[strongSwan] Is it possible to update the host certificate without ipsec restart?

Martin Willi martin at strongswan.org
Mon Mar 23 10:01:45 CET 2015


Hi,

> I need to change the host certificate (/etc/ipsec.d/certs/xxx.pem

Certificates from the ipsec.d/certs directory do not get loaded
implicitly, but get referenced in your ipsec.conf conn definition. Use
"ipsec update" or "ipsec reload" to reload the connection, refer to the
manpage for details.

> & /etc/ipsec.d/private/xxx_key.pem)

Secrets such as private keys are not bound to a connection, use "ipsec
rereadsecrets" to reload an updated private key.

> and it should reflect for tunnel establishment/rekey without doing
> "ipsec restart".

"ipsec update/reload" does not affect established tunnels, but only the
configuration. You'll have to manually terminate any affected connection
using "ipsec down", and optionally use "ipsec up" to restart the
connection.

Regards
Martin
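
The sequence from the reply above as one script, an added example that is not part of the original message. The connection name "myconn", the openssl check that the new certificate and key belong together, and the choice to run "ipsec rereadsecrets" before "ipsec reload" (one of the two reload commands named in the reply) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. "myconn" and the file
# arguments are placeholders chosen for illustration.

# Succeed only if certificate $1 and private key $2 hold the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the ipsec commands for connection $1, one per line.
# Order is this example's choice: key first, then config, then the tunnel.
rotation_steps() {
    printf '%s\n' \
        "ipsec rereadsecrets" \
        "ipsec reload" \
        "ipsec down $1" \
        "ipsec up $1"
}

# rotate CONN CERT KEY: leave the daemon alone if cert and key mismatch.
# With DRY_RUN=1 the commands are printed instead of executed.
rotate() {
    conn=$1; cert=$2; key=$3
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing: $cert and $key do not match" >&2
        return 1
    fi
    rotation_steps "$conn" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            # Stop at the first failing step; stdin is detached from the pipe.
            $cmd </dev/null || exit 1
        fi
    done
}

# Stand-alone use: sh <this script> CONN CERT KEY
if [ $# -eq 3 ]; then
    rotate "$@"
fi
```
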




