Carp creates a wide route if "netmask" is not used when carp is configured

2008-01-22 Thread catalin visinescu
Hi, I am using isakmpd+pf+sasyncd+carp to set a VPN network (OpenBSD 4.0) Recently had a problem with carp... Basically ifconfig carp0 inet 172.16.140.1 255.255.255.0 advbase 1 ... versus ifconfig carp0 inet 172.16.140.1 netmask 255.255.255.0 advbase 1 ... The simple
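The pitfall in this post is a bare mask after the address: `ifconfig carp0 inet 172.16.140.1 255.255.255.0 ...` does not pass `255.255.255.0` as a netmask, which, as the thread title says, leaves carp0 with a wider route than intended. The lint below is an added example, not code from the thread or from OpenBSD; it reads ifconfig command lines (constructed sample input, fed on stdin) and flags any `inet ADDR` that is followed by a dotted-quad token without the `netmask` keyword. It checks only the syntax and makes no claim about which default mask the kernel would assign.

```shell
# Flag "inet A.B.C.D X.X.X.X" where the would-be mask lacks the "netmask"
# keyword. Input: ifconfig command lines on stdin. Output: one WARN line per
# offending input line. (Added example; assumes ifconfig command-line syntax,
# not the /etc/hostname.if format, which has its own rules.)
lint_carp_ifconfig() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "inet" && i + 2 <= NF) {
                addr = $(i + 1)
                nxt  = $(i + 2)
                # addr/prefix already carries its mask explicitly
                if (addr ~ /\//) continue
                # "netmask" keyword present: this is the form the post recommends
                if (nxt == "netmask") continue
                # a bare dotted quad right after the address is not a netmask
                if (nxt ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    printf("WARN line %d: %s after %s is not preceded by \"netmask\"; use \"inet %s netmask %s\"\n",
                           NR, nxt, addr, addr, nxt)
                }
            }
        }
    }'
}

# Constructed sample: the two forms contrasted in the post.
sample_lines() {
    printf '%s\n' \
        'ifconfig carp0 inet 172.16.140.1 255.255.255.0 advbase 1 advskew 128 pass gijane vhid 1' \
        'ifconfig carp0 inet 172.16.140.1 netmask 255.255.255.0 advbase 1 advskew 128 pass gijane vhid 1'
}

# Usage: sample_lines | lint_carp_ifconfig
# Only the first line is reported; the second passes.
```

Run it against a shell script that builds the carp interfaces (for example `grep ifconfig /etc/rc.local | lint_carp_ifconfig`) before failover testing; a missing keyword on the backup box is easy to overlook when the master masks the problem.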

Carp question and security association mismatch

2008-01-23 Thread catalin visinescu
Hi, I have two firewalls using isakmpd+pf+sasyncd+carp (OpenBSD 4.0) preempt is set to 0 At one end (machine names MAED11 and MAED12) carp0 on external has 172.16.140.145 255.255.255.0 advbase 0 advskew 128 pass gijane vhid 1 carp1 on external has 172.16.160.33 255.255.255.224 advbas

Security associations and SA_FLAG_REPLACED

2008-01-29 Thread catalin visinescu
Hi, I have GW1 and GW2 redundant firewalls (isakmpd+pf+carp+sasyncd) Is there a way to see which security associations are marked as "replaced" on the backup GW? "ipsecctl -s all -v -v" shows a lot but it does not seem to show that. On the master (let's say GW1) echo "S" > /v

main mode produces comm losses

2008-03-04 Thread catalin visinescu
Hi, I am running OpenBSD 4.0 with carp+isakmpd+sasyncd+pf on 166MHz Pentium boards. Everything is working well. There are 6 locations, all clustered (2 redundant firewalls). When I fail one cluster the other one takes over with some packet loss. I see the carp is doing its thing. Aft

Pinging redundant firewall problem (isakmpd+pf+pfsync+sasyncd+carp)

2007-06-04 Thread catalin visinescu
Hello, Intro: I am using isakmpd+sasyncd+carp+pf+pfsync to have a redundant firewall setup (OpenBSD 4.0). I have two firewalls that carp-advertise at the same rate, and do not preempt each other. Basically I don't care which firewall is master and which is backup. This works fine. isak

Pinging redundant firewall problem (isakmpd+pf+pfsync+sasyncd+carp)

2007-06-07 Thread catalin visinescu
Hello, Intro: I am using isakmpd+sasyncd+carp+pf+pfsync to have a redundant firewall setup (OpenBSD 4.0). I have two firewalls that carp-advertise at the same rate, and do not preempt each other. This works fine. isakmpd is using x509 certificates to establish SAs. This is working fine. sasy

Re: Pinging redundant firewall problem (isakmpd+pf+pfsync+sasyncd+carp)

2007-06-15 Thread catalin visinescu
catalin visinescu <[EMAIL PROTECTED]> wrote: >>Hello, >> >>Intro: >>I am using isakmpd+sasyncd+carp+pf+pfsync to have a redundant >>firewall setup (OpenBSD 4.0). I have two firewall that carp-advertise at the >>same rate, and not preempt eac

isakmpd on OpenBSD 3.7 and OpenBSD 4.0

2007-06-25 Thread catalin visinescu
Hello, I see that OpenBSD 3.7 isakmpd and OpenBSD 4.0 isakmpd do not establish security associations. I get an INVALID-PAYLOAD-TYPE message. isakmpd 3.7 does not seem to understand payload RESERVED. Is there a way I can run isakmpd 4.0 downgraded or any other way to get the two of th

Re: isakmpd on OpenBSD 3.7 and OpenBSD 4.0

2007-06-26 Thread catalin visinescu
Thanks to Stuart Henderson. On 2007/06/25 11:35, catalin visinescu wrote: > I see that OpenBSD 3.7 isakmpd and OpenBSD 4.0 isakmpd do > not establish security associations. try -T (disable nat-t) on the 4.0 side. If it works, can you post back to misc@ to get it in the ar

OpenBSD 4.0: isakmpd and immediate use of crls (without isakmpd restart)

2007-06-28 Thread catalin visinescu
Hello, I was wondering what is the best way to immediately use a newly received crl that contains a revoked certificate... Basically if I have 3 firewalls and one of them is compromised I will push a new crl on the 2 uncorrupted firewalls. The thing is that (even when I send them a

/usr/ports/net/ntp and VPN (improvement idea and solution)

2007-07-05 Thread catalin visinescu
Hello, This is used in a VPN network to bind the internal IP address and allow ntpd running of firewalls to get the time from a time source in a different protected subnet. I've changed two files ntp_io.c cmd_args.c in /usr/ports/net/ntp See the diffs below. Hope they can