Hi Folks,
Sorry but I need to ask what some will see as an obvious and stupid
question, so feel free to shoot me down in flames but please answer the
question :-)
I have a pair of 3.8 boxes, each with 3 interfaces xl0, xl1 and rl0,
configured as a redundant firewall using CARP, PFSYNC and SASYNCD (for
my ipsec VPNs configured with isakmpd.conf & .policy).
carp0 (Internet) is bound to xl0 on both firewalls, carp1 (Internal) is
bound to xl1, with rl0 being used for PFSYNC and SASYNCD traffic. With me
so far?
OK, the pair work like a charm: fail over and recovery work, SAs & SPDs
are synced on both boxes, I couldn't be happier.
Now for the silly question:
I know SASYNCD doesn't do any fail over so by default I have ISAKMPD
started on both machines.
Now looking at the message log on the 'secondary' box I see ISAKMPD
logging lots of messages about no response from the remote peer, which
sounds right as the VPN is established with the ISAKMPD daemon running
on the primary box.
Looking at the primary box I get a lot of 'bad cookie' errors which seem
to correspond to the secondary's attempts to connect to the remote peer,
although the VPN is running sweetly.
Is this right or should I instead use ifstated to monitor the CARP0
interface and start ISAKMPD on the secondary box only when the primary
fails?
During my testing phase, using only OBSD boxes for local and remote peers,
IPSec fail over worked; now in the 'live' config, where the remote peer
is a Checkpoint R56 HA pair, the primary VPN works but fail over doesn't
appear to.
Many thanks, asbestos undies at the ready ;-)
Simon
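For reference, here is what the ifstated approach asked about in the post would look like: an ifstated.conf that starts isakmpd only while carp0 is CARP master and stops it again when carp0 drops to backup. This is an added example, not part of Simon's message or his config; it assumes carp0 is the Internet-facing CARP interface as described, that isakmpd lives at /sbin/isakmpd, and that sasyncd is still started on both boxes in rc.conf (it has to keep running on the backup so the synced SAs are there when it takes over).

```conf
# ifstated.conf (added example, not from the post): run isakmpd only on
# the CARP master.  Assumptions: carp0 is the Internet-facing CARP
# interface, isakmpd is /sbin/isakmpd, isakmpd_flags=NO in rc.conf on
# both boxes (ifstated owns it now), sasyncd keeps running on both.
# Written against ifstated.conf(5); verify the syntax on your release.

init-state auto

# For a carp interface, "link up" means this host is MASTER.
carp_master = "carp0.link.up"
carp_backup = "! carp0.link.up"

# Pick the right state at startup instead of assuming one.
state auto {
	if $carp_master
		set-state master
	if $carp_backup
		set-state backup
}

state master {
	init {
		# Became MASTER: bring up isakmpd so it owns the SAs that
		# sasyncd has already pushed into the kernel.
		run "/sbin/isakmpd"
	}
	if $carp_backup
		set-state backup
}

state backup {
	init {
		# Lost MASTER (or booted as BACKUP): stop isakmpd so this box
		# no longer negotiates with the remote peer.  With no backup
		# isakmpd talking, the "no response" lines on the secondary
		# and the matching "bad cookie" lines on the primary go away.
		run "pkill isakmpd"
	}
	if $carp_master
		set-state master
}
```

Both boxes carry the same file; which one actually runs isakmpd follows the CARP election, and a failover moves it automatically.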