Hi SS team,<br><br>When I make changes to the traffic selector of an IPsec connection that uses "auto=route", "ipsec update" fails to update IPsec policies in the kernel. The only way I can get around this issue is by using "ipsec unroute", followed by "ipsec update".<br>
<br>I am using strongswan 5.0.1. Is this a bug? Any fix?<br><br>ipsec.conf:<br><b>conn site2site</b><br>        keyexchange=ikev1<br>        left=172.16.20.2<br>        right=172.16.20.3<br>        <b>leftsubnet=172.16.40.0/24<br>
        rightsubnet=172.16.50.0/24</b><br>        leftid=172.16.20.2<br>        rightid=172.16.20.3<br>        type=tunnel<br>        ike=aes128-sha1-modp1536!<br>        esp=aes128-sha1!<br>
        ikelifetime=86400s<br>        keylife=3600s<br>        leftauth=secret<br>        rightauth=secret<br>        auto=route<br>    <br>ipsec status <br>Connections:<br>   site2site:  172.16.20.2...172.16.20.3  IKEv1<br>
   site2site:   local:  [172.16.20.2] uses pre-shared key authentication<br>   site2site:   remote: [172.16.20.3] uses pre-shared key authentication<br>   <b>site2site:   child:  172.16.40.0/24 === 172.16.50.0/24 TUNNEL</b><br>
Routed Connections:<br>   site2site{1}:  ROUTED, TUNNEL<br>   <b>site2site{1}:   172.16.40.0/24 === 172.16.50.0/24</b><br>Security Associations (0 up, 0 connecting):<br>
  none<br><br>left/rightsubnet updated:<br><br>conn site2site<br>        keyexchange=ikev1<br>        left=172.16.20.2<br>        right=172.16.20.3<br>        <b>leftsubnet=172.16.70.0/24<br>
        rightsubnet=172.16.80.0/24</b><br>        leftid=172.16.20.2<br>        rightid=172.16.20.3<br>        type=tunnel<br>        ike=aes128-sha1-modp1536!<br>        esp=aes128-sha1!<br>
        ikelifetime=86400s<br>        keylife=3600s<br>        leftauth=secret<br>        rightauth=secret<br>        auto=route<br>    <br>ipsec update followed by ipsec statusall <br>.....<br>Connections:<br>   site2site:  172.16.20.2...172.16.20.3  IKEv1<br>
   site2site:   local:  [172.16.20.2] uses pre-shared key authentication<br>   site2site:   remote: [172.16.20.3] uses pre-shared key authentication<br><b>   site2site:   child:  172.16.70.0/24 === 172.16.80.0/24 TUNNEL</b><br>
Routed Connections:<br>   site2site{1}:  ROUTED, TUNNEL<br><b>   site2site{1}:   172.16.40.0/24 === 172.16.50.0/24</b><br>Security Associations (0 up, 0 connecting):<br>
<br>Thanks!<br><br>Jordan.<br><br>
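Added example, not part of the original message and not strongSwan code: a check that compares the `child:` traffic selectors under "Connections" with the selectors under "Routed Connections" in `ipsec statusall` output, to catch the stale routed policy reported above. The helper names are hypothetical, and the line layout is assumed to match the 5.0.1 output quoted in the message.

```python
import re

# Sample input: the `ipsec statusall` output quoted in the message after `ipsec update`.
SAMPLE = """\
Connections:
   site2site:  172.16.20.2...172.16.20.3  IKEv1
   site2site:   local:  [172.16.20.2] uses pre-shared key authentication
   site2site:   remote: [172.16.20.3] uses pre-shared key authentication
   site2site:   child:  172.16.70.0/24 === 172.16.80.0/24 TUNNEL
Routed Connections:
   site2site{1}:  ROUTED, TUNNEL
   site2site{1}:   172.16.40.0/24 === 172.16.50.0/24
Security Associations (0 up, 0 connecting):
"""

# Assumption: line layout as in the strongSwan 5.0.1 output shown in the message.
CHILD_RE = re.compile(r"^\s+(\S+):\s+child:\s+(.+?) === (.+?)\s+[A-Z].*$")
ROUTED_RE = re.compile(r"^\s+(\S+)\{\d+\}:\s+(.+?) === (.+?)\s*$")

def _ts(local, remote):
    # Normalise a selector pair so the order of multiple subnets does not matter.
    return tuple(sorted(local.split())), tuple(sorted(remote.split()))

def parse_status(text):
    """Return ({conn: configured selectors}, {conn: routed selectors})."""
    configured, routed, section = {}, {}, ""
    for line in text.splitlines():
        if line and not line[0].isspace():   # unindented line starts a new section
            section = line.strip()
            continue
        if section.startswith("Connections"):
            m = CHILD_RE.match(line)
            if m:
                configured[m.group(1)] = _ts(m.group(2), m.group(3))
        elif section.startswith("Routed Connections"):
            m = ROUTED_RE.match(line)
            if m:
                routed[m.group(1)] = _ts(m.group(2), m.group(3))
    return configured, routed

def stale_routes(text):
    """Connections whose routed selectors differ from the loaded configuration."""
    configured, routed = parse_status(text)
    return [(n, configured[n], routed[n]) for n in sorted(routed)
            if n in configured and configured[n] != routed[n]]

if __name__ == "__main__":
    for name, want, have in stale_routes(SAMPLE):
        print(f"{name}: config has {want} but routed policy is {have}")
```

A non-empty result after `ipsec update` means the routed policy still carries the old selectors, which is the state the message works around with `ipsec unroute` followed by `ipsec update`.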