SA synchronization daemon for failover gateways
The sasyncd daemon synchronizes IPsec SA and SPD information between a number of failover IPsec gateways. The most typical scenario is to run sasyncd on hosts also running and sharing a common IP address using carp(4).

The daemon runs either in master or slave mode: the master tracks all local IPsec SA changes and sends this information along to all slaves so that they hold the same data. When a slave connects, or reconnects, the master transmits a snapshot of all its current IPsec SA and SPD information.
sasyncd does not itself do any failover processing; the normal mode of operation is to track state changes on a specified interface. Whenever that interface changes state, sasyncd will follow suit. For debugging purposes, it is possible to “lock” the daemon to a particular mode.

Since sasyncd will transmit IPsec SA key and policy information over a network not guaranteed to be private, messages are protected using AES and SHA. The shared key used for the encryption must be specified in the configuration file.
For SAs with replay protection enabled, such as those created by
hosts must have pfsync(4) enabled to synchronize the in-kernel SA replay counters. Without this replay counter synchronization, the IPsec packets a host sends after failover will not be accepted by the remote VPN endpoint.

In most redundancy setups pfsync(4) is likely already activated to synchronize pf(4) states. See pfsync(4).
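As an added example (not code from the sasyncd manual or the OpenBSD project), the following POSIX shell script maps a carp(4) interface's reported state to the sasyncd mode that would follow it, and checks that a pfsync(4) interface with a syncdev is up, the prerequisite for replay counter synchronization described above. The ifconfig(8) output it parses is a constructed sample, and the field layout of the "carp:" and "pfsync:" detail lines is assumed.

```shell
#!/bin/sh
# Added example, not from the sasyncd manual: derive the sasyncd mode that a
# carp(4) interface's current state implies, and check that a pfsync(4)
# interface with a syncdev is up (the prerequisite for replay-counter sync).
# The ifconfig(8) text below is a constructed sample in OpenBSD's layout:
# header lines start with the interface name, detail lines are indented.

SAMPLE_IFCONFIG=$(cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100
pfsync0: flags=41<UP,RUNNING> mtu 1500
        pfsync: syncdev: em1 maxupd: 128 defer: off
EOF
)

# Print "master", "slave" or "unknown" for the named carp interface ($1) found
# in the ifconfig text ($2); print nothing if that interface is absent.
sasyncd_mode_for() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        $1 == (ifn ":") { in_if = 1; next }   # header line of the wanted interface
        /^[a-z]/        { in_if = 0 }         # any other header line ends its block
        in_if && $1 == "carp:" {
            if ($2 == "MASTER") print "master"
            else if ($2 == "BACKUP") print "slave"
            else print "unknown"
            exit
        }'
}

# Exit 0 only if some pfsync interface is UP and has a syncdev configured
# ("none" is assumed to be how an unset syncdev would be shown).
pfsync_enabled() {
    printf '%s\n' "$1" | awk '
        /^pfsync[0-9]+:/ { in_if = 1; up = ($0 ~ /<[^>]*UP/); next }
        /^[a-z]/         { in_if = 0 }
        in_if && $2 == "syncdev:" && $3 != "none" { found = 1 }
        END { exit !(up && found) }'
}

# On a real gateway pass "$(ifconfig)" instead of the sample.
echo "carp0 implies sasyncd mode: $(sasyncd_mode_for carp0 "$SAMPLE_IFCONFIG")"
pfsync_enabled "$SAMPLE_IFCONFIG" && echo "pfsync prerequisite satisfied"
```

A gateway whose carp interface reports BACKUP but whose sasyncd is locked to master mode, or that lacks a pfsync syncdev, is exactly the misconfiguration the text warns will break IPsec after failover.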
The options are as follows:

- If given, the -c option specifies an alternate configuration file instead of
- The -d option causes the daemon to run in the foreground, logging to stderr. Without this option, sasyncd sends log messages to
- The -v option increases the verbosity level of the daemon, used primarily for debugging. This option may be specified several times.
- The default sasyncd

The sasyncd daemon first appeared in . It was written in 2004-2005 by Hakan Olsson, in part sponsored by Multicom Security AB, Sweden.

Due to the absence of a proper on-the-wire SA transfer protocol, sasyncd only works if the peers share the same