Netgate Discussion Forum
Sasyncd… What was the problem?

Category: IPsec
6 Posts, 2 Posters, 3.6k Views
SurfceS

Hi all,

I don't know what the problem was with using sasyncd with pfSense, but it's a good tool to avoid VPN recreation in case of failover.
SurfceS

Another solved thing…

After 2 weeks of parsing data, I found a way to make the sasyncd daemon work on FreeBSD... just for pfSense ;)

I need to debug it before release.
If Scott Ullrich / cmb want it for testing, just PM.

PS: now, with hoststated and sasyncd... we can have great things...
sullrich

Can you provide a patch that you used for sasyncd? Did you port over the sysctl portions?
SurfceS

Hi Scott,

I didn't touch anything other than the sasyncd sources themselves.

Yes, I worked around the sysctl portions that are not (yet?) included on FreeBSD.
Also, as I based this port on the OpenBSD 4.2 sasyncd, there are some unusable things on FreeBSD as they are not implemented there (CARP groups, isakmpd FIFO, etc.), but the other improvements are good and more secure.

I have both servers running sasyncd fine; replication works fine.
I only need to debug some small extra things I have.
SurfceS

Files uploaded to the CVS track.

http://cvstrac.pfsense.com/tktview?tn=1544

Possible improvements:

ioctl SIOCGIFDATA (to get the CARP status more efficiently: instead of polling the CARP interface to detect a switch between MASTER and BACKUP, listen to the routing socket for link change messages.)

ioctl SIOCSIFGATTR (to use sasyncd with the CARP group/demote and CARP multi-master: hold the CARP demotion when booting, to prevent CARP from preempting until sync is done with peers, etc.)

These ioctls are not a must:

• Currently the CARP status is found with another ioctl (SIOCGVH)

• pfSense boxes don't play with multiple masters on the same CARP, and don't use groups.

When I have some time to spend on it, I'll have a look.

Impossible walkthrough:

ISAKMPD_FIFO (On OpenBSD, it's used to set isakmpd into active or passive mode, according to the current CARP state.)

I think that racoon doesn't have a similar feature (active/passive mode).

If that's the case, there is no way to have it without touching the racoon source code.

Regards,
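The post above sketches two pieces of failover logic: switch the IKE daemon between active and passive mode according to the CARP state, and hold the CARP demotion at boot so a node cannot preempt a master before its SA replication has finished. The model below is an added example, not code from the thread or from sasyncd; it does not touch the kernel (no ioctl or routing socket), it only models the decision logic behind those events. The class and function names (SaSyncController, on_carp_event, on_peer_synced, simulate_boot_failover) and the peer names are hypothetical, and the choice to stay passive if a MASTER event arrives while the hold is still in place is this example's own defensive rule.

```python
"""Added example, not sasyncd code: a model of the CARP-driven IKE mode
controller described in the thread. Kernel calls are left out; the caller
feeds CARP state changes and peer-sync completions in."""
from enum import Enum


class CarpState(Enum):
    INIT = "INIT"
    BACKUP = "BACKUP"
    MASTER = "MASTER"


class IkeMode(Enum):
    PASSIVE = "passive"  # only respond to negotiations, never initiate
    ACTIVE = "active"    # initiate and renegotiate SAs as the live master


class SaSyncController:
    """Hypothetical controller: maps CARP events to an IKE daemon mode and
    keeps a demotion hold until every configured peer has synced."""

    def __init__(self, peers):
        self.peers = set(peers)
        self.synced = set()
        self.carp_state = CarpState.INIT
        self.ike_mode = IkeMode.PASSIVE
        # Held at boot: a node that does not yet hold the peers' SAs must not
        # preempt the current master (the "hold the carp demotion" item).
        self.demotion_held = True
        self.log = []

    def demotion_hold_active(self):
        return self.demotion_held

    def on_peer_synced(self, peer):
        """Record that SA replication from `peer` completed. Returns True if
        this completion released the demotion hold."""
        if peer not in self.peers:
            raise ValueError(f"unknown peer {peer!r}")
        self.synced.add(peer)
        if self.demotion_held and self.synced == self.peers:
            self.demotion_held = False
            self.log.append("all peers synced: demotion hold released")
            # If CARP already reported MASTER while we were held, go active now.
            if self.carp_state is CarpState.MASTER:
                self.ike_mode = IkeMode.ACTIVE
                self.log.append("MASTER -> active")
            return True
        return False

    def on_carp_event(self, state):
        """Handle a CARP state change (from a routing-socket link message or an
        ioctl poll). Returns the IKE mode the daemon should now run in."""
        if not isinstance(state, CarpState):
            raise TypeError("state must be a CarpState")
        if self.carp_state is state:
            return self.ike_mode  # duplicate notification, nothing changes
        self.carp_state = state
        if state is CarpState.MASTER and self.demotion_held:
            # Example's own rule: becoming master before sync finished is
            # unsafe, so stay passive rather than renegotiate SAs we may lack.
            self.log.append("MASTER while held: staying passive")
            return self.ike_mode
        self.ike_mode = IkeMode.ACTIVE if state is CarpState.MASTER else IkeMode.PASSIVE
        self.log.append(f"{state.value} -> {self.ike_mode.value}")
        return self.ike_mode


def simulate_boot_failover():
    """Worked scenario with a constructed peer: boot as BACKUP, finish syncing,
    take over as MASTER, then fall back to BACKUP. Returns the IKE modes seen."""
    ctl = SaSyncController(["peer1"])
    modes = [ctl.on_carp_event(CarpState.BACKUP).value]
    ctl.on_peer_synced("peer1")
    modes.append(ctl.on_carp_event(CarpState.MASTER).value)
    modes.append(ctl.on_carp_event(CarpState.BACKUP).value)
    return modes


if __name__ == "__main__":
    print(simulate_boot_failover())
```

In a real daemon the `on_carp_event` input would come from the SIOCGVH poll the post mentions (or, as the post suggests, from routing-socket link messages), and `on_peer_synced` from the replication channel; the point of the model is that the mode switch and the hold are decided in one place, so a node never initiates IKE as master with an incomplete SA table.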
sullrich

Great work! Can you submit this to freebsd-net@freebsd.org as well for comments / directions from the community on how we can get this committed to the official FreeBSD tree?

Thanks for all the work on this!
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.