Hello, I'm trying to build a high-availability IPsec tunnel between two OpenBSD clusters. For a start, is this possible?

For my test, I have the following setup:

    Desktop1 -----> VPN Cluster <---------> VPN <------- Laptop

The VPN cluster has CARP interfaces on both sides. I can't find much information on how to set this up. My doubts/problems are:

- The ipsec.conf configuration is between which peers? The CARP address and the other VPN server's address? If so, must it be a passive/active tunnel, or can it be active/active? Because the VPN cluster does not start the tunnel with the CARP address, but with its own IP address. Do I need source routing?

- Is the sasyncd configuration only between the cluster machines? Or must I add the other VPN server? Adding the other VPN server doesn't make much sense, but, well... I can't get this to work.

- If I use sasyncd, do I only need to configure ipsec.conf on one of the cluster machines, and the configuration is replicated to the other? (I have tried it this way, and I can see sasyncd replicating the information, but when I turn off the master of the cluster, the backup takes over, but there is no traffic flow. From what I can see, it seems they get out of sequence.)

pf.conf is allowing all traffic to pass, but keeping states synchronized with the other node (pfctl -s state shows sessions synchronized on both machines).

Can anyone provide a configuration example with ipsec.conf/carp/sasyncd? That would be very helpful, since documentation about this setup is very scarce.

Thank you for any help on this, and keep up the good work,
Pedro Hugo
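The following is an added example, not part of Pedro's post and not a reply from the list, sketching how the pieces he asks about fit together on one node of the OpenBSD VPN cluster. Every address, interface name and key in it is made up (addresses are from the RFC 5737 documentation ranges and RFC 1918). Its assumptions are: the IPsec endpoint on the cluster side is the CARP address, pinned with `local` in ipsec.conf, so the remote VPN server always talks to whichever node is MASTER; sasyncd runs only between the two cluster nodes and follows the CARP state of the external interface; isakmpd is started with `-S` so that only the node sasyncd reports as master negotiates SAs; and both nodes carry the same ipsec.conf, since sasyncd replicates SAs and flows, not the policy file. Check ipsec.conf(5), sasyncd.conf(5), hostname.if(5) and isakmpd(8) on your release before relying on any directive here.

```conf
# Added example configuration for ONE node of the OpenBSD VPN cluster.
# Illustrative only: addresses are RFC 5737/RFC 1918, interface names
# and keys are invented. The second node gets the same files, changing
# only the real per-node addresses (em0/em1 inet, sasyncd "peer") and
# "advskew" (higher value = backup).

# /etc/hostname.em0 -- external interface, real per-node address
inet 192.0.2.11 255.255.255.0

# /etc/hostname.carp0 -- shared external address; this is the IPsec endpoint
inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass carpsecret advskew 0

# /etc/hostname.em1 -- internal interface, real per-node address
inet 10.1.0.11 255.255.255.0

# /etc/hostname.carp1 -- shared internal gateway address for the LAN
inet 10.1.0.1 255.255.255.0 10.1.0.255 vhid 2 carpdev em1 pass carpsecret advskew 0

# /etc/hostname.pfsync0 -- pf state sync between the two nodes (dedicated link)
up syncdev em2

# /etc/ipsec.conf
# "local" binds IKE/ESP to the CARP address rather than the node's own
# address, so the remote peer (203.0.113.10) sees one endpoint across a
# failover. The same file goes on both nodes.
ike esp from 10.1.0.0/24 to 10.2.0.0/24 \
    local 192.0.2.10 peer 203.0.113.10 \
    psk "replace-with-a-long-random-secret"

# /etc/sasyncd.conf
# sasyncd is configured between the two cluster nodes only: it tracks the
# CARP state of "interface" and pushes SAs and flows to "peer" (the other
# cluster node), encrypted with the 128-bit "sharedkey". The remote VPN
# server is NOT a sasyncd peer.
interface carp0
peer 192.0.2.12
sharedkey 0x00112233445566778899aabbccddeeff

# /etc/pf.conf (minimal additions on top of a pass-all ruleset)
set skip on { lo0 enc0 pfsync0 }
pass quick on em2 proto pfsync
pass on { em0 em1 } proto carp
pass in on em0 proto udp to 192.0.2.10 port { isakmp ipsec-nat-t }
pass in on em0 proto esp to 192.0.2.10

# /etc/rc.conf.local
# -K: skip keynote policy checks; -S: start passive and leave SA handling
# to sasyncd, so only the node that is CARP MASTER negotiates.
isakmpd_flags="-K -S"
ipsec=YES
sasyncd_flags=""
```

On the remote (single) VPN server the ipsec.conf rule is simply the mirror image, with `peer 192.0.2.10` (the cluster's CARP address) and the subnets swapped. After bringing both nodes up, `ipsecctl -sa` on the backup node should show the same SAs and flows as the master; if it does not, sasyncd and isakmpd logging (`sasyncd -d`, `isakmpd -d`) is the first place to look.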