Hi,

Is there a way to sync only SAs created on CARP interfaces, without
syncing those created on physical, non-CARP interfaces? Something like
the no-sync option in pf.conf for pfsync?

I'm asking because I have a pair of firewalls where the majority of IPsec
peers connect directly to non-CARP interfaces (GRE tunnels connected
with transport mode IPsec + OSPF), and just a few of them connect to a
CARP interface (passive tunnel mode IPsec because of dynamic IP addresses
on peers). sasyncd now syncs everything, so CARP peers get SAs for the
physical interfaces of the other CARP member, which is undesirable, and I
guess also prolongs the time to re-negotiate SAs.

Is there any other way OpenBSD admins handle this situation?

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
