1. Home
  2. pfSense® Software
  3. IPsec
  4. Sasyncd… What was the problem ?

Sasyncd… What was the problem ?

  • S

    Hi all,

    I don't know what was the problem to use sasyncd with pfSense, but it's a good tool to avoid vpn recreation in case of failover.

    0
  • S

    Another solved things…

    After 2 weeks of parsing datas, I find a way to make sasyncd deamon work on freebsd... just for pfSense ;)

    I need to debug it before realease.
    If Scott Ullrich / cmb want it for testing, just PM.

    ps : now, with hoststated and sasyncd... we can have great things...

    0
  • S

    Can you provide a patch that you used for sasyncd? Did your port over the sysctl portions?

    0
  • S

    Hi Scott,

    I doesn't touch anything else that the sasyncd sources itself.

    Yes, I workaround the sysctl portion that are not (yet ?) include on freebsd.
    Also, as I based this port on the OpenBSD 4.2 sasyncd, there is some unusable things on freebsd has there not implemented (carp group, isakmpd FIFO, etc) but the others improvements are good and more secure.

    I have both server running sasyncd fine, replication work fine.
    I only need to debug some small extra things I have.

    0
  • S

    Files upload on the cvs track.

    http://cvstrac.pfsense.com/tktview?tn=1544

    Possible improvement:

    ioctl SIOCGIFDATA (to have the carp status more efficiently, instead of polling the carp interface to detect a switch between MASTER and BACKUP, listen to the routing socket for link change messages.)

    ioctl SIOCSIFGATTR (to use sasyncd with the carp group/demote and carp multi master : Hold the carp demotion when booting, to prevent carp from preempting until sync's done with peers, etc)

    These ioctl are not a must:

    • Currently carp status is found with another ioctl (SIOCGVH)

    • pfSense box don't play with multiples master on the same carp, and don't use groups.

    When I have some time to spend on it, I'll have a look.

    Impossible walkthrough:

    ISAKMPD_FIFO (On openBSD, it’s used to set isakmpd into active or passive mode, according to the current carp state.)

    I think that racoon doesn't have a similar feature (active/passive mode)

    If it's the case, there is no way to have it without touching the racoon source code.

    Regards,

    0
  • S

    Great work!  Can you submit this to freebsd-net@freebsd.org as well for comments / directions from the community on how we can get this commited to the official FreeBSD tree?

    Thanks for all the work on this!

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy