[strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified

Tobias Brunner tobias at strongswan.org
Wed Sep 16 11:32:16 CEST 2020

Hi Karuna,

> Would `ipsec update` also work when I update the cert thumbprint in
> ipsec.secrets file?

I'm not exactly sure what you are referring to with "cert thumbprint",
but changed certificates are not detected by `update` unless the name
has changed.  And ipsec.secrets and files in ipsec.d subfolders are
(re-)loaded with separate commands, never with `update` or `reload`.

> I'm assuming that until the IKE SA is re-negotiated the
> existing IKE SA and child ESP SA will continue to work, correct?

Since existing connections are not affected by config changes that's the
case anyway.  However, e.g. as client if the SA is reauthenticated, and
the certificate expired, for instance, the old certificate of the
existing connection would be used.  So if the config is updated due to
such a change, it's necessary to manually terminate and re-establish the SA.


More information about the Users mailing list