I have a working VPN setup between two OpenBSD 4.2 firewalls. I'm trying to add some redundancy (carp, sasyncd, pfsyncd) at site A by adding a redundant gateway and configuring ipsec to use the external carp address. When I do this, I'm unable to bring up the VPN. I've been banging my head against the wall trying to determine why the VPN won't come up when I use the carp address. I've searched for and used all the available resources I could find. I'm aware of the "local" keyword used by ipsec, but I must be missing something. I've included my ipsec.conf and pf.conf files from both gateways.
Debugs from isakmpd -KvdD A=10 are below. I would greatly appreciate any advice or pointers from anyone. Carp is configured correctly, gateway1a is the MASTER for both interfaces and gateway1b is the BACKUP. From the debugs it appears as if the gateway using carp doesn't get a response from the peer, but I'm unable to identify any blocked packets with tcpdump on pflog0. Help/suggestions greatly appreciated. I don't know where to look next.

                     192.168.2.0/24
                          .254                    x.x.x.4
  (Site A) --- bge1 [OpenBSD gateway 1a] bge0 -----+
               carp1 .252                carp0 x.x.x.3
               bge1 [OpenBSD gateway 1b] bge0 -----+
                          .253                    x.x.x.5
                                                  |
                                              (Internet)
                                                  |
  (Site B) --- em0 [OpenBSD gateway2] em0 ---------+
               172.16.2.0/24 .10          x.x.x.232

ipsec.conf from gateway 1a:

    ike esp from 192.168.2.0/24 to 172.16.0.0/16 local X.X.X.3 peer X.X.X.232
    ike esp from X.X.X.3 to 172.16.0.0/16 local X.X.X.X peer X.X.X.232
    ike esp from X.X.X.3 to X.X.X.232

pf.conf from gateway1a:

    ext_if="bge0"
    int_if="bge1"
    sync_if="em0"
    ipsec_peer="X.X.X.232"

    set skip on { lo $int_if enc0 }

    #scrub in

    nat on $ext_if from !($ext_if) -> ($ext_if:0)
    #nat on $ext_if from !($ext_if) -> carp0

    #antispoof quick for lo

    block in log

    pass on $sync_if keep state ( no-sync )
    pass on { $int_if $ext_if } proto carp keep state

    pass out all keep state

    pass in on $ext_if proto icmp keep state
    pass quick on $ext_if from $ipsec_peer        # $ext_if of remote peer
    pass in on $ext_if proto tcp to ($ext_if) port ssh
    pass in on $ext_if proto tcp to carp0 port ssh

ipsec.conf from gateway2:

    ike passive esp from 172.16.0.0/16 to 192.168.2.0/24 peer X.X.X.3
    ike passive esp from X.X.X.232 to 192.168.2.0/24 peer X.X.X.3
    ike passive esp from X.X.X.232 to X.X.X.3

pf.conf from gateway2:

    ext_if="em0"
    int_if="em1"

    set skip on { lo $int_if enc0 }

    nat on $ext_if from !($ext_if) -> ($ext_if:0)

    pass quick on $int_if

    block in log

    pass out keep state

    # required for VPN
    pass quick on $ext_if from X.X.X.3    # carp address of remote peer
    pass quick on $ext_if from X.X.X.4    # $ext_if address of remote peer

    pass in on $ext_if proto icmp keep state
    pass in on $ext_if proto tcp to ($ext_if) port ssh

isakmpd debug from gateway1a:

213702.351659 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
213702.351787 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
213702.351845 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
213702.351900 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
213702.351956 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
213702.352033 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
213702.352089 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
213702.352145 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
213702.352224 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
213702.352280 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
213702.352353 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]
213702.400373 Misc 10 monitor_init: privileges dropped for child process
213728.717213 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213728.718339 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0)
213728.718425 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213728.718807 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0)
213728.718876 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213728.719236 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0)
213728.719305 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213728.719643 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0)
213728.719711 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213733.720875 Timr 10 timer_handle_expirations: event ui_conn_reinit(0x0)
213733.720958 Timr 10 timer_add_event: event connection_checker(0x8749b8b0) added last, expiration in 0s
213733.721066 Timr 10 timer_add_event: event connection_checker(0x8749bae0) added last, expiration in 0s
213733.721159 Timr 10 timer_add_event: event connection_checker(0x8749b430) added last, expiration in 0s
213733.721272 Timr 10 timer_add_event: event connection_checker(0x8749bcb0) added last, expiration in 0s
213733.721380 Timr 10 timer_add_event: event connection_checker(0x8749bd60) added last, expiration in 0s
213733.721478 Timr 10 timer_handle_expirations: event connection_checker(0x8749b8b0)
213733.721550 Timr 10 timer_add_event: event connection_checker(0x8749b8b0) added last, expiration in 60s
213733.721688 Timr 10 timer_add_event: event exchange_free_aux(0x86a4e800) added last, expiration in 120s
213733.721777 Exch 10 exchange_establish_p1: 0x86a4e800 peer-X.X.X..232 mm-X.X.X.232 policy initiator phase 1 doi 1 exchange 2 step 0
213733.721855 Exch 10 exchange_establish_p1: icookie 8281230f864863db rcookie 0000000000000000
213733.721913 Exch 10 exchange_establish_p1: msgid 00000000
213733.722167 Timr 10 timer_handle_expirations: event connection_checker(0x8749bae0)
213733.722239 Timr 10 timer_add_event: event connection_checker(0x8749bae0) added before exchange_free_aux(0x86a4e800), expiration in 60s
213733.722303 Timr 10 timer_handle_expirations: event connection_checker(0x8749b430)
213733.722371 Timr 10 timer_add_event: event connection_checker(0x8749b430) added before exchange_free_aux(0x86a4e800), expiration in 60s
213733.722434 Timr 10 timer_handle_expirations: event connection_checker(0x8749bcb0)
213733.722524 Timr 10 timer_add_event: event connection_checker(0x8749bcb0) added before exchange_free_aux(0x86a4e800), expiration in 60s
213733.722588 Timr 10 timer_handle_expirations: event connection_checker(0x8749bd60)
213733.722675 Timr 10 timer_add_event: event connection_checker(0x8749bd60) added before exchange_free_aux(0x86a4e800), expiration in 60s
213733.722812 Timr 10 timer_add_event: event message_send_expire(0x87a34300) added before connection_checker(0x8749b8b0), expiration in 7s
213733.754997 Timr 10 timer_add_event: event exchange_free_aux(0x86a4ea00) added last, expiration in 120s
213733.755079 Exch 10 exchange_setup_p1: 0x86a4ea00 <unnamed> <no policy> policy responder phase 1 doi 1 exchange 5 step 0
213733.755138 Exch 10 exchange_setup_p1: icookie a30a8f95d2f12e8d rcookie 952b9c0e8af0883d
213733.755193 Exch 10 exchange_setup_p1: msgid 00000000
213733.755270 Exch 10 ipsec_responder: got NOTIFY of type NO_PROPOSAL_CHOSEN
213733.755329 Exch 10 exchange_finalize: 0x86a4ea00 <unnamed> <no policy> policy responder phase 1 doi 1 exchange 5 step 0
213733.755404 Exch 10 exchange_finalize: icookie a30a8f95d2f12e8d rcookie 952b9c0e8af0883d
213733.755460 Exch 10 exchange_finalize: msgid 00000000
213733.755515 Timr 10 timer_remove_event: removing event exchange_free_aux(0x86a4ea00)
213740.730999 Timr 10 timer_handle_expirations: event message_send_expire(0x87a34300)
213740.731223 Timr 10 timer_add_event: event message_send_expire(0x87a34300) added before connection_checker(0x8749b8b0), expiration in 9s
213749.741159 Timr 10 timer_handle_expirations: event message_send_expire(0x87a34300)
213749.741390 Timr 10 timer_add_event: event message_send_expire(0x87a34300) added before connection_checker(0x8749b8b0), expiration in 11s
213800.751353 Timr 10 timer_handle_expirations: event message_send_expire(0x87a34300)
213800.751568 Default transport_send_messages: giving up on exchange peer-X.X.X..232, no response from peer X.X.X.232:500
213833.726073 Timr 10 timer_handle_expirations: event connection_checker(0x8749b8b0)
213833.726156 Timr 10 timer_add_event: event connection_checker(0x8749b8b0) added last, expiration in 60s
213833.726223 Timr 10 timer_handle_expirations: event connection_checker(0x8749bae0)
213833.726291 Timr 10 timer_add_event: event connection_checker(0x8749bae0) added last, expiration in 60s
213833.726355 Timr 10 timer_handle_expirations: event connection_checker(0x8749b430)
213833.726443 Timr 10 timer_add_event: event connection_checker(0x8749b430) added last, expiration in 60s
213833.726507 Timr 10 timer_handle_expirations: event connection_checker(0x8749bcb0)
213833.726593 Timr 10 timer_add_event: event connection_checker(0x8749bcb0) added last, expiration in 60s
213833.726657 Timr 10 timer_handle_expirations: event connection_checker(0x8749bd60)
213833.726724 Timr 10 timer_add_event: event connection_checker(0x8749bd60) added last, expiration in 60s

Other side of connection:

213708.101541 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
213708.101767 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
213708.101829 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
213708.101898 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
213708.101958 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
213708.102026 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
213708.102093 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
213708.102151 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
213708.102218 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
213708.102277 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
213708.102346 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]
213708.105684 Misc 10 monitor_init: privileges dropped for child process
213721.894044 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213721.895626 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0)
213721.895713 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213721.896054 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0)
213721.896122 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213721.896490 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0)
213721.896559 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213721.896892 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0)
213721.896961 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
213726.903492 Timr 10 timer_handle_expirations: event ui_conn_reinit(0x0)
213733.723194 Timr 10 timer_add_event: event exchange_free_aux(0x7c158900) added last, expiration in 120s
213733.723343 Exch 10 exchange_setup_p1: 0x7c158900 Default-phase-1 Default-phase-1-configuration policy responder phase 1 doi 1 exchange 2 step 0
213733.723409 Exch 10 exchange_setup_p1: icookie 8281230f864863db rcookie 8a5a71a3170b74fc
213733.723479 Exch 10 exchange_setup_p1: msgid 00000000
213733.723569 Exch 10 check_vendor_openbsd: OpenBSD (OpenBSD-4.0)
213733.723633 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
213733.723695 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
213733.723756 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
213733.723826 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
213733.723906 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
213733.723978 Default message_negotiate_sa: no compatible proposal found
213733.724049 Default dropped message from X.X.X.4 port 63065 due to notification type NO_PROPOSAL_CHOSEN
213733.724122 Timr 10 timer_add_event: event exchange_free_aux(0x7c158b00) added last, expiration in 120s
213733.724191 Exch 10 exchange_establish_p1: 0x7c158b00 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
213733.724254 Exch 10 exchange_establish_p1: icookie a30a8f95d2f12e8d rcookie 0000000000000000
213733.724325 Exch 10 exchange_establish_p1: msgid 00000000
213733.724492 Exch 10 exchange_finalize: 0x7c158b00 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
213733.724555 Exch 10 exchange_finalize: icookie a30a8f95d2f12e8d rcookie 0000000000000000
213733.724613 Exch 10 exchange_finalize: msgid 00000000
213733.724681 Timr 10 timer_remove_event: removing event exchange_free_aux(0x7c158b00)
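Editor's note with an added triage helper; this is not part of the original post and is not the poster's code. The responder's log above is the useful evidence: the first message from site A arrived as "dropped message from X.X.X.4 port 63065", i.e. from gateway 1a's bge0 address and an ephemeral port, not from the carp address X.X.X.3 and UDP/500 that gateway2's ipsec.conf rules name as the peer. isakmpd always sends from UDP/500 (or 4500 once NAT-T has kicked in), so a different source port at the far end means the packet's source was rewritten on the way. Gateway 1a's uncommented rule "nat on $ext_if from !($ext_if) -> ($ext_if:0)" rewrites every packet leaving bge0 whose source is not one of bge0's own addresses, and X.X.X.3 belongs to carp0, not bge0, so it qualifies (the port is also inside pf's default NAT port range). Because the rewritten packet matched none of gateway2's configured peers, isakmpd fell back to its built-in Default-phase-1 transforms, which is where the "got AES_CBC, expected 3DES_CBC" mismatch comes from. The script below scans an isakmpd debug log for exactly that symptom. The sample log lines are copied from the post; the function names are the author's own choice.

```shell
#!/bin/sh
# Added example (not from the original post): look through isakmpd debug
# output for IKE messages whose recorded source port is not 500 or 4500.
# isakmpd transmits from UDP/500 (UDP/4500 after NAT-T float), so any other
# port at the receiving end means something between the two daemons
# rewrote the source, e.g. an outbound pf nat rule that also matches
# packets sourced from a carp address.

# Print "<addr> <port>" for each "dropped message from A port P" entry
# whose port is neither 500 nor 4500. Reads the files given as arguments,
# or stdin when none are given.
ike_src_port_anomalies() {
    awk '
        /dropped message from [^ ]+ port [0-9]+/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { addr = $(i + 1); port = $(i + 3) }
            if (port != 500 && port != 4500)
                print addr, port
        }
    ' "$@"
}

# Print the transform mismatch the responder recorded, if any, so the two
# symptoms (rewritten source, fallback to default transforms) can be read
# together.
ike_proposal_mismatch() {
    awk '
        /attribute_unacceptable:/ {
            sub(/.*attribute_unacceptable: /, "")
            print
        }
    ' "$@"
}

# Constructed sample: the three relevant lines from gateway2 in the post.
sample_isakmpd_log() {
    cat <<'EOF'
213733.723906 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
213733.723978 Default message_negotiate_sa: no compatible proposal found
213733.724049 Default dropped message from X.X.X.4 port 63065 due to notification type NO_PROPOSAL_CHOSEN
EOF
}

# Stand-alone usage on the sample. On a real box feed it the responder's
# isakmpd debug output instead of sample_isakmpd_log.
sample_isakmpd_log | ike_src_port_anomalies | while read -r addr port; do
    echo "IKE from $addr:$port is not UDP/500: source was rewritten before it reached this peer"
done
sample_isakmpd_log | ike_proposal_mismatch | while read -r line; do
    echo "responder rejected proposal: $line"
done
```

A responder that logs a message from the expected address on port 500 produces no output from ike_src_port_anomalies, which is the quick way to confirm a nat rule fix (for instance restricting the rule to the internal network, or excluding the carp address from its source match) took effect: the far end should then log X.X.X.3 port 500 and match the configured peer instead of Default-phase-1.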