Hi guys,
we are using 3 Soekris firewall pairs in our company's setup to provide
failover IPsec connections between 3 sites using OpenBSD 4.0 RELEASE.
The big picture looks like this:
A -> B (passive)
A -> C (passive)
B -> C (passive)
By now it's basically working fine, but with the IPsec failover we have
several problems which I cannot get around after several days of testing.
The main problem is that if the MASTER is rebooted, the SLAVE takes over,
fine.
Once the MASTER comes up again, it takes over the SAs of the SLAVE, but
as soon as its carp interfaces get demoted (and it becomes an isakmpd
master) it acquires new SAs, which leads to a failure in the IPsec
tunnel, as there are twice as many SAs in the SA-DB as before and
(supposedly) the newly created SAs of the MASTER are used, which leads to
an "invalid cookie" on the remote site. I tweaked the /etc/rc script to
do the demotion later (or I do it manually) and it's directly related to
the point where isakmpd is becoming master again.
Questions:
- I've seen some patches from nathanael which seem to address some
similar problems, but I am not sure if they are in the 4.0 RELEASE
already? (isakmpd flow deletion, isakmpd phase 2 retry look like this)
- Do I need to set up the flows manually and run isakmpd -a?
- If I got the concept right, the two carped firewalls are SA-syncing
and not the 4 VPN endpoints?
- What about the "multimaster mode" nathanael proposed?
My setup:
- pf is passing the required stuff through (IKE, AH, ESP, pfsync, SASYNC,
ipencap)
- sasyncd is running and passed through the firewall
- isakmpd is running from ipsec.conf only and started with
# isakmpd -v -K -S -L -4
The ipsec.conf looks like this (basically from the "IPSec in 4 minutes"):
# Remote IPSec Gateways
XXXIP = "XXX.XXX.XXX.XXX"
YYYIP = "YYY.YYY.YYY.YYY"
ZZZIP = "ZZZ.ZZZ.ZZZ.ZZZ"
# Remote Networks
XXXNet = "10.0.160.0/23"
YYYNets = "10.0.192.0/23"
ZZZNets = "10.0.96.0/24, 10.0.32.0/21"
# This is used and uncommented on the ZZZ site
# ZZZ - XXX (PASSIVE)
#ike passive esp from {$ZZZNets,$ZZZIP} to $XXXNet local $ZZZIP peer $XXXIP
#ike passive esp from $ZZZIP to {$XXXIP, $XXXNet} local $ZZZIP
# ZZZ - YYY (PASSIVE)
#ike passive esp from {$ZZZNets,$ZZZIP} to {$YYYNets} local $ZZZIP peer $YYYIP
#ike passive esp from $ZZZIP to {$YYYIP, $YYYNets} local $ZZZIP
# This is used and uncommented on the XXX site
# XXX - ZZZ (ACTIVE to ZZZ)
#ike esp from {$XXXNet,$XXXIP} to {$ZZZNets} local $XXXIP peer $ZZZIP
#ike esp from $XXXIP to $ZZZIP local $XXXIP
# XXX - YYY (PASSIVE from YYY)
#ike passive esp from {$XXXNet,$XXXIP} to {$YYYNets} local $XXXIP peer $YYYIP
#ike passive esp from $XXXIP to $YYYIP local $XXXIP
# This is used and uncommented on the YYY site
# YYY - XXX
ike esp from {$YYYNets} to $XXXNet local $YYYIP peer $XXXIP
ike esp from $YYYIP to $XXXIP local $YYYIP
# YYY - ZZZ
ike esp from {$YYYNets} to {$ZZZNets} local $YYYIP peer $ZZZIP
ike esp from $YYYIP to $ZZZIP local $YYYIP
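The symptom described above (twice as many SAs in the SA-DB after the MASTER comes back) can be checked for directly on either carp node by counting the SAs per tunnel direction in `ipsecctl -sa` output. The script below is an added example and is not part of the original post; the sample output it parses is constructed, and the SAD line layout it assumes (`esp tunnel from <src> to <dst> spi 0x... auth ... enc ...`) and the field positions in the awk program are assumptions, so adjust them if your ipsecctl prints something different. The addresses are documentation ranges, not the poster's gateways.

```shell
#!/bin/sh
# Added example (not from the post): count IPsec SAs per tunnel direction
# in `ipsecctl -sa` output and report directions holding more than one SA,
# which is the "twice as many SAs in the SA-DB" symptom after a failover.
#
# Assumption: SAD lines look like
#   esp tunnel from <src> to <dst> spi 0x<spi> auth <alg> enc <alg>
# Adjust the awk field numbers if your ipsecctl prints a different layout.

# Constructed sample of `ipsecctl -sa` output (not captured from the poster's
# setup): the first peer pair has two SAs per direction, the second one SA.
SAMPLE_SAD='FLOWS:
flow esp in from 10.0.160.0/23 to 10.0.96.0/24 peer 192.0.2.1 type use
flow esp out from 10.0.96.0/24 to 10.0.160.0/23 peer 192.0.2.1 type require

SAD:
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x0d2fa4b1 auth hmac-sha1 enc aes
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x3b77c0e9 auth hmac-sha1 enc aes
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x9ac1e002 auth hmac-sha1 enc aes
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x5d10f7aa auth hmac-sha1 enc aes
esp tunnel from 192.0.2.2 to 192.0.2.3 spi 0x11223344 auth hmac-sha1 enc aes
esp tunnel from 192.0.2.3 to 192.0.2.2 spi 0x55667788 auth hmac-sha1 enc aes'

# Read ipsecctl output on stdin; print "<src> <dst> <count>" per direction,
# sorted so the output is stable.
sa_pair_counts() {
    awk '
        /^SAD:/   { insad = 1; next }   # only count lines in the SA database
        /^FLOWS:/ { insad = 0; next }
        insad && $1 == "esp" && $2 == "tunnel" { n[$4 " " $6]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# Print only the directions that currently hold more than one SA.
duplicated_sa_pairs() {
    sa_pair_counts | awk '$3 > 1'
}

# Stand-alone run against the constructed sample: reports the two
# directions between 192.0.2.1 and 192.0.2.2, each with a count of 2.
printf '%s\n' "$SAMPLE_SAD" | duplicated_sa_pairs
```

On a live node run `ipsecctl -sa | duplicated_sa_pairs` a minute or so after the failover: two SAs per direction are normal for a short time during rekeying (old and new coexist until the old one expires), so only a pair that stays duplicated indicates the problem described in the post.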