Contributed by mbalmer from the if-it-fails-it-does-not-fail dept.
Late in 2005 when OpenBSD 3.8 came out, a sasyncd daemon first appeared. It was written by Håkan Olsson and funded by Multicom Security AB. As many know by now, sasyncd brought us true failover of VPNs with state. Håkan raised the bar considerably and to my knowledge OpenBSD is again the first to ever achieve this. Since many of us maintain VPNs, this was a blessing that we only dreamed of having come true.
We soon discovered that sasyncd was not quite polished and we also hoped that most of it would be finished during this year's hackathon. Ryan McBride (mcbride@) worked on fixing sasyncd while Hans Hoexer (hshoexer@) and Mathieu Sauve-Frankel (msf@) worked on ipsecctl (the isakmpd.conf killer). My role was simply to test and give feedback. I was also one of those guys who resisted change (isakmpd.conf --> ipsec.conf) even though Theo told me well in advance that isakmpd.conf was going the way of the Dodo bird real soon (not in those same words, of course). So it was an awkward situation when I kept telling Ryan that his diffs weren't working and he then finally replied, "You're using ipsec.conf, right?" Theo was within spitting distance of me and I thought for sure that I was going to get 50 lashes with a wet tip when I said, "ah, no ... I'm still using isakmpd.conf." *ducks for cover*

Theo did warn me about changes forthcoming and I saw signs of this when I noticed that ipsecadm was taken out of the tree. I asked how we manually flush tunnels now that ipsecadm was gone. Reyk Floeter (reyk@) turns to me and says, "ipsecctl -F". I kept thinking to myself, "duh, of course, even without reading the man page, that should have been obvious." Well, needless to say, that was the turning point for me, but I needed help as I could never get ipsec.conf working for CARP'd VPNs.
Todd Fries (todd@) helped me to get ipsec.conf set up properly but it took us into the wee hours of the morning to do so. After a lot of troubleshooting we realized that we overlooked one very important thing when setting up ipsec.conf for use with CARP'd VPN servers. We needed to specify the "local <localip>" to listen on the carp interface. Again, a silly oversight as I had specified this in my isakmpd.conf files. Anyhow, when we made that addition, it just magically worked and my huge isakmpd.conf file was turned into a one-line ipsec.conf file! Even though we were both exhausted, it was like we just won the Super Bowl :)
The next day, I tackled sasyncd with my four-box VPN system using the new ipsec.conf configuration and tried to fail over the VPN but without success. I noticed that when I failed over the MASTER VPN server, the Security Associations (SAs) were deleted on the other end (VPN peers). However, if I pulled the power on the MASTER, then the VPN failed over as expected. I sat down with Hans Hoexer and he told me that he knew how to fix it and that it would be a simple fix. Shortly thereafter I received a diff from Hans and it did the job! His change made sure that the flows were not deleted on a graceful failover. I could now fail over the VPN with state using ipsec.conf rather than isakmpd.conf. Yet, there was one last piece of the puzzle that needed to be fixed -- sasyncd. By the time the hackathon was almost over, on the last day in fact, Ryan did his usual magic and had finished sasyncd to start and synchronize the SAs only after the rc scripts were completed on boot, taking into account whether it was MASTER or BACKUP.
True VPN failover while keeping state is now a reality!