DaemonForums > OpenBSD > OpenBSD Security

#1
16th June 2017
da1 (Fdisk Soldier; Join Date: Feb 2009; Location: Berlin, DE; Posts: 49)
[SOLVED] IPSEC, CARP, sasyncd -- IPSEC failover is weird

Hello everyone,

Need sasyncd help

Here's the current setup I have:
- 2x OpenBSD 6.1 amd64 redundant firewalls (em0 (ext_if), em1 (int_if), carp0 (carp_if over em0), carp1 (carp_if over em1))
- carp0 has 16 public IPs (ex: 1.1.1.1->1.1.1.16)
- carp1 has 1x internal IP (ex: 10.10.10.1, a /16 subnet)
- the 2x fws are connected back-to-back (pfsync)
- sysctl.conf (both fws): net.inet.carp.preempt=1, net.inet.ip.forwarding=1, net.inet.ipcomp.enable=1
- pf.conf (both fws): block all in, allow all out, allow pfsync and carp, antispoof, allow proto esp and udp port 4500 and 500; (the rules are fine)

IPSEC setup (google cloud on the other side):
- ipsec.conf (identical on both fws):
Code:
my_gw="1.1.1.16"
my_net="10.10.0.0/16"
gcp_gw="x.x.x.x"
gcp_net="10.x.x.x/20"

# me->gcp
ike esp from $my_gw to $gcp_gw local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
ike esp from $my_gw to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
ike esp from $my_net to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
- isakmpd has the "-S -K" flags
- sasyncd.conf (fw2 has "peer <fw1_ip>"):
Code:
# carp(4) interface to track state changes on
interface carp0
# Interface group to use to suppress carp(4) preemption during boot
group carp
# sasyncd(8) peer IP address or hostname. Multiple 'peer' statements are allowed
peer <fw2_ip>
# Shared AES key used to encrypt messages between sasyncd(8) hosts. It can be
# generated with the openssl(1) command 'openssl rand -hex 16'
sharedkey <sasync_super_duper_pass>
On fw1, I start the VPN in this order:
- rcctl start isakmpd
- ipsecctl -f /etc/ipsec.conf
- rcctl start sasyncd
- all good, works

On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd. If I check the SAs and flows, they are synced from fw1, but is this how it should be, or do I need to have ipsec.conf on fw2 as well and issue the "ipsecctl -f /etc/ipsec.conf" cmd when starting the IPSEC VPN? From the scarce documentation I found online, ipsec.conf does not need to be present on the 2nd fw, and it seems that the way I have it set up is the intended purpose. Can anyone confirm this?

The last and most important point is that once the SAs and flows are in sync on both fws and I carpdemote fw1, I lose the IPSEC connection for 20-30 seconds. I still need to debug this, but wasn't the whole point of sasyncd to offer redundancy and prevent exactly this type of behavior?

Or have I misconfigured something?

Last edited by da1; 24th June 2017 at 12:09 PM.
#2
17th June 2017
da1 (Fdisk Soldier; Join Date: Feb 2009; Location: Berlin, DE; Posts: 49)

UPDATE:

When running isakmpd and sasyncd in debugging mode on fw2, I see that the SADs and flows are not applied to it once fw2 becomes master. This is weird considering sasyncd syncs them from fw1.

Anyone?
#3
17th June 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 5,884)

Quote:
Anyone?
I think your best option is to reach out to the misc@ mailing list. This small forum doesn't see frequent activity with knowledgeable IPSec users. On misc@, you are more likely to obtain a rapid response.
#4
18th June 2017
da1 (Fdisk Soldier; Join Date: Feb 2009; Location: Berlin, DE; Posts: 49)

Will do that, thx
#5
24th June 2017
da1 (Fdisk Soldier; Join Date: Feb 2009; Location: Berlin, DE; Posts: 49)

No luck at misc@, but here's what I did:

Copy ipsec.conf from fw1 to fw2 and
Code:
rcctl enable ipsec
on both fws.

I've established the VPN on fw1, demoted the carp, fw2 took over, the VPN continued working. Rebooted fw1 and did the same steps on fw2.

Out of 200 ping packets through the VPN, we've lost 2x. Pretty good if you ask me.
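The symptom in post #2 (flows and SAs that never landed on fw2) is easy to catch before a failover by diffing what the two firewalls actually hold in their SAD and flow tables. The script below is an added example, not the poster's code or anything from OpenBSD; the two listings are constructed samples in the shape of "ipsecctl -s all" output (the addresses 198.51.100.7 and 10.8.0.0/20 stand in for the elided gateway and network), and the only assumption about that output is that flow lines start with "flow" and SA lines with the protocol name, which is what the script keys on.

```shell
#!/bin/sh
# Added example (not from the thread): compare the flow and SA entries two
# CARP firewalls report, so that anything sasyncd did not carry over shows up
# before a failover does. On real hosts capture the listings with
#   ssh fw1 ipsecctl -s all > fw1.txt ; ssh fw2 ipsecctl -s all > fw2.txt
# 1.1.1.16 is the thread's example gateway; 198.51.100.7 and 10.8.0.0/20 are
# constructed placeholders for the remote gateway and network.

# CONSTRUCTED sample: the master, with both flows and both SAs.
FW1_DUMP='FLOWS:
flow esp in from 10.8.0.0/20 to 10.10.0.0/16 peer 198.51.100.7 srcid 1.1.1.16/32 dstid 198.51.100.7/32 type use
flow esp out from 10.10.0.0/16 to 10.8.0.0/20 peer 198.51.100.7 srcid 1.1.1.16/32 dstid 198.51.100.7/32 type require

SAD:
esp tunnel from 1.1.1.16 to 198.51.100.7 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes
esp tunnel from 198.51.100.7 to 1.1.1.16 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes'

# CONSTRUCTED sample: the backup as the poster saw it, flows present, SAs absent.
FW2_DUMP='FLOWS:
flow esp in from 10.8.0.0/20 to 10.10.0.0/16 peer 198.51.100.7 srcid 1.1.1.16/32 dstid 198.51.100.7/32 type use
flow esp out from 10.10.0.0/16 to 10.8.0.0/20 peer 198.51.100.7 srcid 1.1.1.16/32 dstid 198.51.100.7/32 type require

SAD:
'

# Keep only flow and SA entries, squeeze whitespace, sort for comm(1).
normalize() {
    printf '%s\n' "$1" | grep -E '^(flow|esp|ah|ipcomp) ' | tr -s ' ' | sort
}

# Print entries present in the first listing but absent from the second.
missing_on_peer() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Same check as a plain integer, convenient for scripts and monitoring.
count_missing() {
    missing_on_peer "$1" "$2" | wc -l | tr -d ' \t'
}

# Human-readable report for one direction (master -> peer).
report() {
    n=$(count_missing "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "peer holds every flow/SA of the master"
    else
        echo "$n entries on the master are missing on the peer:"
        missing_on_peer "$1" "$2" | sed 's/^/  /'
    fi
}

report "$FW1_DUMP" "$FW2_DUMP"
```

Run against the samples it reports the two SAs fw2 never received. Checking both directions (swap the arguments) also catches stale entries left on the backup. The resolution in post #5, ipsec.conf present and rcctl enable ipsec on both firewalls, means each host loads its own flows at boot rather than relying solely on sasyncd, and this diff is a quick way to confirm the two tables really match after that change.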