Bug #12075


Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync

Added by Jim Pingle about 1 month ago. Updated about 1 month ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


When synchronizing settings over XMLRPC, the secondary only reconfigures the IPsec daemon if IPsec is enabled or disabled as a whole and not for other changes.

If a setting is changed on an existing setup, such as altering a PSK or adding a new tunnel, the secondary gets the settings in config.xml but they are not activated in strongswan. For example, new settings are not reflected in /var/etc/swanctl.conf until something else comes along and reloads them (e.g. manually, reboot, etc).

Normally the settings should be applied on sync, but in some cases that could lead to the secondary interfering in active tunnels, so testing and care is needed to ensure it is not disruptive. Settings could also be applied during transition to CARP master but that could be prone to timing issues.

Actions #1

Updated by Marcos Mendoza about 1 month ago

Perhaps it could be treated similarly to FRR and OpenVPN where the secondary checks whether its interface is CARP, and if so, it only starts the service if it's interface is in master.

Actions #3

Updated by Viktor Gurov about 1 month ago

PH1 entries with BACKUP VIP or VIPs aliased to BACKUP CARP must be skipped in `ipsec_get_phase1_src()` (see also - otherwise secondary node tries to start CARP-binded PH1 entries after reboot

Actions #4

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review
Actions #5

Updated by Jim Pingle about 1 month ago

Copied from my comments on the PR:

Skipping entries negates the entire point of doing the configure during XMLRPC sync. You may as well just reconfigure during the CARP transition if you're going to do that.

Rather than skipping entries, set the child SA start action to 'none' on sync when using a CARP VIP in backup status, and then when it changes to master, resync and let it be whatever the user set (or default if unset). When child SA start action is 'none' it won't attempt to automatically initiate.

Actions #6

Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #7

Updated by Viktor Gurov about 1 month ago

  • % Done changed from 0 to 100

Also available in: Atom PDF