[strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified
Karuna Sagar Krishna
karunasagark at gmail.com
Thu Sep 17 10:06:16 CEST 2020
I'm referring to certificate rotation when I say the certificate thumbprint
changed. In this case, the following are updated: the certificate references
in the ipsec.secrets and ipsec.conf files, and a new file containing the
certificate itself in ipsec.d/private and ipsec.d/certs. We are retaining
the same CN for the certificate; however, the thumbprint, expiry and other
properties of the certificate change.

As you clarified, `ipsec update` and `ipsec reload` don't pick up the changes
in ipsec.secrets and the ipsec.d subfolders. Which command loads or reloads the
changes in ipsec.secrets and the ipsec.d subfolders? Would this command
terminate and re-establish the SA? And, with the intent of avoiding network
disruption, and since authentication only takes place when the IKE SA is first
established or re-negotiated, is there a way to make the new certificate
effective only when the IKE SA is re-negotiated?
On Wed, Sep 16, 2020 at 2:32 AM Tobias Brunner <tobias at strongswan.org>
> Hi Karuna,
> > Would `ipsec update` also work when I update the cert thumbprint in
> > ipsec.secrets file?
> I'm not exactly sure what you are referring to with "cert thumbprint",
> but changed certificates are not detected by `update` unless the name
> has changed. And ipsec.secrets and files in ipsec.d subfolders are
> (re-)loaded with separate commands, never with `update` or `reload`.
> > I'm assuming that until the IKE SA is re-negotiated the
> > existing IKE SA and child ESP SA will continue to work, correct?
> Since existing connections are not affected by config changes that's the
> case anyway. However, e.g. as client if the SA is reauthenticated, and
> the certificate expired, for instance, the old certificate of the
> existing connection would be used. So if the config is updated due to
> such a change, it's necessary to manually terminate and re-establish the
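The rotation procedure described in this exchange (new cert and key dropped into ipsec.d, references updated in ipsec.conf and ipsec.secrets, then a reload that does not touch running SAs) is easy to get half right. The following script is an added example, not code from the strongSwan project or from either poster. It assumes the legacy stroke-based setup the thread discusses (ipsec.conf/ipsec.secrets under /etc/ipsec.d), that `openssl` and the `ipsec` script are on PATH on the VPN host, and that the rotated files are given new names so `ipsec update` notices the change. The sample ipsec.secrets content it writes is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the strongSwan project or the list thread).
# Assumptions: stroke-based config (ipsec.conf / ipsec.secrets), files under
# /etc/ipsec.d, openssl on PATH; the `ipsec` script only on the VPN host.

IPSEC_DIR="${IPSEC_DIR:-/etc/ipsec.d}"

# cert_matches_key CERT KEY
# Returns 0 when the public key inside CERT equals the one derived from KEY,
# so a rotated certificate is never paired with the previous private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT SECONDS
# Returns 0 when CERT is still valid SECONDS from now (openssl -checkend).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_fingerprint CERT
# Prints the SHA-256 fingerprint ("thumbprint") of CERT for the change record.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# secrets_reference_key SECRETS KEYFILE
# Returns 0 when ipsec.secrets has a ": RSA ..." or ": ECDSA ..." entry that
# names KEYFILE (matched by basename, with or without quotes or a path).
secrets_reference_key() {
    name=$(basename "$2")
    grep -E '^[[:space:]]*:[[:space:]]*(RSA|ECDSA)[[:space:]]' "$1" \
        | grep -Fq "$name"
}

# write_sample_secrets FILE
# Writes a constructed ipsec.secrets (sample data, not from the thread) to FILE.
write_sample_secrets() {
    cat > "$1" <<'EOF'
# constructed sample ipsec.secrets
: RSA vpn-gateway-2020-09.key
: ECDSA "/etc/ipsec.d/private/backup-gateway.key"
EOF
}

# precheck_rotation CERT KEY SECRETS
# Runs every check that does not need charon; returns 0 only if all pass.
precheck_rotation() {
    cert_matches_key "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
    cert_valid_for "$1" 86400  || { echo "cert expires within 24h" >&2; return 1; }
    secrets_reference_key "$3" "$2" \
        || { echo "ipsec.secrets does not name $2" >&2; return 1; }
    echo "new thumbprint: $(cert_fingerprint "$1")"
}

# apply_rotation
# `ipsec update` / `ipsec reload` only re-read ipsec.conf, so ipsec.secrets
# (and the private keys it names) must be re-read with `ipsec rereadsecrets`
# (`ipsec rereadall` additionally re-reads CA certs, CRLs etc. in ipsec.d).
# Neither command touches established IKE/CHILD SAs, and per the reply above a
# reauthentication of an existing SA still uses the old certificate, so the
# connection must be taken down and brought up (`ipsec down`/`ipsec up`) when
# the new certificate should actually take effect.
apply_rotation() {
    ipsec rereadsecrets && ipsec update && ipsec listcerts
}

if [ $# -eq 3 ]; then
    precheck_rotation "$1" "$2" "$3" && apply_rotation
fi
```

Usage on the gateway: `sh rotate-check.sh /etc/ipsec.d/certs/new.pem /etc/ipsec.d/private/new.key /etc/ipsec.secrets`. The prechecks are deliberately separate from `apply_rotation` so the key/cert mismatch and expiry cases fail before anything is reloaded; `ipsec listcerts` at the end lets you confirm the new thumbprint is what charon now holds.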