[strongSwan-dev] ipsec rereadsecrets restarts tunnels
James Hulka
jah at open.ch
Tue Mar 5 11:49:15 CET 2013
Hello Tobias,
thank you for the clarification and the patches. Please see my comments
inline.
Best Regards,
James
On 03/01/2013 05:16 PM, Tobias Brunner wrote:
> Hi James,
>
>> This has the effect that currently established tunnels are deleted and
>> re-initiated
>
> Hm, how so? There is no code that would cause the daemon to terminate
> any established connections or establish new ones on a simple call to
> ipsec rereadsecrets.
>> loading secrets from '/etc/ipsec.secrets'
>> loaded RSA private key from '/etc/ipsec.d/private/a.pem'
>>
>> received stroke: delete connection 'a_to_b'
>> deleted connection 'a_to_b'
>>
>> received stroke: add connection 'a_to_b'
>> loaded RSA public key for "a.a.a.a" from '/etc/ipsec.d/public/a.pub'
>> loaded RSA public key for "b.b.b.b" from '/etc/ipsec.d/public/b.pub'
>> added configuration 'a_to_b'
>> received stroke: initiate 'a_to_b'
>
> It seems there is a rereadsecrets and a reload/update happening at the
> same time (plus you seem to use auto=start). What command(s) did you
> execute exactly?
I am running an ipsec reload after the ipsec rereadsecrets call.
>> I have a situation where I would like to load a second private key to be
>> used with a second interface w/o the tunnels on the first interface
>> being interrupted.
>
> Existing tunnels should not be interrupted by ipsec rereadsecrets, but
> there is a race condition if the daemon tries to establish an SA (as
> initiator or responder) while secrets are concurrently loaded. This is
> because secrets are first cleared and only then loaded again, so there
> is a short timeframe in which some of the secrets loaded earlier might
> not be available anymore. I pushed two patches [1] that address this
> issue. Let me know if they solve your problem.
With your patches + strongSwan v5.0.2, the ipsec rereadsecrets + ipsec
reload behavior remains the same.
When I change the ipsec reload to ipsec update, the already established
connection is not affected by the update call, which solves my
problem.
> Regards,
> Tobias
>
> [1]
> http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/fix-rereadsecrets
>
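The race Tobias describes (secrets cleared first, then loaded again, leaving a window in which a concurrently negotiated SA cannot find its key) can be modelled without a daemon. The following Python is an added illustration, not strongSwan code: the class SecretStore, the method names reload_clear_then_load and reload_swap, the step-by-step scheduler and the sample key paths (b.pem is constructed; a.pem is the path from the log above) are all assumptions made for the example. It contrasts the clear-then-load ordering with the alternative of staging the new table privately and publishing it in one assignment, and records what a lookup sees after each step of either reload.

```python
"""Model of two ways a daemon can reload its in-memory secret table.

Added example, not strongSwan code. SecretStore, reload_clear_then_load,
reload_swap and lookups_during_reload are hypothetical names; the key
tables below are constructed sample data.
"""
from typing import Dict, Iterator, List, Optional

# Constructed sample data: identity -> private key file backing it.
ON_DISK_V1: Dict[str, str] = {"a.a.a.a": "/etc/ipsec.d/private/a.pem"}
ON_DISK_V2: Dict[str, str] = {
    "a.a.a.a": "/etc/ipsec.d/private/a.pem",
    "b.b.b.b": "/etc/ipsec.d/private/b.pem",  # constructed second key
}


class SecretStore:
    """In-memory table of loaded secrets, as a daemon might keep it."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = dict(secrets)

    def lookup(self, identity: str) -> Optional[str]:
        """What an SA negotiation asks for; None means 'no key available'."""
        return self._secrets.get(identity)

    def reload_clear_then_load(self, on_disk: Dict[str, str]) -> Iterator[str]:
        """Clear the table, then re-add entries one by one.

        Each yield is a point where another thread could run; between
        'cleared' and the re-add of an entry that entry is missing.
        """
        self._secrets.clear()
        yield "cleared"
        for ident, path in on_disk.items():
            self._secrets[ident] = path
            yield f"loaded {ident}"

    def reload_swap(self, on_disk: Dict[str, str]) -> Iterator[str]:
        """Build the new table privately, then publish it in one assignment.

        Readers see either the complete old table or the complete new one.
        """
        fresh: Dict[str, str] = {}
        for ident, path in on_disk.items():
            fresh[ident] = path
            yield f"staged {ident}"
        self._secrets = fresh
        yield "swapped"


def lookups_during_reload(strategy: str, new_secrets: Dict[str, str],
                          identity: str) -> List[Optional[str]]:
    """Drive one reload strategy step by step, starting from ON_DISK_V1,
    and record what a concurrent lookup of `identity` sees after every
    step. A None in the result is the race window."""
    store = SecretStore(ON_DISK_V1)
    steps = getattr(store, strategy)(new_secrets)
    seen: List[Optional[str]] = []
    for _ in steps:
        seen.append(store.lookup(identity))
    return seen


if __name__ == "__main__":
    for name in ("reload_clear_then_load", "reload_swap"):
        print(name, lookups_during_reload(name, ON_DISK_V2, "a.a.a.a"))
```

Running the module prints one list per strategy. The clear-then-load list contains a None at the step right after the clear, which is the window in which an initiator or responder negotiating with a.a.a.a would fail to find the key; the swap list never does, and still ends with the new key visible. The same ordering concern applies to any credential or configuration table that is replaced while requests are being served.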