Hello everyone, I'm in dire need of sasyncd help
Here's the current setup I have:
- 2x OpenBSD 6.1 amd64 redundant firewalls (em0 (ext_if), em1 (int_if), carp0 (carp_if over em0), carp1 (carp_if over em1))
- carp0 has 16 public IPs (ex: 1.1.1.1->1.1.1.16)
- carp1 has 1x internal IP (ex: 10.10.10.1, a /16 subnet)
- the 2x fw's are connected back-to-back (pfsync)
- sysctl.conf (both fw's): net.inet.carp.preempt=1, net.inet.ip.forwarding=1, net.inet.ipcomp.enable=1
- pf.conf (both fw's): block all in, allow all out, allow pfsync and carp, antispoof, allow proto esp and udp port 4500 and 500; (the rules are fine)

IPSEC setup (google cloud on the other side with ikev1):
- ipsec.conf (identical on both fw's):

    my_gw="1.1.1.16"
    my_net="10.10.0.0/16"
    gcp_gw="x.x.x.x"
    gcp_net="10.x.x.x/20"

    # me->gcp
    ike esp from $my_gw to $gcp_gw local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
    ike esp from $my_gw to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
    ike esp from $my_net to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>

- isakmpd has the "-S -K" flag
- sasyncd.conf (fw2 has "peer <fw1_ip>"):

    # carp(4) interface to track state changes on
    interface carp0

    # Interface group to use to suppress carp(4) preemption during boot
    group carp

    # sasyncd(8) peer IP address or hostname. Multiple 'peer' statements are allowed
    peer <fw2_ip>

    # Shared AES key used to encrypt messages between sasyncd(8) hosts. It can be
    # generated with the openssl(1) command 'openssl rand -hex 16'
    sharedkey <sasync_super_duper_pass>

On fw1, I start the VPN in this order:
- rcctl start isakmpd
- ipsecctl -f /etc/ipsec.conf
- rcctl start sasyncd
- all good, the IPSEC VPN works

Now some questions:

1) On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd. If I check the SAs and flows, they will be synced from fw1, but is this how it should be, or do I need to have ipsec.conf on fw2 as well and issue the "ipsecctl -f /etc/ipsec.conf" cmd when starting the IPSEC VPN?

2) Once the SAs and flows are in sync and I carpdemote fw1, I lose the IPSEC connection. When running isakmpd in debug mode, it looks like it doesn't adhere to the SAs and flows "ipsecctl -sa" shows (a.k.a. I need to copy the ipsec.conf to fw2 and ipsecctl -f ipsec.conf). What am I doing wrong?

-- 
Best regards,
Claudiu Vasadi
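A check that goes with question 1, added here as an example and not part of Claudiu's post or of OpenBSD's own tooling: it compares "ipsecctl -sa" dumps taken on both sasyncd peers and reports every flow or SA that only one firewall has, so a partial sync shows up before a carpdemote does. The dump text, the GCP peer address 203.0.113.9 (standing in for x.x.x.x) and the SPIs are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): compare "ipsecctl -sa" dumps from
# two sasyncd(8) peers and report flows / SAs that only one firewall has.
# Real input: ssh fw1 ipsecctl -sa > fw1.txt ; ssh fw2 ipsecctl -sa > fw2.txt
# The dumps below are constructed sample data (203.0.113.9 stands in for the GCP
# gateway, SPIs are made up) so the script runs offline.
FW1_DUMP='FLOWS:
flow esp in from 10.1.0.0/20 to 10.10.0.0/16 peer 203.0.113.9 srcid 1.1.1.16/32 dstid 203.0.113.9/32 type use
flow esp out from 10.10.0.0/16 to 10.1.0.0/20 peer 203.0.113.9 srcid 1.1.1.16/32 dstid 203.0.113.9/32 type require

SAD:
esp tunnel from 1.1.1.16 to 203.0.113.9 spi 0x0a1b2c3d auth hmac-sha1 enc aes
esp tunnel from 203.0.113.9 to 1.1.1.16 spi 0x4e5f6071 auth hmac-sha1 enc aes'
# fw2 got both flows but only one of the two SAs (the inbound SA is missing).
FW2_DUMP='FLOWS:
flow esp in from 10.1.0.0/20 to 10.10.0.0/16 peer 203.0.113.9 srcid 1.1.1.16/32 dstid 203.0.113.9/32 type use
flow esp out from 10.10.0.0/16 to 10.1.0.0/20 peer 203.0.113.9 srcid 1.1.1.16/32 dstid 203.0.113.9/32 type require

SAD:
esp tunnel from 1.1.1.16 to 203.0.113.9 spi 0x0a1b2c3d auth hmac-sha1 enc aes'
# Sorted, non-empty entries of one section ("FLOWS" or "SAD") of a dump.
section_entries() {
    printf '%s\n' "$1" | awk -v want="$2:" '
        $0 == want   { insec = 1; next }   # header of the wanted section
        /^[A-Z]+:$/  { insec = 0; next }   # header of any other section
        insec && NF  { print }             # entry inside the wanted section
    ' | sort
}

# Entries of section $3 present in dump $1 but absent from dump $2.
missing_in_second() {
    a=$(mktemp) && b=$(mktemp) || return 1
    section_entries "$1" "$3" > "$a"
    section_entries "$2" "$3" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}
# Print differences in both directions; exit status 0 only when fully in sync.
sync_report() {
    rc=0
    for sec in FLOWS SAD; do
        only1=$(missing_in_second "$1" "$2" "$sec")
        only2=$(missing_in_second "$2" "$1" "$sec")
        if [ -n "$only1" ]; then rc=1; printf '%s only on peer 1:\n%s\n' "$sec" "$only1"; fi
        if [ -n "$only2" ]; then rc=1; printf '%s only on peer 2:\n%s\n' "$sec" "$only2"; fi
    done
    return "$rc"
}

if sync_report "$FW1_DUMP" "$FW2_DUMP"; then echo "peers in sync"; else echo "peers OUT OF SYNC"; fi
```

On a real pair, run it against dumps captured right after sasyncd starts and again after a carpdemote, so the moment the SAD or the flows diverge is visible.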