|SASYNCD(8)||System Manager's Manual||SASYNCD(8)|
sasyncddaemon synchronizes IPsec SA and SPD information between a number of failover IPsec gateways. The most typical scenario is to run
sasyncdon hosts also running isakmpd(8) or iked(8) and sharing a common IP address using carp(4).
The daemon runs either in master or slave mode, in which the master tracks all local IPsec SA changes and sends this information along to all slaves so they will have the same data.
When a slave connects, or reconnects, the master will transmit a snapshot of all its current IPsec SA and SPD information.
sasyncddoes not itself do any failover processing; the normal mode of operation is to track state changes on a specified carp(4) interface. Whenever it changes,
sasyncdwill follow suit. For debugging purposes, it is possible to “lock” the daemon to a particular state; see sasyncd.conf(5).
sasyncdwill transmit IPsec SA key and policy information over a network not guaranteed to be private,
sasyncdmessages are protected using AES and SHA. The shared key used for the encryption must be specified in /etc/sasyncd.conf. See sasyncd.conf(5) for more information. isakmpd(8), the
sasyncdhosts must have pfsync(4) enabled to synchronize the in-kernel SA replay counters. Without this replay counter synchronization the IPsec packets a host sends after failover will not be accepted by the remote VPN endpoint.
The options are as follows:
-coption specifies an alternate configuration file instead of /etc/sasyncd.conf.
-doption causes the daemon to run in the foreground, logging to stderr. Without this option,
sasyncdsends log messages to syslog(3).
-voption increases the verbosity level of the daemon, used primarily for debugging. This option may be specified several times.
sasyncddaemon first appeared in OpenBSD 3.8. It was written in 2004-2005 by Hakan Olsson, in part sponsored by Multicom Security AB, Sweden.
sasyncdonly works if the peers share the same hardware architecture.
|April 4, 2017||OpenBSD-current|