OpenBSD Security: Functionally paranoid!
[SOLVED]IPSEC,CARP,sasyncd -- IPSEC failover is weird
Hello everyone,

Need sasyncd help. Here's the current setup I have:

- 2x OpenBSD 6.1 amd64 redundant firewalls (em0 (ext_if), em1 (int_if), carp0 (carp_if over em0), carp1 (carp_if over em1))
- carp0 has 16 public IPs (ex: 1.1.1.1->1.1.1.16)
- carp1 has 1x internal IP (ex: 10.10.10.1, a /16 subnet)
- the 2x fws are connected back-to-back (pfsync)
- sysctl.conf (both fws): net.inet.carp.preempt=1, net.inet.ip.forwarding=1, net.inet.ipcomp.enable=1
- pf.conf (both fws): block all in, allow all out, allow pfsync and carp, antispoof, allow proto esp and udp port 4500 and 500; (the rules are fine)

IPSEC setup (google cloud on the other side):

- ipsec.conf (identical on both fws):
Code:
    my_gw="1.1.1.16"
    my_net="10.10.0.0/16"
    gcp_gw="x.x.x.x"
    gcp_net="10.x.x.x/20"

    # me->gcp
    ike esp from $my_gw to $gcp_gw local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
    ike esp from $my_gw to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
    ike esp from $my_net to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>

- sasyncd.conf (fw2 has "peer <fw1_ip>"):
Code:
    # carp(4) interface to track state changes on
    interface carp0

    # Interface group to use to suppress carp(4) preemption during boot
    group carp

    # sasyncd(8) peer IP address or hostname. Multiple 'peer' statements are allowed
    peer <fw2_ip>

    # Shared AES key used to encrypt messages between sasyncd(8) hosts. It can be
    # generated with the openssl(1) command 'openssl rand -hex 16'
    sharedkey <sasync_super_duper_pass>

- rcctl start isakmpd
- ipsecctl -f /etc/ipsec.conf
- rcctl start sasyncd
- all good, works

On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd. If I check the SAs and flows, they will be synced from fw1, but is this how it should be, or do I need to have ipsec.conf on fw2 as well and issue the "ipsecctl -f /etc/ipsec.conf" cmd when starting the IPSEC VPN? From the scarce documentation I found online, ipsec.conf does not need to be present on the 2nd fw, and it seems that the way I have it set up is the intended purpose. Can anyone confirm this?

The last and most important point is that once the SAs and flows are in sync on both fws and I carpdemote fw1, I lose the IPSEC connection for 20-30 seconds. I still need to debug this, but wasn't the whole sasyncd point to offer redundancy and prevent exactly this type of behavior? Or have I misconfigured something?

Last edited by da1; 24th June 2017 at 12:09 PM.
UPDATE:
When running isakmpd and sasyncd in debugging mode on fw2, I see that the SADs and flows are not applied to it once fw2 becomes master. This is weird considering sasyncd syncs them from fw1. Anyone?
Will do that, thx
No luck at misc@, but here's what I did:

Copy ipsec.conf from fw1 to fw2 and
Code:
    rcctl enable ipsec

I've established the VPN on fw1, demoted the carp, fw2 took over, and the VPN continued working. Rebooted fw1 and did the same steps on fw2. Out of 200 ping packets through the VPN, we've lost 2x. Pretty good if you ask me.
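The question that runs through the whole thread is whether the backup really holds the same flows as the master before a carpdemote. The following is an added example, not something posted by da1 or shipped with OpenBSD: a small sh script that compares saved `ipsecctl -s flow` listings from the two firewalls and prints any flow the master carries that the backup lacks. It assumes ipsecctl prints one "flow ..." line per flow entry under a "FLOWS:" header, as the OpenBSD FAQ shows; the two listings embedded below are constructed to mirror that shape (documentation address 203.0.113.7 stands in for the x.x.x.x GCP gateway) and are not real output from the poster's hosts.

```sh
#!/bin/sh
# Added example: compare IPsec flows between a sasyncd master and its backup.
# On the live hosts the two listings would be captured with, for example:
#   ipsecctl -s flow > /tmp/flows.master          (run on fw1)
#   ssh fw2 ipsecctl -s flow > /tmp/flows.backup  (run from fw1)
# Assumption: ipsecctl prints one "flow ..." line per entry under "FLOWS:".
export LC_ALL=C   # fixed collation so sort(1) and comm(1) agree

# Print only the flow entries, with whitespace runs collapsed and the lines
# sorted, so listings taken in different orders compare line by line.
normalize_flows() {
    awk '/^flow / { $1 = $1; print }' "$1" | sort -u
}

# Print every flow present on the master listing but absent from the backup.
missing_flows() {
    tmp_m=$(mktemp) ; tmp_b=$(mktemp)
    normalize_flows "$1" > "$tmp_m"
    normalize_flows "$2" > "$tmp_b"
    comm -23 "$tmp_m" "$tmp_b"   # lines only in the first (master) file
    rm -f "$tmp_m" "$tmp_b"
}

# Exit 0 when the backup holds every flow the master holds, 1 otherwise.
check_sync() {
    [ -z "$(missing_flows "$1" "$2")" ]
}

# --- constructed sample listings (not real ipsecctl output) -----------------
MASTER_FLOWS=$(mktemp)
BACKUP_FLOWS=$(mktemp)
trap 'rm -f "$MASTER_FLOWS" "$BACKUP_FLOWS"' EXIT

cat > "$MASTER_FLOWS" <<'EOF'
FLOWS:
flow esp in from 10.20.0.0/20 to 10.10.0.0/16 peer 203.0.113.7 srcid 1.1.1.16/32 dstid 203.0.113.7/32 type use
flow esp out from 10.10.0.0/16 to 10.20.0.0/20 peer 203.0.113.7 srcid 1.1.1.16/32 dstid 203.0.113.7/32 type require
flow esp out from 1.1.1.16 to 203.0.113.7 peer 203.0.113.7 srcid 1.1.1.16/32 dstid 203.0.113.7/32 type require
EOF

# The backup is missing the net-to-net outbound flow, which is exactly the
# kind of gap that shows up as a dead tunnel right after failover.
cat > "$BACKUP_FLOWS" <<'EOF'
FLOWS:
flow esp in from 10.20.0.0/20 to 10.10.0.0/16 peer 203.0.113.7 srcid 1.1.1.16/32 dstid 203.0.113.7/32 type use
flow esp out from 1.1.1.16 to 203.0.113.7 peer 203.0.113.7 srcid 1.1.1.16/32 dstid 203.0.113.7/32 type require
EOF

if check_sync "$MASTER_FLOWS" "$BACKUP_FLOWS"; then
    echo "backup carries every flow the master has"
else
    echo "flows on master but not on backup:"
    missing_flows "$MASTER_FLOWS" "$BACKUP_FLOWS"
fi
```

Run it on the master before demoting; an empty report means the backup has the full flow set and a failover should not lose the tunnel for want of a flow, while any printed line points at the exact flow to investigate (for example, one that only exists because ipsec.conf was loaded on fw1 but never on fw2). The same two functions work on `ipsecctl -s sa` output if you change the `/^flow /` pattern to match the SAD lines instead.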