[strongSwan] Strongswan 4.5.1 with sqlite database: update database and DPD

Andreas Steffen andreas.steffen at strongswan.org
Thu Mar 3 17:35:17 CET 2011

On 03/03/2011 10:55 AM, CETIAD - Fabrice Barconnière wrote:
> Hello Andreas,
> Thank you very much for the patch.
> Our ARV tool generate the same child_configs's name for each peer_configs.
> I think we must modify it if we want to execute "ipsec up child_name".
> Do you think so ?
Would it help you if you could start up the peer config and all attached
child configs would be started automatically, i.e. in our example

  ipsec up net-net

would start net-1, net-2, and net-3. This would happen only in the case
when there is no child config having the same name as the peer config.

> If we want connections to be up automatically after a restart or reboot,
> is there any contraindication to set start_action = 2 on each gateway or
> is it better to keep start_action=0 on one gateway and start_action=2 on
> the others and execute "ipsec up child_name/peer_name" command on either
> sphynx (start_action=0) or amon (start_action=2) gateway?
In the past usually two IKE_SAs and corresponding CHILD_SAs were
established and maintained over all subsequent rekeyings. This is
not harmful per se but creates twice the number of tunnels. I have
to check if the the INITIAL_CONTACT notification introduced with
strongSwan 4.5.1 has changed this behaviour.

> In /usr/sbin/ipsec script, line 278, /var/lock/subsys/ipsec file is
> created if /var/lock/subsys directory exists.
> If subsys directory doesn't exist, ipsec file is not created. Is it
> normal behaviour ?
I even didn't know that this statement was present in the ipsec script.
Probably has been there since the early FreeS/WAN times. So just forget
about it.

> In strongswan.conf file, we set log as following :
> charon {
>     ..............
>     filelog {
>         /var/log/charon.log {
>             time_format = %b %e %T
>             append = yes
>             default = 1
>        }
>     ..............
>     }
> Logrotate archives charon.log to charon.log.x.gz.
> How charon daemon can create and use a new charon.log file without
> restarting ipsec ?
Hmmm, rotation of log files doesn't seem to be supported. Only if you
use the syslogger.

> Best regards
> Fabrice

Kind regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list