IPsec SA synchronization daemon for
sasyncd daemon synchronizes IPsec SA
and SPD information between a number of failover IPsec gateways. The most
typical scenario is to run
sasyncd on hosts also
running isakmpd(8) or iked(8) and sharing a common IP address using
The daemon runs either in master or slave mode, in which the master tracks all local IPsec SA changes and sends this information along to all slaves so they will have the same data.
When a slave connects, or reconnects, the master will transmit a snapshot of all its current IPsec SA and SPD information.
sasyncd does not itself do any failover
processing; the normal mode of operation is to track state changes on a
specified carp(4) interface. Whenever it changes,
sasyncd will follow suit. For debugging purposes, it
is possible to "lock" the daemon to a particular state; see
sasyncd to sasyncd communication
sasyncd will transmit IPsec SA key and
policy information over a network not guaranteed to be private,
sasyncd messages are protected using AES and SHA.
The shared key used for the encryption must be specified in
sasyncd.conf(5) for more information.
SA replay counters
For SAs with replay protection enabled, such as those created by
sasyncd hosts must have
enabled to synchronize the in-kernel SA replay counters. Without this replay
counter synchronization the IPsec packets a host sends after failover will
not be accepted by the remote VPN endpoint.
In most redundancy setups pfsync(4) is likely already activated to synchronize pf(4) states. See pfsync(4) for more information.
The options are as follows:
- If given, the
-coption specifies an alternate configuration file instead of /etc/sasyncd.conf.
-doption causes the daemon to run in the foreground, logging to stderr. Without this option,
sasyncdsends log messages to syslog(3).
- Configtest mode. Only check the configuration file for validity.
-voption increases the verbosity level of the daemon, used primarily for debugging. This option may be specified several times.
- The default
crypto(3), syslog(3), carp(4), ipsec(4), pfsync(4), sasyncd.conf(5), iked(8), isakmpd(8)
sasyncd daemon first appeared in
OpenBSD 3.8. It was written in 2004-2005 by Hakan
Olsson, in part sponsored by Multicom Security AB, Sweden.
Due to the absence of a proper on the wire SA transfer protocol,
sasyncd only works if the peers share the same