Hi everyone @ misc!

I'm trying to determine what the state of using iked (OpenIKED) with 
redundancy (with CARP) is. Should such a setup work in OpenBSD 6.0?

The iked.conf(5) man page implies that using CARP for
redundancy is a supported configuration: "This option is used for 
setups using sasyncd(8) and carp(4) to provide redundancy."

However, after some digging I'm leaning towards it being something that 
used to work but doesn't work anymore (at least not in 6.0).

The issue I bumped into: I'm using OpenBSD 6.0 (fully patched), and CARP 
and iked by themselves work fine. The problems start when trying to 
have iked use the CARP IP address instead of the IP of the host 
itself. iked says in its logs that it uses the CARP IP as source IP in 
the messages it sends, but in reality (checked with tcpdump) it doesn't. 
It uses the IP of the interface with the default route. After some 
digging I found someone on the list who encountered the same 
problem: "IKED/carp/sasyncd: Wrong source ip address/No IKEv2 response" 
[1]. The response is: "iked generates some packets before binding, 
so they have whatever source address is on the interface that holds the 
outgoing route to the destination."

I also found a post in the list called "iked+CARP/ active,
passive" [2] which implies that iked + CARP actually does work. But 
since that post is from 2011, I'm guessing it broke somewhere between 
2011 and 2016.

If the current state is indeed that using CARP with iked is not a 
working option, perhaps we should modify the iked.conf(5) man page to 
clearly state that?

On a related note: I got bitten by the bug fixed in the patch 
"Fix an infinite loop in iked" [3]. I manually patched my build with it, 
but perhaps it's a good candidate for inclusion in the 6.0 patch 
branch?

Regards,

Jasper

[1] https://marc.info/?l=openbsd-misc&m=145924380931352&w=2
[2] https://marc.info/?l=openbsd-misc&m=131850193524708&w=2
[3] https://marc.info/?l=openbsd-tech&m=147348976311128&w=2
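The tcpdump check described in the message above, turned into a repeatable script (an added example, not part of the original post or of OpenIKED): it reads captured "src.port > dst.port" lines and counts IKE packets (UDP 500/4500) that left from the host's own interface address instead of the CARP address. The addresses and the capture lines are constructed samples, and the line layout assumes tcpdump's default "src.port > dst.port:" form.

```shell
#!/bin/sh
# Constructed sample capture (not a real tcpdump run). Assumed addresses:
#   192.0.2.1  = CARP address iked is configured to use
#   192.0.2.10 = this host's own interface address (holds the default route)
#   198.51.100.9 = remote IKEv2 peer
SAMPLE_CAPTURE='10:00:01.000001 192.0.2.1.500 > 198.51.100.9.500: isakmp v2.0 exchange IKE_SA_INIT
10:00:01.000002 198.51.100.9.500 > 192.0.2.1.500: isakmp v2.0 exchange IKE_SA_INIT
10:00:01.000003 192.0.2.10.500 > 198.51.100.9.500: isakmp v2.0 exchange IKE_AUTH
10:00:01.000004 192.0.2.10.4500 > 198.51.100.9.4500: isakmp v2.0 exchange INFORMATIONAL
10:00:01.000005 192.0.2.1.22 > 203.0.113.7.51515: tcp'

# ike_wrong_source CARP_IP HOST_IP  (capture text on stdin)
# Prints the number of outbound IKE packets (UDP 500/4500) whose source
# is HOST_IP rather than CARP_IP; each offending line goes to stderr.
ike_wrong_source() {
    awk -v carp="$1" -v host="$2" '
        # Only look at "src.port > dst.port:" records.
        $3 == ">" {
            src = $2; sub(/\.[0-9]+$/, "", src)   # strip trailing .port
            port = $2; sub(/.*\./, "", port)      # keep only the port
            if (port == "500" || port == "4500") {
                if (src == host) {
                    print "not from CARP address: " $0 > "/dev/stderr"
                    n++
                } else if (src == carp) {
                    ok++
                }
            }
        }
        END { print n + 0 }'
}

# Stand-alone run against the constructed capture.
wrong=$(printf '%s\n' "$SAMPLE_CAPTURE" | ike_wrong_source 192.0.2.1 192.0.2.10)
if [ "$wrong" -gt 0 ]; then
    echo "$wrong IKE packet(s) left from the host address, not the CARP address"
else
    echo "all outbound IKE packets use the CARP address"
fi
```

On a live system the same function can be fed with `tcpdump -n -i <carp interface> udp port 500 or udp port 4500` output; a count above zero reproduces the behaviour described in [1].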
