Re: IPSEC,CARP,sasyncd -- IPSEC failover not working

2017-06-20 Thread Philipp Buehler

On 20.06.2017 11:13, claudiu vasadi wrote:

Now some questions:
1) On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd.
If I check the SAs and flows, they will be synced from fw1, but is this how
it should be, or do I need to have ipsec.conf on fw2 as well and issue the
"ipsecctl -f /etc/ipsec.conf" cmd when starting the IPSEC VPN?


You need to use ipsecctl on fw2, too. The -S will prevent active negotiation
until CARP flips over.

2) Once the SAs and flows are in sync and I carpdemote fw1, I lose the
IPSEC connection. When running isakmpd in debug mode, it looks like it
doesn't adhere to the SAs and flows "ipsecctl -sa" shows (a.k.a. I need to
copy the ipsec.conf to fw2 and ipsecctl -f ipsec.conf).


Without the use of ipsecctl, you've SA data, as you've seen, but no routing
information (I think). Thus no more traffic passes (thinking: no route with SA
-> packet dropped).

HTH,
--
pb



IPSEC,CARP,sasyncd -- IPSEC failover not working

2017-06-20 Thread claudiu vasadi
Hello everyone,

I'm in dire need of sasyncd help.

Here's the current setup I have:
- 2x OpenBSD 6.1 amd64 redundant firewalls (em0 (ext_if), em1 (int_if),
carp0 (carp_if over em0), carp1 (carp_if over em1))
- carp0 has 16 public IP's (ex: 1.1.1.1->1.1.1.16)
- carp1 has 1x internal IP (ex: 10.10.10.1, a /16 subnet)
- the 2x fw's are connected back-to-back (pfsync)
- sysctl.conf (both fw's): net.inet.carp.preempt=1,
net.inet.ip.forwarding=1, net.inet.ipcomp.enable=1
- pf.conf (both fw's): block all in, allow all out, allow pfsync and carp,
antispoof, allow proto esp and udp port 4500 and 500; (the rules are fine)

IPSEC setup (google cloud on the other side with ikev1):
- ipsec.conf (identical on both fw's):

my_gw="1.1.1.16"
my_net="10.10.0.0/16"
gcp_gw="x.x.x.x"
gcp_net="10.x.x.x/20"

# me->gcp
ike esp from $my_gw to $gcp_gw local $my_gw peer $gcp_gw main enc aes group modp1024 psk 
ike esp from $my_gw to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk 
ike esp from $my_net to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk 

- isakmpd has the "-S -K" flag
- sasyncd.conf (fw2 has "peer "):

# carp(4) interface to track state changes on
interface carp0
# Interface group to use to suppress carp(4) preemption during boot
group carp
# sasyncd(8) peer IP address or hostname. Multiple 'peer' statements are allowed
peer 
# Shared AES key used to encrypt messages between sasyncd(8) hosts. It can be
# generated with the openssl(1) command 'openssl rand -hex 16'
sharedkey 

On fw1, I start the VPN in this order:
- rcctl start isakmpd
- ipsecctl -f /etc/ipsec.conf
- rcctl start sasyncd
- all good, the IPSEC VPN works

Now some questions:
1) On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd.
If I check the SAs and flows, they will be synced from fw1, but is this how
it should be, or do I need to have ipsec.conf on fw2 as well and issue the
"ipsecctl -f /etc/ipsec.conf" cmd when starting the IPSEC VPN?

2) Once the SAs and flows are in sync and I carpdemote fw1, I lose the
IPSEC connection. When running isakmpd in debug mode, it looks like it
doesn't adhere to the SAs and flows "ipsecctl -sa" shows (a.k.a. I need to
copy the ipsec.conf to fw2 and ipsecctl -f ipsec.conf).


What am I doing wrong?

-- 
Best regards,
Claudiu Vasadi
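As an added example, not code from either message in this thread: the startup sequence Philipp's reply calls for, applied identically on both firewalls from Claudiu's setup, plus a small check that a node's `ipsecctl -sf` output actually carries both directions of a flow before you trust a CARP failover. The rcctl/ipsecctl/isakmpd commands and flags are real OpenBSD ones; the `ipsec` rc script is assumed to be the boot-time wrapper for `ipsecctl -f /etc/ipsec.conf`. Everything else (the function names, the RFC 5737 addresses, the sample flow listing) is constructed for the example.

```shell
#!/bin/sh
# Added example for the thread above; not code from either poster.
# Assumptions: OpenBSD 6.1 with the rc.d scripts isakmpd, ipsec and sasyncd;
# /etc/ipsec.conf and /etc/sasyncd.conf already present on BOTH firewalls;
# the addresses and the sample `ipsecctl -sf` output below are constructed
# from documentation ranges, not taken from the poster's network.

# Same sequence on fw1 and fw2. `isakmpd -S` keeps the daemon passive until
# sasyncd reports the tracked carp(4) interface as master, so loading the
# flows on the backup with ipsecctl does not start a competing negotiation.
# The `ipsec` rc script is assumed to wrap `ipsecctl -f /etc/ipsec.conf`.
configure_node() {
    rcctl set isakmpd flags -S -K
    rcctl enable isakmpd ipsec sasyncd
    rcctl start isakmpd
    rcctl start ipsec      # installs the flows from /etc/ipsec.conf on this node too
    rcctl start sasyncd
}

# has_flow_pair FLOWS LOCAL_NET REMOTE_NET PEER
# FLOWS is the text of `ipsecctl -sf`. Succeeds only when both the outbound
# flow LOCAL_NET->REMOTE_NET and the inbound flow REMOTE_NET->LOCAL_NET via
# PEER are present, which is what the backup must show if it is to carry
# traffic after CARP flips.
has_flow_pair() {
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" -v p="$4" '
        $1 == "flow" && $2 == "esp" && $4 == "from" && $6 == "to" && $8 == "peer" && $9 == p {
            if ($3 == "out" && $5 == l && $7 == r) seen_out = 1
            if ($3 == "in"  && $5 == r && $7 == l) seen_in  = 1
        }
        END { exit (seen_out && seen_in) ? 0 : 1 }'
}

# Run the same check against the live node (hypothetical wrapper).
check_live_node() {
    has_flow_pair "$(ipsecctl -sf)" "$@"
}

# Constructed sample in the `ipsecctl -sf` layout: the 10.1.0.0/20 pair is
# complete, the 10.2.0.0/20 tunnel only has its inbound flow.
SAMPLE_FLOWS='flow esp in from 10.1.0.0/20 to 10.10.0.0/16 peer 203.0.113.5 srcid ipv4/198.51.100.16 dstid ipv4/203.0.113.5 type use
flow esp out from 10.10.0.0/16 to 10.1.0.0/20 peer 203.0.113.5 srcid ipv4/198.51.100.16 dstid ipv4/203.0.113.5 type use
flow esp in from 10.2.0.0/20 to 10.10.0.0/16 peer 203.0.113.5 srcid ipv4/198.51.100.16 dstid ipv4/203.0.113.5 type use'

case "${1:-}" in
    apply) configure_node ;;
    check) shift; check_live_node "$@" ;;
    *)
        has_flow_pair "$SAMPLE_FLOWS" 10.10.0.0/16 10.1.0.0/20 203.0.113.5 \
            && echo "10.1.0.0/20: both flows present" || echo "10.1.0.0/20: flow missing"
        has_flow_pair "$SAMPLE_FLOWS" 10.10.0.0/16 10.2.0.0/20 203.0.113.5 \
            && echo "10.2.0.0/20: both flows present" || echo "10.2.0.0/20: flow missing"
        ;;
esac
```

Run it with `apply` on each firewall to set the persistent configuration, and with `check 10.10.0.0/16 10.1.0.0/20 <peer>` on the backup before and after `carpdemote` to confirm the flows it reports match what the master had; a missing direction is the first thing to look at when the tunnel dies on failover.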