[strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified

Tobias Brunner tobias at strongswan.org
Thu Sep 17 10:18:08 CEST 2020


Hi Karuna,

> As you clarified `ipsec update` or `ipsec reload` don't pick up the
> changes in ipsec.secrets and ipsec.d subfolders. Which command
> load/reloads the changes in ipsec.secrets and ipsec.d subfolders?

See [1].  But I'd actually recommend you switch to swanctl/vici [2],
which can handle such stuff much better.  For one, changed certificates
referenced in configs are detected, and you can even avoid referencing
certificates (just configure the identity) and (re-)load them separately.

> Would
> this command terminate and re-establish the SA?

No, as I said before, existing connections are not affected by config
changes.

> And with the intent to
> avoid network disruption and since authentication only takes place when
> IKE SA is first established or re-negotiated, is there a way to make the
> new certificate effective only when the IKE SA is re-negotiated?

Depends on whether you are responder or initiator of the
reauthentication and whether the certificate is explicitly referenced in
the config.  As responder the new config/certificate would be picked up,
as initiator only if the certificate is not explicitly referenced in the
config.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ipseccommand
[2] https://wiki.strongswan.org/projects/strongswan/wiki/swanctl
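
Editor's added example (not part of Tobias's reply, and not strongSwan project code): the swanctl-based rotation the reply recommends, as a POSIX shell script. It writes a swanctl.conf connection that names the local end by identity only, so the certificate is looked up among loaded credentials at authentication time rather than pinned by a "certs =" line; it checks a config for such an explicit reference; and it installs a new certificate and key and runs "swanctl --load-creds", which reloads credentials without touching connections or established SAs. The connection name, identities, addresses and subnets are constructed; SWANCTL_DIR (the override swanctl itself honours), the /etc/swanctl/x509 and /etc/swanctl/private directories, --load-creds and --list-certs are real swanctl features; the vici socket path /var/run/charon.vici is the default and used here only to detect a running daemon.

```shell
#!/bin/sh
# Added example, not from the original message or the strongSwan project.
# Rotate a certificate under swanctl/vici: existing IKE SAs stay up and the
# new certificate is used at the next (re)authentication.
set -eu

# swanctl honours SWANCTL_DIR; override it (e.g. to a scratch dir) for a dry run.
SWANCTL_DIR="${SWANCTL_DIR:-/etc/swanctl}"
VICI_SOCKET="${VICI_SOCKET:-/var/run/charon.vici}"   # default socket path (assumption for daemon detection)

# Write a connection whose local end is selected by identity only.
# With no "certs = ..." line, charon picks the certificate matching the id
# from the loaded credentials when it authenticates, so a reloaded
# certificate is used on the next reauthentication even when we initiate it.
# Names, addresses and subnets below are constructed for the example.
write_identity_only_conn() {
    conf="$1"
    cat > "$conf" <<'EOF'
connections {
    rot {
        version = 2
        remote_addrs = 203.0.113.10     # constructed peer address
        local {
            auth = pubkey
            id = "CN=gw.example.test"   # identity only, no certs = line
        }
        remote {
            auth = pubkey
            id = "CN=peer.example.test"
        }
        children {
            net {
                local_ts = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
            }
        }
    }
}
EOF
}

# True (exit 0) if a swanctl.conf pins a certificate explicitly, either via
# "certs = file" or a "cert<N> { file = ... }" subsection. An initiator with
# such a config keeps the referenced certificate until the config is reloaded.
conf_references_cert() {
    grep -Eq '^[[:space:]]*(certs[[:space:]]*=|cert[0-9]*[[:space:]]*\{)' "$1"
}

# Stage a new certificate and key, then reload credentials only.
# --load-creds neither reloads connections nor affects established SAs.
rotate_cert() {
    cert="$1"; key="$2"
    install -m 0644 "$cert" "$SWANCTL_DIR/x509/$(basename "$cert")"
    install -m 0600 "$key"  "$SWANCTL_DIR/private/$(basename "$key")"
    if command -v swanctl >/dev/null 2>&1 && [ -S "$VICI_SOCKET" ]; then
        swanctl --load-creds
        swanctl --list-certs
    else
        echo "no running charon reachable; files staged under $SWANCTL_DIR only" >&2
    fi
}
```

Usage on a live gateway: write_identity_only_conn /etc/swanctl/conf.d/rot.conf, run swanctl --load-conns once, then for every rotation run rotate_cert new.pem new.key and check swanctl --list-sas to confirm the SA is still up; the new certificate takes effect on the next reauthentication, as described in the reply.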