SASYNCD(8) OpenBSD System Manager's Manual SASYNCD(8)
NAME
sasyncd - IPsec SA synchronization daemon for failover gateways
SYNOPSIS
sasyncd [-dv] [-c config-file]
DESCRIPTION
The sasyncd daemon synchronizes IPsec SA and SPD information between a
number of failover IPsec gateways. The most typical scenario is to run
sasyncd on hosts also running isakmpd(8) or iked(8) and sharing a common
IP address using carp(4).
The daemon runs in either master or slave mode: the master tracks all
local IPsec SA changes and sends this information along to all slaves so
they hold the same data.
When a slave connects, or reconnects, the master will transmit a snapshot
of all its current IPsec SA and SPD information.
Failover
sasyncd does not itself do any failover processing; the normal mode of
operation is to track state changes on a specified carp(4) interface.
Whenever it changes, sasyncd will follow suit. For debugging purposes,
it is possible to "lock" the daemon to a particular state; see
sasyncd.conf(5).
sasyncd to sasyncd communication
As sasyncd will transmit IPsec SA key and policy information over a
network not guaranteed to be private, sasyncd messages are protected
using AES and SHA. The shared key used for the encryption must be
specified in /etc/sasyncd.conf. See sasyncd.conf(5) for more
information.
SA replay counters
For SAs with replay protection enabled, such as those created by
isakmpd(8), the sasyncd hosts must have pfsync(4) enabled to synchronize
the in-kernel SA replay counters. Without this replay counter
synchronization the IPsec packets a host sends after failover will not be
accepted by the remote VPN endpoint.
In most redundancy setups pfsync(4) is likely already activated to
synchronize pf(4) states. See pfsync(4) for more information.
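The three points above (sasyncd follows the carp(4) state, the shared key lives in /etc/sasyncd.conf, and pfsync(4) must be active for replay counters) are easy to verify before relying on a failover pair. The following pre-flight check is an added example and is not part of the OpenBSD manual page or of sasyncd itself. It assumes the line format ifconfig(8) prints for carp(4) and pfsync(4) interfaces (the samples are constructed), treats a 0600 mode on the configuration file as the expected permission, and uses hypothetical helper names (carp_state, expected_mode, pfsync_ready, conf_perms_ok, report).

```shell
# Added example, not part of the OpenBSD manual page: a pre-flight check for a
# sasyncd gateway. The ifconfig(8) lines below are constructed samples in the
# format OpenBSD prints for carp(4) and pfsync(4) interfaces (assumed format);
# on a live host feed the functions the output of `ifconfig carp0` and
# `ifconfig pfsync0` instead.

# Constructed sample output for the carp(4) interface sasyncd tracks.
SAMPLE_CARP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# Constructed sample output for a working pfsync(4) interface.
SAMPLE_PFSYNC='pfsync0: flags=41<UP,RUNNING> mtu 1500
        pfsync: syncdev: em1 maxupd: 128 defer: off'

# Constructed sample for a pfsync(4) interface that is down (not UP, no syncdev).
SAMPLE_PFSYNC_DOWN='pfsync0: flags=0<> mtu 1500'

# carp_state: print the carp state (MASTER, BACKUP or INIT) from ifconfig output.
carp_state() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*carp: \([A-Z]*\).*/\1/p' | head -n 1
}

# expected_mode: the sasyncd mode that should follow the given carp state.
expected_mode() {
    case "$1" in
        MASTER)      echo master ;;
        BACKUP|INIT) echo slave ;;
        *)           echo unknown ;;
    esac
}

# pfsync_ready: succeed only if pfsync0 is UP and has a syncdev, i.e. the
# in-kernel SA replay counters can actually be synchronized to the peer.
pfsync_ready() {
    printf '%s\n' "$1" | grep -q 'flags=[0-9]*<[^>]*UP' || return 1
    printf '%s\n' "$1" | grep -q 'pfsync: syncdev: [A-Za-z0-9]' || return 1
    return 0
}

# conf_perms_ok: succeed only if the file holding the shared key is readable
# by its owner alone (mode 0600), because it protects IPsec SA key material.
# Uses ls(1) rather than stat(1) so it works on both BSD and GNU userlands.
conf_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# report: human-readable summary for the given ifconfig output and config path.
report() {
    state=$(carp_state "$1")
    echo "carp state: ${state:-none} -> sasyncd should run as $(expected_mode "$state")"
    if pfsync_ready "$2"; then
        echo "pfsync: ok, SA replay counters will be synchronized"
    else
        echo "pfsync: NOT ready; IPsec packets sent after failover will be rejected"
    fi
    if conf_perms_ok "$3"; then
        echo "$3: permissions ok"
    else
        echo "$3: missing or readable by others; the sasyncd shared key may leak"
    fi
}

# Run against the constructed samples; on a gateway pass real ifconfig output.
report "$SAMPLE_CARP" "$SAMPLE_PFSYNC" /etc/sasyncd.conf
```

The pfsync check is the one that matters most after a failover: a BACKUP host that becomes MASTER with synchronized SAs but stale replay counters will have its traffic silently dropped by the remote endpoint, which looks like a sasyncd fault but is not.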
The options are as follows:
-c config-file
If given, the -c option specifies an alternate configuration file
instead of /etc/sasyncd.conf.
-d
The -d option causes the daemon to run in the foreground, logging
to stderr. Without this option, sasyncd sends log messages to
syslog(3).
-v
The -v option increases the verbosity level of the daemon, used
primarily for debugging. This option may be specified several
times.
FILES
/etc/sasyncd.conf The default sasyncd configuration file.
SEE ALSO
crypto(3), syslog(3), carp(4), ipsec(4), pfsync(4), sasyncd.conf(5),
iked(8), isakmpd(8)
HISTORY
The sasyncd daemon first appeared in OpenBSD 3.8. It was written in
2004-2005 by Hakan Olsson, in part sponsored by Multicom Security AB,
Sweden.
BUGS
Due to the absence of a proper on-the-wire SA transfer protocol, sasyncd
only works if the peers share the same hardware architecture.
OpenBSD 4.9 June 16, 2010 OpenBSD 4.9