Sasyncd… What was the problem ?
-
Hi all,
I don't know what was the problem to use sasyncd with pfSense, but it's a good tool to avoid vpn recreation in case of failover.
-
Another solved things…
After 2 weeks of parsing datas, I find a way to make sasyncd deamon work on freebsd... just for pfSense ;)
I need to debug it before realease.
If Scott Ullrich / cmb want it for testing, just PM.ps : now, with hoststated and sasyncd... we can have great things...
-
Can you provide a patch that you used for sasyncd? Did your port over the sysctl portions?
-
Hi Scott,
I doesn't touch anything else that the sasyncd sources itself.
Yes, I workaround the sysctl portion that are not (yet ?) include on freebsd.
Also, as I based this port on the OpenBSD 4.2 sasyncd, there is some unusable things on freebsd has there not implemented (carp group, isakmpd FIFO, etc) but the others improvements are good and more secure.I have both server running sasyncd fine, replication work fine.
I only need to debug some small extra things I have. -
Files upload on the cvs track.
http://cvstrac.pfsense.com/tktview?tn=1544
Possible improvement:
ioctl SIOCGIFDATA (to have the carp status more efficiently, instead of polling the carp interface to detect a switch between MASTER and BACKUP, listen to the routing socket for link change messages.)
ioctl SIOCSIFGATTR (to use sasyncd with the carp group/demote and carp multi master : Hold the carp demotion when booting, to prevent carp from preempting until sync's done with peers, etc)
These ioctl are not a must:
-
Currently carp status is found with another ioctl (SIOCGVH)
-
pfSense box don't play with multiples master on the same carp, and don't use groups.
When I have some time to spend on it, I'll have a look.
Impossible walkthrough:
ISAKMPD_FIFO (On openBSD, it’s used to set isakmpd into active or passive mode, according to the current carp state.)
I think that racoon doesn't have a similar feature (active/passive mode)
If it's the case, there is no way to have it without touching the racoon source code.
Regards,
-
-
Great work! Can you submit this to freebsd-net@freebsd.org as well for comments / directions from the community on how we can get this commited to the official FreeBSD tree?
Thanks for all the work on this!