[strongSwan] What is expected "ipsec update" & "ipsec reload" behavior?

Tobias Brunner tobias at strongswan.org
Tue Feb 17 16:16:16 CET 2015

Hi Ansis,

> Does it try to say that, if IPsec tunnel was previously established and
> then, if corresponding "conn" entry for that tunnel disappeared from the
> ipsec.conf file, then after "ipsec update" call those tunnels would
> still remain in the StrongSwan?

That's what it says, yes.  But connections might actually still be
affected by these updates, see [1] and the related ticket for details.
To not affect unchanged connections you should use `update` instead of
`reload`, which replaces all configs.

> If yes, then how can I force strongSwan to remove those tunnels that are
> no longer in ipsec.conf file?

You terminate them manually with `ipsec down`.  To avoid blocking we
added the `ipsec stroke down-nb` (and `up-nb`) command with 5.1.0 (a
delete exchange is still initiated but the command itself does not block).


[1] https://wiki.strongswan.org/issues/129

More information about the Users mailing list