <-- INTERNET --> remote gateway: 192.168.1.1
vpngw02: 10.10.10.102


Remove the IP addresses from the physical interfaces. The master will then use 10.10.10.1 as source address. Use the "carpdev" clause in ifconfig to specify the physical interface used for carp.

Note however that the machine will no longer respond to broadcast packets.

-- Heinrich

My machines are vpngw01 and 02.
The IPSEC tunnel is negotiated between the addresses
10.10.10.1 and 192.168.1.1. But my master (vpngw01) tries to establish
the IPSEC connection with the non-carp address 10.10.10.101. The other
side is in passive mode.

Thanks for the replies.
Patrick

Brian A. Seklecki schrieb:
Also:

1) Does the documentation in ipsec(4) / isakmpd.conf(5) /
sasyncd.conf(5) imply that all policies / security associations should
be between the CARP HA L3 address?

2) Is your isakmpd(8) binding to wildcard address?

3) Did this problem evolve with the implementation of sasyncd(8) or did
your IPSEC never work?

~BAS


On Mon, 2007-10-01 at 08:16 -0700, Dag Richards wrote:
Patrick Hemmen wrote:
Hello all,

I have two OpenBSD machines for a redundancy VPN-Gateway. They use
carp to share one IP-Address and sasyncd to synchronize SAs and SPDs.
I set up an ipsec-tunnel in /etc/ipsec.conf. The tunnel isn't
established and the error "PAYLOAD_MALFORMED" appears in the logs.
With tcpdump I can see that the initial packet (isakmp v1.0 exchange
ID_PROT) to establish the tunnel comes from the host IP-Address and not
from the carp address.

Thanks in advance.
Patrick

Maybe it's the humidity.
Maybe it's something in your ipsec.conf file.
Based on the info you have provided so far, both seem to be about as like as each other .... ;)

ipsec.conf
ifconfig -A

maybe a quote from your dumps
and perhaps a bit of logging info ....



--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :            -3341
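A check for the condition Heinrich describes (the master still holding its own address on the carpdev next to the shared carp address), added here as an example; it is not code from the thread. It parses `ifconfig -A` output in the OpenBSD format and reports carpdev addresses that share the carp address's subnet; the sample output, interface names and addresses are assumptions built from Patrick's diagram.

```python
import ipaddress
import re

# Constructed sample of `ifconfig -A` output on an OpenBSD CARP master (an
# assumption, not output from the thread): em0 still owns 10.10.10.101 while
# carp0 carries the shared 10.10.10.1, the layout Patrick drew.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.10.10.101 netmask 0xffffff00 broadcast 10.10.10.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]+)")
CARP_RE = re.compile(r"^\s+carp: (\w+) carpdev (\S+)")

def parse_ifconfig(text):
    """Map interface name -> {"inet": [ip_interface, ...], "carp": (state, carpdev) | None}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            cur = ifaces.setdefault(m.group(1), {"inet": [], "carp": None})
        elif cur is None:
            continue
        elif m := INET_RE.match(line):
            # the netmask is printed as hex; count set bits for the prefix length
            prefix = bin(int(m.group(2), 16)).count("1")
            cur["inet"].append(ipaddress.ip_interface(f"{m.group(1)}/{prefix}"))
        elif m := CARP_RE.match(line):
            cur["carp"] = (m.group(1), m.group(2))
    return ifaces

def competing_source_addresses(ifaces):
    """On a MASTER node, report carpdev addresses that sit in the same subnet as
    the carp address: the master may then source its own traffic (isakmpd's
    ISAKMP exchange included) from the physical address instead of the carp one."""
    findings = []
    for name, info in ifaces.items():
        if info["carp"] is None or info["carp"][0] != "MASTER":
            continue
        dev = info["carp"][1]
        for caddr in info["inet"]:
            for daddr in ifaces.get(dev, {"inet": []})["inet"]:
                if daddr.ip in caddr.network:
                    findings.append((name, str(caddr.ip), dev, str(daddr.ip)))
    return findings
```

An empty result after removing the address from the carpdev (Heinrich's fix) is what you want to see before retesting isakmpd.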
