Re: ipsec with carp

2007-10-18 Thread Patrick Hemmen
Heinrich Rebehn wrote: > Patrick Hemmen wrote: >> Ok. >> >> Before using carp/sasyncd the IPSEC tunnel had worked. >> The isakmpd daemon listens on all interfaces/IP addresses. >> >> I am illustrating my setup >> >> vpngw01: 10.10.10.101 >> carp: 10.10.10.1 <-- INTERNET --> remote gate

Re: ipsec with carp

2007-10-05 Thread Patrick Hemmen
Heinrich Rebehn wrote: > Patrick Hemmen wrote: >> Ok. >> >> Before using carp/sasyncd the IPSEC tunnel had worked. >> The isakmpd daemon listens on all interfaces/IP addresses. >> >> I am illustrating my setup >> >> vpngw01: 10.10.10.101 >> carp: 10.10.10.1 <-- INTERNET --> remote gate

Re: ipsec with carp

2007-10-05 Thread Heinrich Rebehn
Patrick Hemmen wrote: Ok. Before using carp/sasyncd the IPSEC tunnel had worked. The isakmpd daemon listens on all interfaces/IP addresses. I am illustrating my setup vpngw01: 10.10.10.101 carp: 10.10.10.1 <-- INTERNET --> remote gateway: 192.168.1.1 vpngw02: 10.10.10.102 Rem

Re: ipsec with carp

2007-10-01 Thread Markus Wernig
Hi, the one time I remember getting that error was when I _thought_ I was using certificates from /etc/isakmpd/{certsB&private}, but still had a local.pub and local.key from the installation lying around that got used instead. Some more debug info (/var/log/daemon) would be helpful indeed. krgds /

Re: ipsec with carp

2007-10-01 Thread Brian A. Seklecki
You should be able to easily restrict the binding of the UDP/500 isakmp port in isakmpd(8) to the CARP HA ipaddr. Even if it has to bind as wildcard, you should be able to specify the source address to bind to transmit from. I just had this issue with mountd(8) on FreeBSD. Check the man pages fo

Re: ipsec with carp

2007-10-01 Thread Patrick Hemmen
Ok. Before using carp/sasyncd the IPSEC tunnel had worked. The isakmpd daemon listens on all interfaces/IP addresses. I am illustrating my setup vpngw01: 10.10.10.101 carp: 10.10.10.1 <-- INTERNET --> remote gateway: 192.168.1.1 vpngw02: 10.10.10.102 My machines are vpngw01 and 0

Re: ipsec with carp

2007-10-01 Thread Brian A. Seklecki
Also: 1) Does the documentation in ipsec(4) / isakmpd.conf(5) / sasyncd.conf(5) imply that all policies / security associations should be between the CARP HA L3 address? 2) Is your isakmpd(8) binding to wildcard address? 3) Did this problem evolve with the implementation of sasyncd(8) or did you

Re: ipsec with carp

2007-10-01 Thread Dag Richards
Patrick Hemmen wrote: Hello all, I have two OpenBSD machines for a redundant VPN gateway. They use carp to share one IP address and sasyncd to synchronize SAs and SPDs. I set up an ipsec tunnel in /etc/ipsec.conf. The tunnel isn't established and the error "PAYLOAD_MALFORMED" appears in the logs.