[strongSwan] How to dynamically add and delete tunnels?
dr. ir. Kees van Reeuwijk
reeuwijk at cs.vu.nl
Tue Oct 18 20:03:02 CEST 2011
Hi,
I need to add and delete StrongSwan tunnels to a machine without user intervention.
The solution I have come up with is to create a special directory, let's call it /strongswan, and then put a separate configuration file into /strongswan for each tunnel. To do this I added an entry
    include /strongswan/*.conf
to /etc/ipsec.conf
Adding a tunnel then consists of writing a new file to /strongswan, and saying
    ipsec update
Removing a tunnel consists of removing its configuration file from /strongswan, and saying
    ipsec update
Sadly, this does not work. A minor inconvenience is that strongSwan does not like it if the directory is empty, but that is easily solved with an empty dummy file. However, it seems that only the first `real' configuration file is read, and anything beyond that does not work. Also, I had expected that if I remove a configuration file, its tunnel goes away, but that doesn't seem to be the case. In fact, some of these tunnels do not go away, no matter what I do, and only a complete restart of the system helps.
It is quite possible that I'm doing something wrong, but before I start debugging I would like to ask a few questions: Is this a reasonable way to accomplish my goal? Is there a better way? Is there perhaps a limitation on the length of a connection name (so that what I think are two different names is treated as the same)?
Any help with this would be great.
--
Dr. Ir. Kees van Reeuwijk, Vrije Universiteit Amsterdam
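
The per-tunnel file scheme described in the message above, as an added example that is not part of the original post and not strongSwan's own code: a shell helper that writes and removes one `conn` file per tunnel, validating the name and option lines so that an automated caller cannot escape the directory or add extra sections. The function names and the TUNNEL_DIR and IPSEC variables are hypothetical, and the script assumes that `ipsec update` only changes configuration, so an established tunnel is taken down with `ipsec down` before its file is removed.

```shell
#!/bin/sh
# Added example, not from the post. TUNNEL_DIR, IPSEC and the function names
# are hypothetical; /strongswan is the directory the post includes.
TUNNEL_DIR="${TUNNEL_DIR:-/strongswan}"
IPSEC="${IPSEC:-ipsec}"

# A conn name becomes a file name and a section header, so allow only
# letters, digits, '_' and '-'. This rejects "../x" and "%default".
valid_conn_name() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# add_tunnel NAME < options   (one key=value per line on stdin)
add_tunnel() {
    name=$1
    valid_conn_name "$name" || { echo "bad conn name: $name" >&2; return 2; }
    # Dot-prefixed temp file: never matched by the *.conf include glob.
    tmp=$(mktemp "$TUNNEL_DIR/.$name.XXXXXX") || return 1
    printf 'conn %s\n' "$name" > "$tmp"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%%=*}
        case "$line" in *=*) ;; *) key='' ;; esac
        # Only key=value lines: a "conn ..." or "include ..." line would
        # smuggle another section into the file.
        case "$key" in
            ''|*[!A-Za-z0-9_]*)
                rm -f "$tmp"; echo "rejected: $line" >&2; return 2 ;;
        esac
        printf '\t%s\n' "$line" >> "$tmp"
    done
    # rename() is atomic, so starter never reads a half-written file.
    mv -f "$tmp" "$TUNNEL_DIR/$name.conf" && "$IPSEC" update
}

remove_tunnel() {
    name=$1
    valid_conn_name "$name" || { echo "bad conn name: $name" >&2; return 2; }
    # Assumption: an established tunnel must be taken down explicitly.
    "$IPSEC" down "$name" >/dev/null 2>&1 || true
    rm -f "$TUNNEL_DIR/$name.conf"
    "$IPSEC" update
}
```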