1.\" $OpenBSD: sasyncd.8,v 1.12 2017/04/04 22:37:01 jsg Exp $ 2.\" 3.\" Copyright (c) 2005 H�kan Olsson. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25.\" 26.\" This code was written under funding by Multicom Security AB. 27.\" 28.\" Manual page for sasyncd 29.\" 30.Dd $Mdocdate: April 4 2017 $ 31.Dt SASYNCD 8 32.Os 33.Sh NAME 34.Nm sasyncd 35.Nd IPsec SA synchronization daemon for failover gateways 36.Sh SYNOPSIS 37.Nm 38.Op Fl dnv 39.Op Fl c Ar config-file 40.Sh DESCRIPTION 41The 42.Nm 43daemon synchronizes IPsec SA and SPD information between a number of 44failover IPsec gateways. 
45The most typical scenario is to run 46.Nm 47on hosts also running 48.Xr isakmpd 8 49or 50.Xr iked 8 51and sharing a common IP address using 52.Xr carp 4 . 53.Pp 54The daemon runs either in master or slave mode, in which the master 55tracks all local IPsec SA changes and sends this information along to 56all slaves so they will have the same data. 57.Pp 58When a slave connects, or reconnects, the master will transmit a 59snapshot of all its current IPsec SA and SPD information. 60.Ss Failover 61.Nm 62does not itself do any failover processing; the normal mode of 63operation is to track state changes on a specified 64.Xr carp 4 65interface. 66Whenever it changes, 67.Nm 68will follow suit. 69For debugging purposes, it is possible to 70.Qq lock 71the daemon to a particular state; see 72.Xr sasyncd.conf 5 . 73.Ss sasyncd to sasyncd communication 74As 75.Nm 76will transmit IPsec SA key and policy information over a network not 77guaranteed to be private, 78.Nm 79messages are protected using AES and SHA. 80The shared key used for the encryption must be specified in 81.Pa /etc/sasyncd.conf . 82See 83.Xr sasyncd.conf 5 84for more information. 85.Ss SA replay counters 86For SAs with replay protection enabled, such as those created by 87.Xr isakmpd 8 , 88the 89.Nm 90hosts must have 91.Xr pfsync 4 92enabled to synchronize the in-kernel SA replay counters. 93Without this replay counter synchronization the IPsec packets a host 94sends after failover will not be accepted by the remote VPN endpoint. 95.Pp 96In most redundancy setups 97.Xr pfsync 4 98is likely already activated to synchronize 99.Xr pf 4 100states. 101See 102.Xr pfsync 4 103for more information. 104.Pp 105The options are as follows: 106.Bl -tag -width Ds 107.It Fl c Ar config-file 108If given, the 109.Fl c 110option specifies an alternate configuration file instead of 111.Pa /etc/sasyncd.conf . 112.It Fl d 113The 114.Fl d 115option causes the daemon to run in the foreground, logging to stderr. 
116Without this option, 117.Nm 118sends log messages to 119.Xr syslog 3 . 120.It Fl n 121Configtest mode. 122Only check the configuration file for validity. 123.It Fl v 124The 125.Fl v 126option increases the verbosity level of the daemon, used primarily for 127debugging. 128This option may be specified several times. 129.El 130.Sh FILES 131.Bl -tag -width /etc/ssl/private/sasyncd.key -compact 132.It Pa /etc/sasyncd.conf 133The default 134.Nm 135configuration file. 136.El 137.Sh SEE ALSO 138.Xr crypto 3 , 139.Xr syslog 3 , 140.Xr carp 4 , 141.Xr ipsec 4 , 142.Xr pfsync 4 , 143.Xr sasyncd.conf 5 , 144.Xr iked 8 , 145.Xr isakmpd 8 146.Sh HISTORY 147The 148.Nm 149daemon first appeared in 150.Ox 3.8 . 151It was written in 2004-2005 by Hakan Olsson, in part sponsored by 152Multicom Security AB, Sweden. 153.Sh BUGS 154Due to the absence of a proper on the wire SA transfer protocol, 155.Nm 156only works if the peers share the same hardware architecture. 157
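The "SA replay counters" section states that, without pfsync(4) synchronizing the in-kernel replay counters, traffic the new master sends after failover is rejected by the remote endpoint. The following is an added example written for this page; it is not sasyncd, pfsync or OpenBSD kernel code. It models the receiver-side anti-replay sliding window of RFC 4303 (section 3.4.3, extended sequence numbers ignored) that the remote IPsec peer keeps for an inbound SA, and replays a failover where the backup gateway either inherits the outbound sequence counter (synchronized) or starts from a fresh counter (not synchronized). The window size and packet counts are constructed numbers, and `simulate_failover` is a hypothetical helper, not a real tool.

```python
"""Anti-replay window model for the SA replay-counter failover failure.

Added example for the sasyncd(8) page; not sasyncd/pfsync code.
Assumptions (constructed for illustration):
  - 64-packet window, the RFC 4303 minimum; ESN is ignored.
  - The remote endpoint has accepted `sent_before_failover` packets on the
    SA before the carp(4) master changes.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay check for one inbound SA (RFC 4303 3.4.3)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) has been received

    def accept(self, seq):
        """Return True and record seq if it is fresh; False if replayed/too old."""
        if seq == 0:
            return False  # sequence 0 is never valid on an anti-replay SA
        if seq > self.top:
            # Advance the window; everything older than the new top - size
            # falls off the bottom.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # below the window: too old, dropped
        if self.bitmap & (1 << diff):
            return False  # already seen: replay, dropped
        self.bitmap |= 1 << diff
        return True


def simulate_failover(sent_before_failover, synced, sent_after=10, window=64):
    """Count how many post-failover packets the remote endpoint accepts.

    `synced` models pfsync(4) having carried the outbound SA replay counter
    to the backup; without it the backup starts the counter from zero.
    """
    remote = AntiReplayWindow(window)
    master_counter = 0
    for _ in range(sent_before_failover):
        master_counter += 1
        remote.accept(master_counter)

    # carp(4) failover: the backup now sends on the same outbound SA.
    backup_counter = master_counter if synced else 0
    accepted = 0
    for _ in range(sent_after):
        backup_counter += 1
        if remote.accept(backup_counter):
            accepted += 1
    return accepted


if __name__ == "__main__":
    # Busy SA (1000 packets) then failover.
    print("synced counter, accepted:", simulate_failover(1000, synced=True))     # 10
    print("unsynced counter, accepted:", simulate_failover(1000, synced=False))  # 0
    # Nearly idle SA: a fresh counter only overtakes the window by luck.
    print("unsynced, quiet SA, accepted:", simulate_failover(5, synced=False))   # 5
```

The quiet-SA case shows why the problem is easy to miss in testing: if only a handful of packets have flowed on the SA, the backup's fresh counter climbs past the peer's window after a few drops and traffic appears to recover. On a busy tunnel the counter is thousands of packets behind, every packet is rejected as too old, and the tunnel stays dead until the SA is renegotiated.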