On Wed, 2025-03-05 at 16:23 -0700, Devin Reade wrote:
> [...] the iked configuration seems to be interfering with proper
> carp operations on Site2.
I've made some progress on this, but it isn't quite right yet.

By restricting the iked protocols to tcp/udp/icmp I've managed to avoid the carp interference, so now I only have one of FW2a and FW2b acting as master on carp5, at least.

However, pings from offsite work only to b.b.b.193 and b.b.b.194 (when FW2a is master); pings to other IPs in that netblock end up getting sent to sec0 instead of vlan5 (and subsequently FW1 reflects back an icmp unreachable). I thought that adding a second selector with 'skip' would resolve that, but apparently not:

========
FW2a and FW2b /etc/iked.conf:

ikev2 'g65' passive esp \
        proto { tcp, udp, icmp } \
        from 192.168.48.2 to 192.168.48.1 \
        from b.b.b.192/26 to any \
        local d.d.d.114 peer c.c.c.c \
        srcid g65.example.com

ikev2 'g65-local' skip \
        proto { tcp, udp, icmp } \
        from b.b.b.192/26 to b.b.b.192/26
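To reason about which of the two ikev2 blocks a given packet should land on, here is a small model of flow-selector matching. This is an added example, not code from the post or from OpenBSD: it assumes a simplified "most specific selector wins" rule (longest combined source+destination prefix, explicit protocol list beating "any"), uses 192.0.2.192/26 and 198.51.100.7 as constructed stand-ins for the elided b.b.b.192/26 netblock and an offsite host, and treats carp as just another IP protocol name. It shows why restricting the protocol list stops carp advertisements from matching any flow, and which selector the LAN-to-LAN and LAN-to-offsite ICMP cases hit under that rule; it does not reproduce the sec0 behaviour described above.

```python
# Added example (not from the original post): a simplified model of how
# IPsec flow selectors are chosen by specificity. Addresses are constructed
# stand-ins for the elided b.b.b.192/26 netblock and an offsite host; the
# longest-prefix rule is an assumption used for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    action: str                  # "esp" (protect) or "skip" (bypass IPsec)
    protos: frozenset            # IP protocol names, or {"any"}
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, sip, dip):
        return (("any" in self.protos or proto in self.protos)
                and sip in self.src and dip in self.dst)

    def specificity(self):
        # Longer source+destination prefixes win; an explicit protocol
        # list beats "any" on a tie.
        return (self.src.prefixlen + self.dst.prefixlen,
                0 if "any" in self.protos else 1)


def select_flow(flows, proto, sip, dip):
    """Return the most specific matching flow, or None if no selector matches."""
    sip, dip = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    candidates = [f for f in flows if f.matches(proto, sip, dip)]
    return max(candidates, key=Flow.specificity) if candidates else None


def net(s):
    return ipaddress.ip_network(s, strict=False)


LAN = "192.0.2.192/26"   # constructed stand-in for b.b.b.192/26
TUNNEL_PROTOS = frozenset({"tcp", "udp", "icmp"})

# Mirrors the two ikev2 blocks from the post, with constructed addresses.
FLOWS = [
    Flow("g65", "esp", TUNNEL_PROTOS, net("192.168.48.2/32"), net("192.168.48.1/32")),
    Flow("g65", "esp", TUNNEL_PROTOS, net(LAN), net("0.0.0.0/0")),
    Flow("g65-local", "skip", TUNNEL_PROTOS, net(LAN), net(LAN)),
]

# Constructed sample packets: (label, proto, src, dst).
PACKETS = [
    ("lan-to-lan icmp",     "icmp", "192.0.2.195",  "192.0.2.200"),
    ("lan-to-offsite icmp", "icmp", "192.0.2.195",  "198.51.100.7"),
    ("p2p tcp",             "tcp",  "192.168.48.2", "192.168.48.1"),
    ("carp advertisement",  "carp", "192.0.2.195",  "224.0.0.18"),
]


def classify(flows=FLOWS, packets=PACKETS):
    """Map each packet label to the (flow name, action) it would hit, or None."""
    out = {}
    for label, proto, sip, dip in packets:
        f = select_flow(flows, proto, sip, dip)
        out[label] = (f.name, f.action) if f else None
    return out


if __name__ == "__main__":
    for label, hit in classify().items():
        print(f"{label:22s} -> {hit}")
```

Under this model the LAN-to-LAN ping hits the 'g65-local' skip selector (prefix sum 52 beats 26), the offsite ping hits the 'g65' esp selector, and the carp advertisement matches nothing once the protocol list excludes it. If the real kernel sends LAN-to-LAN traffic to sec0 regardless, the installed flows differ from what the configuration suggests, which is what a practitioner would confirm with the tools that list the installed flows before changing the selectors further.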