*** UNIX MANUAL PAGE BROWSER ***

A Nergahak database for man page research.

Manual Page Result

Command: sasyncd | Section: 8 | Source: OpenBSD | File: sasyncd.8

SASYNCD(8)              FreeBSD System Manager's Manual             SASYNCD(8)

NAME
     sasyncd - IPsec SA synchronization daemon for failover gateways

SYNOPSIS
     sasyncd [-dnv] [-c config-file]

DESCRIPTION
     The sasyncd daemon synchronizes IPsec SA and SPD information between a
     number of failover IPsec gateways.  The most typical scenario is to run
     sasyncd on hosts that also run isakmpd(8) or iked(8) and share a common
     IP address using carp(4).

     The daemon runs in either master or slave mode: the master tracks all
     local IPsec SA changes and sends this information to all slaves so that
     they hold the same data.  When a slave connects, or reconnects, the
     master transmits a snapshot of all its current IPsec SA and SPD
     information.

   Failover
     sasyncd does not itself do any failover processing; the normal mode of
     operation is to track state changes on a specified carp(4) interface.
     Whenever that interface changes state, sasyncd follows suit.  For
     debugging purposes, it is possible to "lock" the daemon to a particular
     state; see sasyncd.conf(5).

   sasyncd to sasyncd communication
     As sasyncd transmits IPsec SA key and policy information over a network
     that is not guaranteed to be private, sasyncd messages are protected
     using AES and SHA.  The shared key used for the encryption must be
     specified in /etc/sasyncd.conf.  Because this key protects the keys of
     every synchronized SA, the configuration file holding it is itself
     sensitive and must be kept private.  See sasyncd.conf(5) for more
     information.

   SA replay counters
     For SAs with replay protection enabled, such as those created by
     isakmpd(8), the sasyncd hosts must have pfsync(4) enabled to synchronize
     the in-kernel SA replay counters.  Without this replay counter
     synchronization the IPsec packets a host sends after failover will not
     be accepted by the remote VPN endpoint.  In most redundancy setups
     pfsync(4) is likely already activated to synchronize pf(4) states.  See
     pfsync(4) for more information.

     The options are as follows:

     -c config-file
             Use config-file as the configuration file instead of
             /etc/sasyncd.conf.

     -d      Run the daemon in the foreground, logging to stderr.  Without
             this option, sasyncd sends log messages to syslog(3).

     -n      Configtest mode.  Only check the configuration file for
             validity.

     -v      Increase the verbosity level of the daemon, used primarily for
             debugging.  This option may be specified several times.

FILES
     /etc/sasyncd.conf  The default sasyncd configuration file.

SEE ALSO
     crypto(3), syslog(3), carp(4), ipsec(4), pfsync(4), sasyncd.conf(5),
     iked(8), isakmpd(8)

HISTORY
     The sasyncd daemon first appeared in OpenBSD 3.8.  It was written in
     2004-2005 by Hakan Olsson, in part sponsored by Multicom Security AB,
     Sweden.

BUGS
     Due to the absence of a proper on-the-wire SA transfer protocol, sasyncd
     only works if the peers share the same hardware architecture.

FreeBSD 14.1-RELEASE-p8          April 4, 2017          FreeBSD 14.1-RELEASE-p8
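As an added example (not part of the manual page or of the sasyncd sources), the following pre-flight script checks, on a failover node, the three points the DESCRIPTION calls out before the daemon is started: the shared key lives in /etc/sasyncd.conf and therefore the file must be readable by its owner only; pfsync(4) has to be present or replay counters will not be synchronized; and `sasyncd -n` validates the configuration. It assumes the sasyncd.conf(5) directive names `interface`, `peer` and `sharedkey`; the sample configuration it writes for its own demonstration is constructed, and its key value is a placeholder whose format should be checked against sasyncd.conf(5) rather than copied.

```shell
#!/bin/sh
# Pre-flight checks for an sasyncd(8) failover node.
# Added example, not code from the sasyncd sources or its manual pages.
# Assumed sasyncd.conf(5) keywords: "interface", "peer", "sharedkey".

# conf_perms_ok FILE
# The file carries the shared key that protects every synchronized SA, so
# require owner-only permissions (mode 600 or 400).  ls(1) is used instead of
# stat(1) because stat's flags differ between BSD and GNU.
conf_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# conf_has_key FILE
# Succeeds if a non-empty "sharedkey" directive is present.
conf_has_key() {
    grep -Eq '^[[:space:]]*sharedkey[[:space:]]+[^[:space:]]+' "$1"
}

# conf_interface FILE
# Prints the carp(4) interface sasyncd is told to track, if any.
conf_interface() {
    awk '$1 == "interface" { print $2; exit }' "$1"
}

# pfsync_up
# Replay counters are synchronized only if pfsync(4) is configured; without
# it the surviving gateway's packets are rejected by the remote peer after
# failover.  Returns 2 if ifconfig is unavailable (cannot tell).
pfsync_up() {
    command -v ifconfig >/dev/null 2>&1 || return 2
    ifconfig pfsync0 >/dev/null 2>&1
}

# configtest FILE
# Runs sasyncd's own -n check when the daemon is installed; 2 otherwise.
configtest() {
    command -v sasyncd >/dev/null 2>&1 || return 2
    sasyncd -n -c "$1"
}

# write_sample_conf FILE
# Writes a constructed demonstration config.  The key is a placeholder, not a
# real key; see sasyncd.conf(5) for the accepted key format.
write_sample_conf() {
    printf 'interface carp0\npeer 10.0.0.2\nsharedkey 0x00112233445566778899aabbccddeeff\n' > "$1"
    chmod 600 "$1"
}

# preflight FILE
# Runs all checks, reports each one, and fails if any hard check fails.
# Written to be safe under "set -e": no bare non-zero command status.
preflight() {
    f=$1 rc=0
    if conf_perms_ok "$f"; then echo "ok:   $f is owner-only"
    else echo "FAIL: $f must be mode 600 (it holds the shared key)"; rc=1; fi
    if conf_has_key "$f"; then echo "ok:   sharedkey present"
    else echo "FAIL: no sharedkey directive in $f"; rc=1; fi
    iface=$(conf_interface "$f")
    if [ -n "$iface" ]; then echo "ok:   tracking $iface"
    else echo "FAIL: no interface directive in $f"; rc=1; fi
    st=0; pfsync_up || st=$?
    case $st in
        0) echo "ok:   pfsync0 configured" ;;
        2) echo "warn: ifconfig not found, cannot verify pfsync" ;;
        *) echo "warn: pfsync0 not configured; replay counters will not be synced" ;;
    esac
    st=0; configtest "$f" || st=$?
    case $st in
        0) echo "ok:   sasyncd -n accepted $f" ;;
        2) echo "warn: sasyncd not installed, skipping -n" ;;
        *) echo "FAIL: sasyncd -n rejected $f"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh preflight.sh /etc/sasyncd.conf
# With no argument, run against the constructed sample config instead.
if [ $# -eq 0 ]; then
    tmp=$(mktemp); write_sample_conf "$tmp"; preflight "$tmp"; rm -f "$tmp"
else
    preflight "$1"
fi
```

The permission check is deliberately a hard failure rather than a warning: the SA keys of every tunnel the gateway terminates are only as secret as the sasyncd shared key, so a group- or world-readable configuration file undoes the AES/SHA protection of the sync traffic. The pfsync and configtest checks are only warnings because the script may be run on a host where neither tool is installed.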
