DaemonForums > OpenBSD > OpenBSD Security
16th June 2017
da1
Fdisk Soldier
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
[SOLVED] IPSEC, CARP, sasyncd -- IPSEC failover is weird

Hello everyone,

Need sasyncd help

Here's the current setup I have:
- 2x OpenBSD 6.1 amd64 redundant firewalls (em0 (ext_if), em1 (int_if), carp0 (carp_if over em0), carp1 (carp_if over em1))
- carp0 has 16 public IP's (ex:>
- carp1 has 1x internal IP (ex:, a /16 subnet)
- the 2x fw's are connected back-to-back (pfsync)
- sysctl.conf (both fw's): net.inet.carp.preempt=1, net.inet.ip.forwarding=1, net.inet.ipcomp.enable=1
- pf.conf (both fw's): block all in, allow all out, allow pfsync and carp, antispoof, allow proto esp and udp port 4500 and 500; (the rules are fine)

IPSEC setup (google cloud on the other side):
- ipsec.conf (identical on both fw's):

# me->gcp
ike esp from $my_gw to $gcp_gw local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
ike esp from $my_gw to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
ike esp from $my_net to $gcp_net local $my_gw peer $gcp_gw main enc aes group modp1024 psk <super_secret_psk>
- isakmpd has the "-S -K" flag
- sasyncd.conf (fw2 has "peer <fw1_ip>"):
# carp(4) interface to track state changes on
interface carp0
# Interface group to use to suppress carp(4) preemption during boot
group carp
# sasyncd(8) peer IP address or hostname. Multiple 'peer' statements are allowed
peer <fw2_ip>
# Shared AES key used to encrypt messages between sasyncd(8) hosts. It can be
# generated with the openssl(1) command 'openssl rand -hex 16'
sharedkey <sasync_super_duper_pass>

On fw1, I start the VPN in this order:
- rcctl start isakmpd
- ipsecctl -f /etc/ipsec.conf
- rcctl start sasyncd
- all good, works

On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd. If I check the SA's and flows, they will be synced from fw1, but is this how it should be, or do I need to have ipsec.conf on fw2 as well and issue the "ipsecctl -f /etc/ipsec.conf" cmd when starting the IPSEC VPN? From the scarce documentation I found online, ipsec.conf does not need to be present on the 2nd fw, and it seems that the way I have it set up is the intended purpose. Can anyone confirm this?

The last and most important point is that once the SA's and flows are in sync on both fw's and I carpdemote fw1, I lose the IPSEC connection for 20-30 seconds. I still need to debug this, but wasn't the whole point of sasyncd to offer redundancy and prevent exactly this type of behavior?

Or have I misconfigured something?

Last edited by da1; 24th June 2017 at 12:09 PM.
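Before blaming the failover itself, it is worth confirming that the two sasyncd peers really hold identical SA and flow tables. The script below is an added example, not part of the original post or of OpenBSD; it compares two "ipsecctl -s all" tables (the sample tables are constructed, with documentation-range addresses) and reports any entry present on only one host.

```shell
#!/bin/sh
# Added example, not from the original post: check that two sasyncd(8) peers
# hold the same IPsec SAs and flows before relying on a CARP failover.
# The tables below are constructed samples in "ipsecctl -s all" format; on
# real firewalls feed the script the output of that command from each host.

# Keep only SA ("esp ...") and flow ("flow ...") lines, sorted and deduplicated,
# so the two tables can be compared line by line.
normalize() {
    grep -E '^(esp|flow) ' | sort -u
}

# Count entries of one kind in a table: "esp" for SAs, "flow" for flows.
count_kind() {
    grep -c "^$1 "
}

# Compare the tables of two hosts. Returns 0 when they agree; otherwise prints
# the entries missing on either side and returns 1.
compare_tables() {
    tmp1=$(mktemp) && tmp2=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize > "$tmp1"
    printf '%s\n' "$2" | normalize > "$tmp2"
    if cmp -s "$tmp1" "$tmp2"; then
        rc=0
    else
        echo "only on host 1:"; comm -23 "$tmp1" "$tmp2"
        echo "only on host 2:"; comm -13 "$tmp1" "$tmp2"
        rc=1
    fi
    rm -f "$tmp1" "$tmp2"
    return $rc
}

# Constructed sample: fw1 after "isakmpd" and "ipsecctl -f /etc/ipsec.conf".
FW1='esp tunnel from 203.0.113.10 to 198.51.100.20 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes
esp tunnel from 198.51.100.20 to 203.0.113.10 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes
flow esp in from 10.20.0.0/16 to 10.0.0.0/16 peer 198.51.100.20 srcid 203.0.113.10/32 dstid 198.51.100.20/32 type use
flow esp out from 10.0.0.0/16 to 10.20.0.0/16 peer 198.51.100.20 srcid 203.0.113.10/32 dstid 198.51.100.20/32 type require'

# Constructed sample: fw2 that received the SAs but not the net-to-net flows.
FW2_STALE='esp tunnel from 203.0.113.10 to 198.51.100.20 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes
esp tunnel from 198.51.100.20 to 203.0.113.10 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes'

if compare_tables "$FW1" "$FW2_STALE"; then echo "in sync"; else echo "NOT in sync"; fi
```

Run it against the real tables from both firewalls before and after a carpdemote; a table that only diverges after the demote points at the SA exchange rather than at the CARP transition.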