[strongSwan-dev] Removed SA/policies flush from starter

Emeric POUPON emeric.poupon at stormshield.eu
Thu Jun 30 13:43:06 CEST 2016


Thanks for your response
>> I was thinking about restoring this flush during libcharon
>> initialization/deinitialization.
> Why?

Well, if the daemon crashes it restarts in a desynchronized state with the kernel, which is difficult to debug/monitor.
- there is some IPsec traffic for quite a long time but charon has no IKE SA negotiated (no stat, no monitoring available using charon),
- if you perform a config reload just after a crash and the connection is no longer in the configuration, you will end up with the previous SA not flushed (we have a patch to remove the IKE SA/CHILD SA on deleted connections),
- if you perform an "ipsec stop" after a crash, nothing is done.

We could imagine an option (disabled by default) to enable this flush during startup?

More information about the Dev mailing list