[strongSwan] What is expected "ipsec update" & "ipsec reload" behavior?
Tobias Brunner
tobias at strongswan.org
Tue Feb 17 16:16:16 CET 2015
Hi Ansis,
> Does it try to say that, if IPsec tunnel was previously established and
> then, if corresponding "conn" entry for that tunnel disappeared from the
> ipsec.conf file, then after "ipsec update" call those tunnels would
> still remain in the StrongSwan?
That's what it says, yes. But connections might actually still be
affected by these updates, see [1] and the related ticket for details.
To not affect unchanged connections you should use `update` instead of
`reload`, which replaces all configs.
> If yes, then how can I force strongSwan to remove those tunnels that are
> no longer in ipsec.conf file?
You terminate them manually with `ipsec down`. To avoid blocking we
added the `ipsec stroke down-nb` (and `up-nb`) command with 5.1.0 (a
delete exchange is still initiated but the command itself does not block).
Regards,
Tobias
[1] https://wiki.strongswan.org/issues/129
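
Added example (not part of the original message and not strongSwan code): a script for the cleanup step described above. It compares saved `ipsec status` output with the `conn` sections of ipsec.conf and prints an `ipsec stroke down-nb` command for each connection that still has SAs but no config. The function names, the DRY_RUN variable, and the `name[N]:` / `name{N}:` status line format are assumptions.

```shell
#!/bin/sh
# Usage (after "ipsec update"):  ipsec status > status.txt
#                                sh stale.sh /etc/ipsec.conf status.txt

# Print conn names defined in an ipsec.conf-style file.
# Skips "conn %default"; does not follow "include" directives.
conf_conns() {
    awk '$1 == "conn" && $2 != "%default" { print $2 }' "$1" | sort -u
}

# Print connection names found in status text on stdin.
# Assumes SA lines begin with "name[N]:" (IKE_SA) or "name{N}:" (CHILD_SA).
active_conns() {
    sed -n 's/^[[:space:]]*\([^][{}[:space:]]\{1,\}\)[[{][0-9]*[]}]:.*/\1/p' |
        sort -u
}

# Print names that have SAs in the status file ($2) but no conn section
# in the config file ($1).
stale_conns() {
    defined=$(conf_conns "$1")
    active_conns < "$2" | while read -r name; do
        printf '%s\n' "$defined" | grep -qxF -- "$name" ||
            printf '%s\n' "$name"
    done
}

# Terminate each stale connection without blocking. With DRY_RUN=1 (the
# default here) the command is only printed so it can be reviewed first.
teardown_stale() {
    stale_conns "$1" "$2" | while read -r name; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'ipsec stroke down-nb %s\n' "$name"
        else
            ipsec stroke down-nb "$name"
        fi
    done
}

if [ "$#" -eq 2 ]; then
    teardown_stale "$1" "$2"
fi
```

Run it with DRY_RUN=0 only after checking the printed list, since a CHILD_SA name that differs from its parent conn name would also be reported.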