Hello,
Intro:
I am using isakmpd+sasyncd+carp+pf+pfsync to have a redundant
firewall setup (OpenBSD 4.0). I have two firewalls that carp-advertise at the
same rate and do not preempt each other. This works fine. isakmpd is using
X.509 certificates to establish SAs. This is working fine. sasyncd is
running on both and they share the SAs properly. pfsync has been
configured and it is working well.
I have the following setup (netmask is /24 everywhere):
Redundant end:
FW1: Ext IP: 172.16.140.2 (static) Int IP: 172.16.36.2 (static)
FW2: Ext IP: 172.16.140.3 (static) Int IP: 172.16.36.3 (static)
FW1 and FW2 shared IP addresses (carp):
Ext IP: 172.16.140.1
Int IP: 172.16.36.1
Non-redundant end:
Ext IP: 172.16.142.1 (static)
Int IP: 172.16.40.1 (static)
Problem:
Assume the gateway that has static IP 172.16.36.2 is the master. I
ping from 172.16.40.1 to 172.16.36.1 (or 172.16.36.2) and the ping goes
through. The moment I ping the backup (ping -c 1 -I 172.16.40.1 172.16.36.3) I
get a reply, but I can no longer ping 172.16.36.2. Now I can only ping
the second gateway (goes in through the master, goes out through the
backup). Everything goes back to normal (I can ping 172.16.36.2) the moment a
new quick mode is finished and new SAs are established.
Question:
Why is this happening? I would like to have remote access to the
backup gateway, for instance for live status polling (that's why I have the
static IP addresses), or to sync NTP time on the firewalls (time source over a
secure tunnel). I don't mind if, when I ping 172.16.36.3, the packet goes
in through the first gateway and goes out through the second (because
the flows are already set). I just don't want messages to the backup gateway
to block the communication.
Can anyone help with this issue?
./catalin
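The redundant-end topology described in the post, written out as a configuration sketch. This is an added example and not the poster's actual files: the interface names (fxp0 external, fxp1 internal, fxp2 as a dedicated pfsync link), the vhid values, the CARP passphrases and the sasyncd shared-key path are all assumptions. It shows the two properties the post relies on, identical advskew on both boxes with preemption left off, together with the pfsync and sasyncd pieces that keep firewall state and IPsec SAs in step between FW1 and FW2.

```conf
# --- /etc/sysctl.conf (both firewalls) ---
# assumed values for this example
net.inet.carp.allow=1        # accept and send CARP advertisements
net.inet.carp.preempt=0      # no preemption (the default): a node that
                             # comes back does not take master away

# --- /etc/hostname.carp0 (identical on FW1 and FW2; external shared 172.16.140.1) ---
# same advskew on both boxes => both advertise at the same rate, so
# whichever node became master first stays master until it stops advertising
inet 172.16.140.1 255.255.255.0 172.16.140.255 vhid 1 carpdev fxp0 advskew 0 pass SECRET1

# --- /etc/hostname.carp1 (identical on FW1 and FW2; internal shared 172.16.36.1) ---
inet 172.16.36.1 255.255.255.0 172.16.36.255 vhid 2 carpdev fxp1 advskew 0 pass SECRET2

# --- /etc/hostname.pfsync0 (both; fxp2 is an assumed crossover link) ---
# state-table updates go out on fxp2; newer releases spell the keyword syncdev
up syncif fxp2

# --- /etc/sasyncd.conf on FW1 (swap peer/listen addresses on FW2) ---
# sasyncd follows the CARP state of carp0 to decide who pushes SAs
interface carp0
peer 172.16.36.3
listen on 172.16.36.2
sharedkey /etc/sasyncd.key   # assumed path; same key on both nodes

# --- /etc/pf.conf fragment (both firewalls) ---
# CARP and pfsync traffic must pass, and their own states must not be
# synced back and forth (no-sync)
ext_if  = "fxp0"
int_if  = "fxp1"
sync_if = "fxp2"

pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)
```

With advskew equal on both nodes and preempt off, master is simply whichever firewall came up first; the post's "assume the gateway that has static IP 172.16.36.2 is the master" corresponds to FW1 having won that race. The pfsync link and the sasyncd peer address use the firewalls' own static addresses (172.16.36.2/.3), which is also why those addresses have to stay reachable independently of the shared CARP address.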