[strongSwan-dev] StrongSwan 5.2 ipsec reload behaviour changed

James Hulka jah at open.ch
Thu Feb 12 11:33:17 CET 2015

Hello Tobias,

thank you for the answer.

Please see my response inline.

>> Up to and including StrongSwan 5.0 'ipsec reload' would only
>> re-initialize tunnels that have been changed in the configuration.
> Actually, `ipsec reload` always removed and re-added ALL connections not
> only the changed ones.  Use `ipsec update` to only reload the changed
> connections.

In our case, `ipsec reload` removes all policies from the Policies DB
and does not re-add them.

If however there are no policies in the Policies DB it adds them again.

>> Does anyone know why all policies are removed by 'ipsec reload'? It
>> seems that this should not happen UNLESS all tunnel configurations have
>> been removed or change in ipsec.conf.
> Since 5.0.1 removed and changed connections with `auto=route` are
> unrouted (same as `ipsec unroute <name>`), this properly allows changing
> `left|rightsubnet` or `auto` for such connections.  But if you use
> `reload` instead of `update` all connections are considered to have
> changed, so all connections are unrouted and routed again.

We are not using auto=route.

This appears to be either a similar or exactly the same issue that was
reported here:


Best Regards,


More information about the Dev mailing list