Date: Thu, 5 Apr 2007 12:44:00 -0500
From: David DeSimone <fox@verio.net>
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Status of sasyncd for IPSEC?
Message-ID: <20070405174359.GA23665@verio.net>

Hello Lists -

Sorry for the cross-post, but I am not actually sure which list this question belongs on.

I have been working on building HA firewall/VPN systems using PF and IPSEC and CARP. The systems work quite well, however there is a small gap in the desired feature set: HA VPN.

I believe OpenBSD has a daemon called sasyncd(8) which utilizes pfsync(4) to synchronize the negotiated SA's between the cluster members. So, if one firewall fails, the other can pick up and continue not only firewall state but VPN activity without a hitch.

So I am wondering, what is the status of a port of sasyncd to FreeBSD? Any pointers appreciated.

I am also wondering about IKE synchronization. My understanding is that sasyncd keeps the IPSEC SA's sync'd between cluster members, but the IKE negotiations are not synchronized. I imagine that racoon(8) would have to take on that role, and I am curious if any work has been done to facilitate this.

If there is any further work needed, I would like to look into completing it, but I don't want to start from scratch unless I have to. Please let me know what info is available.

-- 
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley