[strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

Christophe Gouault christophe.gouault at 6wind.com
Thu Jan 29 16:52:12 CET 2015


2015-01-29 15:18 GMT+01:00 Emeric POUPON <emeric.poupon at stormshield.eu>:
> Hello,
>
> Thanks for your patch: I think it is definitely a good idea to flush connections that are no longer up to date with the configuration files.
> Did you manage to make an updated patch?

Hello Emeric,

I had to switch to priority tasks, so I left this patch on standby
(long-term standby ;-)). I'll try to find some time to add an option
in strongswan.conf.

> I have another related problem:
> I have two CA certificates in ipsec.d/cacerts. I can see them using "ipsec listcacerts"
> If I remove one of them and perform a "ipsec rereadcacerts", I can see in charon's log that the only remaining CA certificate is reloaded.
> However, I still see the two CA certs using the "ipsec listcacerts" command. "ipsec purgecerts" does not seem to help.
> Remote peers successfully manage to authenticate using the removed CA cert, that is quite annoying.
>
> Any idea?

Obviously additional cleanup is desirable.

Best Regards,

Christophe
