Hi

On Mon, Jul 22, 2013 at 12:56:38PM +0100, Andy wrote:
> Hi,
>
> I hope this is helpful to someone else and maybe a dev could add
> this solution (or an improvement thereof) into the code as standard.
>
> - I found an issue with IPsec and OpenBSD with CARP during
> fail-over, whereby a fail-over with the default recommended set-up
> results in broken IPsec tunnels for a while.
>
> isakmpd does all the work of setting up phase 1 and phase 2 for the
> VPN and the actual encryption/decryption of packets etc.
>
> isakmpd;
> -K is needed to make isakmpd controllable by ipsecctl or bgpd etc.
> -S is needed to make isakmpd start up in a passive mode, and not
> initiate connections or process incoming traffic unless CARP master
> (if sasyncd is enabled in rc.conf.local, rc.d scripts add -S
> automatically).
>
> All sasyncd does is synchronise the established SAs to the
> backup CARP firewall.
>
> The problem I found is that when the secondary firewall is started
> up/rebooted, isakmpd starts up and does nothing (is passive, but
> does not even know about the tunnel policies). sasyncd starts and
> receives SAs from the master.
>
> The CARP pair now fail over and the tunnels stop working even though
> the SAs are all present and correct; the problem is simply that
> isakmpd on the secondary was never told to read the policies!
>
> I have simply modified '/etc/rc.d/sasyncd' so after it starts,
> isakmpd reads the policies.
>
> /etc/rc.d/sasyncd;
> #!/bin/sh
> #
> # $OpenBSD: sasyncd,v 1.1 2011/07/06 18:55:36 robert Exp $
>
> daemon="/usr/sbin/sasyncd"
>
> . /etc/rc.d/rc.subr
>
> pexp="sasyncd: \[priv\]"
>
> rc_start() {
> 	${rcexec} "${daemon} ${daemon_flags} ${_bg}"
> 	ipsecctl -f /etc/ipsec.conf
> }

Why don't you use "ipsec=YES" in /etc/rc.conf.local ?

> rc_cmd $1
>
> Now when the firewalls fail over the tunnels work immediately :)
> I'm sure there is a more elegant solution to this, but this works
> well enough.
>
> Cheers, Andrew Lemin
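An added check for the failure state Andy describes (example code written for this thread, not part of OpenBSD or either poster's setup): it classifies the output of `ipsecctl -s all` on a CARP backup, flagging the case where sasyncd has synced SAs but no flows were ever loaded from /etc/ipsec.conf. The `FLOWS:`/`SAD:` section layout and line shapes are assumed from ipsecctl(8), and the two sample dumps are constructed.

```sh
#!/bin/sh
# Added example, not from the thread or OpenBSD: spot the state Andy describes on a
# CARP backup, where sasyncd synced the SAs but isakmpd never read /etc/ipsec.conf,
# so the SAD is populated while the flow (policy) table is empty. Input is the text
# of 'ipsecctl -s all'; the FLOWS:/SAD: layout is assumed and the samples constructed.

# count_flows: "flow ..." entries in the FLOWS: section, read from stdin
count_flows() {
    awk '/^FLOWS:/ {s=1; next} /^SAD:/ {s=0} s && /^flow / {n++} END {print n+0}'
}

# count_sas: esp/ah entries in the SAD: section, read from stdin
count_sas() {
    awk '/^SAD:/ {s=1; next} s && /^(esp|ah) / {n++} END {print n+0}'
}

# policy_state: classify one dump passed as $1. no-policy = SAs but no flows (the
# fail-over-breaking case); no-sa = flows but nothing synced; empty; ok.
policy_state() {
    flows=$(printf '%s\n' "$1" | count_flows)
    sas=$(printf '%s\n' "$1" | count_sas)
    if [ "$flows" -eq 0 ] && [ "$sas" -gt 0 ]; then
        echo no-policy
    elif [ "$flows" -gt 0 ] && [ "$sas" -eq 0 ]; then
        echo no-sa
    elif [ "$flows" -eq 0 ]; then
        echo empty
    else
        echo ok
    fi
}

# Constructed: backup holding two synced SAs but no flows.
SAMPLE_BROKEN='FLOWS:
SAD:
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes'

# Constructed: the same node after the policies were loaded.
SAMPLE_OK='FLOWS:
flow esp in from 10.1.0.0/24 to 10.0.0.0/24 peer 192.0.2.1 type use
flow esp out from 10.0.0.0/24 to 10.1.0.0/24 peer 192.0.2.1 type require
SAD:
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes'

# On the backup node itself: policy_state "$(ipsecctl -s all)"
policy_state "$SAMPLE_BROKEN"
```

A result of `no-policy` after the backup boots is exactly the condition that makes the next fail-over drop the tunnels, whichever fix (Andy's rc.d edit or `ipsec=YES`) is used to prevent it.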