On Wed 04 Dec 2013 12:40:09 GMT, Stuart Henderson wrote:
On 2013/12/04 10:19, Andy wrote:
>> Yeah, I had the same problem with sasyncd, but I found a simple solution that
>> allows for faster failover than DPD.
>>
>> The issue I found was that when isakmpd starts on the carp 'backup', the -S
>> stops it from chatting, which is great, but I also found it seems to
>> stop it from reading the ipsec.conf file! So when you switch over, isakmpd
>> doesn't know about the policies even though it has the phase 1 and phase 2
>> policies from the master.
>>
>> The solution I found was to edit /etc/rc.d/sasyncd, adding:
>>
>> rc_start() {
>>         sleep 10
>>         # the stock rc.subr(8) start line
>>         ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
>>         sleep 5
>>         # (re)load the flows and SAs from ipsec.conf once sasyncd is running
>>         ipsecctl -f /etc/ipsec.conf
>> }
>>
>> It is still not perfect as a VPN failover, as it still seems to take a few
>> seconds because the trust relationship cannot be fully replicated by sasyncd, so
>> some sort of renegotiation is still needed, but not a full rebuild.
>>
>> I've been meaning to look at testing this more and maybe adding this to the
>> code if I can prove it (along with many other things I want to contribute,
>> but I'm so busy and the learning curve of a new code base means all the
>> things I want to contribute will take me an age).
>>
>> Andy

> This is definitely worth investigating, but this seems different to what
> I saw: the machines got into a state where not even shutting down the ipsec
> related daemons and "ipsecctl -F" was enough to get them out of it.
>
> However, thinking about this again today, I wonder if some badness was
> getting synced by pfsync instead... (this was on quite an old setup though,
> and I don't have the kit to test on now).

Hey Stuart,
Yeah, I did see similar. I think it was due to synchronisation issues.
I found I had to flush all 4 firewalls at the same time (CARP pairs at
both ends), otherwise old SAs would get synchronized and confuse things.

With the setup now it seems to stay in sync, as whenever the backup is
promoted I'm guessing it has the policies in memory and so doesn't
reset the other end. I can't quite remember how I debugged it.

Let me know if this works for you too.

It might be good if someone who knows isakmpd could comment on the -S
and whether it does do the same as 'ipsecctl -f /etc/ipsec.conf' or
not.

Looking at
http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/tree/sbin/isakmpd/isakmpd.c
quickly, I don't think it does, which would confirm my findings, but my C
foo is weak.
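The rc_start() quoted earlier relies on two fixed sleeps and reloads ipsec.conf every time sasyncd starts, whether or not this box is actually about to carry traffic. The script below is an added example, not code from this thread and not OpenBSD's own /etc/rc.d code: it parses the CARP state out of `ifconfig carpN` output and runs `ipsecctl -f /etc/ipsec.conf` only on the transition into MASTER, so a backup that is merely restarting its daemons does not flush and reload flows. The two blocks of ifconfig output are constructed samples in the format OpenBSD's ifconfig(8) prints for a carp interface; `load_policies`, `failover_step`, `needs_policy_load` and `CARP_STATE` are names chosen here, not anything from sasyncd or rc.subr(8). It does not settle the question above of what -S actually suppresses in isakmpd; it only removes the dependence on timing.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD's /etc/rc.d scripts.
# It re-applies /etc/ipsec.conf only when the CARP interface has just been
# promoted to MASTER, instead of relying on fixed sleeps after sasyncd starts.
# The ifconfig(8) text below is constructed sample output; ipsecctl(8) is only
# reached through load_policies so the logic can be dry-run elsewhere.

# Parse the CARP state (MASTER, BACKUP or INIT) out of `ifconfig carpN` output.
# OpenBSD prints it on a line of the form:
#   carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
# Prints nothing if the text carries no "carp:" line (a non-CARP interface).
carp_state() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*carp: \([A-Z]*\) .*/\1/p' | head -n 1
}

# True (exit 0) only on a transition into MASTER: $1 = previous state,
# $2 = current state. Staying MASTER, or dropping back to BACKUP, must not
# reload, or every poll would flush and re-add the flows.
needs_policy_load() {
    [ "$2" = MASTER ] && [ "$1" != MASTER ]
}

# The real action. Redefine this function for a dry run.
load_policies() {
    ipsecctl -f /etc/ipsec.conf
}

# One poll iteration: $1 is the current `ifconfig carpN` output. Uses the
# global CARP_STATE as the last seen state, updates it, and records in
# POLICIES_LOADED whether load_policies ran this round.
failover_step() {
    cur=$(carp_state "$1")
    POLICIES_LOADED=no
    if needs_policy_load "$CARP_STATE" "$cur"; then
        load_policies
        POLICIES_LOADED=yes
    fi
    CARP_STATE=$cur
}

CARP_STATE=INIT   # nothing seen yet; the first MASTER observation loads

# Constructed sample output of `ifconfig carp0` on the backup and on the master.
SAMPLE_BACKUP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        index 6 priority 15 llprio 3
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
        groups: carp
        status: backup
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        index 6 priority 15 llprio 3
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# Live use would poll the real interface, for example once a second:
#   while :; do failover_step "$(ifconfig carp0)"; sleep 1; done
```

On OpenBSD the natural home for such a hook is ifstated(8), which can run a command when an interface changes state; the logic is kept in plain sh here so the transition check can be exercised on its own, with `load_policies` redefined to a no-op. Note that it deliberately does nothing on a MASTER to BACKUP transition: tearing down flows on demotion is a separate decision, and the thread above reports that flushing on one box while the others keep their SAs is exactly what causes stale SAs to be re-synced.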