VPNs and CARP (as of OpenBSD 3.9)

As of OpenBSD 3.9, sasyncd(8) is still a little broken. It cannot fail back after a successful failover, and the SAs still seem to get out of sync. I'll have a look at this soon. In the meantime, I needed a workaround. Enter ifstated(8).

On the surface, you should be able to use ifstated to sense the status of the carp interfaces, starting and stopping isakmpd accordingly. Unfortunately, in my test setup, the carp interface sensing seems broken. Enter a Perl script, carpstatus, which is simply this:

#!/usr/bin/perl
# carpstatus: exit 0 only when both carp0 and carp1 report MASTER.
use strict;
use warnings;

# Return the carp state word (MASTER, BACKUP, INIT) for one interface,
# read from the "carp: STATE ..." line of ifconfig(8) output.
sub carp_state {
        my ($ifn) = @_;
        my $state = "";
        open(my $fh, "-|", "ifconfig", $ifn) or die "ifconfig $ifn: $!";
        while (<$fh>) {
                $state = $1 if /carp:\s+([A-Z]+)/;
        }
        close $fh;
        return $state;
}

my $stat0 = carp_state("carp0");
my $stat1 = carp_state("carp1");

# Both interfaces MASTER: success (this node should run isakmpd).
# Anything else, including a split state or a missing carp line: failure.
if (($stat0 eq $stat1) && ($stat1 eq "MASTER")) {
        exit 0;
}
exit 1;

This script simply issues a pair of ifconfigs and checks the carp status. If both carp interfaces are in MASTER mode, it exits with success; otherwise it exits with failure. It can then be used with ifstated via the following ifstated.conf.

init-state back
carpstate = '( "/usr/local/sbin/carpstatus" every 10)'

state mast {
        init {
                run "ipsecadm flush"
                run "isakmpd"
        }
        if ! $carpstate
                set-state back
}

state back {
        init {
                run "pkill isakmpd"
                run "ipsecadm flush"
        }
        if $carpstate
                set-state mast
}
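The same check as the carpstatus script and the `$carpstate` test above, written as an added shell example (not the post's own code) that generalises to any number of carp interfaces and separates the decision logic from ifconfig so it can be exercised on constructed output. The ifconfig sample text, the exit code 2 for a missing carp line, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Exit codes: 0 = every interface MASTER (start isakmpd), 1 = some interface
# not MASTER, 2 = an interface produced no "carp:" line at all.

# carp_states: read ifconfig(8) output on stdin, print "ifname STATE" per interface.
carp_states() {
    awk '/^[a-z]+[0-9]+:/ { name = $1; sub(/:$/, "", name) }
         $1 == "carp:"    { print name, $2 }'
}

# all_master IF...: stdin is ifconfig output; succeed only if every IF is MASTER.
all_master() {
    states=$(carp_states)
    rc=0
    for ifn in "$@"; do
        st=$(printf '%s\n' "$states" | awk -v n="$ifn" '$1 == n { print $2; exit }')
        case "$st" in
            "")     echo "$ifn: no carp status line in ifconfig output" >&2; return 2 ;;
            MASTER) ;;
            *)      rc=1 ;;
        esac
    done
    return $rc
}

# carpstatus: the live check to point ifstated's carpstate at, e.g.
#   carpstatus carp0 carp1
carpstatus() {
    ifconfig "$@" | all_master "$@"
}

# Constructed ifconfig output (assumed format, not captured from a real host).
SAMPLE_BOTH_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0'
SAMPLE_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100'
```

The split case (one MASTER, one BACKUP) is the one that matters for this setup: isakmpd must not be started until every carp interface has been won, or the two nodes negotiate SAs at the same time.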

Of course, this relies on you having a working isakmpd(8) setup, but that's not as hard as you might think. Hint: Don't use isakmpd -DA=99 -d to debug. Use a lower debug level; e.g. isakmpd -DA=20 -d.

pintday.org » Fresh every Tuesday.