[strongSwan] Recommended command order.

Ali Masoudi masoudi1983 at gmail.com
Sat Sep 21 08:37:29 CEST 2013


Hi

Based on my experience, using `ipsec reload` is usually unnecessary.
`ipsec update` and `ipsec reread...` (rereadsecrets, rereadall, ...) are adequate. Besides, "ipsec
reload" sometimes makes running tunnels duplicate.

Best regards
Ali


On Thu, Sep 19, 2013 at 10:11 PM, Tom Rymes <trymes at rymes.com> wrote:

> We currently use a firewall distro that has a GUI to
> add/modify/delete/restart StrongSwan tunnels. The update to v5 of
> StrongSwan caused some issues, which were eventually traced back to the
> GUI issuing "ipsec reload", but not "ipsec rereadsecrets", when creating
> a PSK tunnel.
>
> My hunch here is that this worked with StrongSwan v4 and earlier because
> pluto restarted whenever 'ipsec reload' was issued, such that the entire
> configuration, including ipsec.secrets was reloaded, even if you did not
> explicitly issue "ipsec rereadsecrets" or "ipsec rereadall". However,
> beginning with v5, charon does not do this, and as such, issuing 'ipsec
> reload' without 'rereadsecrets' causes charon to see the new tunnel, but
> not the new PSK, and as such, fail to bring the tunnel up. This hunch is
> based on the fact that the docs say 'ipsec update' and 'ipsec reload'
> only determine changes in ipsec.conf, not in any other files, such as
> ipsec.secrets
> (http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand).
>
> In any case, that issue has been corrected in the GUI by adding 'ipsec
> rereadall' prior to issuing 'ipsec reload'. However, I am now wondering
> what the proper order of commands to issue is once you have
> added/deleted/stopped a tunnel, such that similar situations can be
> avoided?
>
> For example: Does it also make sense to issue a rereadall command when
> deleting a tunnel, such that charon forgets the PSK and IDs?
>
> When would you issue a reload and not reread secrets/all/etc?
>
> Hopefully this isn't an overly obvious question, any thoughts appreciated.
>
> Tom
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
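As an added illustration of the ordering discussed in this thread (not code from strongSwan or from either poster), the script below manages a PSK tunnel as drop-in fragments and then applies it with `ipsec rereadsecrets` before `ipsec update`, so that charon already knows the PSK when it learns about the new conn. It assumes a layout that is not in the original mail: `/etc/ipsec.conf` contains `include /etc/ipsec.d/conf/*.conf` and `/etc/ipsec.secrets` contains `include /etc/ipsec.d/secrets/*.secrets`; the directories and the `ipsec` binary are overridable through environment variables so the script can be exercised against a stub. The delete order (tear the tunnel down, remove the fragments, `update`, then `rereadsecrets`) is my own choice for that case, not something the thread states.

```shell
#!/bin/sh
# Hypothetical helper for adding/removing a net-to-net PSK tunnel under
# strongSwan 5 using the command order recommended in the thread:
# reread secrets first, then "ipsec update" (not "ipsec reload").
#
# Assumed (not from the original post): ipsec.conf and ipsec.secrets
# include these fragment directories. All three can be overridden.
IPSEC_CONF_DIR="${IPSEC_CONF_DIR:-/etc/ipsec.d/conf}"
IPSEC_SECRETS_DIR="${IPSEC_SECRETS_DIR:-/etc/ipsec.d/secrets}"
IPSEC_CMD="${IPSEC_CMD:-ipsec}"

# Write the ipsec.conf fragment for one IKEv2 PSK tunnel.
# $1 name, $2 left, $3 leftsubnet, $4 right, $5 rightsubnet
write_conn() {
    name=$1
    cat > "$IPSEC_CONF_DIR/$name.conf" <<EOF
conn $name
    keyexchange=ikev2
    authby=secret
    left=$2
    leftsubnet=$3
    right=$4
    rightsubnet=$5
    auto=start
EOF
}

# Write the ipsec.secrets fragment. The file is created 0600 via a
# subshell umask so the PSK is never world-readable, even briefly.
# $1 name, $2 left, $3 right, $4 psk (must not contain a double quote)
write_secret() {
    name=$1
    ( umask 077
      printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" \
          > "$IPSEC_SECRETS_DIR/$name.secrets" )
}

# Add or modify a tunnel. Secrets are reread BEFORE the conn is updated,
# which is the fix for the failure described in the thread (charon sees
# the new conn but not its PSK).
# $1 name, $2 left, $3 leftsubnet, $4 right, $5 rightsubnet, $6 psk
add_psk_tunnel() {
    write_conn "$1" "$2" "$3" "$4" "$5"
    write_secret "$1" "$2" "$4" "$6"
    "$IPSEC_CMD" rereadsecrets && "$IPSEC_CMD" update
}

# Remove a tunnel: bring it down (tolerated if it is not up), delete both
# fragments, drop the conn from charon, then make charon forget the PSK.
# $1 name
delete_psk_tunnel() {
    name=$1
    "$IPSEC_CMD" down "$name" || true
    rm -f "$IPSEC_CONF_DIR/$name.conf" "$IPSEC_SECRETS_DIR/$name.secrets"
    "$IPSEC_CMD" update && "$IPSEC_CMD" rereadsecrets
}

# Example usage (hypothetical addresses):
#   add_psk_tunnel site2 192.0.2.1 10.1.0.0/24 198.51.100.1 10.2.0.0/24 'MySharedKey'
#   delete_psk_tunnel site2
```

Because `ipsec update` and `ipsec rereadsecrets` each only touch one file, the two calls must be issued together on every add, modify or delete; a GUI that issues only one of them will eventually hit the mismatch described above. Point `IPSEC_CMD` at a stub script that logs its arguments to confirm the order before running this against a live daemon.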