Hello
I have two problems with SA-sync and failover between a pair of obsd gateways (which likely aren't related, but I'm not sure, so I'm posting them in one thread):

After an ipsec tunnel is created from outside to the external common carp address, the SAs get synced between the two machines by sasyncd as designed.

problem 1)

When the master goes down, the slave takes over carp interface, ipsec sessions, pf states and all - it just works perfectly. But as soon as the box comes back up, it comes back with the carp interfaces in MASTER state, which is being monitored by sasyncd, who then sees itself as master and never tries to get the SAs back from the other box. So after carp fails back over to the original master, it doesn't know of any SA and the tunnel stalls. I then have to manually set an interface down, so that the box is SLAVE again, then restart sasyncd to have it fetch the SAs from the other gateway and bring the interface back up.

I'm not sure if there's a way around this. If anybody sees one, please shed a light for a lost soul. What came to my mind was to set something like a startup delay on the carp interface, so that it would stay in INIT or BACKUP for, say, 60 seconds after the physical interface came up, so that sasyncd would come up as SLAVE and initially fetch SAs from the second box.

problem 2)

is a bit strange. I'll start with the network layout:

                              _______
                             |OBSD 1 |
        192.168.43.0/24  .49 |_______| .101   192.168.16.0/24
    Client A .111 ------ .50 (carp1)(carp0) .100 ------ .21 Client B
                         .48  _______  .102      <-- Tunnel -->
                             |OBSD 2 |
                             |_______|

The ipsec tunnel is from Client B (192.168.16.21) to carp0 (192.168.16.100). isakmpd listens on this interface, and sasyncd monitors it every 1 second. OBSD 1 is the master. Packets from Client B to Client A can travel only through the ipsec tunnel.

Test was mutual pings from Client A to B and back and an ssh session from B to A. isakmpd, tunnel establishment and all work fine, as does pfsync and carp.
Now if I:

- unplug cable on OBSD 1 (.101): carp & ipsec fail over to OBSD 2
- plug cable back in: fails back over to OBSD 1 - ssh+ping ok
- unplug cable on OBSD 1 (.49): carp & ipsec fail over to OBSD 2
- plug cable back in: carp fails back over to OBSD 1, but ipsec does so only on carp0 - i.e. packets from Client A to B go through carp0 on OBSD 1, replies go through carp1 on OBSD 2. This lasts for exactly 30 seconds, but Client B will not decrypt the packets. tcpdump on Client B shows the replies (esp) coming from OBSD 2's MAC address. Then ipsec also goes back to OBSD 1, and pings resume. The ssh session established before the failover doesn't work anymore (replies are no longer passed on to the ssh client on Client B). New sessions can be established though.
- take down interface .49 on OBSD 1 with ifconfig: carp & ipsec fail over to OBSD 2
- bring interface .49 on OBSD 1 back up with ifconfig: fails back over to OBSD 1 - ssh+ping ok
- reboot OBSD 1: problem 1 kicks in

Now this problem 2 might be a totally different issue and I reckon that my debugging capabilities are not quite up to the problem. So I would be very grateful for any hint as to where to look further (as the logfiles obviously show no error).

System:
2 x OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
2 carp interfaces each
pfsync
sasyncd

This is still a lab installation at the moment, hence the rfc1918. If dmesg is required, pls. let me know (I thought this post was long enough without it).

tia for any hints
/markus

PS: And let me do my kudos to the developers of pf, carp, sasyncd, and ... oh, well, the whole system. Your software puts all "enterprise class" software that I know to shame.
/m
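One way to try the startup-delay idea from problem 1, as an added sketch that is not from the original post: keep the rebooted box's carp interfaces at a high advskew so it stays BACKUP while sasyncd starts and fetches the SAs, then restore the normal skew so carp preempts back. The interface names, skew values, the sasyncd path and the `carp: STATE ...` line in ifconfig output are assumptions, and it has not been run against a 3.8 box.

```shell
#!/bin/sh
# Sketch of the startup-delay idea from problem 1: hold the rebooted gateway in
# BACKUP until sasyncd has pulled the SAs from the peer, then restore the normal
# advskew so carp preempts as usual. Names, skews and paths are assumptions.

CARP_IFS="carp0 carp1"      # carp interfaces sasyncd monitors (assumed)
DEMOTED_SKEW=254            # high skew: lose the election while the peer is up
NORMAL_SKEW=0               # this box's usual skew as preferred master (assumed)
SYNC_WAIT=60                # seconds to let sasyncd fetch SAs before preempting
SASYNCD=/usr/sbin/sasyncd   # assumed path

# carp_state: print MASTER, BACKUP or INIT from `ifconfig carpN` output by
# picking the "carp: STATE ..." line; prints nothing for a non-carp interface.
carp_state() {
    printf '%s\n' "$1" | sed -n 's/^.*carp: \([A-Z][A-Z]*\).*$/\1/p' | head -n 1
}

# set_skew: apply one advskew value to every carp interface
set_skew() {
    for i in $CARP_IFS; do
        ifconfig "$i" advskew "$1"
    done
}

# all_backup: succeed only when every carp interface reports BACKUP
all_backup() {
    for i in $CARP_IFS; do
        [ "$(carp_state "$(ifconfig "$i")")" = BACKUP ] || return 1
    done
}

main() {
    set_skew "$DEMOTED_SKEW"
    n=0                     # bounded wait for the peer to push us into BACKUP
    while ! all_backup && [ "$n" -lt 10 ]; do
        sleep 1; n=$((n + 1))
    done
    # Start sasyncd only now, while we are BACKUP, so it fetches SAs instead
    # of believing it is master with an empty SADB.
    "$SASYNCD"
    sleep "$SYNC_WAIT"
    set_skew "$NORMAL_SKEW"     # back to normal skew: carp preempts
}

# Only act when asked ("sh carp-delay.sh run" from rc.local), so the helpers
# can be sourced and checked without touching any interface.
if [ "${1:-}" = run ]; then
    main
fi
```

If the peer never pushes this box into BACKUP within the bounded wait (peer down as well), the script starts sasyncd anyway rather than hanging, which is the same situation as a plain boot.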