[strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

Martin Willi martin at strongswan.org
Thu Oct 2 10:08:26 CEST 2014


Hi Christophe,

Thanks for your patch.

> Do a little cleanup when deleting a connection via "ipsec update"
> command:
> - delete all established CHILD_SAs
> - unroute the connection
> - delete IKE_SAs that have no more CHILD_SAs
> - delete the connection
> - make sure to refuse an undesired negotiation request from the peer,
>   by deleting the connection before terminating it.

These changes certainly make sense in some scenarios. However, the
behavioral change is non-trivial. That an "update" of connections
deletes all associated SAs is not that obvious, especially as we did not
do that before. I'd guess we'd break many scripted installations with
that change.

If we introduce such a behavioral change, I think we need to make that
optional, and probably disable it by default.

Regards
Martin
