On 2013/12/04 10:19, Andy wrote:
> Yea I had the same problem with sasynd but I found a simple solution that
> allows for faster failover than DPD.
> 
> The issue I found was that when isakmpd starts on the carp 'backup', the -S
> stops it from chatting which is great, but I also found it seems to
> stop it from reading the ipsec.conf file! So when you switch over isakmpd
> doesn't know about the policies even though it has the phase 1 and phase 2
> policies from the master.
> 
> The solution I found was to edit /etc/rc.d/sasyncd adding:
> 
> rc_start() {
>    # give carp/isakmpd a moment to settle before sasyncd comes up
>    sleep 10
>    ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
>    # once sasyncd is running, load the flows isakmpd -S never read
>    sleep 5
>    ipsecctl -f /etc/ipsec.conf
> }
> 
> It is still not perfect as a VPN failover as it still seems to take a few
> seconds as the trust relationship cannot be fully replicated by sasyncd, so
> some sort of renegotiation is still needed, but not a full rebuild.
> 
> I've been meaning to look at testing this more and maybe adding this to the
> code if I can prove it (along with many other things I want to contribute,
> but I'm so busy and the learning curve of a new code base means all the
> things I want to contribute will take me an age).
> 
> Andy

This is definitely worth investigation, but this seems different to what
I saw: the machines got in a state where not even shutting down ipsec
related daemons and "ipsecctl -F" was enough to get them out of it.

However thinking about this again today, I wonder if some badness was
getting synced by pfsync instead... (this was on quite an old setup though,
and I don't have the kit to test on now).
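An added check, not from this thread, that an operator could run on the new CARP master after a failover to spot the state Andy describes (flows declared in ipsec.conf absent from the kernel SPD): it compares live `ipsecctl -sf` output against an expected flow list. The sample `ipsecctl -sf` output and the expected list below are constructed.

```shell
#!/bin/sh
# Post-failover SPD check (added example, not from the thread): report every
# expected flow that the kernel does not carry, so it can be reloaded with
# "ipsecctl -f /etc/ipsec.conf". Expected flows are assumed to be listed one
# per line as "<dir> <src> <dst>".

# Constructed sample of "ipsecctl -sf" on a backup that came up with
# isakmpd -S and never read ipsec.conf: only one tunnel's flows are present.
SAMPLE_FLOWS='flow esp in from 192.0.2.0/24 to 10.1.0.0/16 peer 198.51.100.7 srcid FQDN/a.example dstid FQDN/b.example type use
flow esp out from 10.1.0.0/16 to 192.0.2.0/24 peer 198.51.100.7 srcid FQDN/a.example dstid FQDN/b.example type require'

# Constructed list of the flows ipsec.conf is supposed to install.
EXPECTED_FLOWS='in 192.0.2.0/24 10.1.0.0/16
out 10.1.0.0/16 192.0.2.0/24
in 203.0.113.0/24 10.1.0.0/16
out 10.1.0.0/16 203.0.113.0/24'

# missing_flows FLOWS EXPECTED: print each expected flow that FLOWS lacks.
missing_flows() {
    printf '%s\n' "$2" | while read -r dir src dst; do
        [ -n "$dir" ] || continue
        # trailing space keeps 10.1.0.0/16 from matching 10.1.0.0/160 etc.
        printf '%s\n' "$1" | grep -qF "flow esp $dir from $src to $dst " \
            || printf '%s %s %s\n' "$dir" "$src" "$dst"
    done
}

# flows_ok FLOWS EXPECTED: exit 0 only when nothing is missing.
flows_ok() {
    [ -z "$(missing_flows "$1" "$2")" ]
}

if [ "${1:-}" = "--live" ]; then
    # On a real OpenBSD host: compare the kernel SPD with the expected list.
    missing_flows "$(ipsecctl -sf)" "$EXPECTED_FLOWS"
fi
```

Run it with `--live` on the host after the CARP switch; empty output means the SPD matches, anything printed is a flow that isakmpd -S never installed.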
