[strongSwan-dev] StrongSwan 5.2 ipsec reload behaviour changed

Tobias Brunner tobias at strongswan.org
Thu Feb 12 14:42:41 CET 2015


Hi James,

>>> Up to and including StrongSwan 5.0 'ipsec reload' would only
>>> re-initialize tunnels that have been changed in the configuration.
>>
>> Actually, `ipsec reload` always removed and re-added ALL connections not
>> only the changed ones.  Use `ipsec update` to only reload the changed
>> connections.
> 
> In our case, `ipsec reload` removes all policies from the Policies DB
> and does not re-add them.
> 
> If however there are no policies in the Policies DB it adds them again.

`reload` should not directly affect existing connections unless
`auto=route` is used (and even then policies should get re-added).
Connections with `auto=start` do probably get initiated, though, so that
might have an effect on existing connections (especially if you reload
connections on both involved hosts concurrently).  Could you provide
logs that show the behavior you describe above?

#397 could be an issue if multiple conn sections in your config get
merged (i.e. added as child configs to one single IKE config).  And as
described in #129 `ipsec reload` also has an effect on existing
connections when they are later rekeyed.  So using `update` instead is
definitely preferable (for changed connections these bugs still apply so
they should probably be terminated before updating the config).

Regards,
Tobias
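A practical way to produce the evidence Tobias asks for is to snapshot the kernel policy database (SPD) before and after `ipsec reload` or `ipsec update` and compare the two. The script below is an added example, not code from the strongSwan project or this thread; it assumes the `ip xfrm policy` output format of iproute2, and the two SPD dumps embedded in it (`SPD_BEFORE`, `SPD_AFTER`) are constructed to mirror the symptom James reports: all connection policies removed and none re-added. The helper names (`normalize_policies`, `policy_diff`, `spd_diff_around`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the strongSwan project: snapshot the kernel
# SPD around `ipsec reload` / `ipsec update` and report which policies
# disappeared or appeared. Assumes iproute2's `ip xfrm policy` output
# format; the sample SPD dumps below are constructed.
set -u
export LC_ALL=C   # stable sort order so sort(1) and comm(1) agree

# Reduce `ip xfrm policy` output (stdin) to one sortable line per policy:
#   "<src> <dst> <dir>"
# Socket policies ("socket out ..." instead of "dir out ...") are skipped:
# those are per-socket bypasses, not the per-connection policies charon
# installs for a conn.
normalize_policies() {
    awk '$1 == "src" { src = $2; dst = $4 }
         $1 == "dir" { print src, dst, $2 }' | sort -u
}

# Compare two normalized snapshots: "- policy" is gone, "+ policy" is new.
policy_diff() {
    comm -23 "$1" "$2" | sed 's/^/- /'
    comm -13 "$1" "$2" | sed 's/^/+ /'
}

# Number of connection policies in a normalized snapshot.
policy_count() { wc -l < "$1" | tr -d ' '; }

# Live use (needs root and iproute2): run a command between two snapshots,
# e.g.  spd_diff_around ipsec update
spd_diff_around() {
    dir=$(mktemp -d)
    ip xfrm policy | normalize_policies > "$dir/before"
    "$@"
    ip xfrm policy | normalize_policies > "$dir/after"
    policy_diff "$dir/before" "$dir/after"
    rm -rf "$dir"
}

# Constructed `ip xfrm policy` dumps: a tunnel 10.1.0.0/16 <-> 10.2.0.0/16
# with its out/in/fwd policies plus charon's socket bypass, and the same SPD
# after a reload that dropped every connection policy without re-adding it.
SPD_BEFORE='src 10.1.0.0/16 dst 10.2.0.0/16
	dir out priority 375423 ptype main
	tmpl src 192.0.2.1 dst 198.51.100.1
		proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
	dir in priority 375423 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
	dir fwd priority 375423 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
'
SPD_AFTER='src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
'

# Offline demo on the constructed dumps; prints the policy diff.
demo_diff() {
    d=$(mktemp -d)
    printf '%s' "$SPD_BEFORE" | normalize_policies > "$d/before"
    printf '%s' "$SPD_AFTER"  | normalize_policies > "$d/after"
    policy_diff "$d/before" "$d/after"
    rm -rf "$d"
}

demo_diff
```

On a real host, `spd_diff_around ipsec update` (as root) prints exactly the policies that vanished or appeared; an `auto=route` conn whose policies are removed and re-added shows up as nothing changed, while the behaviour described in the thread shows up as a list of `- ` lines with no matching `+ ` lines. Run it on one gateway at a time, since reloading both ends concurrently makes it hard to tell a policy drop from a peer-initiated delete.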
