tech notes

April 10, 2008

IPsec synchronization with OpenBSD

Filed under: bsd — admin @ 12:03 am

The goal is to have two IPsec hubs, one master and one slave, where the slave can take over when the master goes down and it can do it without losing all established IPsec tunnels.

With OpenBSD it’s really straightforward, as all the features needed are in the base system: carp, pfsync and sasyncd.

We start with two hosts - master with IP 192.168.1.1 and slave with 192.168.1.2.

First we set up carp so both servers share one IP address. This address will be the endpoint for all IPsec tunnels, so peers keep talking to the same address whichever box currently holds it.

master# echo "inet 192.168.1.10 255.255.255.0 192.168.1.255 vhid 1 pass yoursecretpasswd" > /etc/hostname.carp0

and

slave# echo "inet 192.168.1.10 255.255.255.0 192.168.1.255 vhid 1 pass yoursecretpasswd advskew 100" > /etc/hostname.carp0

We also need pfsync, not only to synchronize pf states but also to synchronize the SA replay counters. Ideally the synchronization traffic goes over a dedicated interface and a crossover cable (in the case of two failover boxes), since pfsync itself is neither authenticated nor encrypted.

master# echo "up syncdev rl0 syncpeer 172.16.31.2" > /etc/hostname.pfsync0
slave# echo "up syncdev rl0 syncpeer 172.16.31.1" > /etc/hostname.pfsync0

And now it’s time to set up sasyncd. In this simple configuration sasyncd only needs three things: the peer address, the carp interface whose state it will follow (it acts as the master sasyncd while the carp interface is in MASTER state and as a slave while it is in BACKUP state), and a shared key used to encrypt the SA updates sent to the peer.

Edit /etc/sasyncd.conf, on master:

peer 172.16.31.2
interface carp0
sharedkey 0x078433394b762e8c526d5921768e633676a8733db242c7ddd49993c0dca5092a

Use openssl rand -hex 32 to generate your shared key (prefix the output with 0x, as above), and use the same key on both boxes.

and on slave:

peer 172.16.31.1
interface carp0
sharedkey 0x078433394b762e8c526d5921768e633676a8733db242c7ddd49993c0dca5092a

Now on both servers enable sasyncd by adding sasyncd_flags="" to your /etc/rc.conf.local files.

At this moment you can either reboot your servers to get everything started or do

# sh /etc/netstart
# sasyncd

Test it on your slave box: after a second you should see exactly the same flows and SAD entries as on the master with ipsecctl -sa.
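The steps above are easy to get subtly wrong by hand (a mis-pasted shared key, the two peer addresses swapped, a world-readable sasyncd.conf). As an added example, not code from the original post, the following POSIX sh script renders the three files for either role from the post's own lab values (carp VIP 192.168.1.10 on vhid 1, pfsync over rl0 between 172.16.31.1 and 172.16.31.2) and refuses to write a malformed key. The sad_mismatch helper for the final check assumes you have captured ipsecctl -sa output from each box into a plain file yourself; the target directory is a parameter so the script can be dry-run anywhere before pointing it at /etc.

```shell
#!/bin/sh
# Added example (not from the original post): render and sanity-check the
# carp / pfsync / sasyncd configuration for one node of a two-node IPsec hub.
# Lab values are the post's; everything else is an assumption of this script.

CARP_VIP=192.168.1.10
CARP_MASK=255.255.255.0
CARP_BCAST=192.168.1.255
CARP_VHID=1
SYNC_IF=rl0
SYNC_MASTER=172.16.31.1   # master's address on the dedicated sync link
SYNC_SLAVE=172.16.31.2    # slave's address on the dedicated sync link

# is_hex_key KEY: accept only "0x" followed by exactly 64 hex digits
# (256 bits, what `openssl rand -hex 32` produces). Catches the classic
# copy/paste damage such as a multiplication sign instead of "x".
is_hex_key() {
    case "$1" in 0x*) ;; *) return 1 ;; esac
    [ "${#1}" -eq 66 ] || return 1
    rest=${1#0x}
    case "$rest" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# carp_line ROLE PASS: hostname.carp0 contents. The slave gets advskew 100
# so the master wins the election whenever both boxes are healthy.
carp_line() {
    line="inet $CARP_VIP $CARP_MASK $CARP_BCAST vhid $CARP_VHID pass $2"
    [ "$1" = slave ] && line="$line advskew 100"
    printf '%s\n' "$line"
}

# pfsync_line ROLE: hostname.pfsync0 contents; syncpeer is the OTHER box.
pfsync_line() {
    if [ "$1" = master ]; then peer=$SYNC_SLAVE; else peer=$SYNC_MASTER; fi
    printf 'up syncdev %s syncpeer %s\n' "$SYNC_IF" "$peer"
}

# sasyncd_conf ROLE KEY: sasyncd.conf contents; the peer is again the other
# box's sync address and the shared key must be identical on both sides.
sasyncd_conf() {
    if [ "$1" = master ]; then peer=$SYNC_SLAVE; else peer=$SYNC_MASTER; fi
    printf 'peer %s\ninterface carp0\nsharedkey %s\n' "$peer" "$2"
}

# render ROLE CARP_PASS SHARED_KEY DIR: write the three files under DIR
# (use /etc on the real box, a scratch directory for a dry run).
render() {
    role=$1; pass=$2; key=$3; dir=$4
    case "$role" in master|slave) ;; *) echo "role must be master|slave" >&2; return 1 ;; esac
    is_hex_key "$key" || { echo "sharedkey must be 0x followed by 64 hex digits" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Both hostname.carp0 and sasyncd.conf carry secrets: create them root-only.
    (
        umask 077
        carp_line "$role" "$pass"   > "$dir/hostname.carp0"
        pfsync_line "$role"         > "$dir/hostname.pfsync0"
        sasyncd_conf "$role" "$key" > "$dir/sasyncd.conf"
    )
}

# sad_mismatch MASTER_LIST SLAVE_LIST: compare `ipsecctl -sa` output captured
# from each box (one file per box). Prints entries present on only one side
# and returns 1 if there are any, 0 when the two listings match exactly.
sad_mismatch() {
    a=$(mktemp) && b=$(mktemp) || return 2
    sort "$1" > "$a"; sort "$2" > "$b"
    out=$(comm -3 "$a" "$b")
    rm -f "$a" "$b"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: sh ipsec-ha.sh master|slave CARP_PASS SHARED_KEY TARGET_DIR
[ $# -eq 4 ] && render "$@"
```

Run it once per box with the same shared key and compare the resulting sasyncd.conf files: only the peer line should differ. For the last step of the post, dump ipsecctl -sa on each box to a file, copy one across, and feed both to sad_mismatch; an empty result means the slave already holds every SA the master has.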

One Response to “IPsec synchronization with OpenBSD”

  1. abnamro.chris Says:

    I am trying to get a similar setup to work. I have two BSD machines behind a BSD external gateway, and an IPSec peer establishes a connection to, at the moment, one BSD peer behind that BSD external gateway; we use pf to pass the traffic straight through to the internal BSD machine. The new work mainly focuses on building a failover IPSec peer using another BSD machine.

    I have some plans as to what I need to do, but at the moment it is still quite unclear. Maybe you can shed some light, if you could please. I think there are three things I need to do.
    1. setup the failover BSD machine with CARP
    2. copy all IPSec conf from the first BSD peer behind that external BSD firewall to this new BSD to be built
    3. change the pf (NAT) rule on the external gateway, such that when traffic comes from the peer outside the external gateway, forward the traffic to the virtual address. (shared between the old BSD peer and the new one)
    4. change the destination address on the outside BSD peer to the virtual address

    Is there anything else I missed out? Thanks for writing this up by the way, there is a severe shortage of howtos on IPSec+CARP.
