[strongSwan] Recommended command order.

Tom Rymes trymes at rymes.com
Thu Sep 19 20:41:02 CEST 2013

We currently use a firewall distro that has a GUI to 
add/modfiy/delete/restart StrongSwan tunnels. The update to v5 of 
StrongSwan caused some issues, which were eventually traced back to the 
GUI issuing "ipsec reload", but not "ipsec rereadsecrets" when creating 
a PSK tunnel.

My hunch here is that this worked with StrongSwan v4 and earlier because 
pluto restarted whenever 'ipsec reload' was issued, such that the entire 
configuration, including ipsec.secrets was reloaded, even if you did not 
explicitly issue "ipsec rereadsecrets" or "ipsec rereadall". However, 
beginning with v5, charon does not do this, and as such, issuing 'ipsec 
reload' without 'rereadsecrets' causes charon to see the new tunnel, but 
not the new PSK, and as such, fail to bring the tunnel up. This hunch is 
based on the fact that the docs say 'ipsec update' and 'ipsec reload' 
only determine changes in ipsec.conf, not in any other files, such as 

In any case, that issue has been corrected in the GUI by adding 'ipsec 
rereadall' prior to issuing 'ipsec reload'. However, I am now wondering, 
what is the proper order of commands to issue once you have 
added/deleted/stopped a tunnel", such that similar situations can be 

For example: Does it also make sense to issue a rereadall command when 
deleting a tunnel, such that charon forgets the PSK and IDs?

When would you issue a reload and not reread secrets/all/etc?

Hopefully this isn't an overly obvious question, any thoughts appreciated.


More information about the Users mailing list