[strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified

Karuna Sagar Krishna karunasagark at gmail.com
Thu Sep 17 10:06:16 CEST 2020


Hi Tobias,

I'm referring to certificate rotation when I say certificate thumbprint
changed. In this case, the following are updated - certificate references
in the ipsec.secrets and ipsec.conf files, new file containing the
certificate itself in ipsec.d/private and ipsec.d/certs. We are retaining
the same CN for the certificate, however the thumbprint, expiry and other
properties change on the certificate.

As you clarified, `ipsec update` or `ipsec reload` don't pick up the changes
in ipsec.secrets and ipsec.d subfolders. Which command loads/reloads the
changes in ipsec.secrets and ipsec.d subfolders? Would this command
terminate and re-establish the SA? And with the intent to avoid network
disruption, and since authentication only takes place when the IKE SA is first
established or re-negotiated, is there a way to make the new certificate
effective only when the IKE SA is re-negotiated?

--karuna



On Wed, Sep 16, 2020 at 2:32 AM Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Karuna,
>
> > Would `ipsec update` also work when I update the cert thumbprint in
> > ipsec.secrets file?
>
> I'm not exactly sure what you are referring to with "cert thumbprint",
> but changed certificates are not detected by `update` unless the name
> has changed.  And ipsec.secrets and files in ipsec.d subfolders are
> (re-)loaded with separate commands, never with `update` or `reload`.
>
> > I'm assuming that until the IKE SA is re-negotiated the
> > existing IKE SA and child ESP SA will continue to work, correct?
>
> Since existing connections are not affected by config changes that's the
> case anyway.  However, e.g. as client if the SA is reauthenticated, and
> the certificate expired, for instance, the old certificate of the
> existing connection would be used.  So if the config is updated due to
> such a change, it's necessary to manually terminate and re-establish the
> SA.
>
> Regards,
> Tobias
>
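The rotation procedure the two messages describe, written out as a small planner (an added example, not code from the strongSwan project or from either poster). It computes the SHA-1 thumbprint that changes on rotation, lists the operator steps in the order the thread implies (files and references first, `ipsec rereadsecrets` for the private key, `ipsec reload` for the connection, then a manual `ipsec down`/`ipsec up` because the established IKE SA keeps its old certificate even across reauthentication), and derives the latest safe time for that re-establishment from the old certificate's expiry. The `ipsec` subcommands are the legacy strongSwan tool's; the connection name, file names and the sample certificate bytes are constructed placeholders.

```python
"""Planner for rotating a gateway certificate on a strongSwan host driven by
ipsec.conf / ipsec.secrets.  Added example, not code from the strongSwan project
or from this thread.  Assumed: the legacy `ipsec` tool subcommands rereadsecrets,
reload, down and up; the conn name and file names are placeholders; the sample
certificates below are constructed bytes, not real X.509 certificates."""
import base64
import hashlib
import ssl
from datetime import datetime, timedelta, timezone


def thumbprint(pem: str) -> str:
    """SHA-1 over the DER bytes, the value Windows displays as 'Thumbprint'.
    ssl.PEM_cert_to_DER_cert only strips the PEM armour, so it also accepts
    the constructed sample certificates used below."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()


def rotation_plan(conn: str, old_pem: str, new_pem: str,
                  old_not_after: datetime, now: datetime,
                  margin: timedelta = timedelta(days=1)) -> dict:
    """Ordered operator steps plus the latest time the IKE SA must be
    re-established.  Rules taken from the thread:
      * `ipsec update`/`reload` reload connections, not ipsec.secrets or the
        ipsec.d subfolders; the new private key needs `ipsec rereadsecrets`.
      * An established IKE SA ignores config changes and keeps the certificate
        it was authenticated with, even when it reauthenticates, so the new
        certificate only takes effect after `ipsec down`/`ipsec up`."""
    old_tp, new_tp = thumbprint(old_pem), thumbprint(new_pem)
    if old_tp == new_tp:
        return {"steps": [], "deadline": None}  # same certificate: nothing to rotate
    tag = new_tp[:8].lower()  # new file names, so `reload` notices the changed leftcert
    steps = [
        f"install certificate as /etc/ipsec.d/certs/gw-{tag}.pem",
        f"install private key as /etc/ipsec.d/private/gw-{tag}.pem",
        f"ipsec.conf: set leftcert=gw-{tag}.pem in conn {conn}",
        f"ipsec.secrets: replace the key line with ': RSA gw-{tag}.pem'",
        "ipsec rereadsecrets",   # loads the new private key
        "ipsec reload",          # reloads conns so the new leftcert file is read
        f"ipsec down {conn}",    # the existing SA still holds the old certificate
        f"ipsec up {conn}",      # the re-established SA authenticates with the new one
    ]
    # The down/up must happen before the old certificate expires: a
    # reauthentication after that point would still present the expired
    # certificate.  Once it has expired, re-establish immediately.
    deadline = now if old_not_after <= now else old_not_after - margin
    return {"steps": steps, "deadline": deadline,
            "old_thumbprint": old_tp, "new_thumbprint": new_tp}


def _constructed_pem(tag: bytes) -> str:
    """Constructed PEM framing around arbitrary bytes (not a real certificate)."""
    body = base64.encodebytes(b"constructed-not-a-real-certificate:" + tag).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


OLD_PEM = _constructed_pem(b"gw-2019")
NEW_PEM = _constructed_pem(b"gw-2020")
NOW = datetime(2020, 9, 17, 10, 0, tzinfo=timezone.utc)
OLD_NOT_AFTER = NOW + timedelta(days=10)
MARGIN = timedelta(days=1)


def demo() -> dict:
    """Rotation while the old certificate is still valid for ten days."""
    return rotation_plan("win2019", OLD_PEM, NEW_PEM, OLD_NOT_AFTER, NOW, MARGIN)


def demo_expired() -> dict:
    """Rotation after the old certificate has already expired."""
    return rotation_plan("win2019", OLD_PEM, NEW_PEM, NOW - timedelta(hours=1), NOW, MARGIN)


if __name__ == "__main__":
    plan = demo()
    for step in plan["steps"]:
        print(step)
    print("re-establish no later than", plan["deadline"].isoformat())
```

Running the module prints the step list and the deadline for the ten-day case; the deadline is what an operator schedules the `ipsec down`/`ipsec up` pair against so the swap happens in a controlled window rather than at a failed reauthentication.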