I have two firewalls running OpenBSD 4.2 x86. I've set up an ipsec tunnel using ipsec.conf. These machines also serve up a shared IP address using a carp interface. Here's hostname.carp1 on machine1:
inet 10.40.31.225 255.255.255.224 10.40.31.255 carpdev vr1 vhid 2 pass ...
And on machine2:
inet 10.40.31.225 255.255.255.224 10.40.31.255 carpdev vr1 vhid 2 pass ...
advskew 100
And ipsec.conf on both machines:
local_ip = "a.a.a.a"
peer_ip = "b.b.b.b"
local_net = "10.40.31.224/27"
ike esp from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish
flow esp from $local_net to $local_net type bypass
Everything worked great until isakmpd brought up the ipsec tunnel. Both firewalls showed "MASTER" for the carp interface, and pretty much nothing worked over the internal net. Using tcpdump on the enc0 interface at the far end of the tunnel I determined that all the carp traffic was getting sent over the tunnel. Also, the backup firewall was inexplicably advertising about ten times as often as the master, despite the higher advskew. I thought this would fix it:
flow esp proto carp from any to any type bypass
But it had no effect. After some trial and error, I found that the solution was to only allow some protocols through the tunnel:
ike esp proto icmp from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish
ike esp proto tcp from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish
ike esp proto udp from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish
Now everything seems to work, though the icmp flow doesn't come up sometimes, for some reason.
Unfortunately, this syntax is not correct:
ike esp proto { tcp udp icmp } from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish
This would clean up my file quite a bit. Why doesn't "flow esp proto carp from any to any type bypass" work?
Thanks,
Jose.
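The symptoms in the post (carp advertisements showing up on enc0, both firewalls claiming MASTER, the backup advertising far more often than its advskew should allow) can be checked mechanically from a saved tcpdump capture. The following is an added example, not part of Jose's mail or of OpenBSD: it parses tcpdump-style text lines and flags the three conditions. The sample lines are constructed and only approximate OpenBSD's tcpdump output for CARP (the real format varies by version and may carry an SPI prefix on enc0); the function and variable names are my own.

```python
"""Spot CARP advertisements that leak into an IPsec tunnel, from tcpdump text.

Assumptions (not from the original post): the lines below are constructed and
approximate `tcpdump -ni enc0` output; adjust CARP_RE to your tcpdump version.
"""
import re
from collections import defaultdict

# Constructed sample of what tcpdump on enc0 might show while carp leaks into the
# tunnel: one ICMP line (ignored), the master (advskew=0) advertising once per
# second, and the backup (advskew=100) advertising ten times per second.
SAMPLE_ENC0 = """\
12:00:00.000000 10.40.31.226 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0
12:00:00.050000 10.40.31.230 > 10.50.0.1: icmp: echo request
12:00:00.100000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:00.200000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:00.300000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:00.400000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:00.500000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:00.600000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:00.700000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:00.800000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:00.900000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:01.000000 10.40.31.226 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0
12:00:01.000000 10.40.31.227 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100
12:00:02.000000 10.40.31.226 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0
"""

# Only the fields needed for the checks; 224.0.0.18 is the CARP/VRRP multicast group.
CARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > 224\.0\.0\.18: CARPv2-advertise .*?"
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)


def _seconds(ts):
    """Convert a HH:MM:SS.frac timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_carp_adverts(text):
    """Return one dict per CARP advertisement found in the capture text."""
    adverts = []
    for line in text.splitlines():
        m = CARP_RE.search(line)
        if m:
            adverts.append({
                "t": _seconds(m.group("ts")),
                "src": m.group("src"),
                "vhid": int(m.group("vhid")),
                "advbase": int(m.group("advbase")),
                "advskew": int(m.group("advskew")),
            })
    return adverts


def expected_interval(advbase, advskew):
    """CARP advertisement interval in seconds: advbase + advskew/256."""
    return advbase + advskew / 256.0


def analyze(adverts):
    """Return human-readable findings for the three symptoms from the post."""
    findings = []
    if not adverts:
        return findings
    # Any CARP on enc0 at all means carp traffic is crossing the tunnel.
    findings.append("CARP advertisements seen on enc0: carp traffic is being tunnelled")
    by_vhid = defaultdict(lambda: defaultdict(list))
    for a in adverts:
        by_vhid[a["vhid"]][a["src"]].append(a)
    for vhid, sources in by_vhid.items():
        # Normally only the master advertises; two senders suggests split MASTER.
        if len(sources) > 1:
            findings.append("vhid %d: %d hosts advertising (%s); both may believe they are MASTER"
                            % (vhid, len(sources), ", ".join(sorted(sources))))
        for src, lst in sources.items():
            if len(lst) < 2:
                continue
            observed = (lst[-1]["t"] - lst[0]["t"]) / (len(lst) - 1)
            expected = expected_interval(lst[0]["advbase"], lst[0]["advskew"])
            # Advertising much faster than advbase/advskew allow is the anomaly seen.
            if observed < expected * 0.5:
                findings.append("vhid %d %s: advertising every %.2fs, expected about %.2fs (advskew=%d)"
                                % (vhid, src, observed, expected, lst[0]["advskew"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_carp_adverts(SAMPLE_ENC0)):
        print(finding)
```

Feed it the text of a real capture (for example the output of tcpdump on enc0 saved to a file) in place of SAMPLE_ENC0; an empty findings list is the healthy state, since carp advertisements should never appear on the tunnel interface.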