[strongSwan-dev] StrongSwan 5.2 ipsec reload behaviour changed
James Hulka
jah at open.ch
Thu Feb 12 11:33:17 CET 2015
Hello Tobias,
thank you for the answer.
Please see my response inline.
>
>> Up to and including StrongSwan 5.0 'ipsec reload' would only
>> re-initialize tunnels that have been changed in the configuration.
>
> Actually, `ipsec reload` always removed and re-added ALL connections not
> only the changed ones. Use `ipsec update` to only reload the changed
> connections.
>
In our case, `ipsec reload` removes all policies from the Policies DB
and does not re-add them.
If however there are no policies in the Policies DB it adds them again.

>> Does anyone know why all policies are removed by 'ipsec reload'? It
>> seems that this should not happen UNLESS all tunnel configurations have
>> been removed or changed in ipsec.conf.
>
> Since 5.0.1 removed and changed connections with `auto=route` are
> unrouted (same as `ipsec unroute <name>`), this properly allows changing
> `left|rightsubnet` or `auto` for such connections. But if you use
> `reload` instead of `update` all connections are considered to have
> changed, so all connections are unrouted and routed again.

We are not using auto=route.
This appears to be either a similar or exactly the same issue that was
reported here:
https://wiki.strongswan.org/issues/397
Best Regards,
James