I'll see if I can cobble some docs together or at least submit an example
sasyncd.conf file. I pre-ordered 3.8, and am _now_ eagerly looking forward to
bringing this up. I was not asking the list for a howto; I really had not even
heard about this feature. The man page seems pretty straightforward, in fact
OBSD's man pages are in general very usable, making howtos in general
unnecessary.



Theo pointed out that sasyncd will not yet fail back after a dead peer has been
brought back online. This could be a minor problem, i.e. only bring failed
units back online after hours. So I guess we would use ifstated to

sysctl net.inet.carp.allow=0

and keep the new master pegged until we can actually restart isakmpd ....
Does that make sense? If the SADB is being propagated around, shouldn't we be
able to run a tunnel from anyone who has a valid copy of the DB?

I guess I have some poking to do, and interesting entries for November's TPS 
reports.





> -----Original Message-----
> From: Brian A. Seklecki [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 21, 2005 06:22 PM
> To: [EMAIL PROTECTED]
> Cc: misc@openbsd.org, 'Jason Dixon'
> Subject: Re: Statefull VPN failover a fork from "Re:  iptables vs pf"
> 
> More to the point, "how to find this info".
> 
> 1: Go to http://www.openbsd.org/cgi-bin/man.cgi
> 2: click "apropos"
> 3: make sure "current" is selected
> 4: query "sync"
> 5: click on "sasyncd(8)" and "sasyncd.conf(5)"
> 
> http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386
> http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386
> 
> 6: Once intimately familiar with the process, write some Docs and submit 
> them for translation.
> 
> Also, someone at NYC BSDcon 05 gave a presentation and had slides.  Try to 
> find those too.
> 
> Best of luck.
> 
> ~BAS
> 
> On Thu, 20 Oct 2005, [EMAIL PROTECTED] wrote:
> 
> > I have been moving a single Linux FW to a pair of OBSD machines, lured by 
> > carp and pfsync. This has been working well in my test environment.  This 
> > also led me to VPNs running with ISAKMPD, replacing a Freeswan box, and 
> > forestalling purchasing proprietary products for site-to-site partner VPNs.
> >
> > THE POINT: Where will I find docs that explains how this is done "Oh, and 
> > when your 3.8 VPNs failover   statefully, too.  :)" ?
> >
> >> -----Original Message-----
> >> From: Jason Dixon [mailto:[EMAIL PROTECTED]
> >> Sent: Thursday, October 20, 2005 02:07 AM
> >> To: 'Edy Purnomo'
> >> Cc: misc@openbsd.org
> >> Subject: Re: iptables vs pf
> >>
> >> On Oct 19, 2005, at 6:21 PM, Edy Purnomo wrote:
> >>
> >>> I suggested to my friend to replace his Linux box with OpenBSD.
> >>> He uses it mainly as an internet gateway: pf + squid proxy.
> >>> After 2 weeks he switched it back to Linux and said: Linux is much
> >>> faster to respond to the http requests (he had the same configuration on
> >>> OpenBSD, pf + squid proxy).
> >>>
> >>> Is there any program that can prove what he says?
> >>> Thanks.
> >>
> >> Three points:
> >>
> >> 1) No way in hell is iptables faster than PF.
> >>
> >> 2) His box _may_ pass traffic faster, but this is almost certainly
> >> due to the support level of the hardware.  Without real information,
> >> it's hard to qualify this.
> >>
> >> 3) Who cares?  Why are you worried about what your friend uses?  If
> >> it works for him, so be it.  Rather than trying to bring him over
> >> "cuz PF is l33t", just make sure you mention how cool it is when your
> >> stateful firewalls run 24x7.  Oh, and when your 3.8 VPNs failover
> >> statefully, too.  :)
> >>
> >> http://www.openbsd.org/goals.html
> >>
> >>
> >> --
> >> Jason Dixon
> >> DixonGroup Consulting
> >> http://www.dixongroup.net
> >
> >
> 
> l8*
>       -lava
> 
> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
