[strongSwan-dev] Removed SA/policies flush from starter
Emeric POUPON
emeric.poupon at stormshield.eu
Thu Jun 30 13:43:06 CEST 2016
Hello,
Thanks for your response.
>> I was thinking about restoring this flush during libcharon
>> initialization/deinitialization.
>
> Why?
Well, if the daemon crashes it restarts in a desynchronized state with the kernel, which is difficult to debug/monitor.
Examples:
- there is some IPsec traffic for quite a long time but charon has no IKE SA negotiated (no stat, no monitoring available using charon),
- if you perform a config reload just after a crash and the connection is no longer in the configuration, you will end up with the previous SA not flushed (we have a patch to remove the IKE SA/CHILD SA on deleted connections),
- if you perform an "ipsec stop" after a crash, nothing is done.
We could imagine an option (disabled by default) to enable this flush during startup?