[strongSwan-dev] StrongSwan 5.2 ipsec reload behaviour changed

James Hulka jah at open.ch
Thu Jan 29 15:24:59 CET 2015

In our acceptance testing for StrongSwan 5.2 we noticed a change in the
behaviour of the 'ipsec reload' command.

Up to and including StrongSwan 5.0 'ipsec reload' would only
re-initialize tunnels that have been changed in the configuration.

We currently experience the following behaviour:

no changes to ipsec.conf
ipsec reload # ALL policies removed from policy DB
ipsec reload # ALL policies added back to policy DB

'ipsec reload' triggers a user defined signal using the charon
starter process id:

kill -USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0

The code handling this signal is in "strongswan-5.2.2/src/starter/starter.c"

It first runs the reload and then the update code:

line 234:  case SIGUSR1:
                   _action_ |= FLAG_ACTION_RELOAD;
                   _action_ |= FLAG_ACTION_UPDATE;

This has not changed since version 5.0; however, the update functionality
(starting at line 748 in starter.c) has changed.

Does anyone know why all policies are removed by 'ipsec reload'? It
seems that this should not happen UNLESS all tunnel configurations have
been removed or changed in ipsec.conf.

Best Regards,

James Hulka

james hulka
security engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 58 100 10 10
f: +41 58 100 10 11

jah at open.ch
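A way to reproduce the observation above in a measurable form, as an added example that is not part of the original post or of the strongSwan project: snapshot the kernel XFRM policy database before and after 'ipsec reload' and count what was dropped and what was added. A healthy reload with an unchanged ipsec.conf should report nothing removed and nothing added; the behaviour described in the post shows up as every policy removed. The live check assumes iproute2's 'ip xfrm policy' and the 'ipsec' wrapper are on PATH and that it runs as root; the policy listing used offline below is constructed sample output, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the mailing list post or the strongSwan sources).
# Assumes: iproute2 `ip xfrm policy`, the `ipsec` wrapper, root privileges
# for the live check. The offline helpers work on any two text snapshots.

# Reduce `ip xfrm policy` output to one sortable line per policy:
# "src <selector> dst <selector> dir <in|out|fwd>". The first line of each
# entry starts with "src", the direction sits on the indented "dir" line;
# "tmpl src ..." lines are indented and therefore ignored.
normalize_policies() {
    awk '
        /^src /        { src = $2; dst = $4 }
        /^[ \t]*dir /  { print "src " src " dst " dst " dir " $2 }
    ' | sort -u
}

# Compare two normalised snapshot files. Prints "removed N added M kept K".
# Returns 0 when the policy set is identical, 1 when anything changed.
policy_diff() {
    before="$1"
    after="$2"
    removed=$(comm -23 "$before" "$after" | wc -l | tr -d ' ')
    added=$(comm -13 "$before" "$after" | wc -l | tr -d ' ')
    kept=$(comm -12 "$before" "$after" | wc -l | tr -d ' ')
    echo "removed $removed added $added kept $kept"
    [ "$removed" -eq 0 ] && [ "$added" -eq 0 ]
}

# Live check around `ipsec reload` (needs root and a running charon; not
# exercised offline). With an unchanged ipsec.conf the expected report is
# "removed 0 added 0 kept K"; a full flush shows "removed K added 0 kept 0".
check_reload() {
    b=$(mktemp)
    a=$(mktemp)
    ip xfrm policy | normalize_policies > "$b"
    ipsec reload
    sleep 1                     # give the starter's update pass time to run
    ip xfrm policy | normalize_policies > "$a"
    if policy_diff "$b" "$a"; then rc=0; else rc=1; fi
    rm -f "$b" "$a"
    return $rc
}
```

Running check_reload twice in a row mirrors the sequence in the post: the first run should show every policy removed, the second every policy added back, which is the pattern to look for before digging into the starter's update code.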


More information about the Dev mailing list