[strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

Emeric POUPON emeric.poupon at stormshield.eu
Fri Feb 20 18:10:54 CET 2015


Unfortunately, I am facing an issue with this patch.
For example, we may want to update the configuration file since the remote host's IP address has changed.
When charon receives the terminate stroke message, it sends the DELETE message but it may take minutes before giving up if the remote host is down!
Therefore the new configuration may be applied several minutes later, which is quite unexpected.

What do you think?


----- Original Message -----
From: "Christophe Gouault" <christophe.gouault at 6wind.com>
To: "Emeric POUPON" <emeric.poupon at stormshield.eu>
Cc: "Martin Willi" <martin at strongswan.org>, dev at lists.strongswan.org
Sent: Thursday 29 January 2015 16:52:12
Subject: Re: [strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

2015-01-29 15:18 GMT+01:00 Emeric POUPON <emeric.poupon at stormshield.eu>:
> Hello,
> Thanks for your patch: I think it is definitely a good idea to flush connections that are no longer up to date with the configuration files.
> Did you manage to make an updated patch?

Hello Emeric,

I had to switch to priority tasks, so I left this patch on standby
(long-term standby ;-)). I'll try to find some time to add an option
in strongswan.conf.

> I have another related problem:
> I have two CA certificates in ipsec.d/cacerts. I can see them using "ipsec listcacerts"
> If I remove one of them and perform a "ipsec rereadcacerts", I can see in charon's log that the only remaining CA certificate is reloaded.
> However, I still see the two CA certs using the "ipsec listcacerts" command. "ipsec purgecerts" does not seem to help.
> Remote peers successfully manage to authenticate using the removed CA cert, that is quite annoying.
> Any idea?

Obviously additional clean-up is desirable.

Best Regards,
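The "minutes" Emeric mentions come from charon's retransmission schedule: a DELETE that gets no reply is retransmitted with exponentially growing waits until the configured number of tries is exhausted. The following is an added example, not code from strongSwan or from either poster, that reproduces that schedule to show the order of magnitude involved and how much a lower try count shortens it. It assumes the strongswan.conf defaults as documented at the time (charon.retransmit_tries = 5, charon.retransmit_timeout = 4.0 s, charon.retransmit_base = 1.8) and the documented formula timeout_n = retransmit_timeout * retransmit_base^n, with one final wait after the last retransmission before the exchange is abandoned; verify those values against your own strongswan.conf(5).

```python
"""Estimate how long charon waits for an unanswered IKEv2 DELETE.

Added example, not strongSwan code.  Assumed defaults (check your
strongswan.conf(5)): charon.retransmit_tries = 5,
charon.retransmit_timeout = 4.0, charon.retransmit_base = 1.8.
Assumed schedule: the n-th wait is retransmit_timeout * retransmit_base ** n,
and after the last retransmission charon waits once more before giving up.
"""


def retransmit_schedule(tries=5, timeout=4.0, base=1.8):
    """Return the list of waits, in seconds, between the initial send,
    each of the `tries` retransmissions, and the final give-up.

    There are tries + 1 waits: one after the initial message, one after
    each retransmission (the last of those is the give-up timer).
    """
    return [timeout * base ** n for n in range(tries + 1)]


def total_wait(tries=5, timeout=4.0, base=1.8):
    """Seconds from the first DELETE until charon declares the peer gone."""
    return sum(retransmit_schedule(tries, timeout, base))


def compare(profiles):
    """Map a profile name to its total wait, rounded to a tenth of a second.

    `profiles` is {name: dict(tries=..., timeout=..., base=...)}; unspecified
    keys fall back to the assumed defaults above.
    """
    return {name: round(total_wait(**params), 1) for name, params in profiles.items()}


if __name__ == "__main__":
    # Constructed comparison: the assumed defaults versus a configuration that
    # gives up after two retries (charon.retransmit_tries = 2).
    results = compare({"defaults": {}, "retransmit_tries=2": {"tries": 2}})
    for name, seconds in results.items():
        print(f"{name:20s} {seconds:7.1f} s  ({seconds / 60:.1f} min)")
```

With the assumed defaults the DELETE exchange only fails after roughly 165 seconds, which is the delay Emeric observes before the new configuration takes effect; cutting charon.retransmit_tries to 2 brings that down to about 24 seconds, at the cost of tearing down SAs to peers that are merely slow to answer.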

