>> Searching in Google and reading some docs, I have several doubts
>> about which one to choose. If I am not wrong, iked doesn't support
>> sasyncd, is it correct??
>
> I am *much* happier with my use of isakmpd since I got rid of sasyncd
> and just rely on dead peer detection (DPD), I use ifstated to kill
> isakmpd and flush ipsec if the state of the carp interface changes to
> backup, or start isakmpd and load ipsec rules when the state changes
> to master. When I used sasyncd I got into various situations where
> things wouldn't work until I disabled it and rebooted both vpn
> gateways. Obviously this only works if your clients support DPD.

Interesting. I've got sasyncd to work pretty well by introducing a rather long sleep before restoring the carp demote, with my main problem being the fallback/restore to the designated master after a short period of the backup being active (the failover from master to backup works well). However, with a "standard" IKE config, the tunnel restores itself within some time. I'm keen on debugging sasyncd; were your issues similar?
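
The ifstated approach described in the quoted reply above, sketched as an ifstated.conf. This is an added example, not a configuration posted by anyone in this thread. It assumes the carp interface is carp0, that the IPsec rules live in /etc/ipsec.conf and are loaded with ipsecctl, and that isakmpd is started with -K.

```conf
# /etc/ifstated.conf (constructed example; interface name, file path and
# isakmpd flags are assumptions, not taken from the thread)

init-state auto

# On a carp interface, link "up" means MASTER and link "down" means BACKUP.
carp_master = "carp0.link.up"
carp_backup = "carp0.link.down"

state auto {
	if $carp_master
		set-state master
	if $carp_backup
		set-state backup
}

state master {
	init {
		# Became master: start isakmpd, then load the IPsec rules.
		# -K skips the keynote policy file because flows come from ipsecctl.
		run "isakmpd -K"
		run "ipsecctl -f /etc/ipsec.conf"
	}
	if $carp_backup
		set-state backup
}

state backup {
	init {
		# Became backup: stop isakmpd and flush all SAs and flows so this
		# gateway holds no stale state when it is promoted again.
		run "pkill isakmpd"
		run "ipsecctl -F"
	}
	if $carp_master
		set-state master
}
```

Because the SAs are flushed rather than synchronised, tunnels only come back after failover once the remote peers notice the dead peer via DPD and renegotiate with the new master.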

