[strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified
Tobias Brunner
tobias at strongswan.org
Wed Sep 16 11:32:16 CEST 2020
Hi Karuna,
> Would `ipsec update` also work when I update the cert thumbprint in
> ipsec.secrets file?
I'm not exactly sure what you are referring to with "cert thumbprint",
but changed certificates are not detected by `update` unless the name
has changed. And ipsec.secrets and files in ipsec.d subfolders are
(re-)loaded with separate commands, never with `update` or `reload`.
> I'm assuming that until the IKE SA is re-negotiated the
> existing IKE SA and child ESP SA will continue to work, correct?
Since existing connections are not affected by config changes that's the
case anyway. However, e.g. as client if the SA is reauthenticated, and
the certificate expired, for instance, the old certificate of the
existing connection would be used. So if the config is updated due to
such a change, it's necessary to manually terminate and re-establish the SA.
Regards,
Tobias
More information about the Users
mailing list