[strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

Emeric POUPON emeric.poupon at stormshield.eu
Thu Jan 29 15:18:46 CET 2015


Hello,

Thanks for your patch: I think it is definitely a good idea to flush connections that are no longer up to date with the configuration files.
Did you manage to make an updated patch?

I have another related problem:
I have two CA certificates in ipsec.d/cacerts. I can see them using "ipsec listcacerts".
If I remove one of them and perform an "ipsec rereadcacerts", I can see in charon's log that the only remaining CA certificate is reloaded.
However, I still see the two CA certs using the "ipsec listcacerts" command. "ipsec purgecerts" does not seem to help.
Remote peers successfully manage to authenticate using the removed CA cert, which is quite annoying.

Any idea?

Best Regards,

Emeric
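A small check for the situation described above (the daemon still listing a CA whose file was removed from ipsec.d/cacerts). This is an added example, not code from this thread or from the strongSwan project. The `ipsec listcacerts` layout it parses, the sample output, and the on-disk subject set are constructed assumptions; if your strongSwan version prints a different layout, adjust `parse_blocks()`.

```python
"""Compare the CA certificates charon holds in memory with ipsec.d/cacerts.

Added example; not code from the strongSwan project or from this thread.
Assumes the `ipsec listcacerts` layout shown in the constructed sample below
(a blank-line-separated block per certificate, indented "key: value" lines,
subject DN in double quotes).
"""
import re

# Constructed sample of `ipsec listcacerts` output after one CA file was
# deleted and `ipsec rereadcacerts` run: both CAs are still listed, which is
# the situation reported above.
SAMPLE_LISTCACERTS = """\
List of X.509 CA Certificates:

  subject:  "C=CH, O=Example, CN=Example Root CA"
  issuer:   "C=CH, O=Example, CN=Example Root CA"
  validity:  not before Jan 01 00:00:00 2014, ok
             not after  Dec 31 23:59:59 2034, ok (expires in 3000 days)
  serial:    01

  subject:  "C=CH, O=Example, CN=Old Partner CA"
  issuer:   "C=CH, O=Example, CN=Old Partner CA"
  validity:  not before Jan 01 00:00:00 2013, ok
             not after  Dec 31 23:59:59 2023, ok (expires in 100 days)
  serial:    02
"""

# Constructed sample: subject DNs of the files still present in ipsec.d/cacerts
# (in live use, e.g. from `openssl x509 -in <file> -noout -subject`, spelled
# the way strongSwan prints them). Only the root CA file is left on disk.
SAMPLE_ON_DISK = {"C=CH, O=Example, CN=Example Root CA"}

FIELD_RE = re.compile(r'^\s{2}(?P<key>[a-z]+):\s+(?P<value>.*)$')
QUOTED_RE = re.compile(r'^"(.*)"$')
EXPIRED_RE = re.compile(r'\bexpired\b')


def parse_blocks(text: str) -> list[dict]:
    """Split listcacerts output into one dict of fields per certificate."""
    certs, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            value = m.group("value").strip()
            q = QUOTED_RE.match(value)
            current[m.group("key")] = q.group(1) if q else value
        elif not line.strip():
            if current:  # blank line closes the current certificate block
                certs.append(current)
                current = {}
        elif current and line.startswith(" "):
            # continuation line (the "not after" half of "validity")
            last_key = list(current)[-1]
            current[last_key] += " " + line.strip()
    if current:
        certs.append(current)
    return certs


def loaded_subjects(listcacerts_text: str) -> set[str]:
    """Subject DNs the daemon currently reports as trusted CAs."""
    return {c["subject"] for c in parse_blocks(listcacerts_text) if "subject" in c}


def stale_cas(listcacerts_text: str, on_disk_subjects: set[str]) -> set[str]:
    """CA subjects still trusted in memory although no file on disk carries them.

    An empty result means the in-memory trust store and ipsec.d/cacerts agree.
    """
    return loaded_subjects(listcacerts_text) - set(on_disk_subjects)


def expired_cas(listcacerts_text: str) -> set[str]:
    """CA subjects whose 'not after' part is flagged 'expired' (assumed marker)."""
    return {
        c["subject"]
        for c in parse_blocks(listcacerts_text)
        if EXPIRED_RE.search(c.get("validity", "").split("not after", 1)[-1])
    }


if __name__ == "__main__":
    stale = stale_cas(SAMPLE_LISTCACERTS, SAMPLE_ON_DISK)
    for dn in sorted(stale):
        print(f"STALE CA still trusted by charon: {dn}")
    # Non-zero exit lets an update script decide to restart the daemon
    # instead of relying on rereadcacerts alone.
    raise SystemExit(1 if stale else 0)
```

In live use, feed it the real `ipsec listcacerts` output and the subjects of the files in ipsec.d/cacerts; a non-empty `stale_cas()` result is the signal that a peer could still authenticate against a CA you believed removed.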


----- Original Message -----
From: "Christophe Gouault" <christophe.gouault at 6wind.com>
To: "Martin Willi" <martin at strongswan.org>
Cc: dev at lists.strongswan.org
Sent: Thursday 2 October 2014 10:13:33
Subject: Re: [strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

2014-10-02 10:08 GMT+02:00 Martin Willi <martin at strongswan.org>:
> Hi Christophe,
>
> Thanks for your patch.
>
>> Do a little cleanup when deleting a connection via "ipsec update"
>> command:
>> - delete all established CHILD_SAs
>> - unroute the connection
>> - delete IKE_SAs that have no more CHILD_SAs
>> - delete the connection
>> - make sure to refuse an undesired negotiation request from the peer,
>>   by deleting the connection before terminating it.
>
> These changes certainly make sense in some scenarios. However, the
> behavioral change is non-trivial. That an "update" of connections
> deletes all associated SAs is not that obvious, especially as we did not
> do that before. I'd guess we'd break many scripted installations with
> that change.
>
> If we introduce such a behavioral change, I think we need to make that
> optional, and probably disable it by default.
>
> Regards
> Martin

Hi Martin,

You're right, this makes sense. I'll provide an update that makes it optional.

Best regards,
Christophe
_______________________________________________
Dev mailing list
Dev at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
