<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: IPsec synchronization with OpenBSD</title>
	<atom:link href="http://bsd.dischaos.com/2008/04/10/ipsec-synchronization-with-openbsd/feed/" rel="self" type="application/rss+xml" />
	<link>http://bsd.dischaos.com/2008/04/10/ipsec-synchronization-with-openbsd/</link>
	<description>just some random notes on BSDs, linux and web development</description>
	<lastBuildDate>Tue, 10 Mar 2009 10:36:40 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: abnamro.chris</title>
		<link>http://bsd.dischaos.com/2008/04/10/ipsec-synchronization-with-openbsd/comment-page-1/#comment-6</link>
		<dc:creator>abnamro.chris</dc:creator>
		<pubDate>Mon, 14 Apr 2008 01:38:06 +0000</pubDate>
		<guid isPermaLink="false">http://bsd.dischaos.com/2008/04/10/ipsec-synchronization-with-openbsd/#comment-6</guid>
<description>I am trying to get a similar setup to work. I have two BSD machines behind a BSD external gateway, and an IPSec peer establishes a connection to, at the moment, one BSD peer behind that BSD external gateway; we use pf to pass the traffic straight through to the internal BSD machine. The new work mainly focuses on building a failover IPSec peer using another BSD machine.

I have some plans as to what I need to do, but at the moment it is still quite unclear. Maybe you can shed some light, if you could please. I think there are three things I need to do.
1. set up the failover BSD machine with CARP
2. copy all IPSec conf from the first BSD peer behind that external BSD firewall to this new BSD to be built
3. change the pf (NAT) rule on the external gateway, such that when traffic comes from the peer outside the external gateway, it forwards the traffic to the virtual address (shared between the old BSD peer and the new one)
4. change the destination address on the outside BSD peer to the virtual address

Is there anything else I missed? Thanks for writing this up by the way; there is a severe shortage of howtos on IPSec+CARP.</description>
<content:encoded><![CDATA[<p>I am trying to get a similar setup to work. I have two BSD machines behind a BSD external gateway, and an IPSec peer establishes a connection to, at the moment, one BSD peer behind that BSD external gateway; we use pf to pass the traffic straight through to the internal BSD machine. The new work mainly focuses on building a failover IPSec peer using another BSD machine.</p>
<p>I have some plans as to what I need to do, but at the moment it is still quite unclear. Maybe you can shed some light, if you could please. I think there are three things I need to do.<br />
1. set up the failover BSD machine with CARP<br />
2. copy all IPSec conf from the first BSD peer behind that external BSD firewall to this new BSD to be built<br />
3. change the pf (NAT) rule on the external gateway, such that when traffic comes from the peer outside the external gateway, it forwards the traffic to the virtual address (shared between the old BSD peer and the new one)<br />
4. change the destination address on the outside BSD peer to the virtual address</p>
<p>Is there anything else I missed? Thanks for writing this up by the way; there is a severe shortage of howtos on IPSec+CARP.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
