View Single Post
  #1   (View Single Post)  
Old 16th June 2017
da1 da1 is offline
Fdisk Soldier
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
Default [SOLVED]IPSEC,CARP,sasyncd -- IPSEC failover is weird

Hello everyone,

Need sasyncd help

Here's the current setup I have:
- 2x OpenBSD 6.1 amd64 redundant firewalls (em0 (ext_if), em1 (int_if), carp0 (carp_if over em0), carp1 (carp_if over em1))
- carp0 has 16 public IP's (ex:>
- carp1 has 1x internal IP (ex:, a /16 subnet)
- the 2x fw's are connected back-to-back (pfsync)
- sysctl.conf (both fw's): net.inet.carp.preempt=1, net.inet.ip.forwarding=1, net.inet.ipcomp.enable=1
- pf.conf (both fw's): block all in, allow all out, allow pfsync and carp, antispoof, allow proto esp and udp port 4500 and 500; (the rules are fine)

IPSEC setup (google cloud on the other side):
- ipsec.conf (identical on both fw's):

# me->gcp
ike esp from $my_gw to $gcp_gw local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
ike esp from $my_gw to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>ike esp from $my_net to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
- isakmpd has the "-S -K" flag
- sasyncd.conf (fw2 has "peer <fw1_ip>"):
# carp(4) interface to track state changes on
interface carp0
# Interface group to use to suppress carp(4) preemption during boot
group carp
# sasyncd(8) peer IP address or hostname. Multiple 'peer' statements are allowed
peer <fw2_ip>
# Shared AES key used to encrypt messages between sasyncd(8) hosts. It can be
# generated with the openssl(1) command 'openssl rand -hex 16'
sharedkey <sasync_super_duper_pass>
On fw1, I start the VPN in this order:
- rcctl start isakmpd
- ipsecctl -f /etc/ipsec.conf
- rcctl start sasyncd
- all good, works

On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd. If I check the SA's and flows, they will be synced from fw1 but is this how it should be or do I need to have ipsec.conf on fw2 as well and issue the "ipsecctl -f /etc/ipsec.conf" cmd when starting the IPSEC VPN? From the scars documentation I found online, ipsec.conf does not need to be present on the 2nd fw and it seems that the way I have it setup is the intended purpose. Can anyone confirm this?

The last and most important point is that once the SA's and flows are in sync on both fw's and I carpdemote fw1, I loose the IPSEC connection for 20-30 seconds. I still need to debug this but wasn't the whole sasyncd point to offer redundancy and prevent exactly this type of behavior?

Or have I misconfigured something?

Last edited by da1; 24th June 2017 at 12:09 PM.
Reply With Quote