Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync
When synchronizing settings over XMLRPC, the secondary only reconfigures the IPsec daemon if IPsec is enabled or disabled as a whole and not for other changes.
If a setting is changed on an existing setup, such as altering a PSK or adding a new tunnel, the secondary gets the settings in config.xml but they are not activated in strongSwan. For example, new settings are not reflected in /var/etc/swanctl.conf until something else comes along and reloads them (e.g. manually, reboot, etc.).
Normally the settings should be applied on sync, but in some cases that could lead to the secondary interfering in active tunnels, so testing and care is needed to ensure it is not disruptive. Settings could also be applied during transition to CARP master but that could be prone to timing issues.
Updated by Viktor Gurov 4 months ago
Updated by Jim Pingle 4 months ago
Copied from my comments on the PR:
Skipping entries negates the entire point of doing the configure during XMLRPC sync. You may as well just reconfigure during the CARP transition if you're going to do that.
Rather than skipping entries, set the child SA start action to 'none' on sync when using a CARP VIP in backup status, and then when it changes to master, resync and let it be whatever the user set (or default if unset). When child SA start action is 'none' it won't attempt to automatically initiate.
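The rule proposed in the comment above, written out as an added example (not pfSense or strongSwan code): the tunnel records, the CARP status strings and the fallback default start action are assumptions constructed here; `start_action` and its values `none`, `trap` and `start` are real swanctl.conf keywords.

```python
# Added example, not pfSense code: decide the strongSwan child SA start_action
# written to swanctl.conf on a node depending on its CARP VIP state.
# Assumptions (constructed for this example): tunnels are dicts with "name" and
# an optional "start_action" (the user's setting), CARP status is "MASTER" or
# "BACKUP", and the fallback when the user set nothing is "start".

DEFAULT_START_ACTION = "start"  # assumed default for this example only


def effective_start_action(user_setting, carp_status):
    """Return the start_action to render for one child SA on this node.

    While the CARP VIP is in BACKUP state the child SA must not
    auto-initiate, so the value is forced to 'none' whatever the user
    configured. Once the node is MASTER the user's value (or the default)
    is used again, which is what a resync on transition would produce.
    """
    if carp_status.upper() == "BACKUP":
        return "none"
    return user_setting if user_setting else DEFAULT_START_ACTION


def render_children(tunnels, carp_status):
    """Render the children {} block of a swanctl.conf connection section."""
    lines = ["children {"]
    for tunnel in tunnels:
        action = effective_start_action(tunnel.get("start_action"), carp_status)
        lines.append(f"    {tunnel['name']} {{")
        lines.append(f"        start_action = {action}")
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


# Constructed sample: one child with an explicit setting, one left unset.
SAMPLE_TUNNELS = [
    {"name": "con1_child1", "start_action": "trap"},
    {"name": "con1_child2", "start_action": None},
]

if __name__ == "__main__":
    print("# secondary (CARP BACKUP), right after XMLRPC sync")
    print(render_children(SAMPLE_TUNNELS, "BACKUP"))
    print("# same node after CARP transition to MASTER (resync)")
    print(render_children(SAMPLE_TUNNELS, "MASTER"))
```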
Updated by Max Leighton 16 days ago
This seems to work for me. When I make changes to an existing tunnel's encryption settings, interface, local ID, etc., /var/etc/ipsec/swanctl.conf on the secondary immediately reflects the changes without any manual intervention. However, I am not able to replicate the initial problem in 2.5.2, so it's not clear if this only affected earlier 2.6 builds?
built on Sat Oct 09 05:20:31 UTC 2021