sasyncd man page on OpenBSD


SASYNCD(8)		OpenBSD System Manager's Manual		    SASYNCD(8)

NAME
     sasyncd - IPsec SA synchronization daemon for failover gateways

SYNOPSIS
     sasyncd [-dv] [-c config-file]

DESCRIPTION
     The sasyncd daemon synchronizes IPsec SA and SPD information between a
     number of failover IPsec gateways.  The most typical scenario is to run
     sasyncd on hosts also running isakmpd(8) or iked(8) and sharing a common
     IP address using carp(4).

     The daemon runs either in master or slave mode, in which the master
     tracks all local IPsec SA changes and sends this information along to all
     slaves so they will have the same data.

     When a slave connects, or reconnects, the master will transmit a snapshot
     of all its current IPsec SA and SPD information.

   Failover
     sasyncd does not itself do any failover processing; the normal mode of
     operation is to track state changes on a specified carp(4) interface.
     Whenever it changes, sasyncd will follow suit.  For debugging purposes,
     it is possible to "lock" the daemon to a particular state; see
     sasyncd.conf(5).

   sasyncd to sasyncd communication
     As sasyncd will transmit IPsec SA key and policy information over a
     network not guaranteed to be private, sasyncd messages are protected
     using AES and SHA.  The shared key used for the encryption must be
     specified in /etc/sasyncd.conf.  See sasyncd.conf(5) for more
     information.
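     The shared key is the only thing standing between the SA key material
     and anyone who can read the synchronization traffic, so it should be
     generated from a proper random source, sized for AES (128, 192 or 256
     bits), and kept in a root-only configuration file.  The following
     POSIX shell script is an added example; it is not part of the OpenBSD
     man page or of sasyncd itself.  It uses the interface, peer and
     sharedkey keywords documented in sasyncd.conf(5); the 0x-prefixed
     hex-string key format, the output directory argument, the interface
     name carp0 and the peer address 192.0.2.2 are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the sasyncd man page or source): generate a shared
# key for sasyncd, validate it, and write a minimal sasyncd.conf.
# Assumptions: the key is given to sasyncd as 0x + hex digits, and the
# destination directory is supplied by the caller (use /etc on a real gateway).

# gen_sasyncd_key [BITS] -> prints a 0x-prefixed hex key of BITS bits.
# Only the AES key sizes 128, 192 and 256 are accepted.
gen_sasyncd_key() {
    bits=${1:-256}
    case "$bits" in
        128|192|256) ;;
        *) echo "gen_sasyncd_key: key must be 128, 192 or 256 bits" >&2; return 1 ;;
    esac
    bytes=$((bits / 8))
    # Read raw bytes from the kernel RNG and hex-encode them with od(1);
    # od emits space-separated bytes, 16 per line, so strip spaces and newlines.
    hex=$(dd if=/dev/urandom bs=1 count="$bytes" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "${#hex}" -eq $((bytes * 2)) ] || return 1
    printf '0x%s\n' "$hex"
}

# check_sasyncd_key KEY -> returns 0 if KEY is 0x followed by exactly
# 32, 48 or 64 hex digits (AES-128/192/256), 1 otherwise.
check_sasyncd_key() {
    case "$1" in
        0x*) hex=${1#0x} ;;
        *) return 1 ;;
    esac
    case "$hex" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    case "${#hex}" in
        32|48|64) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sasyncd_conf DIR CARP_IF PEER KEY -> writes DIR/sasyncd.conf with
# mode 0600 and prints its path.  Refuses keys that fail check_sasyncd_key.
write_sasyncd_conf() {
    dir=$1 carpif=$2 peer=$3 key=$4
    check_sasyncd_key "$key" || { echo "write_sasyncd_conf: bad key" >&2; return 1; }
    conf="$dir/sasyncd.conf"
    # Create the file with a restrictive umask in a subshell so the key is
    # never world-readable, even briefly, and the caller's umask is untouched.
    (
        umask 077
        cat > "$conf" <<EOF
# sasyncd.conf (example).  This file holds the key protecting the IPsec SA
# material sasyncd ships to its peers: keep it owned by root, mode 0600.
# Failover follows the state of this carp(4) interface.
interface $carpif
# The other gateway(s) running sasyncd.
peer $peer
# Shared key for the AES/SHA protection of sasyncd messages.
sharedkey $key
# Uncomment to lock the daemon to one state for debugging (see sasyncd.conf(5)).
# mode master
EOF
    ) || return 1
    chmod 0600 "$conf"
    printf '%s\n' "$conf"
}

# Stand-alone use: sh script.sh /tmp/sasyncd-test carp0 192.0.2.2
if [ "$#" -eq 3 ]; then
    key=$(gen_sasyncd_key 256) || exit 1
    write_sasyncd_conf "$1" "$2" "$3" "$key"
fi
```

     On a live gateway the generated key has to be copied to every peer's
     /etc/sasyncd.conf over an already trusted channel; anyone who obtains
     it can decrypt the SA keys sasyncd sends, and with them the VPN traffic
     those SAs protect.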

   SA replay counters
     For SAs with replay protection enabled, such as those created by
     isakmpd(8), the sasyncd hosts must have pfsync(4) enabled to synchronize
     the in-kernel SA replay counters.  Without this replay counter
     synchronization the IPsec packets a host sends after failover will not be
     accepted by the remote VPN endpoint.

     In most redundancy setups pfsync(4) is likely already activated to
     synchronize pf(4) states.  See pfsync(4) for more information.

     The options are as follows:

     -c config-file
	     If given, the -c option specifies an alternate configuration file
	     instead of /etc/sasyncd.conf.

     -d	     The -d option causes the daemon to run in the foreground, logging
	     to stderr.	 Without this option, sasyncd sends log messages to
	     syslog(3).

     -v	     The -v option increases the verbosity level of the daemon, used
	     primarily for debugging.  This option may be specified several
	     times.

FILES
     /etc/sasyncd.conf		   The default sasyncd configuration file.

SEE ALSO
     crypto(3), syslog(3), carp(4), ipsec(4), pfsync(4), sasyncd.conf(5),
     iked(8), isakmpd(8)

HISTORY
     The sasyncd daemon first appeared in OpenBSD 3.8.  It was written in
     2004-2005 by Hakan Olsson, in part sponsored by Multicom Security AB,
     Sweden.

BUGS
     Due to the absence of a proper on-the-wire SA transfer protocol, sasyncd
     only works if the peers share the same hardware architecture.

OpenBSD 4.9			 June 16, 2010			   OpenBSD 4.9