Hello Jasper,

I wanted to use iked in a redundant configuration too and wasn't sure whether iked and sasyncd play nice together. I contacted Reyk Floeter (the main developer of iked) and it turns out there is room for improvement.

We use OpenBSD for the Muniam managed firewalls and need redundant iked for our customers. We will be sponsoring Reyk's work to improve iked redundancy. I expect that Reyk will have something soon but the timing depends on him.

Daniel

Jasper Siepkes wrote on 28-9-2016 11:07:
Hi everyone @ misc!

I'm trying to determine what the state is of using iked (OpenIKED) with
redundancy (with CARP). Should such a setup work in OpenBSD 6.0?

The iked.conf (5) man page implies that using CARP for
redundancy is a supported configuration: "This option is used for
setups using sasyncd(8) and carp(4) to provide redundancy."

However after some digging I'm leaning towards it was something that
used to work but doesn't work anymore (at least not in 6.0).

The issue I bumped into: I'm using OpenBSD 6.0 (fully patched) and CARP
and iked by themselves work fine. The problems start when trying to
have iked use the CARP IP address instead of the IP of the host
itself. iked says in its logs that it uses the CARP IP as source IP in
the messages it sends but in reality (checked with tcpdump) it doesn't.
It uses the IP of the interface with the default route. After some
digging I found someone on the list who encountered the same
problem: "IKED/carp/sasyncd: Wrong source ip address/No IKEv2 response"
[1]. The response is: "iked generates some packets before binding,
so they have whatever source address is on the interface that holds the
outgoing route to the destination."

I also found a post in the list called "iked+CARP/ active,
passive"[2] which implies that iked + CARP actually does work. But
since that post is from 2011 I'm guessing it broke somewhere between
2011 and 2016.

If the current state is indeed that using CARP with iked is not a
working option, perhaps we should modify the iked.conf (5) man page to
clearly state that?

On a related note; I got bitten by the bug fixed in the patch:
"Fix an infinite loop in iked"[3]. I manually patched my build with it
but perhaps it's a good candidate for inclusion in the 6.0 patch
branch?

Regards,

Jasper

[1] https://marc.info/?l=openbsd-misc&m=145924380931352&w=2
[2] https://marc.info/?l=openbsd-misc&m=131850193524708&w=2
[3] https://marc.info/?l=openbsd-tech&m=147348976311128&w=2
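The symptom Jasper describes (iked logging the CARP address as source while tcpdump shows the physical interface address) is easy to check for with a small filter over a capture. The script below is an added example written for this page, not code from the thread, from OpenBSD or from iked. It assumes a CARP address of 192.0.2.1 and a physical interface address of 192.0.2.10 (RFC 5737 documentation ranges used as placeholders), and the capture lines it parses are constructed in the shape of `tcpdump -n` output for IKE traffic on UDP 500/4500; the field positions are what matter, not the exact decoding text.

```shell
#!/bin/sh
# Added example: flag IKE packets that left the host from a physical
# interface address instead of the shared CARP address.
# Placeholder addresses (assumed, RFC 5737 documentation ranges):
#   192.0.2.1      the CARP address iked is configured to use
#   192.0.2.10     the physical address of the interface holding the default route
#   198.51.100.20  the remote IKE peer

# Constructed sample lines in the shape of
#   tcpdump -n -l -i em0 'udp port 500 or udp port 4500'
# Fields: $1 timestamp, $2 src.port, $3 ">", $4 dst.port:, rest decoding.
SAMPLE_CAPTURE='12:00:01.000001 192.0.2.1.500 > 198.51.100.20.500: isakmp v2.0 exchange IKE_SA_INIT
12:00:01.000002 192.0.2.10.500 > 198.51.100.20.500: isakmp v2.0 exchange IKE_SA_INIT
12:00:01.000003 198.51.100.20.500 > 192.0.2.1.500: isakmp v2.0 exchange IKE_SA_INIT
12:00:01.000004 192.0.2.10.4500 > 198.51.100.20.4500: udpencap: isakmp v2.0 exchange IKE_AUTH'

# find_wrong_source CARP_IP LOCAL_IP [LOCAL_IP ...] < capture
# Reads tcpdump lines on stdin and prints every IKE packet whose source is
# one of the host's own (physical) addresses rather than CARP_IP.
# Inbound packets from the peer are ignored because their source is not local.
find_wrong_source() {
    carp="$1"; shift
    locals="$*"
    awk -v carp="$carp" -v locals="$locals" '
        BEGIN { n = split(locals, a, " "); for (i = 1; i <= n; i++) islocal[a[i]] = 1 }
        / > / && /isakmp/ {
            src = $2
            sub(/\.[0-9]+$/, "", src)          # strip the trailing ".port"
            if (src != carp && (src in islocal))
                print "wrong source " src ": " $0
        }'
}

# count_wrong_source CARP_IP LOCAL_IP [LOCAL_IP ...] < capture
# Same check, but prints only the number of offending packets.
count_wrong_source() {
    find_wrong_source "$@" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample (expect the two packets
# sourced from 192.0.2.10 to be reported).
printf '%s\n' "$SAMPLE_CAPTURE" | find_wrong_source 192.0.2.1 192.0.2.10
```

On a live firewall the same functions take a real capture on stdin, for example `tcpdump -n -l -i em0 'udp port 500 or udp port 4500' | find_wrong_source 192.0.2.1 192.0.2.10`; a non-empty result while iked's own log claims the CARP address is the mismatch described above, and the wc-based counter makes the check easy to wire into a monitoring script.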
