I've been running 3.9 in a CARP pair for my firewalls. So I upgrade the box (well, rebuild it from scratch using the new CD), and things seem fine on the first log in. I fix up all the config files, so that all the 3.9 settings are in place, and make sure to pay attention to the settings that are new (like ipsec=NO in rc.conf).
I test a failover and find that the interfaces are failing over individually. So I check the sysctl.conf setting for carp preempt and it is set to 1, which is good. But also a bit confusing. A little more investigation and I find the system isn't forwarding packets at all, despite the setting in sysctl.conf, which is also set in the kernel according to the sysctl command. Check the following console output:

# uname -a
OpenBSD nuffi.nough.com 4.0 GENERIC#1107 i386
# date
Tue Nov 14 02:01:52 EST 2006
# tcpdump -nettt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
^C
0 packets received by filter
0 packets dropped by kernel
# date
Tue Nov 14 02:03:29 EST 2006
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1
# sysctl net.inet.ip.forwarding=0
net.inet.ip.forwarding: 1 -> 0
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# cat /etc/sysctl.conf | grep forward | grep -v 6
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
# sysctl net.inet.carp.preempt
net.inet.carp.preempt=1

tcpdump shows the phase 2 VPN traffic coming back into the box from the peers on the external interface, but none are properly established. I thought that the only thing that I needed to turn on for packet forwarding was that setting in sysctl.conf... Is there something that I am missing?

If a system you'd built was doing this, what would you do next?

TIA
Nuffnough
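Added example, not from the poster or from OpenBSD: a small sh script that parses captured ifconfig and sysctl output and flags the two conditions described in the post, forwarding or carp preempt not set to 1, and carp interfaces that disagree on MASTER/BACKUP state (the "failing over individually" symptom). The sample output, interface names and addresses are constructed assumptions.

```sh
#!/bin/sh
# Constructed sample of `ifconfig` on a CARP firewall: carp0 is MASTER while
# carp1 is BACKUP, i.e. the interfaces did not fail over as a group.
SAMPLE_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 0
    inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'

# Constructed sample of `sysctl` output in key=value form.
SAMPLE_SYSCTL='net.inet.ip.forwarding=1
net.inet.carp.preempt=1
net.inet.carp.allow=1'

# carp_states: print "<ifname> <STATE>" for every carp interface in ifconfig output.
carp_states() {
    printf '%s\n' "$1" | awk '
        /^carp[0-9]+:/ { sub(":", "", $1); name = $1 }
        /^[ \t]+carp: / { print name, $2 }'
}

# split_failover: true (0) when carp interfaces are not all in the same state.
split_failover() {
    n=$(carp_states "$1" | awk '!seen[$2]++ { n++ } END { print n + 0 }')
    [ "$n" -gt 1 ]
}

# sysctl_value: value of one MIB from key=value sysctl output, empty if absent.
sysctl_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# check_firewall IFCONFIG_OUTPUT SYSCTL_OUTPUT: print findings, return their count.
check_firewall() {
    problems=0
    if [ "$(sysctl_value "$2" net.inet.ip.forwarding)" != "1" ]; then
        echo "net.inet.ip.forwarding is not 1: box will not route"; problems=$((problems + 1))
    fi
    if [ "$(sysctl_value "$2" net.inet.carp.preempt)" != "1" ]; then
        echo "net.inet.carp.preempt is not 1: interfaces fail over individually"; problems=$((problems + 1))
    fi
    if split_failover "$1"; then
        echo "carp interfaces in mixed state:"; carp_states "$1"; problems=$((problems + 1))
    fi
    return "$problems"
}

if check_firewall "$SAMPLE_IFCONFIG" "$SAMPLE_SYSCTL"; then echo "no problems found"; else echo "problems found: $?"; fi
```

On a live box the two arguments would come from `ifconfig carp` and `sysctl net.inet` output captured on both members of the pair, so the states can be compared across the peers as well.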