[strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection
martin at strongswan.org
Tue Mar 10 17:05:13 CET 2015
> I also tried to have a look at the "flush" method of the ike_sa_manager
> to see of the "delete" with no ack is performed: maybe we would need
> something similar in order to synchronously flush the connections that
> are no longer handled in the configuration file?
Note that a hard delete without a confirmed exchange is something we
should avoid when possible; the peer might think that the tunnel is
still alive, and send traffic to a black hole.
Having said that, you may try to issue two subsequent "down" commands.
The first will trigger a graceful tunnel shutdown with confirmation.
Once in the DELETING state, an additional "down" command will
immediately remove the IKE_SA.
> BTW, configuration reloading is quite a common subject on the
> strongswan's mailing lists, I am wondering if one of the official
> developers has already some ideas about this topic and things that may
> be done?
As we can see in this and other discussions, the topic is not trivial.
One reason for this is that the internal configuration hierarchy in
charon does not match very well to the ipsec.conf format inherited from
The current behavior is therefore limited to reloading connection
definitions, while keeping existing tunnels (which I think is absolutely
legitimate). It requires that the administrator manually closes/initiates
affected tunnels if he wants to. Of course that won't work
well in a scripted environment, but this is something the stroke
interface has always been bad at.
In my opinion, I think we should focus more on the swanctl interface and
the underlying vici IPC mechanism. It avoids many problems by more closely
resembling the configuration hierarchy in swanctl.conf. When reloading
connections, it inverts any specified start_action, and so basically
affects established connections (not manually initiated ones). This is all
relatively new, and certainly far away from perfect. But as we have a
better configuration format and a proper return channel in vici, the
foundation is much better to implement such functionality.