[strongSwan-dev] StrongSwan 5.2 ipsec reload behaviour changed

Tobias Brunner tobias at strongswan.org
Wed Feb 11 16:44:03 CET 2015


Hi James,

> Up to and including StrongSwan 5.0 'ipsec reload' would only
> re-initialize tunnels that have been changed in the configuration.

Actually, `ipsec reload` always removed and re-added ALL connections, not
only the changed ones.  Use `ipsec update` to only reload the changed
connections.

> Does anyone know why all policies are removed by 'ipsec reload'? It
> seems that this should not happen UNLESS all tunnel configurations have
> been removed or changed in ipsec.conf.

Since 5.0.1, removed and changed connections with `auto=route` are
unrouted (same as `ipsec unroute <name>`); this properly allows changing
`left|rightsubnet` or `auto` for such connections.  But if you use
`reload` instead of `update`, all connections are considered to have
changed, so all connections are unrouted and routed again.

Regards,
Tobias
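
Added example, not part of the original message and not strongSwan code: a simplified Python model of the behaviour described above. It predicts which `auto=route` connections would be unrouted by `ipsec update` versus `ipsec reload` for two versions of ipsec.conf. The sample configurations are constructed, and the parser is an assumption that handles only `conn` sections and `conn %default` (`also=` is not resolved).

```python
# Added illustration: a simplified model, not strongSwan's starter code.
# Constructed sample configuration (old and new versions of ipsec.conf).
OLD_CONF = """\
conn %default
    keyexchange=ikev2

conn site-a
    rightsubnet=10.1.0.0/16
    auto=route

conn site-b
    rightsubnet=10.2.0.0/16
    auto=route

conn roadwarrior
    auto=add
"""
NEW_CONF = OLD_CONF.replace("10.2.0.0/16", "10.2.0.0/24")  # only site-b changes

def parse_conns(text):
    """Return {conn_name: {key: value}} with `conn %default` merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def unrouted_by(command, old_text, new_text):
    """Routed connections that get unrouted: all for reload, changed/removed for update."""
    if command not in ("update", "reload"):
        raise ValueError("command must be 'update' or 'reload'")
    old, new = parse_conns(old_text), parse_conns(new_text)
    routed = {n: o for n, o in old.items() if o.get("auto") == "route"}
    return sorted(n for n, o in routed.items()
                  if command == "reload" or new.get(n) != o)

if __name__ == "__main__":
    for cmd in ("update", "reload"):
        print(cmd, "->", unrouted_by(cmd, OLD_CONF, NEW_CONF))
```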


