I have two firewalls running OpenBSD 4.2 x86. I've set up an ipsec tunnel using ipsec.conf. These machines also serve up a shared ip address using a carp interface. Here's hostname.carp1 on machine1:

    inet 10.40.31.225 255.255.255.224 10.40.31.255 carpdev vr1 vhid 2 pass ...

And on machine2:

    inet 10.40.31.225 255.255.255.224 10.40.31.255 carpdev vr1 vhid 2 pass ... advskew 100

And ipsec.conf on both machines:

    local_ip = "a.a.a.a"
    peer_ip = "b.b.b.b"
    local_net = "10.40.31.224/27"

    ike esp from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish
    flow esp from $local_net to $local_net type bypass

Everything worked great until isakmpd brought up the ipsec tunnel. Both firewalls showed "MASTER" for the carp interface, and pretty much nothing worked over the internal net. Using tcpdump on the enc0 interface at the far end of the tunnel I determined that all the carp traffic was getting sent over the tunnel. Also, the backup firewall was inexplicably advertising about ten times as often as the master, despite the higher advskew.

I thought this would fix it:

    flow esp proto carp from any to any type bypass

But it had no effect. After some trial and error, I found that the solution was to only allow some protocols through the tunnel:

    ike esp proto icmp from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish
    ike esp proto tcp from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish
    ike esp proto udp from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish

Now everything seems to work, though the icmp flow doesn't come up sometimes, for some reason.

Unfortunately, this syntax is not correct:

    ike esp proto { tcp udp icmp } from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish

This would clean up my file quite a bit.

Why doesn't "flow esp proto carp from any to any type bypass" work?

Thanks,
Jose.
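The following is an added illustration, not part of Jose's post and not OpenBSD code: a small Python model of how the flows in the three ipsec.conf variants above select (or do not select) a CARP advertisement. CARP is IP protocol 112 and advertises to the multicast group 224.0.0.18; the source address used here (10.40.31.225, the shared carp address) and the rule that, when several flows match, the one with the longest source/destination prefixes and an explicit protocol wins are assumptions of this model, not statements from the post or from ipsec.conf(5). Under those assumptions the model reproduces what the post reports: the `from $local_net to any` tunnel flow captures CARP, the `from any to any` bypass does not override it, and the per-protocol tunnel flows leave CARP alone.

```python
import ipaddress

# Constructed facts about CARP: IP protocol number and advertisement group.
CARP_PROTO = 112
CARP_MCAST = "224.0.0.18"
ICMP, TCP, UDP = 1, 6, 17

LOCAL_NET = "10.40.31.224/27"   # $local_net from the post
ANY = "0.0.0.0/0"               # "any" in ipsec.conf selectors


class Flow:
    """One ipsec.conf flow: kind is 'tunnel' (ike esp ...) or 'bypass'.
    proto=None means the selector matches any IP protocol."""

    def __init__(self, kind, src, dst, proto=None):
        self.kind = kind
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto

    def matches(self, src, dst, proto):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto))

    def specificity(self):
        # ASSUMPTION of this model: longer prefixes and an explicit protocol
        # make a flow more specific, and the most specific matching flow wins.
        return self.src.prefixlen + self.dst.prefixlen + (1 if self.proto is not None else 0)


def lookup(flows, src, dst, proto):
    """Return 'tunnel', 'bypass', or 'clear' (no flow matched, sent in the clear)."""
    hits = [f for f in flows if f.matches(src, dst, proto)]
    if not hits:
        return "clear"
    return max(hits, key=Flow.specificity).kind


# Variant 1: the original ipsec.conf from the post.
ORIGINAL = [
    Flow("tunnel", LOCAL_NET, ANY),
    Flow("bypass", LOCAL_NET, LOCAL_NET),
]

# Variant 2: original plus "flow esp proto carp from any to any type bypass".
WITH_CARP_ANY_BYPASS = ORIGINAL + [Flow("bypass", ANY, ANY, CARP_PROTO)]

# Variant 3: the per-protocol tunnel flows that the post reports as working.
PER_PROTOCOL = [
    Flow("tunnel", LOCAL_NET, ANY, ICMP),
    Flow("tunnel", LOCAL_NET, ANY, TCP),
    Flow("tunnel", LOCAL_NET, ANY, UDP),
    Flow("bypass", LOCAL_NET, LOCAL_NET),
]

# Hypothetical variant 4 (model prediction only): a bypass whose selectors are
# narrower than the tunnel flow, so it out-ranks it under the assumed rule.
NARROW_CARP_BYPASS = ORIGINAL + [Flow("bypass", LOCAL_NET, CARP_MCAST + "/32", CARP_PROTO)]


def classify_carp(flows):
    """Where does a CARP advertisement from the shared address end up?"""
    return lookup(flows, "10.40.31.225", CARP_MCAST, CARP_PROTO)


def classify_web(flows):
    """Sanity check: ordinary TCP from the internal net to the internet."""
    return lookup(flows, "10.40.31.230", "203.0.113.10", TCP)


if __name__ == "__main__":
    for name, flows in [("original", ORIGINAL),
                        ("with 'proto carp from any to any' bypass", WITH_CARP_ANY_BYPASS),
                        ("per-protocol tunnel flows", PER_PROTOCOL),
                        ("narrow carp bypass (model only)", NARROW_CARP_BYPASS)]:
        print(f"{name:45s} carp -> {classify_carp(flows):7s} tcp -> {classify_web(flows)}")
```

The model is only as good as its precedence assumption; the point it makes is that a bypass flow can only win against the tunnel flow if it is at least as specific as the selector that is capturing the traffic, which `from any to any` is not.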