[strongSwan] Recommended command order.
Tom Rymes
trymes at rymes.com
Thu Sep 19 20:41:02 CEST 2013
We currently use a firewall distro that has a GUI to
add/modify/delete/restart StrongSwan tunnels. The update to v5 of
StrongSwan caused some issues, which were eventually traced back to the
GUI issuing "ipsec reload", but not "ipsec rereadsecrets" when creating
a PSK tunnel.
My hunch here is that this worked with StrongSwan v4 and earlier because
pluto restarted whenever 'ipsec reload' was issued, such that the entire
configuration, including ipsec.secrets was reloaded, even if you did not
explicitly issue "ipsec rereadsecrets" or "ipsec rereadall". However,
beginning with v5, charon does not do this, and as such, issuing 'ipsec
reload' without 'rereadsecrets' causes charon to see the new tunnel, but
not the new PSK, and as such, fail to bring the tunnel up. This hunch is
based on the fact that the docs say 'ipsec update' and 'ipsec reload'
only determine changes in ipsec.conf, not in any other files, such as
ipsec.secrets
(http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand).
In any case, that issue has been corrected in the GUI by adding 'ipsec
rereadall' prior to issuing 'ipsec reload'. However, I am now wondering,
what is the proper order of commands to issue once you have
added/deleted/stopped a tunnel, such that similar situations can be
avoided?
For example: Does it also make sense to issue a rereadall command when
deleting a tunnel, such that charon forgets the PSK and IDs?
When would you issue a reload and not reread secrets/all/etc?
Hopefully this isn't an overly obvious question; any thoughts appreciated.
Tom
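One way to pin down the ordering the post arrives at (reread secrets before reload, so charon knows the PSK before it sees the connection that needs it), as an added example that is not from the original post, the GUI, or strongSwan's own tooling. The helper names, the DRY_RUN switch, and the assumption that `ipsec rereadall` also drops a PSK removed from ipsec.secrets are mine.

```shell
#!/bin/sh
# Hypothetical helper: ordered strongSwan 5 command sequence for a tunnel
# change. Assumes the caller has already written (or removed) the conn
# block in ipsec.conf and the matching PSK line in ipsec.secrets.

IPSEC="${IPSEC:-ipsec}"   # path to the ipsec(8) wrapper script

# Print, one per line, the commands to run for ACTION on connection CONN.
# Secrets are reread *before* reload: 'ipsec reload' only picks up
# ipsec.conf changes, so a reload alone leaves charon without the new PSK.
plan_tunnel_change() {
    action="$1"; conn="$2"
    case "$action" in
        add)
            echo "$IPSEC rereadall"
            echo "$IPSEC reload"
            echo "$IPSEC up $conn"
            ;;
        modify)
            # drop the live SA first; the edited conn may carry a new PSK too
            echo "$IPSEC down $conn"
            echo "$IPSEC rereadall"
            echo "$IPSEC reload"
            echo "$IPSEC up $conn"
            ;;
        delete)
            # tear down the SA before its conn definition disappears, then
            # reread secrets so the removed PSK is forgotten (assumption)
            echo "$IPSEC down $conn"
            echo "$IPSEC reload"
            echo "$IPSEC rereadall"
            ;;
        *)
            echo "usage: plan_tunnel_change add|modify|delete CONN" >&2
            return 2
            ;;
    esac
}

# Run the plan in order, stopping at the first failure.
# Set DRY_RUN=1 to only show what would be executed.
apply_tunnel_change() {
    plan_tunnel_change "$@" | while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "+ $cmd"; else $cmd || exit 1; fi
    done
}
```

Run as `DRY_RUN=1 apply_tunnel_change add myconn` to review the sequence before letting it touch a live charon.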