Encrypting carp traffic with ipsec
C. L. Martinez
2016-07-28 19:47:35 UTC
Hi all,

I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
(fully patched). According to the ifconfig(8) man page:

carppeer peer_address
Send the carp advertisements to a specified point-to-point peer or
multicast group instead of sending the messages to the default carp
multicast group. The peer_address is the IP address of the other host
taking part in the carp cluster. With this option, carp(4) traffic can
be protected using ipsec(4) and it may be desired in networks that do
not allow or have problems with IPv4 multicast traffic.

And the last sentence describes the type of problem that I want to
avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
desired in networks that do not allow or have problems with IPv4
multicast traffic".

But I don't see how to implement this feature. If I am not wrong, I
need to configure ipsec in transport mode. But how to encrypt the carp
protocol only and keep all other services and protocols out of ipsec
tunnels??

Any tip or sample??
Kapetanakis Giannis
2016-07-29 07:55:01 UTC
check proto (from protocol) in ipsec.conf(5)

G
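Giannis' pointer is the `proto` keyword of ipsec.conf(5): an `ike` rule that names `proto carp` together with `transport` mode protects only the carp advertisements exchanged between two addresses and leaves every other protocol between the same hosts untouched. The Python below is an added example, not code from the thread: it renders such rules for both firewalls from the address pairs that appear later in the thread and checks that the two configurations mirror each other, since a flow present on only one side will never get a matching SA. The PSK value and the helper names `ipsec_conf` and `mirror_errors` are assumptions.

```python
# Constructed example: one (local, peer) address pair per carpdev, taken from
# the carppeer values quoted in the thread. FwB's list is FwA's list mirrored.
FWA_PAIRS = [("172.22.55.12", "172.22.55.13"), ("172.30.77.2", "172.30.77.3")]
FWB_PAIRS = [(peer, local) for local, peer in FWA_PAIRS]

# Placeholder only; use a long random secret, identical on both hosts.
PSK = "EXAMPLE-PSK-REPLACE-ME"


def ipsec_conf(pairs, psk):
    """Render ipsec.conf(5) rules: ESP in transport mode, restricted with
    'proto carp' so only carp(4) advertisements between the two addresses
    are protected. In transport mode 'peer' defaults to the dst address,
    so it is not repeated here."""
    return "\n".join(
        f'ike esp transport proto carp from {local} to {peer} psk "{psk}"'
        for local, peer in pairs
    )


def mirror_errors(pairs_a, pairs_b):
    """Every (local, peer) on one firewall must appear as (peer, local) on
    the other. Returns the pairs that are present on one side only."""
    want_b = {(peer, local) for local, peer in pairs_a}
    return sorted(want_b ^ set(pairs_b))


if __name__ == "__main__":
    print("# FirewallA /etc/ipsec.conf")
    print(ipsec_conf(FWA_PAIRS, PSK))
    print("# FirewallB /etc/ipsec.conf")
    print(ipsec_conf(FWB_PAIRS, PSK))
    print("mismatched pairs:", mirror_errors(FWA_PAIRS, FWB_PAIRS))
```

Paste the rendered lines into /etc/ipsec.conf on the respective host and check them with `ipsecctl -n -f /etc/ipsec.conf` before enabling isakmpd; `ipsecctl -sa` should afterwards list only `proto carp` flows, which is what the output later in the thread shows.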
C. L. Martinez
2016-07-29 12:50:33 UTC
Thanks Giannis. I have configured iked.conf in both firewalls.

FirewallA:

ikev2 esp proto carp from 172.22.55.12 to 172.22.55.13 psk "74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0


FirewallB:

ikev2 esp proto carp from 172.22.55.13 to 172.22.55.12 psk "74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

Starting iked from the shell, all tunnels are established. But when I add iked_flags= to rc.conf.local and reboot both firewalls, the startup process stops at the iked process and never finishes. I need to do a hard reset ...

Any idea why??
C. L. Martinez
2016-08-01 07:54:57 UTC
Ok, after doing several tests these days, I have configured ipsec.conf instead of iked.conf. But the carp interfaces remain in MASTER mode on both firewalls:

FwA:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
state MASTER vhid 1 advskew 100
state MASTER vhid 2 advskew 0
groups: carp
status: master
inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
state MASTER vhid 3 advskew 100
state MASTER vhid 4 advskew 0
groups: carp
status: master
inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7

....


FwB:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
state MASTER vhid 1 advskew 0
state MASTER vhid 2 advskew 100
groups: carp
status: master
inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
state MASTER vhid 3 advskew 0
state MASTER vhid 4 advskew 100
groups: carp
status: master
inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7


IPsec flows are established in both firewalls:

FwA:

FLOWS:
flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type use
flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
flow esp in proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.3 srcid 172.22.54.2/32 dstid 172.22.54.3/32 type use
flow esp out proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.3 srcid 172.22.54.2/32 dstid 172.22.54.3/32 type require
flow esp in proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.3 srcid 172.22.56.2/32 dstid 172.22.56.3/32 type use
flow esp out proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.3 srcid 172.22.56.2/32 dstid 172.22.56.3/32 type require

SAD:
esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth hmac-sha2-256 enc aes
esp transport from 172.22.55.13 to 172.22.55.12 spi 0x54d57373 auth hmac-sha2-256 enc aes
esp transport from 172.22.57.2 to 172.22.57.3 spi 0x57f09d05 auth hmac-sha2-256 enc aes
esp transport from 172.22.56.2 to 172.22.56.3 spi 0x5a171e12 auth hmac-sha2-256 enc aes
esp transport from 172.30.77.2 to 172.30.77.3 spi 0x5e1cc51a auth hmac-sha2-256 enc aes
esp transport from 172.22.54.2 to 172.22.54.3 spi 0x6a7415a2 auth hmac-sha2-256 enc aes
esp transport from 172.30.77.3 to 172.30.77.2 spi 0x77435d2a auth hmac-sha2-256 enc aes
esp transport from 172.22.55.12 to 172.22.55.13 spi 0x8a0d95c7 auth hmac-sha2-256 enc aes
esp transport from 172.22.56.3 to 172.22.56.2 spi 0x906dd7fd auth hmac-sha2-256 enc aes
esp transport from 172.22.58.2 to 172.22.58.3 spi 0xab88d522 auth hmac-sha2-256 enc aes
esp transport from 172.22.57.3 to 172.22.57.2 spi 0xca1ba00f auth hmac-sha2-256 enc aes
esp transport from 172.22.58.3 to 172.22.58.2 spi 0xe66ba82a auth hmac-sha2-256 enc aes

FwB:

FLOWS:
flow esp in proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.2 srcid 172.22.58.3/32 dstid 172.22.58.2/32 type use
flow esp out proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.2 srcid 172.22.58.3/32 dstid 172.22.58.2/32 type require
flow esp in proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.2 srcid 172.22.57.3/32 dstid 172.22.57.2/32 type use
flow esp out proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.2 srcid 172.22.57.3/32 dstid 172.22.57.2/32 type require
flow esp in proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.2 srcid 172.22.56.3/32 dstid 172.22.56.2/32 type use
flow esp out proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.2 srcid 172.22.56.3/32 dstid 172.22.56.2/32 type require
flow esp in proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.2 srcid 172.22.54.3/32 dstid 172.22.54.2/32 type use
flow esp out proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.2 srcid 172.22.54.3/32 dstid 172.22.54.2/32 type require
flow esp in proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.2 srcid 172.30.77.3/32 dstid 172.30.77.2/32 type use
flow esp out proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.2 srcid 172.30.77.3/32 dstid 172.30.77.2/32 type require
flow esp in proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.12 srcid 172.22.55.13/32 dstid 172.22.55.12/32 type use
flow esp out proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.12 srcid 172.22.55.13/32 dstid 172.22.55.12/32 type require

SAD:
esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth hmac-sha2-256 enc aes
esp transport from 172.22.55.13 to 172.22.55.12 spi 0x54d57373 auth hmac-sha2-256 enc aes
esp transport from 172.22.57.2 to 172.22.57.3 spi 0x57f09d05 auth hmac-sha2-256 enc aes
esp transport from 172.22.56.2 to 172.22.56.3 spi 0x5a171e12 auth hmac-sha2-256 enc aes
esp transport from 172.30.77.2 to 172.30.77.3 spi 0x5e1cc51a auth hmac-sha2-256 enc aes
esp transport from 172.22.54.2 to 172.22.54.3 spi 0x6a7415a2 auth hmac-sha2-256 enc aes
esp transport from 172.30.77.3 to 172.30.77.2 spi 0x77435d2a auth hmac-sha2-256 enc aes
esp transport from 172.22.55.12 to 172.22.55.13 spi 0x8a0d95c7 auth hmac-sha2-256 enc aes
esp transport from 172.22.56.3 to 172.22.56.2 spi 0x906dd7fd auth hmac-sha2-256 enc aes
esp transport from 172.22.58.2 to 172.22.58.3 spi 0xab88d522 auth hmac-sha2-256 enc aes
esp transport from 172.22.57.3 to 172.22.57.2 spi 0xca1ba00f auth hmac-sha2-256 enc aes
esp transport from 172.22.58.3 to 172.22.58.2 spi 0xe66ba82a auth hmac-sha2-256 enc aes


But I see a lot of "bad ip cksum 0!" messages on both firewalls ...

***@obsdfw:~# tcpdump -ttt -env -i enc0
Aug 01 07:40:58.546678 (authentic,confidential): SPI 0x5e1cc51a: carp 172.30.77.2 > 172.30.77.3: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 64496, len 56, bad ip cksum 0! -> 8d12)
Aug 01 07:40:58.546703 (authentic,confidential): SPI 0x8a0d95c7: carp 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 22255, len 56, bad ip cksum 0! -> 5e10)
Aug 01 07:40:58.556680 (authentic,confidential): SPI 0x5a171e12: carp 172.22.56.2 > 172.22.56.3: CARPv2-advertise 36: vhid=8 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 56036, len 56, bad ip cksum 0! -> d82e)
Aug 01 07:40:58.556704 (authentic,confidential): SPI 0x6a7415a2: carp 172.22.54.2 > 172.22.54.3: CARPv2-advertise 36: vhid=6 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 8717, len 56, bad ip cksum 0! -> 9506)
Aug 01 07:40:58.566679 (authentic,confidential): SPI 0xab88d522: carp 172.22.58.2 > 172.22.58.3: CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 37779, len 56, bad ip cksum 0! -> 1b80)
Aug 01 07:40:58.566704 (authentic,confidential): SPI 0x57f09d05: carp 172.22.57.2 > 172.22.57.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 53311, len 56, bad ip cksum 0! -> e0d3)
Aug 01 07:40:59.036637 (authentic,confidential): SPI 0x5e1cc51a: carp 172.30.77.2 > 172.30.77.3: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 31401, len 56, bad ip cksum 0! -> e5a)
Aug 01 07:40:59.036662 (authentic,confidential): SPI 0x8a0d95c7: carp 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 3795, len 56, bad ip cksum 0! -> a62c)
Aug 01 07:40:59.046674 (authentic,confidential): SPI 0x5a171e12: carp 172.22.56.2 > 172.22.56.3: CARPv2-advertise 36: vhid=7 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 11562, len 56, bad ip cksum 0! -> 85e9)
Aug 01 07:40:59.046698 (authentic,confidential): SPI 0x6a7415a2: carp 172.22.54.2 > 172.22.54.3: CARPv2-advertise 36: vhid=5 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 15246, len 56, bad ip cksum 0! -> 7b85)
Aug 01 07:40:59.066676 (authentic,confidential): SPI 0xab88d522: carp 172.22.58.2 > 172.22.58.3: CARPv2-advertise 36: vhid=11 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 41397, len 56, bad ip cksum 0! -> d5e)
Aug 01 07:40:59.066700 (authentic,confidential): SPI 0x57f09d05: carp 172.22.57.2 > 172.22.57.3: CARPv2-advertise 36: vhid=9 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 55275, len 56, bad ip cksum 0! -> d927)
Aug 01 07:40:59.111564 (authentic,confidential): SPI 0x77435d2a: carp 172.30.77.3 > 172.30.77.2: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 687, len 56)
Aug 01 07:40:59.111580 (authentic,confidential): SPI 0x54d57373: carp 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 52601, len 56)
Aug 01 07:40:59.121572 (authentic,confidential): SPI 0x906dd7fd: carp 172.22.56.3 > 172.22.56.2: CARPv2-advertise 36: vhid=8 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 49105, len 56)
Aug 01 07:40:59.121589 (authentic,confidential): SPI 0x1ee8aacd: carp 172.22.54.3 > 172.22.54.2: CARPv2-advertise 36: vhid=6 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 33217, len 56)
Aug 01 07:40:59.131609 (authentic,confidential): SPI 0xe66ba82a: carp 172.22.58.3 > 172.22.58.2: CARPv2-advertise 36: vhid=12 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 61641, len 56)
Aug 01 07:40:59.131626 (authentic,confidential): SPI 0xca1ba00f: carp 172.22.57.3 > 172.22.57.2: CARPv2-advertise 36: vhid=10 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 19054, len 56)
Aug 01 07:40:59.341642 (authentic,confidential): SPI 0x77435d2a: carp 172.30.77.3 > 172.30.77.2: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 3431, len 56)
Aug 01 07:40:59.341658 (authentic,confidential): SPI 0x54d57373: carp 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 31759, len 56)
Aug 01 07:40:59.351583 (authentic,confidential): SPI 0x906dd7fd: carp 172.22.56.3 > 172.22.56.2: CARPv2-advertise 36: vhid=7 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 907, len 56)
Aug 01 07:40:59.351613 (authentic,confidential): SPI 0x1ee8aacd: carp 172.22.54.3 > 172.22.54.2: CARPv2-advertise 36: vhid=5 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 34989, len 56)

And I think that could be the reason why the carp interfaces are in MASTER mode on both firewalls ...

Disabling IPsec, the carp interfaces show the correct state:

FwA:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
state BACKUP vhid 1 advskew 100
state MASTER vhid 2 advskew 0
groups: carp
status: backup
inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
state BACKUP vhid 3 advskew 100
state MASTER vhid 4 advskew 0
groups: carp
status: backup
inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7

FwB:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
state MASTER vhid 1 advskew 0
state BACKUP vhid 2 advskew 100
groups: carp
status: master
inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
state MASTER vhid 3 advskew 0
state BACKUP vhid 4 advskew 100
groups: carp
status: master
inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7


Having arrived at this point, what am I doing wrong?? Or maybe it is a bug?

Thanks.
--
Greetings,
C. L. Martinez
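Two things can be read straight off the capture in the post above. First, the `bad ip cksum 0!` annotation appears only on the outbound (DF) advertisements: tcpdump on enc0 taps an outgoing packet before the kernel has filled in the IP header checksum, while the inbound copies, which are the ones carp's election depends on, are checksum-clean. Second, for vhid 1 and vhid 3 the peer is advertising `advskew=0` while this host holds them as MASTER at `advskew 100`, so the decrypted peer advertisements are arriving on enc0 but carp is not acting on them. The Python below is an added example, not code from the thread, that automates that reading over constructed sample lines modelled on the output above; the address set `LOCAL_ADDRS` and the helper names are assumptions.

```python
import re

# Constructed sample input: a subset of the tcpdump -ttt -env -i enc0 lines
# quoted in the thread, seen from FwA (172.22.55.12 local, 172.22.55.13 peer).
TCPDUMP_ENC0 = """\
Aug 01 07:40:58.546703 (authentic,confidential): SPI 0x8a0d95c7: carp 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 22255, len 56, bad ip cksum 0! -> 5e10)
Aug 01 07:40:59.036662 (authentic,confidential): SPI 0x8a0d95c7: carp 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 3795, len 56, bad ip cksum 0! -> a62c)
Aug 01 07:40:59.111580 (authentic,confidential): SPI 0x54d57373: carp 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 52601, len 56)
Aug 01 07:40:59.341658 (authentic,confidential): SPI 0x54d57373: carp 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 31759, len 56)
"""

# Constructed sample input: FwA's carp0 block from the ifconfig output above.
IFCONFIG_CARP0 = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
                state MASTER vhid 1 advskew 100
                state MASTER vhid 2 advskew 0
"""

# Assumption: the addresses this host sends its own carp advertisements from.
LOCAL_ADDRS = {"172.22.55.12"}

ADV_RE = re.compile(
    r"SPI (?P<spi>0x[0-9a-f]+): carp (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"CARPv2-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) "
    r"advskew=(?P<advskew>\d+)"
)
STATE_RE = re.compile(
    r"state (?P<state>MASTER|BACKUP|INIT) vhid (?P<vhid>\d+) advskew (?P<advskew>\d+)"
)


def parse_advertisements(text, local_addrs=LOCAL_ADDRS):
    """One dict per CARPv2-advertise line. 'bad_cksum' records tcpdump's
    'bad ip cksum' annotation, 'outbound' whether the source is local."""
    advs = []
    for line in text.splitlines():
        m = ADV_RE.search(line)
        if not m:
            continue
        adv = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
        adv["bad_cksum"] = "bad ip cksum" in line
        adv["outbound"] = adv["src"] in local_addrs
        advs.append(adv)
    return advs


def cksum_by_direction(advs):
    """(bad, total) counts per direction. Bad checksums on outbound only are
    the enc0 capture artefact; bad checksums on inbound would be a real
    integrity problem worth chasing."""
    counts = {"outbound": [0, 0], "inbound": [0, 0]}
    for adv in advs:
        key = "outbound" if adv["outbound"] else "inbound"
        counts[key][1] += 1
        counts[key][0] += int(adv["bad_cksum"])
    return {k: tuple(v) for k, v in counts.items()}


def parse_carp_states(text):
    """vhid -> (state, advskew) from an ifconfig carp block."""
    return {int(m.group("vhid")): (m.group("state"), int(m.group("advskew")))
            for m in STATE_RE.finditer(text)}


def split_brain_vhids(advs, states):
    """vhids this host holds as MASTER although a peer advertisement with a
    lower (better) advskew was seen on enc0: carp should have gone BACKUP,
    so the decrypted advertisements are not reaching carp."""
    best_peer_skew = {}
    for adv in advs:
        if adv["outbound"]:
            continue
        vhid = adv["vhid"]
        best_peer_skew[vhid] = min(adv["advskew"], best_peer_skew.get(vhid, 256))
    return sorted(vhid for vhid, (state, skew) in states.items()
                  if state == "MASTER" and vhid in best_peer_skew
                  and best_peer_skew[vhid] < skew)


if __name__ == "__main__":
    advs = parse_advertisements(TCPDUMP_ENC0)
    print("bad ip cksum (bad, total) by direction:", cksum_by_direction(advs))
    states = parse_carp_states(IFCONFIG_CARP0)
    print("vhids held as MASTER despite a better peer:", split_brain_vhids(advs, states))
```

Feed it the real output of `tcpdump -ttt -env -i enc0` and `ifconfig carp0` (adjusting `LOCAL_ADDRS`). When `split_brain_vhids()` reports a vhid while `cksum_by_direction()` shows the inbound side clean, the checksum messages are not the cause; the next thing to verify is that the decrypted carp packets are actually allowed through to carp, for example that pf is not dropping them on enc0.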
C. L. Martinez
2016-08-02 07:54:08 UTC
Please, any help with this??
--
Greetings,
C. L. Martinez
C. L. Martinez
2016-08-04 12:30:56 UTC
flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type use
flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
flow esp in proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.3 srcid 172.22.54.2/32 dstid 172.22.54.3/32 type use
flow esp out proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.3 srcid 172.22.54.2/32 dstid 172.22.54.3/32 type require
flow esp in proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.3 srcid 172.22.56.2/32 dstid 172.22.56.3/32 type use
flow esp out proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.3 srcid 172.22.56.2/32 dstid 172.22.56.3/32 type require
esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth hmac-sha2-256 enc aes
esp transport from 172.22.55.13 to 172.22.55.12 spi 0x54d57373 auth hmac-sha2-256 enc aes
esp transport from 172.22.57.2 to 172.22.57.3 spi 0x57f09d05 auth hmac-sha2-256 enc aes
esp transport from 172.22.56.2 to 172.22.56.3 spi 0x5a171e12 auth hmac-sha2-256 enc aes
esp transport from 172.30.77.2 to 172.30.77.3 spi 0x5e1cc51a auth hmac-sha2-256 enc aes
esp transport from 172.22.54.2 to 172.22.54.3 spi 0x6a7415a2 auth hmac-sha2-256 enc aes
esp transport from 172.30.77.3 to 172.30.77.2 spi 0x77435d2a auth hmac-sha2-256 enc aes
esp transport from 172.22.55.12 to 172.22.55.13 spi 0x8a0d95c7 auth hmac-sha2-256 enc aes
esp transport from 172.22.56.3 to 172.22.56.2 spi 0x906dd7fd auth hmac-sha2-256 enc aes
esp transport from 172.22.58.2 to 172.22.58.3 spi 0xab88d522 auth hmac-sha2-256 enc aes
esp transport from 172.22.57.3 to 172.22.57.2 spi 0xca1ba00f auth hmac-sha2-256 enc aes
esp transport from 172.22.58.3 to 172.22.58.2 spi 0xe66ba82a auth hmac-sha2-256 enc aes
flow esp in proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.2 srcid 172.22.58.3/32 dstid 172.22.58.2/32 type use
flow esp out proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.2 srcid 172.22.58.3/32 dstid 172.22.58.2/32 type require
flow esp in proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.2 srcid 172.22.57.3/32 dstid 172.22.57.2/32 type use
flow esp out proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.2 srcid 172.22.57.3/32 dstid 172.22.57.2/32 type require
flow esp in proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.2 srcid 172.22.56.3/32 dstid 172.22.56.2/32 type use
flow esp out proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.2 srcid 172.22.56.3/32 dstid 172.22.56.2/32 type require
flow esp in proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.2 srcid 172.22.54.3/32 dstid 172.22.54.2/32 type use
flow esp out proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.2 srcid 172.22.54.3/32 dstid 172.22.54.2/32 type require
flow esp in proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.2 srcid 172.30.77.3/32 dstid 172.30.77.2/32 type use
flow esp out proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.2 srcid 172.30.77.3/32 dstid 172.30.77.2/32 type require
flow esp in proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.12 srcid 172.22.55.13/32 dstid 172.22.55.12/32 type use
flow esp out proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.12 srcid 172.22.55.13/32 dstid 172.22.55.12/32 type require
esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth hmac-sha2-256 enc aes
esp transport from 172.22.55.13 to 172.22.55.12 spi 0x54d57373 auth hmac-sha2-256 enc aes
esp transport from 172.22.57.2 to 172.22.57.3 spi 0x57f09d05 auth hmac-sha2-256 enc aes
esp transport from 172.22.56.2 to 172.22.56.3 spi 0x5a171e12 auth hmac-sha2-256 enc aes
esp transport from 172.30.77.2 to 172.30.77.3 spi 0x5e1cc51a auth hmac-sha2-256 enc aes
esp transport from 172.22.54.2 to 172.22.54.3 spi 0x6a7415a2 auth hmac-sha2-256 enc aes
esp transport from 172.30.77.3 to 172.30.77.2 spi 0x77435d2a auth hmac-sha2-256 enc aes
esp transport from 172.22.55.12 to 172.22.55.13 spi 0x8a0d95c7 auth hmac-sha2-256 enc aes
esp transport from 172.22.56.3 to 172.22.56.2 spi 0x906dd7fd auth hmac-sha2-256 enc aes
esp transport from 172.22.58.2 to 172.22.58.3 spi 0xab88d522 auth hmac-sha2-256 enc aes
esp transport from 172.22.57.3 to 172.22.57.2 spi 0xca1ba00f auth hmac-sha2-256 enc aes
esp transport from 172.22.58.3 to 172.22.58.2 spi 0xe66ba82a auth hmac-sha2-256 enc aes
..But I see a lot of "bad ip cksum 0!" messages on both firewalls ...
Aug 01 07:40:58.546678 (authentic,confidential): SPI 0x5e1cc51a: carp 172.30.77.2 > 172.30.77.3: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 64496, len 56, bad ip cksum 0! -> 8d12)
Aug 01 07:40:58.546703 (authentic,confidential): SPI 0x8a0d95c7: carp 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 22255, len 56, bad ip cksum 0! -> 5e10)
Aug 01 07:40:58.556680 (authentic,confidential): SPI 0x5a171e12: carp 172.22.56.2 > 172.22.56.3: CARPv2-advertise 36: vhid=8 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 56036, len 56, bad ip cksum 0! -> d82e)
Aug 01 07:40:58.556704 (authentic,confidential): SPI 0x6a7415a2: carp 172.22.54.2 > 172.22.54.3: CARPv2-advertise 36: vhid=6 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 8717, len 56, bad ip cksum 0! -> 9506)
Aug 01 07:40:58.566679 (authentic,confidential): SPI 0xab88d522: carp 172.22.58.2 > 172.22.58.3: CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 37779, len 56, bad ip cksum 0! -> 1b80)
Aug 01 07:40:58.566704 (authentic,confidential): SPI 0x57f09d05: carp 172.22.57.2 > 172.22.57.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 53311, len 56, bad ip cksum 0! -> e0d3)
Aug 01 07:40:59.036637 (authentic,confidential): SPI 0x5e1cc51a: carp 172.30.77.2 > 172.30.77.3: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 31401, len 56, bad ip cksum 0! -> e5a)
Aug 01 07:40:59.036662 (authentic,confidential): SPI 0x8a0d95c7: carp 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 3795, len 56, bad ip cksum 0! -> a62c)
Aug 01 07:40:59.046674 (authentic,confidential): SPI 0x5a171e12: carp 172.22.56.2 > 172.22.56.3: CARPv2-advertise 36: vhid=7 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 11562, len 56, bad ip cksum 0! -> 85e9)
Aug 01 07:40:59.046698 (authentic,confidential): SPI 0x6a7415a2: carp 172.22.54.2 > 172.22.54.3: CARPv2-advertise 36: vhid=5 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 15246, len 56, bad ip cksum 0! -> 7b85)
Aug 01 07:40:59.066676 (authentic,confidential): SPI 0xab88d522: carp 172.22.58.2 > 172.22.58.3: CARPv2-advertise 36: vhid=11 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 41397, len 56, bad ip cksum 0! -> d5e)
Aug 01 07:40:59.066700 (authentic,confidential): SPI 0x57f09d05: carp 172.22.57.2 > 172.22.57.3: CARPv2-advertise 36: vhid=9 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 55275, len 56, bad ip cksum 0! -> d927)
Aug 01 07:40:59.111564 (authentic,confidential): SPI 0x77435d2a: carp 172.30.77.3 > 172.30.77.2: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 687, len 56)
Aug 01 07:40:59.111580 (authentic,confidential): SPI 0x54d57373: carp 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 52601, len 56)
Aug 01 07:40:59.121572 (authentic,confidential): SPI 0x906dd7fd: carp 172.22.56.3 > 172.22.56.2: CARPv2-advertise 36: vhid=8 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 49105, len 56)
Aug 01 07:40:59.121589 (authentic,confidential): SPI 0x1ee8aacd: carp 172.22.54.3 > 172.22.54.2: CARPv2-advertise 36: vhid=6 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 33217, len 56)
Aug 01 07:40:59.131609 (authentic,confidential): SPI 0xe66ba82a: carp 172.22.58.3 > 172.22.58.2: CARPv2-advertise 36: vhid=12 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 61641, len 56)
Aug 01 07:40:59.131626 (authentic,confidential): SPI 0xca1ba00f: carp 172.22.57.3 > 172.22.57.2: CARPv2-advertise 36: vhid=10 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 19054, len 56)
Aug 01 07:40:59.341642 (authentic,confidential): SPI 0x77435d2a: carp 172.30.77.3 > 172.30.77.2: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 3431, len 56)
Aug 01 07:40:59.341658 (authentic,confidential): SPI 0x54d57373: carp 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 31759, len 56)
Aug 01 07:40:59.351583 (authentic,confidential): SPI 0x906dd7fd: carp 172.22.56.3 > 172.22.56.2: CARPv2-advertise 36: vhid=7 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 907, len 56)
Aug 01 07:40:59.351613 (authentic,confidential): SPI 0x1ee8aacd: carp 172.22.54.3 > 172.22.54.2: CARPv2-advertise 36: vhid=5 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 34989, len 56)
And I think that could be the reason why carp interfaces are in MASTER mode in both firewalls ...
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
state BACKUP vhid 1 advskew 100
state MASTER vhid 2 advskew 0
groups: carp
status: backup
inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
state BACKUP vhid 3 advskew 100
state MASTER vhid 4 advskew 0
groups: carp
status: backup
inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
state MASTER vhid 1 advskew 0
state BACKUP vhid 2 advskew 100
groups: carp
status: master
inet 172.22.55.14 netmask 0xffff19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
state MASTER vhid 3 advskew 0
state BACKUP vhid 4 advskew 100
groups: carp
status: master
inet 172.30.77.1 netmask 0xfffffff8 broadcast 172.30.77.7
Having arrived at this point, what am I doing wrong?? Or maybe it is a bug?
Thanks.
I have done more tests under an ESXi 6 host (using e1000 NICs) and the results are the same. Reading the pfsync(4) man page:

BUGS
pfsync does not currently work with ipsec(4).

OpenBSD 5.9 June 25, 2015 OpenBSD 5.9

Maybe it is the same problem with carp??

Thanks.
--
Greetings,
C. L. Martinez
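The two symptoms reported in this thread, every vhid showing MASTER on both firewalls and "bad ip cksum 0!" on the decrypted advertisements seen on enc0, are easy to spot by eye on two hosts but tedious across many SAs. The following script is an added example (not code from the thread or from OpenBSD) that parses ifconfig(8) carp output from both peers and flags vhids that both claim as MASTER, and parses tcpdump lines from enc0 to count checksum complaints per SPI. The ifconfig and tcpdump samples are constructed from the outputs posted above; the field layout it assumes is the one visible in those outputs.

```python
import re
from collections import Counter

# Constructed sample: ifconfig(8) carp output from the two firewalls, modelled
# on the outputs posted in the thread (both ends claim MASTER for every vhid).
FW1_IFCONFIG = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
                state MASTER vhid 1 advskew 100
                state MASTER vhid 2 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
                state MASTER vhid 3 advskew 100
                state MASTER vhid 4 advskew 0
"""

FW2_IFCONFIG = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
                state MASTER vhid 1 advskew 0
                state MASTER vhid 2 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
                state MASTER vhid 3 advskew 0
                state MASTER vhid 4 advskew 100
"""

# Constructed sample: four lines of "tcpdump -n -i enc0" output taken from the
# thread, two flagged "bad ip cksum 0!" and two clean.
ENC0_TCPDUMP = """\
Aug 01 07:40:58.546678 (authentic,confidential): SPI 0x5e1cc51a: carp 172.30.77.2 > 172.30.77.3: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 64496, len 56, bad ip cksum 0! -> 8d12)
Aug 01 07:40:58.546703 (authentic,confidential): SPI 0x8a0d95c7: carp 172.22.55.12 > 172.22.55.13: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 22255, len 56, bad ip cksum 0! -> 5e10)
Aug 01 07:40:59.111564 (authentic,confidential): SPI 0x77435d2a: carp 172.30.77.3 > 172.30.77.2: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 687, len 56)
Aug 01 07:40:59.111580 (authentic,confidential): SPI 0x54d57373: carp 172.22.55.13 > 172.22.55.12: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 demote=0 [tos 0x10] (ttl 255, id 52601, len 56)
"""

IFACE_RE = re.compile(r"^(carp\d+):")
STATE_RE = re.compile(r"^\s*state (MASTER|BACKUP|INIT) vhid (\d+) advskew (\d+)")
ADVERT_RE = re.compile(
    r"SPI (0x[0-9a-f]+): carp (\S+) > (\S+): CARPv2-advertise \d+: vhid=(\d+)"
)


def parse_carp_states(ifconfig_text):
    """Return {vhid: (iface, state, advskew)} from ifconfig carp output."""
    states = {}
    iface = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m and iface:
            state, vhid, advskew = m.group(1), int(m.group(2)), int(m.group(3))
            states[vhid] = (iface, state, advskew)
    return states


def find_split_brain(states_a, states_b):
    """vhids that both firewalls claim as MASTER: the peers are not hearing
    each other's advertisements, so each one elects itself."""
    shared = set(states_a) & set(states_b)
    return sorted(v for v in shared
                  if states_a[v][1] == "MASTER" and states_b[v][1] == "MASTER")


def parse_enc_adverts(tcpdump_text):
    """Parse decrypted carp advertisements as printed by tcpdump on enc0."""
    records = []
    for line in tcpdump_text.splitlines():
        m = ADVERT_RE.search(line)
        if not m:
            continue
        records.append({
            "spi": m.group(1),
            "src": m.group(2),
            "dst": m.group(3),
            "vhid": int(m.group(4)),
            "bad_cksum": "bad ip cksum" in line,
        })
    return records


def bad_cksum_by_spi(records):
    """Count checksum complaints per SA so the affected direction stands out."""
    return Counter(r["spi"] for r in records if r["bad_cksum"])


if __name__ == "__main__":
    a = parse_carp_states(FW1_IFCONFIG)
    b = parse_carp_states(FW2_IFCONFIG)
    for vhid in find_split_brain(a, b):
        print(f"vhid {vhid}: MASTER on both peers ({a[vhid][0]}, {b[vhid][0]})")
    for spi, n in bad_cksum_by_spi(parse_enc_adverts(ENC0_TCPDUMP)).items():
        print(f"SPI {spi}: {n} advertisement(s) with bad ip cksum")
```

Run it with the real outputs pasted into the two ifconfig strings and the enc0 capture. In the capture posted above, only the locally generated advertisements (the lines carrying "(DF)") carry the checksum complaint, while the ones received from the peer do not, so grouping by SPI separates the outbound SAs from the inbound ones at a glance; that per-direction split is what to report when asking for help or filing a bug.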