[strongSwan] What is expected "ipsec update" & "ipsec reload" behavior?
Ansis Atteka
ansisatteka at gmail.com
Tue Feb 17 21:46:13 CET 2015
On 17 February 2015 at 07:16, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Ansis,
>
> > Does it try to say that, if IPsec tunnel was previously established and
> > then, if corresponding "conn" entry for that tunnel disappeared from the
> > ipsec.conf file, then after "ipsec update" call those tunnels would
> > still remain in the StrongSwan?
>
> That's what it says, yes. But connections might actually still be
> affected by these updates, see [1] and the related ticket for details.
> To not affect unchanged connections you should use `update` instead of
> `reload`, which replaces all configs.
>
Just curious, what are the use cases to not remove those tunnels that
disappeared from ipsec.conf?
If there are use-cases, then would it make sense to implement another
similar command to "ipsec update", but one that would also terminate those
tunnels that disappeared from the ipsec.conf? This would make it easier to
automate StrongSwan. Otherwise, the daemon that automates strongSwan needs
to keep track for which tunnels it called "ipsec stroke down-nb" and for
which it did not.
Anyway, thanks for the "ipsec stroke down-nb" tip.
>
> > If yes, then how can I force strongSwan to remove those tunnels that are
> > no longer in ipsec.conf file?
>
> You terminate them manually with `ipsec down`. To avoid blocking we
> added the `ipsec stroke down-nb` (and `up-nb`) command with 5.1.0 (a
> delete exchange is still initiated but the command itself does not block).
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/issues/129
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150217/40f6c3cd/attachment.html>
More information about the Users
mailing list