From: David DeSimone <fox@verio.net>
Date: Thu, 5 Apr 2007 12:44:00 -0500
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Status of sasyncd for IPSEC?
Message-ID: <20070405174359.GA23665@verio.net>

Hello Lists -

Sorry for the cross-post, but I am not actually sure which list this question belongs on.

I have been working on building HA firewall/VPN systems using PF and IPSEC and CARP.
The systems work quite well, however there is a small gap in the desired feature set: HA VPN. I believe OpenBSD has a daemon called sasyncd(8) which utilizes pfsync(4) to synchronize the negotiated SA's between the cluster members. So, if one firewall fails, the other can pick up and continue not only firewall state but VPN activity without a hitch.

So I am wondering, what is the status of a port of sasyncd to FreeBSD? Any pointers appreciated.

I am also wondering about IKE synchronization. My understanding is that sasyncd keeps the IPSEC SA's sync'd between cluster members, but the IKE negotiations are not synchronized. I imagine that racoon(8) would have to take on that role, and I am curious if any work has been done to facilitate this.

If there is any further work needed, I would like to look into completing it, but I don't want to start from scratch unless I have to. Please let me know what info is available.

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley