.\" $OpenBSD: sasyncd.conf.5,v 1.20 2021/02/01 16:39:50 sthen Exp $
.\"
.\" Copyright (c) 2005 Håkan Olsson. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" This code was written under funding by Multicom Security AB.
.\"
.\" Manual page for sasyncd.conf
.\"
.Dd $Mdocdate: February 1 2021 $
.Dt SASYNCD.CONF 5
.Os
.Sh NAME
.Nm sasyncd.conf
.Nd configuration file for sasyncd
.Sh DESCRIPTION
.Nm
is the configuration file for the
.Xr sasyncd 8
daemon.
.Pp
The current line can be extended over multiple lines using a backslash
.Pq Sq \e .
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
Care should be taken when commenting out multi-line text:
the comment is effective until the end of the entire block.
.Pp
Since the file contains the shared secret key used to encrypt data
between this host and the others,
.Pa /etc/sasyncd.conf
must be owned either by
.Dq root
or the
.Dq _isakmpd
pseudo user and be readable only by this owner, e.g.\&
.Bd -literal -offset indent
# chown root /etc/sasyncd.conf
# chmod 0600 /etc/sasyncd.conf
.Ed
.Pp
The following configuration settings are understood:
.Bl -tag -width Ds
.It Xo
.Ic interface
.Ar interface
.Xc
Specify which
.Xr carp 4
interface
.Xr sasyncd 8
should track master/slave state on.
.It Xo
.Ic group
.Ar group
.Xc
Specify on which interface group
.Xr sasyncd 8
should increase the demotion counter.
This has the effect of suppressing
.Xr carp 4
preemption while initial
.Xr sasyncd 8
state is established.
The default is to use the
.Dq carp
group.
.Pp
For more information on interface groups,
see the
.Ic group
keyword in
.Xr ifconfig 8 .
.It Ic flushmode sync | startup | never
Controls how the
.Xr sasyncd 8
master host handles SADB_FLUSH messages to its slaves.
.Pp
.Bl -tag -width "startupXX" -offset indent -compact
.It Ic sync
Pass any SADB_FLUSH messages along.
For example, in this mode
.Xr sasyncd 8
will synchronize an
.Ic ipsecctl -F
command to all connected slaves.
For more information, see
.Xr ipsecctl 8 .
.It Ic startup
Send a SADB_FLUSH message to the slaves as they connect, and act as
.Ic sync
afterwards.
This is the default.
.It Ic never
Never send SADB_FLUSH messages.
.El
.It Xo
.Ic listen on Ar address
.Op Ar family
.Op Ic port Ar port
.Xc
Specify a local IP address, hostname, or interface the
.Xr sasyncd 8
daemon should listen on.
The default is to listen on all local addresses.
When using an interface name,
.Ar family
may be given as
.Dq inet
or
.Dq inet6
to only bind using the specified address family.
Finally,
.Ar port
can be used to specify which TCP port
.Xr sasyncd 8
should listen to.
The default is to listen to port 500.
.It Ic mode master | slave
Force the daemon to run as master or slave.
Normally only intended for debugging use.
.It Ic mode skipslave
Prevent the daemon from syncing SA or SPD messages where the source or
destination address is one of the configured peers.
Intended to permit IPsec
.Xr pfsync 4
protection.
This mode is experimental.
.It Ic peer Ar address
Specify a
.Xr sasyncd 8
peer IP address or hostname.
May be specified multiple times.
For example:
.Bd -literal -offset indent
peer 10.0.0.2
peer 10.0.0.3
peer 10.0.0.4
.Ed
.It Ic sharedkey Ar key
The shared AES key used to encrypt messages between
.Xr sasyncd 8
hosts.
This configuration setting is required and must be either 16, 24 or 32
bytes long (corresponding to AES using a 128, 192 or 256 bit key).
.It Ic control isakmpd | iked | all | none
By default,
.Xr sasyncd 8
tracks its local master/slave mode and toggles the passive mode of
.Xr isakmpd 8
accordingly.
This option can be changed to control
.Xr iked 8
instead,
to control all supported daemons at the same time,
or to turn it off to synchronize SAs only.
.El
.Sh FILES
.Bl -tag -width /etc/examples/sasyncd.conf -compact
.It Pa /etc/sasyncd.conf
.It Pa /etc/examples/sasyncd.conf
.El
.Sh SEE ALSO
.Xr chmod 1 ,
.Xr carp 4 ,
.Xr chown 8 ,
.Xr ipsecctl 8 ,
.Xr sasyncd 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Ox 3.8 .
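The manual states two hard requirements for the file: it must be owned by root or _isakmpd and readable only by that owner, and the sharedkey must be exactly 16, 24 or 32 bytes. The following shell script is an added example written for this page; it is not part of sasyncd.conf(5), /etc/examples/sasyncd.conf or the sasyncd sources. It writes a constructed sample configuration using only the keywords documented above (the addresses and the key are placeholders), then checks both requirements. It assumes the sharedkey value is written unquoted, as in the sample, and accepts an optional list of permitted owners so the check can be run by an unprivileged user on a test copy; ls -l is parsed instead of stat(1) because stat's flags differ between BSD and GNU.

```shell
#!/bin/sh
# Added example, not part of sasyncd.conf(5) or the sasyncd sources:
# a small lint for a sasyncd.conf file covering the two requirements the
# manual states, file ownership/mode and shared key length.
# Assumes the sharedkey value is written unquoted, as in the sample below.

# Write a constructed sample configuration to the path in $1, using only
# keywords documented in the manual.  Addresses and the key are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample sasyncd.conf (placeholders, not a working deployment)
interface carp0             # carp(4) interface whose master/slave state is tracked
group carp                  # interface group whose demotion counter is raised
flushmode startup           # the default: SADB_FLUSH on connect, then pass-through
listen on 10.0.0.1 port 500
peer 10.0.0.2
peer 10.0.0.3
sharedkey 0123456789abcdef  # PLACEHOLDER: 16 bytes = AES-128; replace before use
control isakmpd
EOF
}

# Check owner and mode of the file in $1.  $2 is a space-separated list of
# acceptable owners; it defaults to the two the manual allows.  Output of
# ls -l is parsed instead of stat(1), whose flags differ between BSD and GNU.
check_conf_perms() {
    f=$1
    allowed=${2:-"root _isakmpd"}
    out=$(ls -ld "$f" 2>/dev/null) || { echo "$f: cannot stat" >&2; return 1; }
    set -- $out
    mode=${1%[.+@]}          # drop an ACL/xattr marker some ls versions append
    owner=$3
    ok=1
    for u in $allowed; do
        [ "$owner" = "$u" ] && ok=0
    done
    if [ $ok -ne 0 ]; then
        echo "$f: owned by $owner, expected one of: $allowed" >&2
        return 1
    fi
    case $mode in
        -rw-------|-r--------) ;;          # 0600 or 0400: owner only
        *) echo "$f: mode $mode, expected 0600 (no group/other access)" >&2
           return 1 ;;
    esac
    return 0
}

# Extract the (first) sharedkey value from $1 with any comment stripped and
# check its length is 16, 24 or 32 bytes as the manual requires.
check_sharedkey() {
    key=$(awk '{ sub(/#.*/, "") } $1 == "sharedkey" { print $2; exit }' "$1")
    if [ -z "$key" ]; then
        echo "$1: no sharedkey line (the setting is required)" >&2
        return 1
    fi
    len=$(printf '%s' "$key" | wc -c | tr -d ' ')
    case $len in
        16|24|32) return 0 ;;
        *) echo "$1: sharedkey is $len bytes, AES needs 16, 24 or 32" >&2
           return 1 ;;
    esac
}

# Run both checks; the exit status is that of the first failing check.
lint_sasyncd_conf() {
    check_conf_perms "$1" "${2:-root _isakmpd}" && check_sharedkey "$1"
}

# Stand-alone use: sh lint.sh /etc/sasyncd.conf
if [ $# -gt 0 ]; then
    lint_sasyncd_conf "$1"
fi
```

Run against the real file the owner list is left at its default, so a file readable by the group or the world, or owned by the wrong user, is reported before sasyncd is started; a key of any length other than 16, 24 or 32 bytes is reported for the same reason the manual gives, AES accepts no other key sizes.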