[strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified
tobias at strongswan.org
Thu Sep 17 10:18:08 CEST 2020
> As you clarified `ipsec update` or `ipsec reload` don't pick up the
> changes in ipsec.secrets and ipsec.d subfolders. Which command
> load/reloads the changes in ipsec.secrets and ipsec.d subfolders?
See . But I'd actually recommend you switch to swanctl/vici,
which can handle such stuff much better. For one, changed certificates
referenced in configs are detected, and you can even avoid referencing
certificates (just configure the identity) and (re-)load them separately.
> this command terminate and re-establish the SA?
No, as I said before, existing connections are not affected by config
> And with the intent to
> avoid network disruption and since authentication only takes place when
> IKE SA is first established or re-negotiated, is there a way to make the
> new certificate effective only when the IKE SA is re-negotiated?
Depends on whether you are responder or initiator of the
reauthentication and whether the certificate is explicitly referenced in
the config. As responder the new config/certificate would be picked up,
as initiator only if the certificate is not explicitly referenced in the
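The swanctl setup recommended in the reply above, sketched as an added example that is not part of the original message or of strongSwan's own documentation: the local section names only an identity, so a renewed certificate can be placed in the credential directory and loaded separately. The connection name, addresses, identities, subnets and file names are constructed for illustration.

```conf
# /etc/swanctl/swanctl.conf (constructed example)
connections {
    win2019 {
        remote_addrs = 192.0.2.10          # constructed peer address
        local {
            auth = pubkey
            # Identity only. It must appear in the certificate as the
            # subject DN or a subjectAltName so a matching certificate
            # can be selected from the loaded credentials.
            id = ubuntu.example.org
            # Explicit reference, the variant the reply advises against
            # when certificates are rotated:
            # certs = ubuntu-2020.pem
        }
        remote {
            auth = pubkey
            id = win2019.example.org
        }
        children {
            net {
                local_ts = 10.1.0.0/16     # constructed subnets
                remote_ts = 10.2.0.0/16
            }
        }
    }
}

# Rotation procedure (run as root on the Ubuntu host):
#   1. Copy the renewed certificate to /etc/swanctl/x509/ and its key
#      to /etc/swanctl/private/ (swanctl's default credential dirs).
#   2. swanctl --load-creds    # (re-)load certificates and keys only
#   3. swanctl --list-certs    # confirm the new certificate is loaded
#   4. swanctl --load-conns    # only needed if the connection changed
#
# Per the reply, an initiator picks up a new certificate on
# reauthentication only when the certificate is not explicitly
# referenced, which is why the local section uses id and not certs.
```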